Validation of OIDC claims via JSON schema validator

Related: actions/runner#2417 (comment)
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>

.github/workflows/notarize.yml

@@ -66,11 +66,38 @@ jobs:
       - name: Submit claim
         env:
           OIDC_TOKEN: '${{ steps.github-oidc.outputs.token }}'
+          WORKFLOW_REF: '${{ github.workflow_ref }}'
+          # Use of job_workflow_sha blocked by
+          # https://github.com/actions/runner/issues/2417#issuecomment-1718369460
+          JOB_WORKFLOW_SHA: '${{ github.sha }}'
         run: |
           # Create the middleware config file
-          cat > oidc-middleware-config.json <<EOF
+          tee oidc-middleware-config.json <<EOF
           {
               "issuers": ["https://token.actions.githubusercontent.com"],
+              "claim_schema": {
+                  "https://token.actions.githubusercontent.com": {
+                        "\$schema": "https://json-schema.org/draft/2020-12/schema",
+                        "required": [
+                            "job_workflow_ref",
+                            "job_workflow_sha"
+                        ],
+                        "properties": {
+                            "job_workflow_ref": {
+                                "type": "string",
+                                "enum": [
+                                    "${WORKFLOW_REF}"
+                                ]
+                            },
+                            "job_workflow_sha": {
+                                "type": "string",
+                                "enum": [
+                                    "${JOB_WORKFLOW_SHA}"
+                                ]
+                            }
+                        }
+                    }
+              },
               "audience": "${SCITT_URL}"
           }
           EOF
@@ -79,6 +106,7 @@ jobs:
             scitt-emulator server --port 8080 --workspace workspace/ --tree-alg CCF \
               --middleware scitt_emulator.oidc:OIDCAuthMiddleware \
               --middleware-config-path oidc-middleware-config.json &
+            sleep 1s
           fi
           # Submit the claim using OIDC token as auth
           scitt-emulator client submit-claim --token "${OIDC_TOKEN}" --url "${SCITT_URL}" --claim claim.cose --out claim.receipt.cbor

scitt_emulator/oidc.py

@@ -3,6 +3,7 @@
 import jwt
 import json
 import jwcrypto.jwk
+import jsonschema
 from flask import jsonify
 from werkzeug.wrappers import Request
 from scitt_emulator.client import HttpClient
@@ -27,7 +28,9 @@ def __init__(self, app, config_path):
 
     def __call__(self, environ, start_response):
         request = Request(environ)
-        self.validate_token(request.headers["Authorization"].replace("Bearer ", ""))
+        claims = self.validate_token(request.headers["Authorization"].replace("Bearer ", ""))
+        if "claim_schema" in self.config and claims["iss"] in self.config["claim_schema"]:
+            jsonschema.validate(claims, schema=self.config["claim_schema"][claims["iss"]])
         return self.app(environ, start_response)
 
     def validate_token(self, token):

setup.py

@@ -25,6 +25,7 @@
         "oidc": [
             "PyJWT",
             "jwcrypto",
+            "jsonschema",
         ]
     },
 )

tests/test_cli.py

@@ -203,6 +203,7 @@ def test_client_cli_token(tmp_path):
     key = jwcrypto.jwk.JWK.generate(kty="RSA", size=2048)
     algorithm = "RS256"
     audience = "scitt.example.org"
+    subject = "repo:scitt-community/scitt-api-emulator:ref:refs/heads/main"
 
     with Service(
         {"key": key, "algorithms": [algorithm]},
@@ -213,7 +214,21 @@ def test_client_cli_token(tmp_path):
         )
         middleware_config_path = tmp_path / "oidc-middleware-config.json"
         middleware_config_path.write_text(
-            json.dumps({"issuers": [oidc_service.url], "audience": audience})
+            json.dumps(
+                {
+                    "issuers": [oidc_service.url],
+                    "audience": audience,
+                    "claim_schema": {
+                        oidc_service.url: {
+                            "$schema": "https://json-schema.org/draft/2020-12/schema",
+                            "required": ["sub"],
+                            "properties": {
+                                "sub": {"type": "string", "enum": [subject]},
+                            },
+                        }
+                    },
+                }
+            )
         )
         with Service(
             {
@@ -263,18 +278,36 @@ def test_client_cli_token(tmp_path):
             assert not os.path.exists(receipt_path)
             assert not os.path.exists(entry_id_path)
 
-            # create token
+            # create token without subject
             token = jwt.encode(
                 {"iss": oidc_service.url, "aud": audience},
                 key.export_to_pem(private_key=True, password=None),
                 algorithm=algorithm,
                 headers={"kid": key.thumbprint()},
             )
-            # submit claim with token
+            # submit claim with token lacking subject
             command += [
                 "--token",
                 token,
             ]
+            check_error = None
+            try:
+                execute_cli(command)
+            except Exception as error:
+                check_error = error
+            assert check_error
+            assert not os.path.exists(receipt_path)
+            assert not os.path.exists(entry_id_path)
+
+            # create token with subject
+            token = jwt.encode(
+                {"iss": oidc_service.url, "aud": audience, "sub": subject},
+                key.export_to_pem(private_key=True, password=None),
+                algorithm=algorithm,
+                headers={"kid": key.thumbprint()},
+            )
+            # submit claim with token containing subject
+            command[-1] = token
             execute_cli(command)
             assert os.path.exists(receipt_path)
             assert os.path.exists(entry_id_path)