Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add ambient credential detection with spiffe/spire #1220

Merged
merged 2 commits into from
Dec 20, 2021
Merged

feat: add ambient credential detection with spiffe/spire #1220

merged 2 commits into from
Dec 20, 2021

Conversation

developer-guy
Copy link
Member

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com

Summary

Support ambient credential detection with SPIFFE/SPIRE by looking at socket path and through SVID (Spiffe Verifiable Identity Document)

Ticket Link

Fixes #645

Release Note

feat: add ambient credential detection with spiffe/spire

@developer-guy
Copy link
Member Author

developer-guy commented Dec 15, 2021
edited
Loading

@dlorenc we got the following error:

$ COSIGN_EXPERIMENTAL=1 ./cosign sign devopps/nginx:latest
Generating ephemeral keys...
JWT: eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg
Retrieving signed certificate...
Error: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}
main.go:46: error during command execution: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}

$ jwt eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg
To verify on jwt.io:

https://jwt.io/#id_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg

✻ Header
{
  "alg": "ES256",
  "kid": "SxGAbucZkwmDY281qFKtTQcRhbXgtbY9",
  "typ": "JWT"
}

✻ Payload
{
  "aud": [
    "sigstore"
  ],
  "exp": 1639600125,
  "iat": 1639599825,
  "sub": "spiffe://example.org/myservice2"
}
   Issued At: 1639599825 12/15/2021, 11:23:45 PM
   Expiration Time: 1639600125 12/15/2021, 11:28:45 PM

✻ Signature wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg

I think the reason why we got this error above is that we do not have an iss information within the JWT, WDYT?

@developer-guy
Copy link
Member Author

kindly ping @colek42 @dlorenc @mattmoor

@colek42
Copy link

colek42 commented Dec 16, 2021

Are you saying SPIRE is not setting the ISS claim?
https://github.com/spiffe/spire/blob/04bee9741ac3b8c4b204e6367d0bd6146f78a8c7/pkg/common/jwtsvid/sign.go#L57

It seems like it should.

@colek42
Copy link

colek42 commented Dec 16, 2021

I'm wondering about the trust model. Instead of SPIRE->JWT->Fulcio->x.509->Sign Blob->Sig Store
we could use x.509 certs issued by SPIRE to sign the Blob.

@developer-guy
Copy link
Member Author

I followed up the demo: Quickstart for Linux and MacOS X, and couldn't find any iss field in the JWT, this is why I got the following error, right? are you saying that this PR would work in the right environment?

@colek42
Copy link

colek42 commented Dec 16, 2021

I'm not sure. It looks like it should get set based on the spire code. @evan2645

@dlorenc
Copy link
Member

dlorenc commented Dec 16, 2021 

$ COSIGN_EXPERIMENTAL=1 ./cosign sign devopps/nginx:latest
Generating ephemeral keys...
JWT: eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg
Retrieving signed certificate...
Error: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}
main.go:46: error during command execution: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}

This will only work if the SPIFFE domain used to grant the IDs is setup in the fulcio federation config. See here for an example: https://github.com/sigstore/fulcio/tree/main/federation/external/oidc.dlorenc.dev

@dlorenc
Copy link
Member

dlorenc commented Dec 16, 2021

I'm wondering about the trust model. Instead of SPIRE->JWT->Fulcio->x.509->Sign Blob->Sig Store we could use x.509 certs issued by SPIRE to sign the Blob.

This will work but the certs expire each day - so going over the fulcio path allows you to get a cert that's setup for timestamping/transparency logging.

@dlorenc
Copy link
Member

dlorenc commented Dec 17, 2021

Looks like a lint issue, overall seems correct but we'll need to figure out a testing story too probably at some point.

@evan2645
Copy link

Are you saying SPIRE is not setting the ISS claim?

The value of the issuer claim is configurable and set via jwt_issuer on the server.

