actions
/
toolkit
mirror of https://github.com/actions/toolkit
1
0
Fork 0
Code

remove hard-coded issuer from JWT verification 

Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer/attest-issuer-fix
Brian DeHamer 2024-08-08 15:10:57 -07:00
parent f003268b32
commit a7e08af9b5
No known key found for this signature in database
4 changed files with 31 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
packages/attest/__tests__/oidc.test.ts
View File

@ -4,7 +4,7 @@ import {getIDTokenClaims} from '../src/oidc'
describe('getIDTokenClaims', () => { describe('getIDTokenClaims', () => {
const originalEnv = process.env const originalEnv = process.env
const issuer = 'https://example.com' const issuer = 'https://token.actions.example.ghe.com'
const audience = 'nobody' const audience = 'nobody'
const requestToken = 'token' const requestToken = 'token'
const openidConfigPath = '/.well-known/openid-configuration' const openidConfigPath = '/.well-known/openid-configuration'
@ -63,7 +63,7 @@ describe('getIDTokenClaims', () => {
}) })
it('returns the ID token claims', async () => { it('returns the ID token claims', async () => {
const result = await getIDTokenClaims(issuer) const result = await getIDTokenClaims()
expect(result).toEqual(claims) expect(result).toEqual(claims)
}) })
}) })
@ -83,7 +83,7 @@ describe('getIDTokenClaims', () => {
}) })
it('throws an error', async () => { it('throws an error', async () => {
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing claims/i) await expect(getIDTokenClaims()).rejects.toThrow(/missing claims/i)
}) })
}) })
@ -99,7 +99,7 @@ describe('getIDTokenClaims', () => {
}) })
it('throws an error', async () => { it('throws an error', async () => {
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "iss"/) await expect(getIDTokenClaims()).rejects.toThrow(/issuer mismatch/i)
}) })
}) })
@ -115,7 +115,7 @@ describe('getIDTokenClaims', () => {
}) })
it('throw an error', async () => { it('throw an error', async () => {
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "aud"/) await expect(getIDTokenClaims()).rejects.toThrow(/verification failed/i)
}) })
}) })
@ -140,9 +140,7 @@ describe('getIDTokenClaims', () => {
}) })
it('throws an error', async () => { it('throws an error', async () => {
await expect(getIDTokenClaims(issuer)).rejects.toThrow( await expect(getIDTokenClaims()).rejects.toThrow(/failed to get id/i)
/failed to get id/i
)
}) })
}) })
}) })

2
packages/attest/__tests__/provenance.test.ts
View File

@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
describe('provenance functions', () => { describe('provenance functions', () => {
const originalEnv = process.env const originalEnv = process.env
const issuer = 'https://example.com' const issuer = 'https://token.actions.githubusercontent.com'
const audience = 'nobody' const audience = 'nobody'
const jwksPath = '/.well-known/jwks.json' const jwksPath = '/.well-known/jwks.json'
const tokenPath = '/token' const tokenPath = '/token'

32
packages/attest/src/oidc.ts
View File

@ -2,6 +2,11 @@ import {getIDToken} from '@actions/core'
import {HttpClient} from '@actions/http-client' import {HttpClient} from '@actions/http-client'
import * as jose from 'jose' import * as jose from 'jose'
const VALID_ISSUERS = [
'https://token.actions.githubusercontent.com',
new RegExp('^https://token\\.actions\\.[a-z0-9-]+\\.ghe\\.com$')
] as const
const OIDC_AUDIENCE = 'nobody' const OIDC_AUDIENCE = 'nobody'
const REQUIRED_CLAIMS = [ const REQUIRED_CLAIMS = [
@ -25,10 +30,10 @@ type OIDCConfig = {
jwks_uri: string jwks_uri: string
} }
export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => { export const getIDTokenClaims = async (): Promise<ClaimSet> => {
try { try {
const token = await getIDToken(OIDC_AUDIENCE) const token = await getIDToken(OIDC_AUDIENCE)
const claims = await decodeOIDCToken(token, issuer) const claims = await decodeOIDCToken(token)
assertClaimSet(claims) assertClaimSet(claims)
return claims return claims
} catch (error) { } catch (error) {
@ -36,15 +41,24 @@ export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
} }
} }
const decodeOIDCToken = async ( const decodeOIDCToken = async (token: string): Promise<jose.JWTPayload> => {
token: string, // Decode is an unsafe operation (no signature verification) but we're
issuer: string // verifying the signature below after retrieving the issuer.
): Promise<jose.JWTPayload> => { const {iss} = jose.decodeJwt(token)
if (!iss) {
throw new Error('No issuer found')
}
// Issuer must match at least one of the valid issuers
if (!VALID_ISSUERS.some(allowed => iss.match(allowed))) {
throw new Error('Issuer mismatch')
}
// Verify and decode token // Verify and decode token
const jwks = jose.createLocalJWKSet(await getJWKS(issuer)) const jwks = jose.createLocalJWKSet(await getJWKS(iss))
const {payload} = await jose.jwtVerify(token, jwks, { const {payload} = await jose.jwtVerify(token, jwks, {
audience: OIDC_AUDIENCE, audience: OIDC_AUDIENCE
issuer
}) })
return payload return payload

2
packages/attest/src/provenance.ts
View File

@ -27,7 +27,7 @@ export const buildSLSAProvenancePredicate = async (
issuer: string = DEFAULT_ISSUER issuer: string = DEFAULT_ISSUER
): Promise<Predicate> => { ): Promise<Predicate> => {
const serverURL = process.env.GITHUB_SERVER_URL const serverURL = process.env.GITHUB_SERVER_URL
const claims = await getIDTokenClaims(issuer) const claims = await getIDTokenClaims()
// Split just the path and ref from the workflow string. // Split just the path and ref from the workflow string.
// owner/repo/.github/workflows/main.yml@main => // owner/repo/.github/workflows/main.yml@main =>