build provenance stmt from OIDC claims

Signed-off-by: Brian DeHamer <bdehamer@github.com>

packages/attest/__tests__/__snapshots__/intoto.test.ts.snap

@@ -1,6 +1,6 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`buildIntotoStatement returns a provenance hydrated from env vars 1`] = `
+exports[`buildIntotoStatement returns an intoto statement 1`] = `
 {
   "_type": "https://in-toto.io/Statement/v1",
   "predicate": {

packages/attest/__tests__/__snapshots__/provenance.test.ts.snap

@@ -1,6 +1,6 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
-exports[`buildSLSAProvenancePredicate returns a provenance hydrated from env vars 1`] = `
+exports[`provenance functions buildSLSAProvenancePredicate returns a provenance hydrated from an OIDC token 1`] = `
 {
   "params": {
     "buildDefinition": {

packages/attest/__tests__/intoto.test.ts

@@ -16,7 +16,7 @@ describe('buildIntotoStatement', () => {
     }
   }
 
-  it('returns a provenance hydrated from env vars', () => {
+  it('returns an intoto statement', () => {
     const statement = buildIntotoStatement(subject, predicate)
     expect(statement).toMatchSnapshot()
   })

packages/attest/__tests__/oidc.test.ts

@@ -0,0 +1,147 @@
+import * as jose from 'jose'
+import nock from 'nock'
+import {getIDTokenClaims} from '../src/oidc'
+
+describe('getIDTokenClaims', () => {
+  const originalEnv = process.env
+  const issuer = 'https://example.com'
+  const audience = 'nobody'
+  const requestToken = 'token'
+  const openidConfigPath = '/.well-known/openid-configuration'
+  const jwksPath = '/.well-known/jwks.json'
+  const tokenPath = '/token'
+  const openIDConfig = {jwks_uri: `${issuer}${jwksPath}`}
+
+  /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
+  let key: any
+
+  beforeEach(async () => {
+    process.env = {
+      ...originalEnv,
+      ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: requestToken
+    }
+
+    // Generate JWT signing key
+    key = await jose.generateKeyPair('PS256')
+
+    // Create JWK and JWKS
+    const jwk = await jose.exportJWK(key.publicKey)
+    const jwks = {keys: [jwk]}
+
+    nock(issuer).get(openidConfigPath).reply(200, openIDConfig)
+    nock(issuer).get(jwksPath).reply(200, jwks)
+  })
+
+  afterEach(() => {
+    process.env = originalEnv
+  })
+
+  describe('when ID token is valid', () => {
+    const claims = {
+      iss: issuer,
+      aud: audience,
+      ref: 'ref',
+      sha: 'sha',
+      repository: 'repo',
+      event_name: 'push',
+      workflow_ref: 'main',
+      repository_id: '1',
+      repository_owner_id: '1',
+      runner_environment: 'github-hosted',
+      run_id: '1',
+      run_attempt: '1'
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('returns the ID token claims', async () => {
+      const result = await getIDTokenClaims(issuer)
+      expect(result).toEqual(claims)
+    })
+  })
+
+  describe('when ID token is missing required claims', () => {
+    const claims = {
+      iss: issuer,
+      aud: audience
+    }
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing claims/i)
+    })
+  })
+
+  describe('when ID has the wrong issuer', () => {
+    const claims = {foo: 'bar', iss: 'foo', aud: 'nobody'}
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/issuer invalid/)
+    })
+  })
+
+  describe('when ID has the wrong audience', () => {
+    const claims = {foo: 'bar', iss: issuer, aud: 'bar'}
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+    })
+
+    it('throw an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(/audience invalid/)
+    })
+  })
+
+  describe('when openid config cannot be retrieved', () => {
+    const claims = {foo: 'bar', iss: issuer, aud: 'nobody'}
+
+    beforeEach(async () => {
+      const jwt = await new jose.SignJWT(claims)
+        .setProtectedHeader({alg: 'PS256'})
+        .sign(key.privateKey)
+
+      nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
+
+      // Disable the openid config endpoint
+      nock.removeInterceptor({
+        proto: 'https',
+        hostname: 'example.com',
+        port: '443',
+        method: 'GET',
+        path: openidConfigPath
+      })
+    })
+
+    it('throws an error', async () => {
+      await expect(getIDTokenClaims(issuer)).rejects.toThrow(
+        /failed to get id/i
+      )
+    })
+  })
+})

packages/attest/__tests__/provenance.test.ts

@@ -1,213 +1,240 @@
 import * as github from '@actions/github'
 import {mockFulcio, mockRekor, mockTSA} from '@sigstore/mock'
+import * as jose from 'jose'
 import nock from 'nock'
 import {SIGSTORE_GITHUB, SIGSTORE_PUBLIC_GOOD} from '../src/endpoints'
 import {attestProvenance, buildSLSAProvenancePredicate} from '../src/provenance'
 