It should be set to a URL that can be used to reach your OIDC discovery provider.

cpanato and others added 2 commits December 20, 2021 12:22
@cpanato @developer-guy
update build images for release and bump cosign in the release job (s…
264993e 
…igstore#1234)

Signed-off-by: Carlos Panato <ctadeu@gmail.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
@Dentrax @developer-guy
fix(spiffe): sock path
39d6cfe 
Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
@developer-guy
Copy link
Member Author

kindly ping @dlorenc, which URL should I use to test this? I saw the iss field filled once I set the jwt_issuer property to the server configuration. But I got an error something like you mentioned above:

$ COSIGN_EXPERIMENTAL=1 ./cosign sign devopps/nginx:latest
Generating ephemeral keys...
Retrieving signed certificate...
Error: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: fulcio.sigstore.dev"}
main.go:46: error during command execution: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: fulcio.sigstore.dev"}
$ bin/spire-agent api fetch jwt -audience sigstore
token(spiffe://example.org/myservice):    eyJhbGciOiJFUzI1NiIsImtpZCI6IkpWRkhsc2o5eUFvR2dVOGxzakJibTJpbks5NmpodExmIiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5OTk1MDE4LCJpYXQiOjE2Mzk5OTQ3MTgsImlzcyI6ImZ1bGNpby5zaWdzdG9yZS5kZXYiLCJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9teXNlcnZpY2UifQ.q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

$ jwt eyJhbGciOiJFUzI1NiIsImtpZCI6IkpWRkhsc2o5eUFvR2dVOGxzakJibTJpbks5NmpodExmIiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5OTk1MDE4LCJpYXQiOjE2Mzk5OTQ3MTgsImlzcyI6ImZ1bGNpby5zaWdzdG9yZS5kZXYiLCJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9teXNlcnZpY2UifQ.q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

To verify on jwt.io:

https://jwt.io/#id_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IkpWRkhsc2o5eUFvR2dVOGxzakJibTJpbks5NmpodExmIiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5OTk1MDE4LCJpYXQiOjE2Mzk5OTQ3MTgsImlzcyI6ImZ1bGNpby5zaWdzdG9yZS5kZXYiLCJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9teXNlcnZpY2UifQ.q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

✻ Header
{
  "alg": "ES256",
  "kid": "JVFHlsj9yAoGgU8lsjBbm2inK96jhtLf",
  "typ": "JWT"
}

✻ Payload
{
  "aud": [
    "sigstore"
  ],
  "exp": 1639995018,
  "iat": 1639994718,
  "iss": "fulcio.sigstore.dev", # here !
  "sub": "spiffe://example.org/myservice"
}
   Issued At: 1639994718 12/20/2021, 1:05:18 PM
   Expiration Time: 1639995018 12/20/2021, 1:10:18 PM

✻ Signature q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

@mattmoor
Copy link
Member

This LGTM. Not sure if @dlorenc has anything else?

@dlorenc dlorenc merged commit 6a4afef into sigstore:main Dec 20, 2021
@github-actions github-actions bot added this to the v1.5.0 milestone Dec 20, 2021
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jan 25, 2022
@bmwiedemann
Update cosign to version 1.5.0 / rev 2 via SR 949015
779bc4c 
https://build.opensuse.org/request/show/949015
by user msmeissn + dimstar_suse
- updated to 1.5.0
  ## Highlights
  * enable sbom generation when releasing (sigstore/cosign#1261)
  * feat: log error to stderr (sigstore/cosign#1260)
  * feat: support attach attestation (sigstore/cosign#1253)
  * feat: resolve --cert from URL (sigstore/cosign#1245)
  * feat: generate/upload sbom for cosign projects (sigstore/cosign#1237)
  * feat: vuln attest support (sigstore/cosign#1168)
  * feat: add ambient credential detection with spiffe/spire (sigstore/cosign#1220)
  * feat: generate/upload sbom for cosign projects (sigstore/cosign#1236)
  * feat: implement cosign download attestation (https
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattmoor mattmoor mattmoor approved these changes

@dekkagaijin dekkagaijin Awaiting requested review from dekkagaijin

@cpanato cpanato Awaiting requested review from cpanato

@dlorenc dlorenc Awaiting requested review from dlorenc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.5.0
Development

Successfully merging this pull request may close these issues.

Add SPIFFE/SPIRE Support for Ambient Credential Detection
7 participants
@developer-guy @colek42 @dlorenc @evan2645 @mattmoor @cpanato @Dentrax