SCITT OIDC Auth

by pdxjohnny 1 year ago

GNU/Linux ◆ xterm ◆ bash 406 views

SCITT OIDC Auth

References

Dependencies

Install the SCITT API Emulator with the oidc extra.

$ pip install -e .[oidc]

Usage example with GitHub Actions

Expose the server to the internet. localhost.run or ngrok are common options if you need to exposed a NAT’d machine.

$ ssh -nT -R 80:localhost:8080 nokey@localhost.run 2>/dev/null | grep --line-buffered 'tunneled with tls' | python -c 'import sys; print(sys.stdin.readline().split()[-1])' | tee public-url.txt &
$ export SCITT_URL=$(cat public-url.txt)

Create the middleware config file. Set config audience to the publicly accessible URL of the SCITT instance.

oidc-middleware-config.yaml

audience: $SCITT_URL
issuers:
- https://token.actions.githubusercontent.com
claim_schema:
  https://token.actions.githubusercontent.com:
    $schema: https://json-schema.org/draft/2020-12/schema
    properties:
      job_workflow_ref:
        enum:
        - ${WORKFLOW_REF}
        type: string
      job_workflow_sha:
        enum:
        - ${JOB_WORKFLOW_SHA}
        type: string
      repository_id:
        enum:
        - ${REPOSITORY_ID}
        type: string
      repository_owner_id:
        enum:
        - ${REPOSITORY_OWNER_ID}
        type: string
    required:
    - job_workflow_ref
    - job_workflow_sha
    - repository_owner_id
    - repository_id

Start the SCITT instance using the OIDCAuthMiddleware and associated config.

$ scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
    --middleware scitt_emulator.oidc:OIDCAuthMiddleware \
    --middleware-config-path oidc-middleware-config.json

Create GitHub Actions Workflow.

name: "SCITT Notary"

on:
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
  workflow_dispatch:
    inputs:
      scitt-url:
        description: 'URL of SCITT instance'
        type: string
      payload:
        description: 'Payload for claim'
        default: ''
        type: string
  workflow_call:
    inputs:
      scitt-url:
        description: 'URL of SCITT instance'
        type: string
      payload:
        description: 'Payload for claim'
        type: string

jobs:
  notarize:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    env:
      SCITT_URL: '${{ inputs.scitt-url || github.event.inputs.scitt-url }}'
      PAYLOAD: '${{ inputs.payload || github.event.inputs.payload }}'
    steps:
      - name: Set defaults if env vars not set (as happens with on.push trigger)
        run: |
          if [[ "x${SCITT_URL}" = "x" ]]; then
            echo "SCITT_URL=http://localhost:8080" >> "${GITHUB_ENV}"
          fi
          if [[ "x${PAYLOAD}" = "x" ]]; then
            echo 'PAYLOAD={"key": "value"}' >> "${GITHUB_ENV}"
          fi
      - uses: actions/checkout@v4
      - name: Set up Python 3.8
        uses: actions/setup-python@v4
        with:
          python-version: 3.8
      - name: Install SCITT API Emulator
        run: |
          pip install -U pip setuptools wheel
          pip install .[oidc]
      - name: Install github-script dependencies
        run: |
          npm install @actions/core
      - name: Get OIDC token to use as bearer token for auth to SCITT
        uses: actions/github-script@v6
        id: github-oidc
        with:
          script: |
            const {SCITT_URL} = process.env;
            core.setOutput('token', await core.getIDToken(SCITT_URL));
      - name: Create claim
        run: |
          scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload "${PAYLOAD}" --out claim.cose
      - name: Submit claim
        env:
          OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
          WORKFLOW_REF: '${{ github.workflow_ref }}'
          # Use of job_workflow_sha blocked by
          # https://github.com/actions/runner/issues/2417#issuecomment-1718369460
          JOB_WORKFLOW_SHA: '${{ github.sha }}'
          REPOSITORY_OWNER_ID: '${{ github.repository_owner_id }}'
          REPOSITORY_ID: '${{ github.repository_id }}'
        run: |
          # Create the middleware config file
          tee oidc-middleware-config.json <<EOF
          {
              "issuers": ["https://token.actions.githubusercontent.com"],
              "claim_schema": {
                  "https://token.actions.githubusercontent.com": {
                        "\$schema": "https://json-schema.org/draft/2020-12/schema",
                        "required": [
                            "job_workflow_ref",
                            "job_workflow_sha",
                            "repository_owner_id",
                            "repository_id"
                        ],
                        "properties": {
                            "job_workflow_ref": {
                                "type": "string",
                                "enum": [
                                    "${WORKFLOW_REF}"
                                ]
                            },
                            "job_workflow_sha": {
                                "type": "string",
                                "enum": [
                                    "${JOB_WORKFLOW_SHA}"
                                ]
                            },
                            "repository_owner_id": {
                                "type": "string",
                                "enum": [
                                    "${REPOSITORY_OWNER_ID}"
                                ]
                            },
                            "repository_id": {
                                "type": "string",
                                "enum": [
                                    "${REPOSITORY_ID}"
                                ]
                            }
                        }
                    }
              },
              "audience": "${SCITT_URL}"
          }
          EOF
          # Start SCITT using the `OIDCAuthMiddleware` and associated config.
          if [[ "x${SCITT_URL}" = "xhttp://localhost:8080" ]]; then
            scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
              --middleware scitt_emulator.oidc:OIDCAuthMiddleware \
              --middleware-config-path oidc-middleware-config.json &
            sleep 1s
          fi
          # Submit the claim using OIDC token as auth
          scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor

Dispatch GitHub Actions Workflow.

$ gh -R scitt-community/scitt-api-emulator workflow run notarize.yml -F scitt-url=$(cat public-url.txt)

Check SCITT instance logs

Leaf hash: 2c58c822a8344b9fa14d247987977eaa3719dbe02df74169d3893ed6365bb181
Root: 0d5ae584ce5c9aac751d6b6ad79e1d61fd7c51933c45b127409e6147abdab4e2
Receipt written to workspace/storage/2.receipt.cbor
Claim written to workspace/storage/2.cose
127.0.0.1 - - [12/Sep/2023 22:31:08] "POST /entries HTTP/1.1" 201 -
127.0.0.1 - - [12/Sep/2023 22:31:09] "GET /entries/2/receipt HTTP/1.1" 200 -

Basic GitHub Action Reusable Workflow OIDC validation support as used by slsa generator TS submission and others requires validating claims to do workload based identity where the workload is identified by job_workflow_ref, job_workflow_sha, repository_owner_id, and repository_id claims.

https://github.com/sigstore/fulcio/issues/305

audience: http://localhost:8080
issuers:
- https://token.actions.githubusercontent.com
claim_schema:
  https://token.actions.githubusercontent.com:
    required:
    - job_workflow_ref
    - job_workflow_sha
    - repository_owner_id
    - repository_id
    properties:
      job_workflow_ref:
        enum:
        - 'pdxjohnny/scitt-api-emulator/.github/workflows/notarize.yml@refs/heads/auth'
        type: string
      job_workflow_sha:
        enum:
        - '215777b7ea418f1e0bd54f39cc70467e1fb76b8e'
        type: string
      repository_id:
        enum:
        - '621131680'
        type: string
      repository_owner_id:
        enum:
        - '5950433'
        type: string

More by pdxjohnny

2024-08-31-13-40-1725133216s 00:26

by pdxjohnny 2 months ago

2023-10-16-18-46-1697507195s 24:30

by pdxjohnny 1 year ago

2023-10-15 @pdxjohnny Engineering Logs: Bovine ActivityPub Ramp Up #3 39:11

by pdxjohnny 1 year ago

2023-11-12-16-13-1699802019s 03:08

by pdxjohnny 1 year ago

See all

You can download this recording in asciicast v2 format, as a .cast file.

Download

Replay in terminal

You can replay the downloaded recording in your terminal using the asciinema play command:

asciinema play 607600.cast

If you don't have asciinema CLI installed then see installation instructions.

Use with stand-alone player on your website

Download asciinema player from the releases page (you only need .js and .css file), then use it like this:

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="asciinema-player.css" />
</head>
<body>
  <div id="player"></div>
  <script src="asciinema-player.min.js"></script>
  <script>
    AsciinemaPlayer.create(
      '/assets/607600.cast',
      document.getElementById('player'),
      { cols: 115, rows: 36 }
    );
  </script>
</body>
</html>

See asciinema player quick-start guide for full usage instructions.

While this site doesn't provide GIF conversion at the moment, you can still do it yourself with the help of asciinema GIF generator utility - agg.

Once you have it installed, generate a GIF with the following command:

agg https://asciinema.org/a/607600 demo.gif

Or, if you already downloaded the recording file:

agg demo.cast demo.gif

Check agg --help for all available options. You can change font family and size, select color theme, adjust speed and more.

See agg manual for full usage instructions.