

Revert "CiProvider as a new OIDCIssuer type (#1679)" (#1727)
This reverts commit 66485b6.
haydentherapper authored Jul 10, 2024
1 parent d16be8d commit f11344b
Showing 11 changed files with 22 additions and 1,041 deletions.
38 changes: 19 additions & 19 deletions pkg/certificate/extensions.go
Expand Up @@ -69,69 +69,69 @@ type Extensions struct {
// Deprecated
// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
// tokens from Github Actions
GithubWorkflowTrigger string `json:"GithubWorkflowTrigger,omitempty" yaml:"github-workflow-trigger,omitempty"` // OID 1.3.6.1.4.1.57264.1.2
GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2

// Deprecated
// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
// tokens from Github Actions
GithubWorkflowSHA string `json:"GithubWorkflowSHA,omitempty" yaml:"github-workflow-sha,omitempty"` // OID 1.3.6.1.4.1.57264.1.3
GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3

// Deprecated
// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
// tokens from Github Actions
GithubWorkflowName string `json:"GithubWorkflowName,omitempty" yaml:"github-workflow-name,omitempty"` // OID 1.3.6.1.4.1.57264.1.4
GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4

// Deprecated
// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
// tokens from Github Actions
GithubWorkflowRepository string `json:"GithubWorkflowRepository,omitempty" yaml:"github-workflow-repository,omitempty"` // OID 1.3.6.1.4.1.57264.1.5
GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5

// Deprecated
// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
// from Github Actions
GithubWorkflowRef string `json:"GithubWorkflowRef,omitempty" yaml:"github-workflow-ref,omitempty"` // 1.3.6.1.4.1.57264.1.6
GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6

// Reference to specific build instructions that are responsible for signing.
BuildSignerURI string `json:"BuildSignerURI,omitempty" yaml:"build-signer-uri,omitempty"` // 1.3.6.1.4.1.57264.1.9
BuildSignerURI string // 1.3.6.1.4.1.57264.1.9

// Immutable reference to the specific version of the build instructions that is responsible for signing.
BuildSignerDigest string `json:"BuildSignerDigest,omitempty" yaml:"build-signer-digest,omitempty"` // 1.3.6.1.4.1.57264.1.10
BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10

// Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
RunnerEnvironment string `json:"RunnerEnvironment,omitempty" yaml:"runner-environment,omitempty"` // 1.3.6.1.4.1.57264.1.11
RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11

// Source repository URL that the build was based on.
SourceRepositoryURI string `json:"SourceRepositoryURI,omitempty" yaml:"source-repository-uri,omitempty"` // 1.3.6.1.4.1.57264.1.12
SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12

// Immutable reference to a specific version of the source code that the build was based upon.
SourceRepositoryDigest string `json:"SourceRepositoryDigest,omitempty" yaml:"source-repository-digest,omitempty"` // 1.3.6.1.4.1.57264.1.13
SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13

// Source Repository Ref that the build run was based upon.
SourceRepositoryRef string `json:"SourceRepositoryRef,omitempty" yaml:"source-repository-ref,omitempty"` // 1.3.6.1.4.1.57264.1.14
SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14

// Immutable identifier for the source repository the workflow was based upon.
SourceRepositoryIdentifier string `json:"SourceRepositoryIdentifier,omitempty" yaml:"source-repository-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.15
SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15

// Source repository owner URL of the owner of the source repository that the build was based on.
SourceRepositoryOwnerURI string `json:"SourceRepositoryOwnerURI,omitempty" yaml:"source-repository-owner-uri,omitempty"` // 1.3.6.1.4.1.57264.1.16
SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16

// Immutable identifier for the owner of the source repository that the workflow was based upon.
SourceRepositoryOwnerIdentifier string `json:"SourceRepositoryOwnerIdentifier,omitempty" yaml:"source-repository-owner-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.17
SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17

// Build Config URL to the top-level/initiating build instructions.
BuildConfigURI string `json:"BuildConfigURI,omitempty" yaml:"build-config-uri,omitempty"` // 1.3.6.1.4.1.57264.1.18
BuildConfigURI string // 1.3.6.1.4.1.57264.1.18

// Immutable reference to the specific version of the top-level/initiating build instructions.
BuildConfigDigest string `json:"BuildConfigDigest,omitempty" yaml:"build-config-digest,omitempty"` // 1.3.6.1.4.1.57264.1.19
BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19

// Event or action that initiated the build.
BuildTrigger string `json:"BuildTrigger,omitempty" yaml:"build-trigger,omitempty"` // 1.3.6.1.4.1.57264.1.20
BuildTrigger string // 1.3.6.1.4.1.57264.1.20

// Run Invocation URL to uniquely identify the build execution.
RunInvocationURI string `json:"RunInvocationURI,omitempty" yaml:"run-invocation-uri,omitempty"` // 1.3.6.1.4.1.57264.1.21
RunInvocationURI string // 1.3.6.1.4.1.57264.1.21

// Source repository visibility at the time of signing the certificate.
SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22
SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22
}

func (e Extensions) Render() ([]pkix.Extension, error) {
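Review bot: The `// Deprecated` markers above the GithubWorkflow* fields (the context lines at the top of this hunk) are not in the `// Deprecated: ...` form that staticcheck and pkg.go.dev recognize, so code that still populates those OIDs gets no warning from tooling. Each marker should name its replacement, e.g. `// Deprecated: use BuildTrigger (OID 1.3.6.1.4.1.57264.1.20) instead.` for GithubWorkflowTrigger, whose description matches BuildTrigger's "Event or action that initiated the build"; the replacement for the other four should be confirmed against the OID documentation rather than guessed from field names. The Extensions struct begins above this hunk and its Render method continues below it.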
3 changes: 0 additions & 3 deletions pkg/challenges/challenges.go
Expand Up @@ -27,7 +27,6 @@ import (
"github.com/sigstore/fulcio/pkg/config"
"github.com/sigstore/fulcio/pkg/identity"
"github.com/sigstore/fulcio/pkg/identity/buildkite"
"github.com/sigstore/fulcio/pkg/identity/ciprovider"
"github.com/sigstore/fulcio/pkg/identity/email"
"github.com/sigstore/fulcio/pkg/identity/github"
"github.com/sigstore/fulcio/pkg/identity/gitlabcom"
Expand Down Expand Up @@ -76,8 +75,6 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
principal, err = uri.PrincipalFromIDToken(ctx, tok)
case config.IssuerTypeUsername:
principal, err = username.PrincipalFromIDToken(ctx, tok)
case config.IssuerTypeCIProvider:
principal, err = ciprovider.WorkflowPrincipalFromIDToken(ctx, tok)
default:
return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
}
58 changes: 1 addition & 57 deletions pkg/config/config.go
Expand Up @@ -21,7 +21,6 @@ import (
"encoding/json"
"errors"
"fmt"
"html/template"
"net/http"
"net/url"
"os"
Expand All @@ -32,7 +31,6 @@ import (

"github.com/coreos/go-oidc/v3/oidc"
lru "github.com/hashicorp/golang-lru"
"github.com/sigstore/fulcio/pkg/certificate"
fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
"github.com/sigstore/fulcio/pkg/log"
"github.com/spiffe/go-spiffe/v2/spiffeid"
Expand Down Expand Up @@ -62,33 +60,12 @@ type FulcioConfig struct {
// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"`

// It defines metadata to be used for the CIProvider identity provider principal.
// The CI provider has a generic logic for ci providers, this metadata is used
// to define the right behavior for each ci provider that is defined
// on the configuration file
CIIssuerMetadata map[string]IssuerMetadata `json:"CIIssuerMetadata,omitempty" yaml:"ci-issuer-metadata,omitempty"`

// verifiers is a fixed mapping from our OIDCIssuers to their OIDC verifiers.
verifiers map[string][]*verifierWithConfig
// lru is an LRU cache of recently used verifiers for our meta issuers.
lru *lru.TwoQueueCache
}

type IssuerMetadata struct {
// Defaults contains key-value pairs that can be used for filling the templates from ExtensionTemplates
// If a key cannot be found on the token claims, the template will use the defaults
DefaultTemplateValues map[string]string `json:"DefaultTemplateValues,omitempty" yaml:"default-template-values,omitempty"`
// ExtensionTemplates contains a mapping between certificate extension and token claim
// Provide either strings following https://pkg.go.dev/text/template syntax,
// e.g "{{ .url }}/{{ .repository }}"
// or non-templated strings with token claim keys to be replaced,
// e.g "job_workflow_sha"
ExtensionTemplates certificate.Extensions `json:"ExtensionTemplates,omitempty" yaml:"extension-templates,omitempty"`
// Template for the Subject Alternative Name extension
// It's typically the same value as Build Signer URI
SubjectAlternativeNameTemplate string `json:"SubjectAlternativeNameTemplate,omitempty" yaml:"subject-alternative-name-template,omitempty"`
}

type OIDCIssuer struct {
// The expected issuer of an OIDC token
IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`
Expand All @@ -97,8 +74,6 @@ type OIDCIssuer struct {
// Used to determine the subject of the certificate and if additional
// certificate values are needed
Type IssuerType `json:"Type" yaml:"type,omitempty"`
// CIProvider is an optional configuration to map token claims to extensions for CI workflows
CIProvider string `json:"CIProvider,omitempty" yaml:"ci-provider,omitempty"`
// Optional, if the issuer is in a different claim in the OIDC token
IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
// The domain that must be present in the subject for 'uri' issuer types
Expand Down Expand Up @@ -309,7 +284,6 @@ const (
IssuerTypeSpiffe = "spiffe"
IssuerTypeURI = "uri"
IssuerTypeUsername = "username"
IssuerTypeCIProvider = "ci-provider"
)

func parseConfig(b []byte) (cfg *FulcioConfig, err error) {
Expand Down Expand Up @@ -417,7 +391,7 @@ func validateConfig(conf *FulcioConfig) error {
}
}

return validateCIIssuerMetadata(conf)
return nil
}

var DefaultConfig = &FulcioConfig{
Expand Down Expand Up @@ -458,34 +432,6 @@ func FromContext(ctx context.Context) *FulcioConfig {
return untyped.(*FulcioConfig)
}

// It checks that the templates defined are parseable
// We should check it during the service bootstrap to avoid errors further
func validateCIIssuerMetadata(fulcioConfig *FulcioConfig) error {

checkParse := func(temp string) error {
t := template.New("").Option("missingkey=error")
_, err := t.Parse(temp)
return err
}

for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata {
v := reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates)
for i := 0; i < v.NumField(); i++ {
s := v.Field(i).String()
err := checkParse(s)
if err != nil {
return err
}
}

err := checkParse(ciIssuerMetadata.SubjectAlternativeNameTemplate)
if err != nil {
return err
}
}
return nil
}

// Load a config from disk, or use defaults
func Load(configPath string) (*FulcioConfig, error) {
if _, err := os.Stat(configPath); os.IsNotExist(err) {
Expand Down Expand Up @@ -570,8 +516,6 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
return "email"
case IssuerTypeGithubWorkflow:
return "sub"
case IssuerTypeCIProvider:
return "sub"
case IssuerTypeCodefreshWorkflow:
return "sub"
case IssuerTypeChainguard:
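Review bot: With validateConfig now ending in a plain `return nil`, nothing visible in this section rejects an issuer entry that still carries the reverted `ci-provider` Type or the dropped `CIIssuerMetadata`/`CIProvider` keys; the challenges.go hunk in this commit only fails such an issuer at token-exchange time with `unsupported issuer`, so an operator who deployed the reverted feature would learn of the stale configuration on the first signing request rather than at startup. The start of validateConfig and the decoder setup in parseConfig are outside this hunk, so it may already check each OIDCIssuer.Type against the IssuerType constants and may or may not reject unknown keys; if it does not, a startup check that every configured Type is one of the constants in the `const` block above would surface the problem early. A brief comment on the IssuerType block noting that `ci-provider` is no longer accepted would also help anyone reading logs from a config that predates the revert.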
56 changes: 0 additions & 56 deletions pkg/config/config_network_test.go
Expand Up @@ -25,7 +25,6 @@ import (

"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/sigstore/fulcio/pkg/certificate"
)

func TestLoad(t *testing.T) {
Expand Down Expand Up @@ -69,61 +68,6 @@ func TestLoad(t *testing.T) {
}
}

func TestParseTemplate(t *testing.T) {

validTemplate := "{{.foobar}}"
invalidTemplate := "{{.foobar}"
ciissuerMetadata := make(map[string]IssuerMetadata)
ciissuerMetadata["github"] = IssuerMetadata{
ExtensionTemplates: certificate.Extensions{
BuildTrigger: invalidTemplate,
},
}
fulcioConfig := &FulcioConfig{
CIIssuerMetadata: ciissuerMetadata,
}
// BuildTrigger as a invalid template should raise an error
err := validateCIIssuerMetadata(fulcioConfig)
if err == nil {
t.Error("invalid template should raise an error")
}
ciissuerMetadata["github"] = IssuerMetadata{
ExtensionTemplates: certificate.Extensions{
BuildTrigger: validTemplate,
},
}
fulcioConfig = &FulcioConfig{
CIIssuerMetadata: ciissuerMetadata,
}
// BuildTrigger as a valid template shouldn't raise an error
err = validateCIIssuerMetadata(fulcioConfig)
if err != nil {
t.Error("valid template shouldn't raise an error, error: %w", err)
}
ciissuerMetadata["github"] = IssuerMetadata{
SubjectAlternativeNameTemplate: invalidTemplate,
}
fulcioConfig = &FulcioConfig{
CIIssuerMetadata: ciissuerMetadata,
}
// A SAN as a invalid template should raise an error
err = validateCIIssuerMetadata(fulcioConfig)
if err == nil {
t.Error("invalid SAN should raise an error")
}
ciissuerMetadata["github"] = IssuerMetadata{
SubjectAlternativeNameTemplate: invalidTemplate,
}
fulcioConfig = &FulcioConfig{
CIIssuerMetadata: ciissuerMetadata,
}
// A SAN as a valid template should raise an error
err = validateCIIssuerMetadata(fulcioConfig)
if err == nil {
t.Error("valid SAN shouldn't raise an error")
}
}

func TestLoadDefaults(t *testing.T) {
td := t.TempDir()

3 changes: 0 additions & 3 deletions pkg/config/config_test.go
Expand Up @@ -492,9 +492,6 @@ func Test_issuerToChallengeClaim(t *testing.T) {
if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
}
if claim := issuerToChallengeClaim(IssuerTypeCIProvider, ""); claim != "sub" {
t.Fatalf("expected sub subject claim for CI issuer, got %s", claim)
}
if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
}
39 changes: 0 additions & 39 deletions pkg/identity/ciprovider/issuer.go

This file was deleted.


