Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure additional certificate extensions for Buildkite #1903

Merged
merged 2 commits into from
Jan 16, 2025

Conversation

yob
Copy link
Contributor

@yob yob commented Jan 2, 2025

Summary

The Buildkite Issuer was added in #890, prior to the efforts to standardise certificate extensions for CI providers, and #1074 calls for the Buildkite issuer to be updated to use the new extensions (where applicable).

This is an early attempt to make those changes. I initially started these in #1307, however this is a new swing at it using the new CIProvider issuer (see #1729 and #1743).

I've added the extensions that make the most sense in a Buildkite context, like RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the other extensions don't apply because we're not a code host as well, or need further discussion.

I have tested this locally with a Buildkite agent and OIDC token, and the certificate was issued as expected. I started a local fulcio like this:

$ go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/identity/config.yaml

... and signed git commits with gitsign. The relevant bits of the certificates look like:

    git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
    ...
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
            Code Signing
        X509v3 Subject Key Identifier:
            36:D2:99:B9:BA:98:4B:3A:77:51:DC:08:05:83:12:9A:F4:EE:41:E5
        X509v3 Authority Key Identifier:
            D2:41:21:29:23:AD:E9:27:69:6F:DB:85:6D:1B:3F:7E:A9:55:F3:02
        X509v3 Subject Alternative Name: critical
            URI:https://buildkite.com/yob-opensource/oidc-signing-experiment
        1.3.6.1.4.1.57264.1.1:
            https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.8:
            ..https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.11:
            ..self-hosted
        1.3.6.1.4.1.57264.1.13:
            .(078a6dd4a32fa40592c21a40aedaf27105503140
        1.3.6.1.4.1.57264.1.20:
            ..ui
        1.3.6.1.4.1.57264.1.21:
            .khttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/52#01943a38-f93e-4355-abe8-90a30369c270

Fixes #1074

cc @sj26

Release Note

None.

Documentation

None

config/identity/config.yaml Outdated Show resolved Hide resolved
config/identity/config.yaml Outdated Show resolved Hide resolved
@yob
Copy link
Contributor Author

yob commented Jan 2, 2025

@haydentherapper @feelepxyz I've had another swing at this. It's not mergable yet, but I'd value your feedback!

A specific question I had while working on this: if Buildkite identity is now managed by the CIProvider type, can we rip out the Buildkite specific issuer - either in this PR or in a follow up? Or is it needed for backwards compatibility?

Also: would you like this PR to update the table in docs/oid-info.md ?

Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No additional tests are necessary if this is working locally! We'll roll this out to our staging environment first, fulcio.sigstage.dev, for you to test against.

config/identity/config.yaml Show resolved Hide resolved
@haydentherapper
Copy link
Contributor

A specific question I had while working on this: if Buildkite identity is now managed by the CIProvider type, can we rip out the Buildkite specific issuer - either in this PR or in a follow up? Or is it needed for backwards compatibility?

The Buildkite specific issuer should no longer be necessary. I was planning to remove all specific CI issuers as part of a 2.x release, waiting for backwards compatibility just in case someone has deployed a local instance.

Also: would you like this PR to update the table in docs/oid-info.md ?

Yes please! Thank you.

@yob
Copy link
Contributor Author

yob commented Jan 4, 2025

Brilliant, thanks! I'll look at getting those two new claims into our tokens this coming week, then update this and mark it ready for review

Copy link

codecov bot commented Jan 5, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.25%. Comparing base (cf238ac) to head (d5e7817).
Report is 275 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1903      +/-   ##
==========================================
- Coverage   57.93%   49.25%   -8.69%     
==========================================
  Files          50       70      +20     
  Lines        3119     5214    +2095     
==========================================
+ Hits         1807     2568     +761     
- Misses       1154     2413    +1259     
- Partials      158      233      +75     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@yob yob force-pushed the buildkite-extensions-config branch 2 times, most recently from c73a062 to c317ac0 Compare January 6, 2025 06:17
@yob
Copy link
Contributor Author

yob commented Jan 6, 2025

@haydentherapper this is now as functional enough to be mergable from our perspective. The new extensions are working in my local testing (see updated PR description), and I've fixed the URL construction to handle the integer build_number claim.

I assume you might want a test for the changes in mapValuesToString()? I'm also a bit weirded out that our integer build_number is a float64 by the time it reaches mapValuesToString(). Maybe the real fix is to make that function just use %v with no reflection, and find a way to get the claim value passed around as the integer it is?

https://buildkite.com/docs/agent/v3/cli-oidc#claims-example-token-contents as an example token with our claims (not runner_environment or build_source yet), and you can see build_number is an int.

@haydentherapper
Copy link
Contributor

haydentherapper commented Jan 8, 2025

@yob I looked into this, the root cause is how the JSON unmarshaller works. token.Claims is just a wrapper around json.Unmarshal. https://pkg.go.dev/encoding/json#Unmarshal notes that JSON numbers are unmarshalled to floats. You can initialize a json.Decoder with UseNumber() which will instead map JSON numbers to strings, but since the raw claims byte[] is not public, you can't use your own JSON decoder object.

