1
0
Fork 0

Merge pull request #1796 from actions/bdehamer/attest-issuer

derive default OIDC issuer from current tenant
pull/1797/head
Brian DeHamer 2024-08-16 12:21:00 -07:00 committed by GitHub
commit 7cc96bb976
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 41 additions and 23 deletions

View File

@ -3,6 +3,7 @@
### 1.4.0 ### 1.4.0
- Add new `headers` parameter to the `attest` and `attestProvenance` functions. - Add new `headers` parameter to the `attest` and `attestProvenance` functions.
- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context.
### 1.3.1 ### 1.3.1

View File

@ -9,7 +9,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
"workflow": { "workflow": {
"path": ".github/workflows/main.yml", "path": ".github/workflows/main.yml",
"ref": "main", "ref": "main",
"repository": "https://github.com/owner/repo", "repository": "https://foo.ghe.com/owner/repo",
}, },
}, },
"internalParameters": { "internalParameters": {
@ -25,16 +25,16 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
"digest": { "digest": {
"gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b", "gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
}, },
"uri": "git+https://github.com/owner/repo@refs/heads/main", "uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main",
}, },
], ],
}, },
"runDetails": { "runDetails": {
"builder": { "builder": {
"id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main", "id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main",
}, },
"metadata": { "metadata": {
"invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt", "invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
}, },
}, },
}, },

View File

@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
describe('provenance functions', () => { describe('provenance functions', () => {
const originalEnv = process.env const originalEnv = process.env
const issuer = 'https://example.com' const issuer = 'https://token.actions.foo.ghe.com'
const audience = 'nobody' const audience = 'nobody'
const jwksPath = '/.well-known/jwks.json' const jwksPath = '/.well-known/jwks.json'
const tokenPath = '/token' const tokenPath = '/token'
@ -38,7 +38,7 @@ describe('provenance functions', () => {
...originalEnv, ...originalEnv,
ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`, ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token', ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
GITHUB_SERVER_URL: 'https://github.com', GITHUB_SERVER_URL: 'https://foo.ghe.com',
GITHUB_REPOSITORY: claims.repository GITHUB_REPOSITORY: claims.repository
} }
@ -68,7 +68,7 @@ describe('provenance functions', () => {
describe('buildSLSAProvenancePredicate', () => { describe('buildSLSAProvenancePredicate', () => {
it('returns a provenance hydrated from an OIDC token', async () => { it('returns a provenance hydrated from an OIDC token', async () => {
const predicate = await buildSLSAProvenancePredicate(issuer) const predicate = await buildSLSAProvenancePredicate()
expect(predicate).toMatchSnapshot() expect(predicate).toMatchSnapshot()
}) })
}) })
@ -96,9 +96,9 @@ describe('provenance functions', () => {
}) })
describe('when using the github Sigstore instance', () => { describe('when using the github Sigstore instance', () => {
beforeEach(async () => {
const {fulcioURL, tsaServerURL} = signingEndpoints('github') const {fulcioURL, tsaServerURL} = signingEndpoints('github')
beforeEach(async () => {
// Mock Sigstore // Mock Sigstore
await mockFulcio({baseURL: fulcioURL, strict: false}) await mockFulcio({baseURL: fulcioURL, strict: false})
await mockTSA({baseURL: tsaServerURL}) await mockTSA({baseURL: tsaServerURL})
@ -118,8 +118,7 @@ describe('provenance functions', () => {
subjectName, subjectName,
subjectDigest, subjectDigest,
token: 'token', token: 'token',
sigstore: 'github', sigstore: 'github'
issuer
}) })
expect(attestation).toBeDefined() expect(attestation).toBeDefined()
@ -146,8 +145,7 @@ describe('provenance functions', () => {
const attestation = await attestProvenance({ const attestation = await attestProvenance({
subjectName, subjectName,
subjectDigest, subjectDigest,
token: 'token', token: 'token'
issuer
}) })
expect(attestation).toBeDefined() expect(attestation).toBeDefined()
@ -183,8 +181,7 @@ describe('provenance functions', () => {
subjectName, subjectName,
subjectDigest, subjectDigest,
token: 'token', token: 'token',
sigstore: 'public-good', sigstore: 'public-good'
issuer
}) })
expect(attestation).toBeDefined() expect(attestation).toBeDefined()
@ -211,8 +208,7 @@ describe('provenance functions', () => {
const attestation = await attestProvenance({ const attestation = await attestProvenance({
subjectName, subjectName,
subjectDigest, subjectDigest,
token: 'token', token: 'token'
issuer
}) })
expect(attestation).toBeDefined() expect(attestation).toBeDefined()
@ -238,8 +234,7 @@ describe('provenance functions', () => {
subjectDigest, subjectDigest,
token: 'token', token: 'token',
sigstore: 'public-good', sigstore: 'public-good',
skipWrite: true, skipWrite: true
issuer
}) })
expect(attestation).toBeDefined() expect(attestation).toBeDefined()

View File

@ -4,6 +4,11 @@ import * as jose from 'jose'
const OIDC_AUDIENCE = 'nobody' const OIDC_AUDIENCE = 'nobody'
const VALID_SERVER_URLS = [
'https://github.com',
new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
] as const
const REQUIRED_CLAIMS = [ const REQUIRED_CLAIMS = [
'iss', 'iss',
'ref', 'ref',
@ -25,7 +30,8 @@ type OIDCConfig = {
jwks_uri: string jwks_uri: string
} }
export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => { export const getIDTokenClaims = async (issuer?: string): Promise<ClaimSet> => {
issuer = issuer || getIssuer()
try { try {
const token = await getIDToken(OIDC_AUDIENCE) const token = await getIDToken(OIDC_AUDIENCE)
const claims = await decodeOIDCToken(token, issuer) const claims = await decodeOIDCToken(token, issuer)
@ -82,3 +88,21 @@ function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet {
throw new Error(`Missing claims: ${missingClaims.join(', ')}`) throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
} }
} }
// Derive the current OIDC issuer based on the server URL
function getIssuer(): string {
const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
// Ensure the server URL is a valid GitHub server URL
if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
throw new Error(`Invalid server URL: ${serverURL}`)
}
let host = new URL(serverURL).hostname
if (host === 'github.com') {
host = 'githubusercontent.com'
}
return `https://token.actions.${host}`
}

View File

@ -5,8 +5,6 @@ import type {Attestation, Predicate} from './shared.types'
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1' const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1' const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
export type AttestProvenanceOptions = Omit< export type AttestProvenanceOptions = Omit<
AttestOptions, AttestOptions,
'predicate' | 'predicateType' 'predicate' | 'predicateType'
@ -24,7 +22,7 @@ export type AttestProvenanceOptions = Omit<
* @returns The SLSA provenance predicate. * @returns The SLSA provenance predicate.
*/ */
export const buildSLSAProvenancePredicate = async ( export const buildSLSAProvenancePredicate = async (
issuer: string = DEFAULT_ISSUER issuer?: string
): Promise<Predicate> => { ): Promise<Predicate> => {
const serverURL = process.env.GITHUB_SERVER_URL const serverURL = process.env.GITHUB_SERVER_URL
const claims = await getIDTokenClaims(issuer) const claims = await getIDTokenClaims(issuer)