-// Dummy workflow environment
-const env = {
-  GITHUB_REPOSITORY: 'owner/repo',
-  GITHUB_REF: 'refs/heads/main',
-  GITHUB_SHA: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
-  GITHUB_WORKFLOW_REF: 'owner/repo/.github/workflows/main.yml@main',
-  GITHUB_SERVER_URL: 'https://github.com',
-  GITHUB_EVENT_NAME: 'push',
-  GITHUB_REPOSITORY_ID: 'repo-id',
-  GITHUB_REPOSITORY_OWNER_ID: 'owner-id',
-  GITHUB_RUN_ID: 'run-id',
-  GITHUB_RUN_ATTEMPT: 'run-attempt',
-  RUNNER_ENVIRONMENT: 'github-hosted'
-}
-
-describe('buildSLSAProvenancePredicate', () => {
-  it('returns a provenance hydrated from env vars', () => {
-    const predicate = buildSLSAProvenancePredicate(env)
-    expect(predicate).toMatchSnapshot()
-  })
-})
-
-describe('attestProvenance', () => {
-  // Capture original environment variables so we can restore them after each
-  // test
+describe('provenance functions', () => {
   const originalEnv = process.env
+  const issuer = 'https://example.com'
+  const audience = 'nobody'
+  const jwksPath = '/.well-known/jwks.json'
+  const tokenPath = '/token'
 
-  // Subject to attest
-  const subjectName = 'subjective'
-  const subjectDigest = {
-    sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+  const claims = {
+    iss: issuer,
+    aud: 'nobody',
+    repository: 'owner/repo',
+    ref: 'refs/heads/main',
+    sha: 'babca52ab0c93ae16539e5923cb0d7403b9a093b',
+    workflow_ref: 'owner/repo/.github/workflows/main.yml@main',
+    event_name: 'push',
+    repository_id: 'repo-id',
+    repository_owner_id: 'owner-id',
+    run_id: 'run-id',
+    run_attempt: 'run-attempt',
+    runner_environment: 'github-hosted'
   }
 
-  // Fake an OIDC token
-  const oidcPayload = {sub: 'foo@bar.com', iss: ''}
-  const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
-    'base64'
-  )}.}`
-
-  const tokenURL = 'https://token.url'
-  const attestationID = '1234567890'
-
   beforeEach(async () => {
-    jest.clearAllMocks()
-
-    nock(tokenURL)
-      .get('/')
-      .query({audience: 'sigstore'})
-      .reply(200, {value: oidcToken})
-
-    // Set-up GHA environment variables
     process.env = {
       ...originalEnv,
-      ...env,
-      ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
-      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token'
+      ACTIONS_ID_TOKEN_REQUEST_URL: `${issuer}${tokenPath}?`,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'token',
+      GITHUB_SERVER_URL: 'https://github.com',
+      GITHUB_REPOSITORY: claims.repository
     }
+
+    // Generate JWT signing key
+    const key = await jose.generateKeyPair('PS256')
+
+    // Create JWK, JWKS, and JWT
+    const jwk = await jose.exportJWK(key.publicKey)
+    const jwks = {keys: [jwk]}
+    const jwt = await new jose.SignJWT(claims)
+      .setProtectedHeader({alg: 'PS256'})
+      .sign(key.privateKey)
+
+    // Mock OpenID configuration and JWKS endpoints
+    nock(issuer)
+      .get('/.well-known/openid-configuration')
+      .reply(200, {jwks_uri: `${issuer}${jwksPath}`})
+    nock(issuer).get(jwksPath).reply(200, jwks)
+
+    // Mock OIDC token endpoint for populating the provenance
+    nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
   })
 
   afterEach(() => {
-    // Restore the original environment
     process.env = originalEnv
   })
 
