Constants ¶
// Issuer types accepted in OIDCIssuer.Type. The type decides how the
// certificate subject is derived from the OIDC token and which additional
// OIDCIssuer fields apply (SubjectDomain for 'uri' and 'username',
// SPIFFETrustDomain for 'spiffe'). The constants are untyped strings so
// they assign to both IssuerType and string.
const (
	IssuerTypeBuildkiteJob   = "buildkite-job"
	IssuerTypeEmail          = "email"
	IssuerTypeGithubWorkflow = "github-workflow"
	IssuerTypeKubernetes     = "kubernetes"
	// IssuerTypeSpiffe pairs with OIDCIssuer.SPIFFETrustDomain.
	IssuerTypeSpiffe = "spiffe"
	// IssuerTypeURI requires OIDCIssuer.SubjectDomain to appear in the subject.
	IssuerTypeURI = "uri"
	// IssuerTypeUsername uses OIDCIssuer.SubjectDomain to build an email.
	IssuerTypeUsername = "username"
)
Variables ¶
// DefaultConfig is the built-in issuer set (see Load for when the defaults
// apply): the public Sigstore Dex instance, Google accounts and GitHub
// Actions workflow tokens. Every entry expects the client ID "sigstore",
// and each map key equals the entry's IssuerURL. No MetaIssuers are set.
var DefaultConfig = &FulcioConfig{
	OIDCIssuers: map[string]OIDCIssuer{
		"https://oauth2.sigstore.dev/auth": {
			IssuerURL: "https://oauth2.sigstore.dev/auth",
			ClientID:  "sigstore",
			// Dex federates upstream providers; the issuer identity is read
			// from the connector_id claim instead (see OIDCIssuer.IssuerClaim).
			IssuerClaim: "$.federated_claims.connector_id",
			Type:        IssuerTypeEmail,
		},
		"https://accounts.google.com": {
			IssuerURL: "https://accounts.google.com",
			ClientID:  "sigstore",
			Type:      IssuerTypeEmail,
		},
		"https://token.actions.githubusercontent.com": {
			IssuerURL: "https://token.actions.githubusercontent.com",
			ClientID:  "sigstore",
			Type:      IssuerTypeGithubWorkflow,
		},
	},
}
Functions ¶
Types ¶
type FulcioConfig ¶
// FulcioConfig is the set of OIDC issuers trusted to request certificates.
// Entries are looked up by issuer URL through GetIssuer and GetVerifier;
// ToIssuers exports the same data as protobuf.
type FulcioConfig struct {
	// OIDCIssuers maps an exact issuer URL to its configuration
	// (see DefaultConfig for the expected shape).
	OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers,omitempty"`
	// A meta issuer has a templated URL of the form:
	// https://oidc.eks.*.amazonaws.com/id/*
	// Where * can match a single hostname or URI path parts
	// (in particular, no '.' or '/' are permitted, among
	// other special characters). Because '.' and '/' are excluded, a
	// single '*' cannot span a label or path boundary, which keeps a
	// template from matching issuers outside the intended domain.
	// Some examples we want to match:
	// * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB
	// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
	MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty"`
	// contains filtered or unexported fields
}
func FromContext ¶ added in v0.2.0
func FromContext(ctx context.Context) *FulcioConfig
func Load ¶
func Load(configPath string) (*FulcioConfig, error)
Load loads a config from disk, or falls back to the defaults.
func Read ¶ added in v0.2.0
func Read(b []byte) (*FulcioConfig, error)
Read parses the bytes of a config.
func (*FulcioConfig) GetIssuer ¶ added in v0.2.0
func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool)
GetIssuer looks up the issuer configuration for an `issuerURL` taken from an incoming OIDC token. If no matching configuration is found, the boolean result is `false` and the returned OIDCIssuer must not be used.
func (*FulcioConfig) GetVerifier ¶ added in v0.2.0
func (fc *FulcioConfig) GetVerifier(issuerURL string) (*oidc.IDTokenVerifier, bool)
GetVerifier fetches a token verifier for the given `issuerURL` taken from an incoming OIDC token. If no matching configuration is found, the boolean result is `false` and the returned verifier must not be used.
func (*FulcioConfig) ToIssuers ¶ added in v0.5.0
func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer
ToIssuers returns a proto representation of the OIDC issuer configuration.
type IssuerType ¶
// IssuerType names the kind of identity an OIDCIssuer vouches for and is
// the type of OIDCIssuer.Type. Known values are the IssuerType* constants.
type IssuerType string
type OIDCIssuer ¶
// OIDCIssuer describes one trusted OIDC identity provider: which issuer and
// client ID its tokens must carry, and how the certificate subject is derived
// from them (Type plus the type-specific fields below). It is the value type
// of FulcioConfig.OIDCIssuers and FulcioConfig.MetaIssuers.
type OIDCIssuer struct {
	// The expected issuer of an OIDC token
	IssuerURL string `json:"IssuerURL,omitempty"`
	// The expected client ID of the OIDC token. Not omitempty: it is always
	// serialized, so an empty value is visible in the written config.
	ClientID string `json:"ClientID"`
	// Used to determine the subject of the certificate and if additional
	// certificate values are needed (one of the IssuerType* constants)
	Type IssuerType `json:"Type"`
	// Optional, if the issuer is in a different claim in the OIDC token
	// (DefaultConfig uses "$.federated_claims.connector_id" for Dex)
	IssuerClaim string `json:"IssuerClaim,omitempty"`
	// The domain that must be present in the subject for 'uri' issuer types
	// Also used to create an email for 'username' issuer types
	SubjectDomain string `json:"SubjectDomain,omitempty"`
	// SPIFFETrustDomain specifies the trust domain that 'spiffe' issuer types
	// issue ID tokens for. Tokens with a different trust domain will be
	// rejected.
	SPIFFETrustDomain string `json:"SPIFFETrustDomain,omitempty"`
	// Optional, the challenge claim expected for the issuer
	// Set if using a custom issuer
	ChallengeClaim string `json:"ChallengeClaim,omitempty"`
}