Skip to content

Commit

Permalink
Validation of OIDC claims via JSON schema validator
Browse files Browse the repository at this point in the history
Related: actions/runner#2417 (comment)
Signed-off-by: John Andersen <[email protected]>
  • Loading branch information
pdxjohnny committed Sep 13, 2023
1 parent 7bd5668 commit 1faa262
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 2 deletions.
30 changes: 29 additions & 1 deletion .github/workflows/notarize.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,11 +66,38 @@ jobs:
- name: Submit claim
env:
OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
WORKFLOW_REF: '${{ github.workflow_ref }}'
# Use of job_workflow_sha blocked by
# https://github.com/actions/runner/issues/2417#issuecomment-1718369460
JOB_WORKFLOW_SHA: '${{ github.sha }}'
run: |
# Create the middleware config file
cat > oidc-middleware-config.json <<EOF
tee oidc-middleware-config.json <<EOF
{
"issuers": ["https://token.actions.githubusercontent.com"],
"claim_schema": {
"https://token.actions.githubusercontent.com": {
"\$schema": "https://json-schema.org/draft/2020-12/schema",
"required": [
"job_workflow_ref",
"job_workflow_sha"
],
"properties": {
"job_workflow_ref": {
"type": "string",
"enum": [
"${WORKFLOW_REF}"
]
},
"job_workflow_sha": {
"type": "string",
"enum": [
"${JOB_WORKFLOW_SHA}"
]
}
}
}
},
"audience": "${SCITT_URL}"
}
EOF
Expand All @@ -79,6 +106,7 @@ jobs:
scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
--middleware scitt_emulator.oidc:OIDCAuthMiddleware \
--middleware-config-path oidc-middleware-config.json &
sleep 1s
fi
# Submit the claim using OIDC token as auth
scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor
5 changes: 4 additions & 1 deletion scitt_emulator/oidc.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
import jwt
import json
import jwcrypto.jwk
import jsonschema
from flask import jsonify
from werkzeug.wrappers import Request
from scitt_emulator.client import HttpClient
Expand All @@ -27,7 +28,9 @@ def __init__(self, app, config_path):

def __call__(self, environ, start_response):
request = Request(environ)
self.validate_token(request.headers["Authorization"].replace("Bearer ", ""))
claims = self.validate_token(request.headers["Authorization"].replace("Bearer ", ""))
if "claim_schema" in self.config and claims["iss"] in self.config["claim_schema"]:
jsonschema.validate(claims, schema=self.config["claim_schema"][claims["iss"]])
return self.app(environ, start_response)

def validate_token(self, token):
Expand Down
1 change: 1 addition & 0 deletions setup.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
"oidc": [
"PyJWT",
"jwcrypto",
"jsonschema",
]
},
)

0 comments on commit 1faa262

Please sign in to comment.