Validation of OIDC claims via JSON schema validator

Related: actions/runner#2417 (comment) Signed-off-by: John Andersen <[email protected]>
johnandersen777 · Sep 13, 2023 · 9640aa5 · 9640aa5
1 parent 7bd5668
commit 9640aa5
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/.github/workflows/notarize.yml b/.github/workflows/notarize.yml
@@ -66,11 +66,38 @@ jobs:
       - name: Submit claim
         env:
           OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
+          WORKFLOW_REF: '${{ github.workflow_ref }}'
+          # Use of job_workflow_sha blocked by
+          # https://github.com/actions/runner/issues/2417#issuecomment-1718369460
+          JOB_WORKFLOW_SHA: '${{ github.sha }}'
         run: |
           # Create the middleware config file
-          cat > oidc-middleware-config.json <<EOF
+          tee oidc-middleware-config.json <<EOF
           {
               "issuers": ["https://token.actions.githubusercontent.com"],
+              "claim_schema": {
+                  "https://token.actions.githubusercontent.com": {
+                        "\$schema": "https://json-schema.org/draft/2020-12/schema",
+                        "required": [
+                            "job_workflow_ref",
+                            "job_workflow_sha"
+                        ],
+                        "properties": {
+                            "job_workflow_ref": {
+                                "type": "string",
+                                "enum": [
+                                    "${WORKFLOW_REF}"
+                                ]
+                            },
+                            "job_workflow_sha": {
+                                "type": "string",
+                                "enum": [
+                                    "${JOB_WORKFLOW_SHA}"
+                                ]
+                            }
+                        }
+                    }
+              },
               "audience": "${SCITT_URL}"
           }
           EOF
@@ -79,6 +106,7 @@ jobs:
             scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
               --middleware scitt_emulator.oidc:OIDCAuthMiddleware \
               --middleware-config-path oidc-middleware-config.json &
+            sleep 1s
           fi
           # Submit the claim using OIDC token as auth
           scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor
diff --git a/scitt_emulator/oidc.py b/scitt_emulator/oidc.py
@@ -3,6 +3,7 @@
 import jwt
 import json
 import jwcrypto.jwk
+import jsonschema
 from flask import jsonify
 from werkzeug.wrappers import Request
 from scitt_emulator.client import HttpClient
@@ -27,7 +28,9 @@ def __init__(self, app, config_path):
 
     def __call__(self, environ, start_response):
         request = Request(environ)
-        self.validate_token(request.headers["Authorization"].replace("Bearer ", ""))
+        claims = self.validate_token(request.headers["Authorization"].replace("Bearer ", ""))
+        if "claim_schema" in self.config and claims["iss"] in self.config["claim_schema"]:
+            jsonschema.validate(claims, schema=self.config["claim_schema"][claims["iss"]])
         return self.app(environ, start_response)
 
     def validate_token(self, token):

diff --git a/setup.py b/setup.py
@@ -25,6 +25,7 @@
         "oidc": [
             "PyJWT",
             "jwcrypto",
+            "jsonschema",
         ]
     },
 )