mirror of https://github.com/actions/toolkit
derive default OIDC issuer from current tenant
Signed-off-by: Brian DeHamer <bdehamer@github.com>pull/1796/head
parent
279e891118
commit
fa6cc53297
|
@ -3,6 +3,7 @@
|
||||||
### 1.4.0
|
### 1.4.0
|
||||||
|
|
||||||
- Add new `headers` parameter to the `attest` and `attestProvenance` functions.
|
- Add new `headers` parameter to the `attest` and `attestProvenance` functions.
|
||||||
|
- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context.
|
||||||
|
|
||||||
### 1.3.1
|
### 1.3.1
|
||||||
|
|
||||||
|
|
|
@ -9,7 +9,7 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
|
||||||
"workflow": {
|
"workflow": {
|
||||||
"path": ".github/workflows/main.yml",
|
"path": ".github/workflows/main.yml",
|
||||||
"ref": "main",
|
"ref": "main",
|
||||||
"repository": "https://github.com/owner/repo",
|
"repository": "https://foo.ghe.com/owner/repo",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
"internalParameters": {
|
"internalParameters": {
|
||||||
|
@ -25,16 +25,16 @@ exports[`provenance functions buildSLSAProvenancePredicate returns a provenance
|
||||||
"digest": {
|
"digest": {
|
||||||
"gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
|
"gitCommit": "babca52ab0c93ae16539e5923cb0d7403b9a093b",
|
||||||
},
|
},
|
||||||
"uri": "git+https://github.com/owner/repo@refs/heads/main",
|
"uri": "git+https://foo.ghe.com/owner/repo@refs/heads/main",
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
"runDetails": {
|
"runDetails": {
|
||||||
"builder": {
|
"builder": {
|
||||||
"id": "https://github.com/owner/workflows/.github/workflows/publish.yml@main",
|
"id": "https://foo.ghe.com/owner/workflows/.github/workflows/publish.yml@main",
|
||||||
},
|
},
|
||||||
"metadata": {
|
"metadata": {
|
||||||
"invocationId": "https://github.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
|
"invocationId": "https://foo.ghe.com/owner/repo/actions/runs/run-id/attempts/run-attempt",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
|
@ -8,7 +8,7 @@ import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
|
||||||
|
|
||||||
describe('provenance functions', () => {
|
describe('provenance functions', () => {
|
||||||
const originalEnv = process.env
|
const originalEnv = process.env
|
||||||
const issuer = 'https://example.com'
|
const issuer = 'https://token.actions.foo.ghe.com'
|
||||||
const audience = 'nobody'
|
const audience = 'nobody'
|
||||||
const jwksPath = '/.well-known/jwks.json'
|
const jwksPath = '/.well-known/jwks.json'
|
||||||
const tokenPath = '/token'
|
const tokenPath = '/token'
|
||||||
|
@ -38,7 +38,7 @@ describe('provenance functions', () => {
|
||||||
...originalEnv,
|
...originalEnv,
|
||||||
ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
|
ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
|
||||||
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
|
ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
|
||||||
GITHUB_SERVER_URL: 'https://github.com',
|
GITHUB_SERVER_URL: 'https://foo.ghe.com',
|
||||||
GITHUB_REPOSITORY: claims.repository
|
GITHUB_REPOSITORY: claims.repository
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -68,7 +68,7 @@ describe('provenance functions', () => {
|
||||||
|
|
||||||
describe('buildSLSAProvenancePredicate', () => {
|
describe('buildSLSAProvenancePredicate', () => {
|
||||||
it('returns a provenance hydrated from an OIDC token', async () => {
|
it('returns a provenance hydrated from an OIDC token', async () => {
|
||||||
const predicate = await buildSLSAProvenancePredicate(issuer)
|
const predicate = await buildSLSAProvenancePredicate()
|
||||||
expect(predicate).toMatchSnapshot()
|
expect(predicate).toMatchSnapshot()
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
@ -96,9 +96,9 @@ describe('provenance functions', () => {
|
||||||
})
|
})
|
||||||
|
|
||||||
describe('when using the github Sigstore instance', () => {
|
describe('when using the github Sigstore instance', () => {
|
||||||
|
beforeEach(async () => {
|
||||||
const {fulcioURL, tsaServerURL} = signingEndpoints('github')
|
const {fulcioURL, tsaServerURL} = signingEndpoints('github')
|
||||||
|
|
||||||
beforeEach(async () => {
|
|
||||||
// Mock Sigstore
|
// Mock Sigstore
|
||||||
await mockFulcio({baseURL: fulcioURL, strict: false})
|
await mockFulcio({baseURL: fulcioURL, strict: false})
|
||||||
await mockTSA({baseURL: tsaServerURL})
|
await mockTSA({baseURL: tsaServerURL})
|
||||||
|
@ -118,8 +118,7 @@ describe('provenance functions', () => {
|
||||||
subjectName,
|
subjectName,
|
||||||
subjectDigest,
|
subjectDigest,
|
||||||
token: 'token',
|
token: 'token',
|
||||||
sigstore: 'github',
|
sigstore: 'github'
|
||||||
issuer
|
|
||||||
})
|
})
|
||||||
|
|
||||||
expect(attestation).toBeDefined()
|
expect(attestation).toBeDefined()
|
||||||
|
