Merge pull request #731 from sigstore/signing-matching

Use Matchers in OidcIdentity matching

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java

@@ -38,6 +38,7 @@
 import dev.sigstore.oidc.client.OidcClients;
 import dev.sigstore.oidc.client.OidcException;
 import dev.sigstore.oidc.client.OidcToken;
+import dev.sigstore.oidc.client.OidcTokenMatcher;
 import dev.sigstore.rekor.client.HashedRekordRequest;
 import dev.sigstore.rekor.client.RekorClient;
 import dev.sigstore.rekor.client.RekorClientHttp;
@@ -86,7 +87,7 @@ public class KeylessSigner implements AutoCloseable {
   private final RekorClient rekorClient;
   private final RekorVerifier rekorVerifier;
   private final OidcClients oidcClients;
-  private final List<OidcIdentity> oidcIdentities;
+  private final List<OidcTokenMatcher> oidcIdentities;
   private final Signer signer;
   private final Duration minSigningCertificateLifetime;
 
@@ -109,7 +110,7 @@ private KeylessSigner(
       RekorClient rekorClient,
       RekorVerifier rekorVerifier,
       OidcClients oidcClients,
-      List<OidcIdentity> oidcIdentities,
+      List<OidcTokenMatcher> oidcIdentities,
       Signer signer,
       Duration minSigningCertificateLifetime) {
     this.fulcioClient = fulcioClient;
@@ -141,7 +142,7 @@ public static Builder builder() {
   public static class Builder {
     private TrustedRootProvider trustedRootProvider;
     private OidcClients oidcClients;
-    private List<OidcIdentity> oidcIdentities = Collections.emptyList();
+    private List<OidcTokenMatcher> oidcIdentities = Collections.emptyList();
     private Signer signer;
     private Duration minSigningCertificateLifetime = DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;
     private URI fulcioUri;
@@ -177,7 +178,7 @@ public Builder oidcClients(OidcClients oidcClients) {
      * null but can be an empty list and will allow all identities.
      */
     @CanIgnoreReturnValue
-    public Builder allowedOidcIdentities(List<OidcIdentity> oidcIdentities) {
+    public Builder allowedOidcIdentities(List<OidcTokenMatcher> oidcIdentities) {
       this.oidcIdentities = ImmutableList.copyOf(oidcIdentities);
       return this;
     }
@@ -378,12 +379,9 @@ private void renewSigningCertificate()
 
       // check if we have an allow list and if so, ensure the provided token is in there
       if (!oidcIdentities.isEmpty()) {
-        var obtainedToken = OidcIdentity.from(tokenInfo);
-        if (!oidcIdentities.contains(OidcIdentity.from(tokenInfo))) {
+        if (oidcIdentities.stream().noneMatch(id -> id.test(tokenInfo))) {
           throw new KeylessSignerException(
-              "Obtained Oidc Token "
-                  + obtainedToken
-                  + " does not match any identities in allow list");
+              "Obtained Oidc Token " + tokenInfo + " does not match any identities in allow list");
         }
       }
 

sigstore-java/src/main/java/dev/sigstore/OidcIdentity.java

@@ -27,5 +27,6 @@ public interface OidcToken {
   String getIssuer();
 
   /** The full oidc token obtained from the provider. */
+  @Value.Redacted
   String getIdToken();
 }

sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcToken.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2023 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.oidc.client;
+
+import dev.sigstore.strings.StringMatcher;
+import java.util.function.Predicate;
+
+/**
+ * An interface for allowing direct string matching or regular expressions on {@link OidcToken}. Use
+ * the static factory {@link #of(StringMatcher, StringMatcher)} to instantiate the matcher. Custom
+ * implementations should override {@link Object#toString} for better error reporting.
+ */
+public interface OidcTokenMatcher extends Predicate<OidcToken> {
+
+  static OidcTokenMatcher of(StringMatcher san, StringMatcher issuer) {
+    return new OidcTokenMatcher() {
+      @Override
+      public boolean test(OidcToken oidcToken) {
+        return san.test(oidcToken.getSubjectAlternativeName())
+            && issuer.test(oidcToken.getIssuer());
+      }
+
+      @Override
+      public String toString() {
+        return "{subjectAlternativeName: " + san + ", issuer: " + issuer + "}";
+      }
+    };
+  }
+}

sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcTokenMatcher.java

@@ -15,11 +15,10 @@
  */
 package dev.sigstore;
 
-import com.google.api.client.json.gson.GsonFactory;
-import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.common.hash.Hashing;
 import dev.sigstore.bundle.Bundle;
-import dev.sigstore.oidc.client.GithubActionsOidcClient;
+import dev.sigstore.oidc.client.OidcTokenMatcher;
+import dev.sigstore.strings.StringMatcher;
 import dev.sigstore.testing.matchers.ByteArrayListMatcher;
 import dev.sigstore.testkit.annotations.EnabledIfOidcExists;
 import dev.sigstore.testkit.annotations.OidcProviderType;
@@ -104,12 +103,15 @@ public void sign_digest() throws Exception {
 