-  describe('when using the github Sigstore instance', () => {
-    const {fulcioURL, tsaServerURL} = SIGSTORE_GITHUB
-
-    beforeEach(async () => {
-      // Mock Sigstore
-      await mockFulcio({baseURL: fulcioURL, strict: false})
-      await mockTSA({baseURL: tsaServerURL})
-
-      // Mock GH attestations API
-      nock('https://api.github.com')
-        .post(/^\/repos\/.*\/.*\/attestations$/)
-        .reply(201, {id: attestationID})
-    })
-
-    describe('when the sigstore instance is explicitly set', () => {
-      it('attests provenance', async () => {
-        const attestation = await attestProvenance({
-          subjectName,
-          subjectDigest,
-          token: 'token',
-          sigstore: 'github'
-        })
-
-        expect(attestation).toBeDefined()
-        expect(attestation.bundle).toBeDefined()
-        expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
-        expect(attestation.tlogID).toBeUndefined()
-        expect(attestation.attestationID).toBe(attestationID)
-      })
-    })
-
-    describe('when the sigstore instance is inferred from the repo visibility', () => {
-      const savedRepository = github.context.payload.repository
-
-      beforeEach(() => {
-        /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
-        github.context.payload.repository = {visibility: 'private'} as any
-      })
-
-      afterEach(() => {
-        github.context.payload.repository = savedRepository
-      })
-
-      it('attests provenance', async () => {
-        const attestation = await attestProvenance({
-          subjectName,
-          subjectDigest,
-          token: 'token'
-        })
-
-        expect(attestation).toBeDefined()
-        expect(attestation.bundle).toBeDefined()
-        expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
-        expect(attestation.tlogID).toBeUndefined()
-        expect(attestation.attestationID).toBe(attestationID)
-      })
+  describe('buildSLSAProvenancePredicate', () => {
+    it('returns a provenance hydrated from an OIDC token', async () => {
+      const predicate = await buildSLSAProvenancePredicate(issuer)
+      expect(predicate).toMatchSnapshot()
     })
   })
 
-  describe('when using the public-good Sigstore instance', () => {
-    const {fulcioURL, rekorURL} = SIGSTORE_PUBLIC_GOOD
+  describe('attestProvenance', () => {
+    // Subject to attest
+    const subjectName = 'subjective'
+    const subjectDigest = {
+      sha256: '7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
+    }
+
+    // Fake an OIDC token
+    const oidcPayload = {sub: 'foo@bar.com', iss: ''}
+    const oidcToken = `.${Buffer.from(JSON.stringify(oidcPayload)).toString(
+      'base64'
+    )}.}`
+
+    const attestationID = '1234567890'
 
     beforeEach(async () => {
-      // Mock Sigstore
-      await mockFulcio({baseURL: fulcioURL, strict: false})
-      await mockRekor({baseURL: rekorURL})
-
-      // Mock GH attestations API
-      nock('https://api.github.com')
-        .post(/^\/repos\/.*\/.*\/attestations$/)
-        .reply(201, {id: attestationID})
+      nock(issuer)
+        .get(tokenPath)
+        .query({audience: 'sigstore'})
+        .reply(200, {value: oidcToken})
     })
 
