Add URI OIDC type to support URI subjects #455
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
haydentherapper
force-pushed
the
oidc-uri
branch
from
d876a44
to
efd4de7
Compare
Implementing the first part of sigstore#398, which adds support for subjects in OIDC tokens that are URIs. The implementation is very similar to SPIFFE-based tokens. Tokens must conform to the following: * The issuer of the token must partially match the domain in the configuration. This means that the scheme, top level domain, and second level domain must match. It is also expected that we validate that the requester who adds the configuration for the issuer has control over both the issuer and domain configuration fields (ACME). * The domain of the configuration and hostname of the subject of the token must match exactly. Slightly reworked the API test to test this issuer type. I'll follow up in a later PR with some more refactoring around this class, I think we can exercise the codepaths for all issuers. Signed-off-by: Hayden Blauzvern <[email protected]>
haydentherapper
force-pushed
the
oidc-uri
branch
from
efd4de7
to
fc39b28
Compare
Codecov Report
@@ Coverage Diff @@
## main #455 +/- ##
=======================================
Coverage ? 46.58%
=======================================
Files ? 14
Lines ? 1024
Branches ? 0
=======================================
Hits ? 477
Misses ? 478
Partials ? 69 Continue to review full report at Codecov.
|
|
cc @znewman01 |
jchestershopify
approved these changes
Mar 8, 2022
Signed-off-by: Hayden Blauzvern <[email protected]>
|
Thanks for the comments @jchestershopify! |
haydentherapper
added a commit
to haydentherapper/fulcio
that referenced
this pull request
Mar 9, 2022
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
This was referenced Mar 9, 2022
dlorenc
approved these changes
Mar 11, 2022
znewman01
approved these changes
Mar 11, 2022
haydentherapper
added a commit
to haydentherapper/fulcio
that referenced
this pull request
Mar 14, 2022
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
haydentherapper
added a commit
to haydentherapper/fulcio
that referenced
this pull request
Mar 14, 2022
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
haydentherapper
added a commit
to haydentherapper/fulcio
that referenced
this pull request
Mar 14, 2022
This implements the second part of sigstore#398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like sigstore#455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]>
dlorenc
pushed a commit
that referenced
this pull request
Mar 18, 2022
* Add Username scoped to domain OIDC type This implements the second part of #398, adding support for OIDC subjects that are simply usernames. A configured domain will be appended to the username and included as a SAN email address. Like #455, token issuers must partially match the configured domain. The top level and second level domain must match, and it's expected that we validate ownership for what's configured in the issuer and domain fields. Signed-off-by: Hayden Blauzvern <[email protected]> * Refactor API tests This refactor adds tests for all supported OIDC types, and makes it simpler to add new tests for new OIDC types. * Add tests for K8s and GitHub OIDC types. * Add additional verification for issued certificate values * Add dedicated test for RootCert success, don't call RootCert in every test. * Move common expectations to function. This provides a single place to check response values. * Move common set up to dedicated functions. * Lowercase all error messages, because style. Signed-off-by: Hayden Blauzvern <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implementing the first part of #398, which adds support
for subjects in OIDC tokens that are URIs. The implementation
is very similar to SPIFFE-based tokens.
Tokens must conform to the following:
configuration. This means that the scheme, top level domain, and
second level domain must match. It is also expected that we validate
that the requester who adds the configuration for the issuer has
control over both the issuer and domain configuration fields (ACME).
token must match exactly.
Slightly reworked the API test to test this issuer type. I'll
follow up in a later PR with some more refactoring around this
class, I think we can exercise the codepaths for all issuers.
Also planning to write documentation on the supported issuers.
Signed-off-by: Hayden Blauzvern [email protected]
Summary
Ticket Link
Ref #398
Release Note