migrating buildkite to ci provider

config/identity/config.yaml

@@ -12,57 +12,93 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+define:
+  - &github-type "github-workflow"
+  - &gitlab-type "gitlab-pipeline"
+  - &codefresh-type "codefresh-workflow"
+  - &buildkite-type "buildkite-job"
 oidc-issuers:
   https://accounts.google.com:
     issuer-url: https://accounts.google.com
     client-id: sigstore
     type: email
+    contact: tac@sigstore.dev
+    description: "Google OIDC auth"
   https://agent.buildkite.com:
     issuer-url: https://agent.buildkite.com
     client-id: sigstore
-    type: buildkite-job
+    type: ci-provider
+    ci-provider: *buildkite-type
+    contact: support@buildkite.com
+    description: "Buildkite Agent OIDC tokens for job identity"
   https://allow.pub:
     issuer-url: https://allow.pub
     client-id: sigstore
     type: spiffe
     spiffe-trust-domain: allow.pub
+    contact: evan@phx.io
+    description: "Server side signing support for the OCI registry vcr.pub"
   https://auth.eclipse.org/auth/realms/sigstore:
     issuer-url: https://auth.eclipse.org/auth/realms/sigstore
     client-id: sigstore
     type: email
+    contact: security@eclipse-foundation.org
+    description: "Eclipse Foundation Production OIDC provider"
   https://dev.gitlab.org:
     issuer-url: https://dev.gitlab.org
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
+    contact: distribution-be@gitlab.com
+    description: "GitLab OIDC tokens for job identity"
   https://gitlab.archlinux.org:
     issuer-url: https://gitlab.archlinux.org
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
+    contact: sigstore@archlinux.org
+    description: "GitLab OIDC tokens for job identity"
   https://gitlab.com:
     issuer-url: https://gitlab.com
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
+    contact: support@gitlab.com
+    description: "GitLab OIDC tokens for job identity"
   https://issuer.enforce.dev:
     issuer-url: https://issuer.enforce.dev
     client-id: sigstore
     type: chainguard-identity
+    contact: mattmoor@chainguard.dev
+    description: "Chainguard identity tokens"
   https://oauth2.sigstore.dev/auth:
     issuer-url: https://oauth2.sigstore.dev/auth
     client-id: sigstore
     type: email
     issuer-claim: $.federated_claims.connector_id
+    contact: tac@sigstore.dev
+    description: "dex address for fulcio"
   https://oidc.codefresh.io:
     issuer-url: https://oidc.codefresh.io
     client-id: sigstore
-    type: codefresh-workflow
+    type: ci-provider
+    ci-provider: *codefresh-type
+    contact: support@codefresh.io
+    description: "Codefresh OIDC tokens for job identity"
   https://ops.gitlab.net:
     issuer-url: https://ops.gitlab.net
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
+    contact: distribution-be@gitlab.com
+    description: "GitLab OIDC tokens for job identity"
   https://token.actions.githubusercontent.com:
     issuer-url: https://token.actions.githubusercontent.com
     client-id: sigstore
-    type: github-workflow
+    type: ci-provider
+    ci-provider: *github-type
+    contact: tac@sigstore.dev
+    description: "GitHub Actions OIDC auth"
 meta-issuers:
   https://*.oic.prod-aks.azure.com/*:
     client-id: sigstore
@@ -78,4 +114,64 @@ meta-issuers:
     type: kubernetes
   https://token.actions.githubusercontent.com/*:
     client-id: sigstore
-    type: github-workflow
+    type: ci-provider
+    ci-provider: *github-type
+ci-issuer-metadata:
+  *github-type:
+      default-template-values:
+          url: "https://github.com"
+      extension-templates:
+          github-workflow-trigger: "event_name"
+          github-workflow-sha: "sha"
+          github-workflow-name: "workflow"
+          github-workflow-repository: "repository"
+          github-workflow-ref: "ref"
+          build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}"
+          build-signer-digest: "job_workflow_sha"
+          runner-environment: "runner_environment"
+          source-repository-uri: "{{ .url }}/{{ .repository }}"
+          source-repository-digest: "sha"
+          source-repository-ref: "ref"
+          source-repository-identifier: "repository_id"
+          source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}"
+          source-repository-owner-identifier: "repository_owner_id"
+          build-config-uri: "{{ .url }}/{{ .workflow_ref }}"
+          build-config-digest: "workflow_sha"
+          build-trigger: "event_name"
+          run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
+          source-repository-visibility-at-signing: "repository_visibility"
+      subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
+  *gitlab-type:
+    default-template-values:
+        url: "https://gitlab.com"
+    extension-templates:
+        build-signer-uri: "https://{{ .ci_config_ref_uri }}"
+        build-signer-digest: "ci_config_sha"
+        runner-environment: "runner_environment"
+        source-repository-uri: "{{ .url }}/{{ .repository }}"
+        source-repository-digest: "sha"
+        source-repository-ref: "ref"
+        source-repository-identifier: "project_id"
+        source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
+        source-repository-owner-identifier: "namespace_id"
+        build-config-uri: "https://{{ .ci_config_ref_uri }}"
+        build-config-digest: "ci_config_sha"
+        build-trigger: "pipeline_source"
+        run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
+        source-repository-visibility-at-signing: "repository_visibility"
+    subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
+  *codefresh-type:
+    default-template-values:
+        url: "https://g.codefresh.io"
+    extension-templates:
+        build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+        runner-environment: "runner_environment"
+        source-repository-uri: "scm_repo_url"
+        source-repository-ref: "scm_ref"
+        build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
+        run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+    subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
+  *buildkite-type:
+    default-template-values:
+        url: "https://buildkite.com"
+    subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"

docs/oidc.md

@@ -10,13 +10,18 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the
 
 To add a new OIDC issuer:
 
-* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
-* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
-* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
-* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
-* Update the end-to-end gRPC tests:
-   * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175)
-   * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331))
+* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml).
+  * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)).
+  * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one.
+* If your issuer is not for a CI provider, you need to follow the next steps:
+  * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
+  * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
+  * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
+  * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
+* These next steps are required only for non-ci issuers, as it is already tested for generically. Although, you are welcome to add tests for your provider if you want to.
+  * Update the end-to-end gRPC tests:
+    * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175)
+    * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331))
 
 See [this example](https://github.com/sigstore/fulcio/pull/890), although it is out of date as you'll now need to create an issuer type.