// Issuer types accepted in OIDCIssuer.Type. The type chosen for an issuer
// decides how the certificate subject is derived from a verified ID token and
// whether additional certificate values are needed (see the Type field on
// OIDCIssuer). These are untyped string constants and are assigned to the
// IssuerType field as-is.
const (
	IssuerTypeBuildkiteJob      = "buildkite-job"
	IssuerTypeEmail             = "email"
	IssuerTypeGithubWorkflow    = "github-workflow"
	IssuerTypeCodefreshWorkflow = "codefresh-workflow"
	IssuerTypeGitLabPipeline    = "gitlab-pipeline"
	IssuerTypeChainguard        = "chainguard-identity"
	IssuerTypeKubernetes        = "kubernetes"
	IssuerTypeSpiffe            = "spiffe"
	// 'uri' and 'username' issuers additionally require OIDCIssuer.SubjectDomain
	// (the domain the subject must belong to / the domain used to build the email).
	IssuerTypeURI      = "uri"
	IssuerTypeUsername = "username"
	// 'ci-provider' is the generic CI type; its claim-to-extension mapping comes
	// from FulcioConfig.CIIssuerMetadata rather than from hard-coded logic
	// (presumably keyed by OIDCIssuer.CIProvider -- confirm against the loader).
	IssuerTypeCIProvider = "ci-provider"
)
// DefaultConfig is the built-in issuer configuration (presumably what Load falls
// back to when no config is read from disk -- confirm against Load).
//
// It trusts three public issuers, all of type 'email'/'github-workflow' and all
// with the expected ClientID "sigstore". Each map key equals the IssuerURL of its
// entry. For the sigstore Dex instance, IssuerClaim points the issuer lookup at
// the JSONPath "$.federated_claims.connector_id" instead of the token's issuer
// field, so the upstream connector recorded in that claim is the value matched
// against the configuration.
var DefaultConfig = &FulcioConfig{
	OIDCIssuers: map[string]OIDCIssuer{
		"https://oauth2.sigstore.dev/auth": {
			IssuerURL:   "https://oauth2.sigstore.dev/auth",
			ClientID:    "sigstore",
			IssuerClaim: "$.federated_claims.connector_id",
			Type:        IssuerTypeEmail,
		},
		"https://accounts.google.com": {
			IssuerURL: "https://accounts.google.com",
			ClientID:  "sigstore",
			Type:      IssuerTypeEmail,
		},
		"https://token.actions.githubusercontent.com": {
			IssuerURL: "https://token.actions.githubusercontent.com",
			ClientID:  "sigstore",
			Type:      IssuerTypeGithubWorkflow,
		},
	},
}
type FulcioConfig ¶
// FulcioConfig is the set of OIDC issuers Fulcio accepts tokens from, together
// with the per-CI-provider metadata used by the 'ci-provider' issuer type.
// It is populated from JSON or YAML (see the struct tags) via Load or Read.
type FulcioConfig struct {
	// OIDCIssuers maps an exact issuer URL to the configuration used to verify
	// tokens from that issuer.
	OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers,omitempty" yaml:"oidc-issuers,omitempty"`

	// MetaIssuers holds issuers whose URL is a template of the form:
	//   https://oidc.eks.*.amazonaws.com/id/*
	// Each * matches a single hostname label or a single URI path part; in
	// particular it never matches '.' or '/' (among other special characters),
	// so a wildcard cannot span multiple labels or path segments.
	// Examples that such a template is meant to match:
	//   * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB
	//   * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
	MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"`

	// CIIssuerMetadata defines the metadata used for the CIProvider identity
	// provider principal. The CI provider logic is generic across CI systems;
	// this metadata supplies the behaviour (claim-to-extension templates and
	// defaults) for each CI provider named in the configuration file.
	CIIssuerMetadata map[string]IssuerMetadata `json:"CIIssuerMetadata,omitempty" yaml:"ci-issuer-metadata,omitempty"`