-    describe('when the sigstore instance is explicitly set', () => {
+    describe('when using the github Sigstore instance', () => {
+      const {fulcioURL, tsaServerURL} = SIGSTORE_GITHUB
+
+      beforeEach(async () => {
+        // Mock Sigstore
+        await mockFulcio({baseURL: fulcioURL, strict: false})
+        await mockTSA({baseURL: tsaServerURL})
+
+        // Mock GH attestations API
+        nock('https://api.github.com')
+          .post(/^\/repos\/.*\/.*\/attestations$/)
+          .reply(201, {id: attestationID})
+      })
+
+      describe('when the sigstore instance is explicitly set', () => {
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjectName,
+            subjectDigest,
+            token: 'token',
+            sigstore: 'github',
+            issuer
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeUndefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+
+      describe('when the sigstore instance is inferred from the repo visibility', () => {
+        const savedRepository = github.context.payload.repository
+
+        beforeEach(() => {
+          /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
+          github.context.payload.repository = {visibility: 'private'} as any
+        })
+
+        afterEach(() => {
+          github.context.payload.repository = savedRepository
+        })
+
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjectName,
+            subjectDigest,
+            token: 'token',
+            issuer
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeUndefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+    })
+
+    describe('when using the public-good Sigstore instance', () => {
+      const {fulcioURL, rekorURL} = SIGSTORE_PUBLIC_GOOD
+
+      beforeEach(async () => {
+        // Mock Sigstore
+        await mockFulcio({baseURL: fulcioURL, strict: false})
+        await mockRekor({baseURL: rekorURL})
+
+        // Mock GH attestations API
+        nock('https://api.github.com')
+          .post(/^\/repos\/.*\/.*\/attestations$/)
+          .reply(201, {id: attestationID})
+      })
+
+      describe('when the sigstore instance is explicitly set', () => {
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjectName,
+            subjectDigest,
+            token: 'token',
+            sigstore: 'public-good',
+            issuer
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeDefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+
+      describe('when the sigstore instance is inferred from the repo visibility', () => {
+        const savedRepository = github.context.payload.repository
+
+        beforeEach(() => {
+          /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
+          github.context.payload.repository = {visibility: 'public'} as any
+        })
+
+        afterEach(() => {
+          github.context.payload.repository = savedRepository
+        })
+
+        it('attests provenance', async () => {
+          const attestation = await attestProvenance({
+            subjectName,
+            subjectDigest,
+            token: 'token',
+            issuer
+          })
+
+          expect(attestation).toBeDefined()
+          expect(attestation.bundle).toBeDefined()
+          expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
+          expect(attestation.tlogID).toBeDefined()
+          expect(attestation.attestationID).toBe(attestationID)
+        })
+      })
+    })
+
+    describe('when skipWrite is set to true', () => {
+      const {fulcioURL, rekorURL} = SIGSTORE_PUBLIC_GOOD
+      beforeEach(async () => {
+        // Mock Sigstore
+        await mockFulcio({baseURL: fulcioURL, strict: false})
+        await mockRekor({baseURL: rekorURL})
+      })
+
       it('attests provenance', async () => {
         const attestation = await attestProvenance({
           subjectName,
           subjectDigest,
           token: 'token',
-          sigstore: 'public-good'
+          sigstore: 'public-good',
+          skipWrite: true,
+          issuer
         })
 
         expect(attestation).toBeDefined()
         expect(attestation.bundle).toBeDefined()
         expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
         expect(attestation.tlogID).toBeDefined()
-        expect(attestation.attestationID).toBe(attestationID)
+        expect(attestation.attestationID).toBeUndefined()
       })
     })
-
-    describe('when the sigstore instance is inferred from the repo visibility', () => {
-      const savedRepository = github.context.payload.repository
-
-      beforeEach(() => {
-        /* eslint-disable-next-line @typescript-eslint/no-explicit-any */
-        github.context.payload.repository = {visibility: 'public'} as any
-      })
-
-      afterEach(() => {
-        github.context.payload.repository = savedRepository
-      })
-
-      it('attests provenance', async () => {
-        const attestation = await attestProvenance({
-          subjectName,
-          subjectDigest,
-          token: 'token'
-        })
-
-        expect(attestation).toBeDefined()
-        expect(attestation.bundle).toBeDefined()
-        expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
-        expect(attestation.tlogID).toBeDefined()
-        expect(attestation.attestationID).toBe(attestationID)
-      })
-    })
-  })
-
-  describe('when skipWrite is set to true', () => {
-    const {fulcioURL, rekorURL} = SIGSTORE_PUBLIC_GOOD
-    beforeEach(async () => {
-      // Mock Sigstore
-      await mockFulcio({baseURL: fulcioURL, strict: false})
-      await mockRekor({baseURL: rekorURL})
-    })
-
-    it('attests provenance', async () => {
-      const attestation = await attestProvenance({
-        subjectName,
-        subjectDigest,
-        token: 'token',
-        sigstore: 'public-good',
-        skipWrite: true
-      })
-
-      expect(attestation).toBeDefined()
-      expect(attestation.bundle).toBeDefined()
-      expect(attestation.certificate).toMatch(/-----BEGIN CERTIFICATE-----/)
-      expect(attestation.tlogID).toBeDefined()
-      expect(attestation.attestationID).toBeUndefined()
-    })
   })
 })

packages/attest/__tests__/store.test.ts

@@ -38,7 +38,7 @@ describe('writeAttestation', () => {
         .reply(500, 'oops')
     })
 
-    it('persists the attestation', async () => {
+    it('throws an error', async () => {
       await expect(writeAttestation(attestation, token)).rejects.toThrow(/oops/)
     })
   })