Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding Gitpod IDp #1177

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Adding Gitpod IDp #1177

wants to merge 4 commits into from

Conversation

ChevronTango
Copy link

Closes #1176

Summary

This MR adds Gitpod as a trusted identity provider using the email type to SaaS Fulcio. Gitpod is an remote IDE service aimed at providing workspace IDEs to users with all of the dependencies installed in seconds. Gitpod have been looking at Fulcio and gitsign as a means to achieve GPG signing for all commits made by users within a gitpod workspace. Adding Gitpod to SaaS Fulcio would allow them to pass through JWT tokens that identify a user, and get back a certificate automatically, without the user needing to do any additional authorisation.

Release Note

Documentation

@ChevronTango ChevronTango mentioned this pull request May 19, 2023
Closed
@haydentherapper
Copy link
Contributor

You’ll need to sign the DCO in your commit and also add the federation file, which just requires a contact.

@ChevronTango
Copy link
Author

to answer @haydentherapper question in the original thread, I'll attempt to highlight the gitpod IDP based on the criteria outlined in #397

  • Integrating with Dex - Not really suitably. Gitpod itself federates to other IDPs so adding it to Dex achieves nothing. It also doesn't support that kind of federation

  • Adding the IDP directly to Fulcio's OIDC issuer config list - The better option. This would allow Gitpod to pass fulcio a JWT it has generated and for fulcio to return a valid signing certificate

  • Key rotation policy - the Gitpod JWT tokens are short lived

  • Signing key storage policy - Gitpod doesn't store these tokens, they are generated automatically on request

  • Uptime requirements - Gitpod has a high resiliency, though I don't have exact figures on its downtime

  • A hosted .well-known/openid-configuration (which should be a given for OIDC, but it's worth having this explicitly checked as part of onboarding a new IDP) https://api.gitpod.io/idp/.well-known/openid-configuration

  • Minimum set of supported claims (issuer, subject, audience, issued at, expiration). I propose that we don't enforce that all tokens have precise claim name (iss, sub, aud, for some examples), but that these values are represented in some claim on the token. For example, the subject could be in sub or email or maybe some other claim. - Gitpod have just added email and email_verified to there token in addition to the claims outlined in Add Gitpod as a trusted ID token provider #1176

  • An OIDC provider must challenge the email address Gitpod federates to other IDPs

  • A configurable audience (aud) for the token, setting the audience to sigstore The audience is configurable, and the plan is to generate tokens with the sigstore aud for use with Fulcio

@ChevronTango
Copy link
Author

You’ll need to sign the DCO in your commit and also add the federation file, which just requires a contact.

Can do. Where can I find the federation file? I'll pass it along to them.

@haydentherapper
Copy link
Contributor

https://github.com/sigstore/fulcio/tree/main/federation

thanks for the responses, I’ll follow up with any questions shortly

@ChevronTango
Copy link
Author

@loujaybee are you able to provide a contact email for gitpod support?

@haydentherapper
Copy link
Contributor

@ChevronTango Can you also update https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml?

Would you be able to test this out too? Run docker-compose build; docker-compose up, or if you don't have docker-compose, go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/config.jsn

Edit https://github.com/sigstore/fulcio/blob/main/examples/request-certificate/main.go (sorry for the list of steps, this is probably simplest):

  • fulcioUrl to localhost:5554
  • Change 80 to 5554 on line 88
  • Remove lines 48-51
  • Change tok.Subject to the email from GitPod
  • Change tok.RawString to the ID token from GitPod

Run go run examples/request-certificate/main.go and check a certificate is issued.

@codecov
Copy link

codecov bot commented May 22, 2023
edited

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 56.02%. Comparing base (cf238ac) to head (59cf06b).
Report is 49 commits behind head on main.

❗ Current head 59cf06b differs from pull request most recent head b295a67. Consider uploading reports for the commit b295a67 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1177      +/-   ##
==========================================
- Coverage   57.93%   56.02%   -1.91%     
==========================================
  Files          50       50              
  Lines        3119     2904     -215     
==========================================
- Hits         1807     1627     -180     
+ Misses       1154     1133      -21     
+ Partials      158      144      -14

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@haydentherapper
Copy link
Contributor

You'll need to alphabetize the configuration

@loujaybee
Copy link

@loujaybee are you able to provide a contact email for gitpod support?

Will support@gitpod.io suffice?

https://www.gitpod.io/support

@haydentherapper
Copy link
Contributor

Thanks @ChevronTango! Since you have been using Gitpod, could you also test that this works using #1177 (comment)?

@ChevronTango
Copy link
Author

Thanks @ChevronTango! Since you have been using Gitpod, could you also test that this works using #1177 (comment)?

Hi Hayden. Just ran the tests and it looks like Gitpod have a couple more things they need to do on their side. I suggest we hold fire for now and I'll post back here once I have a successful test.

@haydentherapper
Copy link
Contributor

SG, thanks!

@ChevronTango
Copy link
Author

whilst waiting on Gitpod to action things on their side, I did have a question about the script you meantioned in #1177 (comment)

When I ran it after following your instructions, I got:

$ go run examples/request-certificate/main.go
2023/05/23 22:49:29 rpc error: code = Internal desc = Error entering certificate in CTL
exit status 1

with the following from the docker stack:

fulcio-ct_server-1            | W0523 22:49:29.552818       1 handlers.go:198] test{4176810766482965144}: AddPreChain handler error: failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "sigstore")
fulcio-fulcio-server-1        | 2023-05-23T22:49:29.553Z        ERROR   server/error.go:45      returning with error    {"requestID": "Slfmo6ng", "code": "Internal", "clientMessage": "Error entering certificate in CTL", "error": "got HTTP status \"400 Bad Request\""}

just wanted to clarify if there was any settings in docker or go that were missing that would resolve this. Thankfully these don't look like errors relating to the JWT auth, but it would still be nice for your script to pass cleanly.

