mirror of https://github.com/actions/toolkit
remove hard-coded issuer from JWT verification
Signed-off-by: Brian DeHamer <bdehamer@github.com>bdehamer/attest-issuer-fix
Brian DeHamer
parent
f003268b32
commit
a7e08af9b5
|
|
@ -4,7 +4,7 @@ import {getIDTokenClaims} from '../src/oidc'
|
|||
|
||||
describe('getIDTokenClaims', () => {
|
||||
const originalEnv = process.env
|
||||
const issuer = 'https://example.com'
|
||||
const issuer = 'https://token.actions.example.ghe.com'
|
||||
const audience = 'nobody'
|
||||
const requestToken = 'token'
|
||||
const openidConfigPath = '/.well-known/openid-configuration'
|
||||
|
|
@ -63,7 +63,7 @@ describe('getIDTokenClaims', () => {
|
|||
})
|
||||
|
||||
it('returns the ID token claims', async () => {
|
||||
const result = await getIDTokenClaims(issuer)
|
||||
const result = await getIDTokenClaims()
|
||||
expect(result).toEqual(claims)
|
||||
})
|
||||
})
|
||||
|
|
@ -83,7 +83,7 @@ describe('getIDTokenClaims', () => {
|
|||
})
|
||||
|
||||
it('throws an error', async () => {
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing claims/i)
|
||||
await expect(getIDTokenClaims()).rejects.toThrow(/missing claims/i)
|
||||
})
|
||||
})
|
||||
|
||||
|
|
@ -99,7 +99,7 @@ describe('getIDTokenClaims', () => {
|
|||
})
|
||||
|
||||
it('throws an error', async () => {
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "iss"/)
|
||||
await expect(getIDTokenClaims()).rejects.toThrow(/issuer mismatch/i)
|
||||
})
|
||||
})
|
||||
|
||||
|
|
@ -115,7 +115,7 @@ describe('getIDTokenClaims', () => {
|
|||
})
|
||||
|
||||
it('throw an error', async () => {
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "aud"/)
|
||||
await expect(getIDTokenClaims()).rejects.toThrow(/verification failed/i)
|
||||
})
|
||||
})
|
||||
|
||||
|
|
@ -140,9 +140,7 @@ describe('getIDTokenClaims', () => {
|
|||
})
|
||||
|
||||
it('throws an error', async () => {
|
||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(
|
||||
/failed to get id/i
|
||||
)
|
||||
await expect(getIDTokenClaims()).rejects.toThrow(/failed to get id/i)
|
||||
})
|
||||
})
|
||||
})
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
|
|||
|
||||
describe('provenance functions', () => {
|
||||
const originalEnv = process.env
|
||||
const issuer = 'https://example.com'
|
||||
const issuer = 'https://token.actions.githubusercontent.com'
|
||||
const audience = 'nobody'
|
||||
const jwksPath = '/.well-known/jwks.json'
|
||||
const tokenPath = '/token'
|
||||
|
|
|
|||
|
|
@ -2,6 +2,11 @@ import {getIDToken} from '@actions/core'
|
|||
import {HttpClient} from '@actions/http-client'
|
||||
import * as jose from 'jose'
|
||||
|
||||
const VALID_ISSUERS = [
|
||||
'https://token.actions.githubusercontent.com',
|
||||
new RegExp('^https://token\\.actions\\.[a-z0-9-]+\\.ghe\\.com$')
|
||||
] as const
|
||||
|
||||
const OIDC_AUDIENCE = 'nobody'
|
||||
|
||||
const REQUIRED_CLAIMS = [
|
||||
|
|
@ -25,10 +30,10 @@ type OIDCConfig = {
|
|||
jwks_uri: string
|
||||
}
|
||||
|
||||
export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
|
||||
export const getIDTokenClaims = async (): Promise<ClaimSet> => {
|
||||
try {
|
||||
const token = await getIDToken(OIDC_AUDIENCE)
|
||||
const claims = await decodeOIDCToken(token, issuer)
|
||||
const claims = await decodeOIDCToken(token)
|
||||
assertClaimSet(claims)
|
||||
return claims
|
||||
} catch (error) {
|
||||
|
|
@ -36,15 +41,24 @@ export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
|
|||
}
|
||||
}
|
||||
|
||||
const decodeOIDCToken = async (
|
||||
token: string,
|
||||
issuer: string
|
||||
): Promise<jose.JWTPayload> => {
|
||||
const decodeOIDCToken = async (token: string): Promise<jose.JWTPayload> => {
|
||||
// Decode is an unsafe operation (no signature verification) but we're
|
||||
// verifying the signature below after retrieving the issuer.
|
||||
const {iss} = jose.decodeJwt(token)
|
||||
|
||||
if (!iss) {
|
||||
throw new Error('No issuer found')
|
||||
}
|
||||
|
||||
// Issuer must match at least one of the valid issuers
|
||||
if (!VALID_ISSUERS.some(allowed => iss.match(allowed))) {
|
||||
throw new Error('Issuer mismatch')
|
||||
}
|
||||
|
||||
// Verify and decode token
|
||||
const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
|
||||
const jwks = jose.createLocalJWKSet(await getJWKS(iss))
|
||||
const {payload} = await jose.jwtVerify(token, jwks, {
|
||||
audience: OIDC_AUDIENCE,
|
||||
issuer
|
||||
audience: OIDC_AUDIENCE
|
||||
})
|
||||
|
||||
return payload
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ export const buildSLSAProvenancePredicate = async (
|
|||
issuer: string = DEFAULT_ISSUER
|
||||
): Promise<Predicate> => {
|
||||
const serverURL = process.env.GITHUB_SERVER_URL
|
||||
const claims = await getIDTokenClaims(issuer)
|
||||
const claims = await getIDTokenClaims()
|
||||
|
||||
// Split just the path and ref from the workflow string.
|
||||
// owner/repo/.github/workflows/main.yml@main =>
|
||||
|
|
|
|||
Loading…
Reference in New Issue