@ -146,8 +145,7 @@ describe('provenance functions', () => {
|
||||||
const attestation = await attestProvenance({
|
const attestation = await attestProvenance({
|
||||||
subjectName,
|
subjectName,
|
||||||
subjectDigest,
|
subjectDigest,
|
||||||
token: 'token',
|
token: 'token'
|
||||||
issuer
|
|
||||||
})
|
})
|
||||||
|
|
||||||
expect(attestation).toBeDefined()
|
expect(attestation).toBeDefined()
|
||||||
|
@ -183,8 +181,7 @@ describe('provenance functions', () => {
|
||||||
subjectName,
|
subjectName,
|
||||||
subjectDigest,
|
subjectDigest,
|
||||||
token: 'token',
|
token: 'token',
|
||||||
sigstore: 'public-good',
|
sigstore: 'public-good'
|
||||||
issuer
|
|
||||||
})
|
})
|
||||||
|
|
||||||
expect(attestation).toBeDefined()
|
expect(attestation).toBeDefined()
|
||||||
|
@ -211,8 +208,7 @@ describe('provenance functions', () => {
|
||||||
const attestation = await attestProvenance({
|
const attestation = await attestProvenance({
|
||||||
subjectName,
|
subjectName,
|
||||||
subjectDigest,
|
subjectDigest,
|
||||||
token: 'token',
|
token: 'token'
|
||||||
issuer
|
|
||||||
})
|
})
|
||||||
|
|
||||||
expect(attestation).toBeDefined()
|
expect(attestation).toBeDefined()
|
||||||
|
@ -238,8 +234,7 @@ describe('provenance functions', () => {
|
||||||
subjectDigest,
|
subjectDigest,
|
||||||
token: 'token',
|
token: 'token',
|
||||||
sigstore: 'public-good',
|
sigstore: 'public-good',
|
||||||
skipWrite: true,
|
skipWrite: true
|
||||||
issuer
|
|
||||||
})
|
})
|
||||||
|
|
||||||
expect(attestation).toBeDefined()
|
expect(attestation).toBeDefined()
|
||||||
|
|
|
@ -4,6 +4,11 @@ import * as jose from 'jose'
|
||||||
|
|
||||||
const OIDC_AUDIENCE = 'nobody'
|
const OIDC_AUDIENCE = 'nobody'
|
||||||
|
|
||||||
|
const VALID_SERVER_URLS = [
|
||||||
|
'https://github.com',
|
||||||
|
new RegExp('^https://[a-z0-9-]+\\.ghe\\.com$')
|
||||||
|
] as const
|
||||||
|
|
||||||
const REQUIRED_CLAIMS = [
|
const REQUIRED_CLAIMS = [
|
||||||
'iss',
|
'iss',
|
||||||
'ref',
|
'ref',
|
||||||
|
@ -25,7 +30,8 @@ type OIDCConfig = {
|
||||||
jwks_uri: string
|
jwks_uri: string
|
||||||
}
|
}
|
||||||
|
|
||||||
export const getIDTokenClaims = async (issuer: string): Promise<ClaimSet> => {
|
export const getIDTokenClaims = async (issuer?: string): Promise<ClaimSet> => {
|
||||||
|
issuer = issuer || getIssuer()
|
||||||
try {
|
try {
|
||||||
const token = await getIDToken(OIDC_AUDIENCE)
|
const token = await getIDToken(OIDC_AUDIENCE)
|
||||||
const claims = await decodeOIDCToken(token, issuer)
|
const claims = await decodeOIDCToken(token, issuer)
|
||||||
|
@ -82,3 +88,21 @@ function assertClaimSet(claims: jose.JWTPayload): asserts claims is ClaimSet {
|
||||||
throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
|
throw new Error(`Missing claims: ${missingClaims.join(', ')}`)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Derive the current OIDC issuer based on the server URL
|
||||||
|
function getIssuer(): string {
|
||||||
|
const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'
|
||||||
|
|
||||||
|
// Ensure the server URL is a valid GitHub server URL
|
||||||
|
if (!VALID_SERVER_URLS.some(valid_url => serverURL.match(valid_url))) {
|
||||||
|
throw new Error(`Invalid server URL: ${serverURL}`)
|
||||||
|
}
|
||||||
|
|
||||||
|
let host = new URL(serverURL).hostname
|
||||||
|
|
||||||
|
if (host === 'github.com') {
|
||||||
|
host = 'githubusercontent.com'
|
||||||
|
}
|
||||||
|
|
||||||
|
return `https://token.actions.${host}`
|
||||||
|
}
|
||||||
|
|
|
@ -5,8 +5,6 @@ import type {Attestation, Predicate} from './shared.types'
|
||||||
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
|
const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'
|
||||||
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
|
const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'
|
||||||
|
|
||||||
const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'
|
|
||||||
|
|
||||||
export type AttestProvenanceOptions = Omit<
|
export type AttestProvenanceOptions = Omit<
|
||||||
AttestOptions,
|
AttestOptions,
|
||||||
'predicate' | 'predicateType'
|
'predicate' | 'predicateType'
|
||||||
|
@ -24,7 +22,7 @@ export type AttestProvenanceOptions = Omit<
|
||||||
* @returns The SLSA provenance predicate.
|
* @returns The SLSA provenance predicate.
|
||||||
*/
|
*/
|
||||||
export const buildSLSAProvenancePredicate = async (
|
export const buildSLSAProvenancePredicate = async (
|
||||||
issuer: string = DEFAULT_ISSUER
|
issuer?: string
|
||||||
): Promise<Predicate> => {
|
): Promise<Predicate> => {
|
||||||
const serverURL = process.env.GITHUB_SERVER_URL
|
const serverURL = process.env.GITHUB_SERVER_URL
|
||||||
const claims = await getIDTokenClaims(issuer)
|
const claims = await getIDTokenClaims(issuer)
|
||||||
|
|
Loading…
Reference in New Issue