@haydentherapper
Copy link
Contributor

docker-compose should spin up the transparency log too. There should be some error message from Trillian about why the certificate couldnt be entered in the log.

Otherwise, you can run the go run command with --ct-log-url="" which should prevent certs from being added to the local log.

@ChevronTango
Copy link
Author

Nothing from Trillian. Nothing is logged after the initial startup. the only logs are the ones I posted:

fulcio-ct_server-1            | W0523 23:16:23.228738       1 handlers.go:198] test{4176810766482965144}: AddPreChain handler error: failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "sigstore")
fulcio-fulcio-server-1        | 2023-05-23T23:16:23.228Z        ERROR   server/error.go:45      returning with error    {"requestID": "rcBeWTJI", "code": "Internal", "clientMessage": "Error entering certificate in CTL", "error": "got HTTP status \"400 Bad Request\""}
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/server.handleFulcioGRPCError
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/server/error.go:45
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/server.(*grpcCAServer).CreateSigningCertificate
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/server/grpc_server.go:199
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/generated/protobuf._CA_CreateSigningCertificate_Handler.func1
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/generated/protobuf/fulcio_grpc.pb.go:147
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-prometheus@v1.2.1-0.20210315223345-82c243799c99/server_metrics.go:108
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/chain.go:48
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/cmd/app.PassFulcioConfigThruContext.func1
fulcio-fulcio-server-1        |         /opt/app-root/src/cmd/app/grpc.go:64
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/chain.go:48
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware/logging/zap.UnaryServerInterceptor.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/zap/server_interceptors.go:31
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/chain.go:48
fulcio-fulcio-server-1        | github.com/goadesign/goa/grpc/middleware.UnaryRequestID.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/goadesign/goa@v2.2.5+incompatible/grpc/middleware/requestid.go:34
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/chain.go:48
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware/recovery.UnaryServerInterceptor.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/recovery/interceptors.go:33
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/chain.go:53
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/generated/protobuf._CA_CreateSigningCertificate_Handler
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/generated/protobuf/fulcio_grpc.pb.go:149
fulcio-fulcio-server-1        | google.golang.org/grpc.(*Server).processUnaryRPC
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/google.golang.org/grpc@v1.55.0/server.go:1337
fulcio-fulcio-server-1        | google.golang.org/grpc.(*Server).handleStream
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/google.golang.org/grpc@v1.55.0/server.go:1714
fulcio-fulcio-server-1        | google.golang.org/grpc.(*Server).serveStreams.func1.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/google.golang.org/grpc@v1.55.0/server.go:959
fulcio-fulcio-server-1        | 2023-05-23T23:16:23.228Z        DEBUG   log/log.go:106  finished unary call with code Internal  {"grpc.start_time": "2023-05-23T23:16:23Z", "system": "grpc", "span.kind": "server", "grpc.service": "dev.sigstore.fulcio.v2.CA", "grpc.method": "CreateSigningCertificate", "error": "rpc error: code = Internal desc = Error entering certificate in CTL", "grpc.code": "Internal", "requestID": "rcBeWTJI", "grpc.time_ms": 2.567}

@haydentherapper
Copy link
Contributor

Could be that the log failed to start up, sometimes it’s a little finicky. The easiest solution is with go run if docker compose isn’t working.

@ChevronTango ChevronTango mentioned this pull request Jun 13, 2023
Closed
@haydentherapper haydentherapper mentioned this pull request Jun 24, 2023
Open
@ChevronTango ChevronTango mentioned this pull request Jun 25, 2023
Open
@haydentherapper
Copy link
Contributor

Moving to draft while there are ongoing conversations

@haydentherapper haydentherapper marked this pull request as draft August 31, 2023 21:13
@ChevronTango ChevronTango marked this pull request as ready for review March 15, 2024 16:21
@ChevronTango
Copy link
Author

Gitpod have updated their docs now that they are providing tokens of the correct format: https://www.gitpod.io/docs/configure/workspaces/oidc

Not every token that you can create for Gitpod will be valid from the looks of it:

Important: email_verified is only true if you are signed in to Gitpod via an SSO provider. If you’re only signed in with an SCM authentication provider, this field will be false.

I'll update the code I submitted in sigstore/cosign#2998 originally to include logic to make sure only valid tokens are submitted automatically.

@ChevronTango
Adding Gitpod Provider
c9417a4 
Signed-off-by: Edward Brough <edward.brough@gmail.com>
@ChevronTango
Adding federation config for Gitpod.io
8e911b8 
Signed-off-by: Edward Brough <edward.brough@gmail.com>
@ChevronTango
Adding additional fulcio-config for Gitpod
1e8e8ea 
Signed-off-by: Edward Brough <edward.brough@gmail.com>
@ChevronTango
reordering config and adding contact email
b295a67 
Signed-off-by: Edward Brough <edward.brough@gmail.com>
@ChevronTango ChevronTango changed the title adding gitpod idp Adding Gitpod IDp Mar 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Gitpod as a trusted ID token provider
3 participants
@ChevronTango @haydentherapper @loujaybee