Support Buildkite job principals

This is a super basic principal which doesn't include any extensions yet, while waiting for what the common set of CI extensions might be. Signed-off-by: Samuel Cochran <sj26@sj26.com>
sigstore · Nov 17, 2022 · 09ad89f · 09ad89f
1 parent 0e41194
commit 09ad89f
Show file tree

Hide file tree

Showing 4 changed files with 375 additions and 0 deletions.
diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go
@@ -26,6 +26,7 @@ import (
 
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/identity"
+	"github.com/sigstore/fulcio/pkg/identity/buildkite"
 	"github.com/sigstore/fulcio/pkg/identity/email"
 	"github.com/sigstore/fulcio/pkg/identity/github"
 	"github.com/sigstore/fulcio/pkg/identity/kubernetes"
@@ -57,6 +58,8 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 	var principal identity.Principal
 	var err error
 	switch iss.Type {
+	case config.IssuerTypeBuildkiteJob:
+		principal, err = buildkite.JobPrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeEmail:
 		principal, err = email.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeSpiffe:

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -208,6 +208,7 @@ func (fc *FulcioConfig) prepare() error {
 type IssuerType string
 
 const (
+	IssuerTypeBuildkiteJob   = "buildkite-job"
 	IssuerTypeEmail          = "email"
 	IssuerTypeGithubWorkflow = "github-workflow"
 	IssuerTypeKubernetes     = "kubernetes"
@@ -459,6 +460,8 @@ func validateAllowedDomain(subjectHostname, issuerHostname string) error {
 
 func issuerToChallengeClaim(issType IssuerType) string {
 	switch issType {
+	case IssuerTypeBuildkiteJob:
+		return "sub"
 	case IssuerTypeEmail:
 		return "email"
 	case IssuerTypeGithubWorkflow:

diff --git a/pkg/identity/buildkite/principal.go b/pkg/identity/buildkite/principal.go
@@ -0,0 +1,98 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package buildkite
+
+import (
+	"context"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"net/url"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/sigstore/fulcio/pkg/certificate"
+	"github.com/sigstore/fulcio/pkg/identity"
+)
+
+type jobPrincipal struct {
+	// Subject matches the 'sub' claim from the OIDC ID token this is what is
+	// signed as proof of possession for Buildkite job identities
+	subject string
+
+	// OIDC Issuer URL. Matches 'iss' claim from ID token. The real issuer URL is
+	// https://agent.buildkite.com/.well-known/openid-configution
+	issuer string
+
+	// The full URL to the job. This will be the set as SubjectAlternativeName URI in
+	// the final certificate.
+	url string
+}
+
+func JobPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Principal, error) {
+	var claims struct {
+		OrganizationSlug string `json:"organization_slug"`
+		PipelineSlug     string `json:"pipeline_slug"`
+		BuildNumber      int    `json:"build_number"`
+		JobID            string `json:"job_id"`
+	}
+	if err := token.Claims(&claims); err != nil {
+		return nil, err
+	}
+
+	if claims.OrganizationSlug == "" {
+		return nil, errors.New("missing organization_slug claim in ID token")
+	}
+
+	if claims.PipelineSlug == "" {
+		return nil, errors.New("missing pipeline_slug claim in ID token")
+	}
+
+	if claims.BuildNumber == 0 {
+		return nil, errors.New("missing build_number claim in ID token")
+	}
+
+	if claims.JobID == "" {
+		return nil, errors.New("missing job_id claim in ID token")
+	}
+
+	return &jobPrincipal{
+		subject: token.Subject,
+		issuer:  token.Issuer,
+		url:     fmt.Sprintf("https://buildkite.com/%s/%s/builds/%d#%s", claims.OrganizationSlug, claims.PipelineSlug, claims.BuildNumber, claims.JobID),
+	}, nil
+}
+
+func (p jobPrincipal) Name(ctx context.Context) string {
+	return p.subject
+}
+
+func (p jobPrincipal) Embed(ctx context.Context, cert *x509.Certificate) error {
+	// Set job URL to SubjectAlternativeName on certificate
+	parsed, err := url.Parse(p.url)
+	if err != nil {
+		return err
+	}
+	cert.URIs = []*url.URL{parsed}
+
+	// Embed additional information into custom extensions
+	cert.ExtraExtensions, err = certificate.Extensions{
+		Issuer: p.issuer,
+	}.Render()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}