Documentation
¶
Index ¶
Constants ¶
View Source
const ( IssuerTypeBuildkiteJob = "buildkite-job" IssuerTypeEmail = "email" IssuerTypeGithubWorkflow = "github-workflow" IssuerTypeGitLabPipeline = "gitlab-pipeline" IssuerTypeKubernetes = "kubernetes" IssuerTypeSpiffe = "spiffe" IssuerTypeURI = "uri" IssuerTypeUsername = "username" )
Variables ¶
View Source
var DefaultConfig = &FulcioConfig{ OIDCIssuers: map[string]OIDCIssuer{ "https://oauth2.sigstore.dev/auth": { IssuerURL: "https://oauth2.sigstore.dev/auth", ClientID: "sigstore", IssuerClaim: "$.federated_claims.connector_id", Type: IssuerTypeEmail, }, "https://accounts.google.com": { IssuerURL: "https://accounts.google.com", ClientID: "sigstore", Type: IssuerTypeEmail, }, "https://token.actions.githubusercontent.com": { IssuerURL: "https://token.actions.githubusercontent.com", ClientID: "sigstore", Type: IssuerTypeGithubWorkflow, }, }, }
Functions ¶
Types ¶
type FulcioConfig ¶
type FulcioConfig struct {
OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers,omitempty"`
// A meta issuer has a templated URL of the form:
// https://oidc.eks.*.amazonaws.com/id/*
// Where * can match a single hostname or URI path parts
// (in particular, no '.' or '/' are permitted, among
// other special characters) Some examples we want to match:
// * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB
// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty"`
// contains filtered or unexported fields
}
func FromContext ¶ added in v0.2.0
func FromContext(ctx context.Context) *FulcioConfig
func Load ¶
func Load(configPath string) (*FulcioConfig, error)
Load a config from disk, or use defaults
func Read ¶ added in v0.2.0
func Read(b []byte) (*FulcioConfig, error)
Read parses the bytes of a config
func (*FulcioConfig) GetIssuer ¶ added in v0.2.0
func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool)
GetIssuer looks up the issuer configuration for an `issuerURL` coming from an incoming OIDC token. If no matching configuration is found, then it returns `false`.
func (*FulcioConfig) GetVerifier ¶ added in v0.2.0
func (fc *FulcioConfig) GetVerifier(issuerURL string, opts ...InsecureOIDCConfigOption) (*oidc.IDTokenVerifier, bool)
GetVerifier fetches a token verifier for the given `issuerURL` coming from an incoming OIDC token. If no matching configuration is found, then it returns `false`.
func (*FulcioConfig) ToIssuers ¶ added in v0.5.0
func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer
ToIssuers returns a proto representation of the OIDC issuer configuration.
type InsecureOIDCConfigOption ¶ added in v1.4.0
func WithSkipExpiryCheck ¶ added in v1.4.0
func WithSkipExpiryCheck() InsecureOIDCConfigOption
type IssuerType ¶
type IssuerType string
type OIDCIssuer ¶
type OIDCIssuer struct {
// The expected issuer of an OIDC token
IssuerURL string `json:"IssuerURL,omitempty"`
// The expected client ID of the OIDC token
ClientID string `json:"ClientID"`
// Used to determine the subject of the certificate and if additional
// certificate values are needed
Type IssuerType `json:"Type"`
// Optional, if the issuer is in a different claim in the OIDC token
IssuerClaim string `json:"IssuerClaim,omitempty"`
// The domain that must be present in the subject for 'uri' issuer types
// Also used to create an email for 'username' issuer types
SubjectDomain string `json:"SubjectDomain,omitempty"`
// SPIFFETrustDomain specifies the trust domain that 'spiffe' issuer types
// issue ID tokens for. Tokens with a different trust domain will be
// rejected.
SPIFFETrustDomain string `json:"SPIFFETrustDomain,omitempty"`
// Optional, the challenge claim expected for the issuer
// Set if using a custom issuer
ChallengeClaim string `json:"ChallengeClaim,omitempty"`
}
Source Files
Click to show internal directories.
Click to hide internal directories.