   @Test
   @EnabledIfOidcExists(provider = OidcProviderType.GITHUB)
-  // this test will only pass on the github.com/sigstore/sigstore-java repository
   public void sign_failGithubOidcCheck() throws Exception {
     var signer =
         KeylessSigner.builder()
             .sigstorePublicDefaults()
-            .allowedOidcIdentities(List.of(OidcIdentity.of("goose@goose.com", "goose.com")))
+            .allowedOidcIdentities(
+                List.of(
+                    OidcTokenMatcher.of(
+                        StringMatcher.string("goose@goose.com"),
+                        StringMatcher.string("goose.com"))))
             .build();
     var ex =
         Assertions.assertThrows(
@@ -127,20 +129,19 @@ public void sign_failGithubOidcCheck() throws Exception {
   @EnabledIfOidcExists(provider = OidcProviderType.GITHUB)
   // this test will only pass on the github.com/sigstore/sigstore-java repository
   public void sign_passGithubOidcCheck() throws Exception {
-    // silly way to get the right oidc identity to make sure our simple matcher works
-    var jws =
-        JsonWebSignature.parse(
-            new GsonFactory(),
-            GithubActionsOidcClient.builder().build().getIDToken(System.getenv()).getIdToken());
-    var expectedGithubSubject = jws.getPayload().getSubject();
     var signer =
         KeylessSigner.builder()
             .sigstorePublicDefaults()
             .allowedOidcIdentities(
                 List.of(
-                    OidcIdentity.of(
-                        expectedGithubSubject, "https://token.actions.githubusercontent.com"),
-                    OidcIdentity.of("some@other.com", "https://accounts.other.com")))
+                    OidcTokenMatcher.of(
+                        // this is bad matching, do not use it as an example of what to do in a
+                        // production environment
+                        StringMatcher.regex(".*sigstore/sigstore-java.*"),
+                        StringMatcher.string("https://token.actions.githubusercontent.com")),
+                    OidcTokenMatcher.of(
+                        StringMatcher.string("some@other.com"),
+                        StringMatcher.string("https://accounts.other.com"))))
             .build();
     Assertions.assertDoesNotThrow(
         () ->

sigstore-java/src/test/java/dev/sigstore/KeylessSignerTest.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright 2024 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.oidc.client;
+
+import dev.sigstore.strings.RegexSyntaxException;
+import dev.sigstore.strings.StringMatcher;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class OidcTokenMatcherTest {
+
+  @Test
+  public void testString() {
+    var testMatcher =
+        OidcTokenMatcher.of(StringMatcher.string("test-san"), StringMatcher.string("test-issuer"));
+    Assertions.assertTrue(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("test-san")
+                .issuer("test-issuer")
+                .build()));
+    Assertions.assertTrue(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("test-san")
+                .issuer("test-issuer")
+                .build()));
+    Assertions.assertFalse(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("wrong-san")
+                .issuer("test-issuer")
+                .build()));
+    Assertions.assertFalse(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("test-san")
+                .issuer("wrong-issuer")
+                .build()));
+    Assertions.assertFalse(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("")
+                .issuer("")
+                .build()));
+
+    Assertions.assertEquals(
+        "{subjectAlternativeName: 'String: test-san', issuer: 'String: test-issuer'}",
+        testMatcher.toString());
+  }
+
+  @Test
+  public void testRegex() throws RegexSyntaxException {
+    var testMatcher =
+        OidcTokenMatcher.of(StringMatcher.regex("test-..."), StringMatcher.regex("test-.*"));
+    Assertions.assertTrue(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("test-san")
+                .issuer("test-issuer")
+                .build()));
+    Assertions.assertTrue(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("test-san")
+                .issuer("test-issuer")
+                .build()));
+    Assertions.assertFalse(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("wrong-san")
+                .issuer("test-issuer")
+                .build()));
+    Assertions.assertFalse(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("test-san")
+                .issuer("wrong-issuer")
+                .build()));
+    Assertions.assertFalse(
+        testMatcher.test(
+            ImmutableOidcToken.builder()
+                .idToken("hidden stuff")
+                .subjectAlternativeName("")
+                .issuer("")
+                .build()));
+
+    Assertions.assertEquals(
+        "{subjectAlternativeName: 'RegEx: test-...', issuer: 'RegEx: test-.*'}",
+        testMatcher.toString());
+  }
+}

sigstore-java/src/test/java/dev/sigstore/oidc/client/OidcTokenMatcherTest.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2024 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.oidc.client;
+
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class OidcTokenTest {
+
+  @Test
+  public void test_redacted() {
+    var testToken =
+        ImmutableOidcToken.builder()
+            .issuer("issuer")
+            .idToken("secret")
+            .subjectAlternativeName("name")
+            .build();
+    Assertions.assertEquals(
+        "OidcToken{subjectAlternativeName=name, issuer=issuer}", testToken.toString());
+  }
+}