Add GitLab.com OIDC to Fulcio (#983)

Signed-off-by: cpanato <[email protected]>

config/fulcio-config.yaml

@@ -33,6 +33,11 @@ data:
               "Type": "spiffe",
               "SPIFFETrustDomain": "allow.pub"
             },
+            "https://gitlab.com": {
+              "IssuerURL": "https://gitlab.com",
+              "ClientID": "sigstore",
+              "Type": "gitlab-pipeline"
+            },
             "https://oauth2.sigstore.dev/auth": {
               "IssuerURL": "https://oauth2.sigstore.dev/auth",
               "ClientID": "sigstore",

federation/gitlab.com/config.yaml

@@ -0,0 +1,18 @@
+# Copyright 2023 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+url: https://gitlab.com
+contact: [email protected]
+description: "GitLab OIDC tokens for job identity"
+type: "gitlab-pipeline"

pkg/challenges/challenges.go

@@ -29,6 +29,7 @@ import (
 	"github.com/sigstore/fulcio/pkg/identity/buildkite"
 	"github.com/sigstore/fulcio/pkg/identity/email"
 	"github.com/sigstore/fulcio/pkg/identity/github"
+	"github.com/sigstore/fulcio/pkg/identity/gitlabcom"
 	"github.com/sigstore/fulcio/pkg/identity/kubernetes"
 	"github.com/sigstore/fulcio/pkg/identity/spiffe"
 	"github.com/sigstore/fulcio/pkg/identity/uri"
@@ -60,6 +61,8 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 	switch iss.Type {
 	case config.IssuerTypeBuildkiteJob:
 		principal, err = buildkite.JobPrincipalFromIDToken(ctx, tok)
+	case config.IssuerTypeGitLabPipeline:
+		principal, err = gitlabcom.JobPrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeEmail:
 		principal, err = email.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeSpiffe:

pkg/config/config.go

@@ -214,6 +214,7 @@ const (
 	IssuerTypeBuildkiteJob   = "buildkite-job"
 	IssuerTypeEmail          = "email"
 	IssuerTypeGithubWorkflow = "github-workflow"
+	IssuerTypeGitLabPipeline = "gitlab-pipeline"
 	IssuerTypeKubernetes     = "kubernetes"
 	IssuerTypeSpiffe         = "spiffe"
 	IssuerTypeURI            = "uri"
@@ -468,6 +469,8 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 	switch issType {
 	case IssuerTypeBuildkiteJob:
 		return "sub"
+	case IssuerTypeGitLabPipeline:
+		return "sub"
 	case IssuerTypeEmail:
 		return "email"
 	case IssuerTypeGithubWorkflow:

pkg/config/config_test.go

@@ -489,6 +489,9 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}
+	if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
+		t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
+	}
 	if claim := issuerToChallengeClaim(IssuerTypeKubernetes, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for K8S issuer, got %s", claim)
 	}

pkg/identity/gitlabcom/issuer.go

@@ -0,0 +1,38 @@
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gitlabcom
+
+import (
+	"context"
+
+	"github.com/sigstore/fulcio/pkg/identity"
+	"github.com/sigstore/fulcio/pkg/identity/base"
+)
+
+type gitlabIssuer struct {
+	identity.Issuer
+}
+
+func Issuer(issuerURL string) identity.Issuer {
+	return &gitlabIssuer{base.Issuer(issuerURL)}
+}
+
+func (e *gitlabIssuer) Authenticate(ctx context.Context, token string) (identity.Principal, error) {
+	idtoken, err := identity.Authorize(ctx, token)
+	if err != nil {
+		return nil, err
+	}
+	return JobPrincipalFromIDToken(ctx, idtoken)
+}

pkg/identity/gitlabcom/issuer_test.go

@@ -0,0 +1,88 @@
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gitlabcom
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/sigstore/fulcio/pkg/identity"
+)
+
+func TestIssuer(t *testing.T) {
+	ctx := context.Background()
+	url := "test-issuer-url"
+	issuer := Issuer(url)
+
+	// test the Match function
+	t.Run("match", func(t *testing.T) {
+		if matches := issuer.Match(ctx, url); !matches {
+			t.Fatal("expected url to match but it doesn't")
+		}
+		if matches := issuer.Match(ctx, "some-other-url"); matches {
+			t.Fatal("expected match to fail but it didn't")
+		}
+	})
+
+	t.Run("authenticate", func(t *testing.T) {
+		token := &oidc.IDToken{
+			Issuer:  "https://iss.example.com",
+			Subject: "repo:sigstore/fulcio:ref:refs/heads/main",
+		}
+		claims, err := json.Marshal(map[string]interface{}{
+			"namespace_id":       "1730270",
+			"namespace_path":     "cpanato",
+			"project_id":         "42831435",
+			"project_path":       "cpanato/testing-cosign",
+			"user_id":            "1430381",
+			"user_login":         "cpanato",
+			"user_email":         "[email protected]",
+			"pipeline_id":        "757451528",
+			"pipeline_source":    "push",
+			"job_id":             "3659681386",
+			"sha":                "714a629c0b401fdce83e847fc9589983fc6f46bc",
+			"runner_id":          1,
+			"runner_environment": "gitlab-hosted",
+			"ref":                "main",
+			"ref_type":           "branch",
+			"ref_protected":      "true",
+			"jti":                "914910cc-09f6-4217-8091-a1d3231a37db",
+			"iss":                "https://gitlab.com",
+			"iat":                1674658264,
+			"nbf":                1674658259,
+			"exp":                1674661864,
+			"sub":                "project_path:cpanato/testing-cosign:ref_type:branch:ref:main",
+			"aud":                "sigstore",
+		})
+		if err != nil {
+			t.Fatal(err)
+		}
+		withClaims(token, claims)
+
+		identity.Authorize = func(_ context.Context, _ string) (*oidc.IDToken, error) {
+			return token, nil
+		}
+		principal, err := issuer.Authenticate(ctx, "token")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if principal.Name(ctx) != "repo:sigstore/fulcio:ref:refs/heads/main" {
+			t.Fatalf("got unexpected name %s", principal.Name(ctx))
+		}
+	})
+}