	// contains filtered or unexported fields (omitted in this rendering)
}
func FromContext ¶ added in v0.2.0
func FromContext(ctx context.Context) *FulcioConfig
func Load ¶
func Load(configPath string) (*FulcioConfig, error)
Load reads a config from the given path, or uses the defaults.
func Read ¶ added in v0.2.0
func Read(b []byte) (*FulcioConfig, error)
Read parses a config from its raw bytes.
func (*FulcioConfig) GetIssuer ¶ added in v0.2.0
func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool)
GetIssuer looks up the issuer configuration for an `issuerURL` taken from an incoming OIDC token. If no matching configuration is found, the boolean result is `false`.
func (*FulcioConfig) GetVerifier ¶ added in v0.2.0
func (fc *FulcioConfig) GetVerifier(issuerURL string, opts ...InsecureOIDCConfigOption) (*oidc.IDTokenVerifier, bool)
GetVerifier fetches a token verifier for the given `issuerURL` taken from an incoming OIDC token. If no matching configuration is found, the boolean result is `false`.
func (*FulcioConfig) ToIssuers ¶ added in v0.5.0
func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer
ToIssuers returns a proto representation of the OIDC issuer configuration.
type InsecureOIDCConfigOption ¶ added in v1.4.0
func WithSkipExpiryCheck ¶ added in v1.4.0
func WithSkipExpiryCheck() InsecureOIDCConfigOption
type IssuerMetadata ¶ added in v1.6.0
// IssuerMetadata describes, for one CI provider, how token claims are mapped
// onto certificate extensions and the Subject Alternative Name. It is the value
// type of FulcioConfig.CIIssuerMetadata.
type IssuerMetadata struct {
	// DefaultTemplateValues contains key-value pairs used when filling the
	// templates in ExtensionTemplates. If a key cannot be found in the token
	// claims, the template falls back to the value given here.
	DefaultTemplateValues map[string]string `json:"DefaultTemplateValues,omitempty" yaml:"default-template-values,omitempty"`

	// ExtensionTemplates maps each certificate extension to a token claim.
	// Provide either strings following https://pkg.go.dev/text/template syntax,
	// e.g. "{{ .url }}/{{ .repository }}", or non-templated strings naming a
	// token claim key to be substituted, e.g. "job_workflow_sha".
	ExtensionTemplates certificate.Extensions `json:"ExtensionTemplates,omitempty" yaml:"extension-templates,omitempty"`

	// SubjectAlternativeNameTemplate is the template for the Subject
	// Alternative Name extension. It is typically the same value as the
	// Build Signer URI.
	SubjectAlternativeNameTemplate string `json:"SubjectAlternativeNameTemplate,omitempty" yaml:"subject-alternative-name-template,omitempty"`
}
type IssuerType ¶
// IssuerType names the strategy used to derive the certificate subject (and
// any additional certificate values) from a verified token; see the
// IssuerType* constants for the accepted values.
type IssuerType string
type OIDCIssuer ¶
// OIDCIssuer is the verification and identity-mapping configuration for a
// single OIDC issuer. Fields with the omitempty tag are optional in the
// config file; ClientID and Type are always emitted in JSON.
type OIDCIssuer struct {
	// IssuerURL is the expected issuer of an OIDC token.
	IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`

	// ClientID is the expected client ID of the OIDC token (the value the
	// token must have been issued for; presumably checked against its
	// audience -- confirm against GetVerifier).
	ClientID string `json:"ClientID" yaml:"client-id,omitempty"`

	// Type is used to determine the subject of the certificate and whether
	// additional certificate values are needed. See the IssuerType* constants.
	Type IssuerType `json:"Type" yaml:"type,omitempty"`

	// CIProvider is an optional configuration to map token claims to
	// extensions for CI workflows.
	CIProvider string `json:"CIProvider,omitempty" yaml:"ci-provider,omitempty"`

	// IssuerClaim is optional; set it if the issuer is carried in a different
	// claim of the OIDC token than the standard issuer field (DefaultConfig
	// uses a JSONPath such as "$.federated_claims.connector_id").
	IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`

	// SubjectDomain is the domain that must be present in the subject for
	// 'uri' issuer types. It is also used to create an email for 'username'
	// issuer types.
	SubjectDomain string `json:"SubjectDomain,omitempty" yaml:"subject-domain,omitempty"`

	// SPIFFETrustDomain specifies the trust domain that 'spiffe' issuer types
	// issue ID tokens for. Tokens with a different trust domain will be
	// rejected.
	SPIFFETrustDomain string `json:"SPIFFETrustDomain,omitempty" yaml:"spiffe-trust-domain,omitempty"`

	// ChallengeClaim is optional: the challenge claim expected for the issuer.
	// Set it when using a custom issuer.
	ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"`

	// Description is an optional description of the issuer.
	Description string `json:"Description,omitempty" yaml:"description,omitempty"`

	// Contact is an optional contact for the issuer team, usually an email.
	Contact string `json:"Contact,omitempty" yaml:"contact,omitempty"`
}