The solution you have here seems sufficient. A small test would be great.

@haydentherapper
Copy link
Contributor

Oh, I also wanted to pass along a link for being added to PyPI's list of accepted trusted publishers -
https://docs.pypi.org/trusted-publishers/internals/#how-do-i-become-a-trusted-publishing-provider

Once this PR is in and rolled out, it should be straightforward to get Buildkite added to PyPI.

@yob
Copy link
Contributor Author

yob commented Jan 8, 2025

neat, thanks! I've started chatting to the rubygems folks about their trusted publisher support too: rubygems/rubygems.org#5377

@yob yob force-pushed the buildkite-extensions-config branch from c317ac0 to e22971d Compare January 9, 2025 02:14
@yob
Copy link
Contributor Author

yob commented Jan 9, 2025

The solution you have here seems sufficient. A small test would be great.

@haydentherapper done!

I ended up tweaking the float->string logic a little, so floats with a fractional part don't get truncated into an int. That's not required for Buildkite tokens (we have no claims with a float value), but it felt like the least surprising behaviour to leave for future travelers.

I was tempted to adjust TestWorkflowPrincipalFromIDToken to have tables with standard GHA and Buildkite tokens as input, and verify the correct extensions come out - to ignore the implementation of the package a bit. That would've required more surgery (the existing GHA flavoured test is not setup to easily work with other providers) so ended up testing the getTokenClaims function, which felt like a nice place to test the conversion of various token shapes to string claims.

Maybe we could consider the TestWorkflowPrincipalFromIDToken changes in a follow up test-only PR if you're interested?

yob added 2 commits January 9, 2025 15:06
The default behaviour of %v is fine in most cases:

>  bool:                    %t
>  int, int8 etc.:          %d
>  uint, uint8 etc.:        %d, %#x if printed with %#v
>  float32, complex64, etc: %g
>  string:                  %s
>  chan:                    %p
>  pointer:                 %p

However Buildkite's build_number claim is an int in the JSON, but comes
through as a Float64 and we need to render it into a string value as a
regular int.

Claim values that are floats with a fractional part will also be
converted to a string, but their fractional part will be retained. This
isn't required for Buildkite OIDC tokens, but feels like the
least-surprising behaviour for future travelers.

Signed-off-by: James Healy <james@buildkite.com>
The Buildkite Issuer was added in sigstore#890, prior to the efforts to standardise
certificate extensions for CI providers, and sigstore#1074 calls for the Buildkite
issuer to be updated to use the new extensions (where applicable).

This is an early attempt to make those changes. I initially started these in sigstore#1307,
however is is a new swing at it using the new CIProvider issuer (see sigstore#1729 and sigstore#1743).

I've added the extensions that make the most sense in a Buildkite context, like
RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the
other extensions don't apply because we're not a code host as well, or need
further discussion.

I have not added tests yet. This is my first contribution to fulcio and I'm
keen to confirm I'm heading in the right direction before adding tests.
However, I have tested this locally with a Buildkite agent and OIDC token, and
the certificate was issued as expected.

I started a local fulcio like this:

    $ go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/identity/config.yaml

... and signed git commits with gitsign. The relevant bits of the
certificates look like:

    git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
    ...
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
            Code Signing
        X509v3 Subject Key Identifier:
            36:D2:99:B9:BA:98:4B:3A:77:51:DC:08:05:83:12:9A:F4:EE:41:E5
        X509v3 Authority Key Identifier:
            D2:41:21:29:23:AD:E9:27:69:6F:DB:85:6D:1B:3F:7E:A9:55:F3:02
        X509v3 Subject Alternative Name: critical
            URI:https://buildkite.com/yob-opensource/oidc-signing-experiment
        1.3.6.1.4.1.57264.1.1:
            https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.8:
            ..https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.11:
            ..self-hosted
        1.3.6.1.4.1.57264.1.13:
            .(078a6dd4a32fa40592c21a40aedaf27105503140
        1.3.6.1.4.1.57264.1.20:
            ..ui
        1.3.6.1.4.1.57264.1.21:
            .khttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/52#01943a38-f93e-4355-abe8-90a30369c270

Signed-off-by: James Healy <james@buildkite.com>
@yob yob force-pushed the buildkite-extensions-config branch from e22971d to d5e7817 Compare January 9, 2025 04:06
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay, this is great! Thanks for the contribution!

Following up on TestWorkflowPrincipalFromIDToken SGTM.

@haydentherapper haydentherapper merged commit f7655ce into sigstore:main Jan 16, 2025
13 checks passed
@yob
Copy link
Contributor Author

yob commented Jan 16, 2025

@haydentherapper great timing, I was just thinking this morning about following this PR up 😁

I've just flipped the feature flag that will add the new runner_environment and build_source claims to all our tokens. Let me know if I can help with testing in staging!

@haydentherapper
Copy link
Contributor

Just getting a few other PRs merged, then I'll cut a release and ping you here once it's in staging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Update Buildkite issuer to include new extensions
2 participants