diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index 218e98e64..191bb81e6 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -17,6 +17,7 @@ define:
 - &gitlab-type "gitlab-pipeline"
 - &codefresh-type "codefresh-workflow"
 - &buildkite-type "buildkite-job"
+ - &circleci-type "circleci-job"
 oidc-issuers:
 https://accounts.google.com:
 issuer-url: https://accounts.google.com
@@ -262,3 +263,20 @@ ci-issuer-metadata:
 # build_source: Event that triggered this workflow run. (valid values: api, ui, webhook, trigger_job, schedule)
 build-trigger: "build_source"
 subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" # seems correct, do we still need the code in pkg/identity/buildkite/principal.go ?
+ *circleci-type:
+ default-template-values:
+ # principal gives priority to the claimed value over the default
+ api_url: "https://circleci.com/api/v2"
+ extension-templates:
+ # NOTE: Because of how the text/template parsing works with / and . characters,
+ # we use " inside our template fragments which is why we use ' to wrap
+
+ # this API call leads back to the exact generated config used for this run
+ build-config-uri: '{{.api_url}}/pipeline/{{(index . "oidc.circleci.com/pipeline-id")}}/config'
+ # this API call leads back to the definition of the pipeline used for this run
+ # https://circleci.com/api/v2/projects/{project_id}/pipeline-definitions/{pipeline_definition_id}
+ build-signer-uri: '{{.api_url}}/projects/{{(index . "oidc.circleci.com/project-id")}}/pipeline-definitions/{{(index . "oidc.circleci.com/pipeline-definition-id")}}'
+ runner-environment: '{{if eq (index . "oidc.circleci.com/ssh-rerun") "true"}}ssh-rerun{{ else }}""{{end}}'
+ source-repository-ref: '{{index . "oidc.circleci.com/vcs-ref"}}'
+ source-repository-uri: '{{index . "oidc.circleci.com/vcs-origin"}}'
+ subject-alternative-name-template: '{{.api_url}}/projects/{{(index . "oidc.circleci.com/project-id")}}/pipeline-definitions/{{(index . "oidc.circleci.com/pipeline-definition-id")}}'
diff --git a/docs/oid-info.md b/docs/oid-info.md
index e89d14cad..73ba42b2d 100644
--- a/docs/oid-info.md
+++ b/docs/oid-info.md
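Review bot: The else branch of the `runner-environment` template is literal text, so every job that is not an SSH rerun renders the two characters `""` into the Runner Environment extension instead of an empty value; unless the ciprovider principal strips that (not visible here), the line should read `runner-environment: '{{if eq (index . "oidc.circleci.com/ssh-rerun") "true"}}ssh-rerun{{end}}'`. Note also that text/template's `index` on a map returns the zero value rather than an error for an absent key, so a token without the `oidc.circleci.com/ssh-rerun` claim silently takes the non-rerun branch for a field the docs in this commit say must not be trusted when it reads `ssh-rerun`; if that is acceptable, a one-line comment saying so would help, otherwise a test should pin it. The docs table in this same commit lists `oidc.circleci.com/pipeline-id` as the CircleCI Run Invocation URI and spells the Build Signer URI path `/pipeline-definition/`, while this block defines no Run Invocation URI entry at all and uses `/pipeline-definitions/`, so one side needs correcting. Finally, the comment above `api_url` says a same-named claim overrides the default, and `api_url` is the prefix of the subject alternative name; that is only safe as long as the issuer never emits an `api_url` claim, which is worth stating explicitly next to the default, e.g. `# SAN and URI extensions are built from this prefix; a claim named api_url would replace it`.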
@@ -193,28 +193,29 @@ that Sigstore operates.
 ## Mapping OIDC token claims to Fulcio OIDs
-| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | Fulcio Certificate Extension | Why / Notes / Questions |
-| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| aud | aud | aud | aud | N/A | Only used to validate the JWT. |
-| iss | iss | iss | iss | Issuer | This already exists. For example: |
-| exp | exp | exp | exp | N/A | Only used to validate the JWT. |
-| nbf | nbf | nbf | nbf | N/A | Only used to validate the JWT. Optional, as per the OIDC spec |
-| iat | iat | iat | iat | N/A | Only used to validate the JWT. |
-| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. |
-| job_workflow_sha | ci_config_sha | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. |
-| runner_environment | runner_environment | runner_environment | runner_environment | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. |
-| server_url + repository | server_url + project_path | N/A | scm_repo_url | Source Repository URI | Should include a fully qualified repository URL. |
-| sha | sha | build_commit | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. |
-| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. |
-| repository_id | project_id | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. |
-| server_url + repository_owner | server_url + namespace_path | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. |
-| repository_owner_id | namespace_id | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. |
-| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | Build Config URI | A reference to the initiating build instructions. |
-| workflow_sha | ci_config_sha | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. |
-| event_name | pipeline_source | build_source | N/A | Build Trigger | The event or action that triggered the build. |
-| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | server_url + "/" organization_slug + "/" + pipeline_slug + "/builds/" + build_number + "#" + job_id | platform_url + "/build/" + workflow_id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution |
-| repository_visibility | project_visibility | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate |
-| environment | environment | N/A | N/A | Deployment Environment | Deployment target for a workflow or job |
+| GitHub [(docs)][github-oidc-doc] | GitLab [(docs)](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#token-payload) | Buildkite [(docs)](https://buildkite.com/docs/agent/v3/cli-oidc#claims) | Codefresh [(docs)](https://codefresh.io/docs/docs/integrations/oidc-pipelines/) | CircleCI [(docs)][circleci-oidc-doc] | Fulcio Certificate Extension | Why / Notes / Questions |
+| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| aud | aud | aud | aud | aud | N/A | Only used to validate the JWT. |
+| iss | iss | iss | iss | iss | Issuer | This already exists. For example: |
+| exp | exp | exp | exp | exp | N/A | Only used to validate the JWT. |
+| nbf | nbf | nbf | nbf | N/A | N/A | Only used to validate the JWT. Optional, as per the OIDC spec |
+| iat | iat | iat | iat | iat | N/A | Only used to validate the JWT. |
+| server_url + job_workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/build/" + workflow_id | api_url + "/projects/" + project-id + "/pipeline-definition/" + pipeline-definition-id | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. |
+| job_workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. May include the digest type followed by the digest, e.g. `sha1:abc123`. |
+| runner_environment | runner_environment | runner_environment | runner_environment | if "oidc.circleci.com/ssh-rerun" is true, this will have value of "ssh-rerun". Don't trust when runner_environment is "ssh-rerun". | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. |
+| server_url + repository | server_url + project_path | N/A | scm_repo_url | oidc.circleci.com/vcs-origin | Source Repository URI | Should include a fully qualified repository URL. |
+| sha | sha | build_commit | N/A | N/A | Source Repository Digest | An immutable reference to a specific version of the source code. May include the digest type followed by the digest, e.g. `sha1:abc123`. |
+| ref | "ref/heads/" + ref **OR** "ref/tags/" + ref | N/A | scm_ref | oidc.circleci.com/vcs-ref | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. |
+| repository_id | project_id | N/A | N/A | N/A | Source Repository Identifier | Stable identifier for the owner of the source repository. |
+| server_url + repository_owner | server_url + namespace_path | N/A | N/A | N/A | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. |
+| repository_owner_id | namespace_id | N/A | N/A | N/A | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. |
+| server_url + workflow_ref | "https://" + ci_config_ref_uri | N/A | platform_url + "/api/pipelines/" + pipeline_id | api_url + "/pipeline/" + pipeline-id + "/config" | Build Config URI | A reference to the initiating build instructions. |
+| workflow_sha | ci_config_sha | N/A | N/A | N/A | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. May include the digest type followed by the digest, e.g. `sha1:abc123`. |
+| event_name | pipeline_source | build_source | N/A | N/A | Build Trigger | The event or action that triggered the build. |
+| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | server_url + project_path + "/-/jobs/" + job_id | server_url + "/" organization_slug + "/" + pipeline_slug + "/builds/" + build_number + "#" + job_id | platform_url + "/build/" + workflow_id | oidc.circleci.com/pipeline-id | Run Invocation URI | An immutable identifier that can uniquely identify the build execution |
+| repository_visibility | project_visibility | N/A | N/A | N/A | Source Repository Visibility At Signing | Source repository visibility at the time of signing the certificate |
+| environment | environment | N/A | N/A | N/A | Deployment Environment | Deployment target for a workflow or job |
 [github-oidc-doc]: https://docs.github.com/en/actions/reference/security/oidc#oidc-token-claims
 [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264
+[circleci-oidc-doc]: https://circleci.com/docs/guides/permissions-authentication/openid-connect-tokens/
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index b01bb9817..348390492 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -338,6 +338,7 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "ref_tag": "1.0.0",
 "html_claim": "",
 "claim_foo": "bar",
+ "with.dot.and/slash": "cat",
 }
 issuerMetadata := map[string]string{
 "url": "https://github.com",
@@ -397,6 +398,11 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 ExpectedResult: "refs/tags/1.0.0",
 ExpectErr: false,
 },
+ `Template with slash and dots in key`: {
+ Template: `{{ .aud }}/{{(index . "with.dot.and/slash")}}`,
+ ExpectedResult: "sigstore/cat",
+ ExpectErr: false,
+ },
 `Raise error for empty key in comparison`: {
 Template: `{{if eq . ""}}foo{{else}}bar{{end}}`,
 ExpectedResult: "",
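Review bot: The new `Template with slash and dots in key` case only exercises `index` with a key that is present, yet the CircleCI templates added to config/identity/config.yaml in this commit use `index` for every claim they read, and text/template's `index` on a map returns the zero value rather than an error when the key is absent, so nothing in this table pins whether a token missing one of those claims yields an extension like `sigstore/` silently or is rejected. A sibling case such as `Template: `{{ .aud }}/{{(index . "not.present/key")}}`` with whichever `ExpectedResult`/`ExpectErr` pair the principal is meant to guarantee would document that contract next to the existing `Raise error for empty key in comparison` case. The enclosing table, and the `aud` fixture value that the expected `sigstore/cat` depends on, lie outside the hunk.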