feat: add ambient credential detection with spiffe/spire

[developer-guy]

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com

Summary

Support ambient credential detection with SPIFFE/SPIRE by looking at socket path and through SVID (Spiffe Verifiable Identity Document)

Ticket Link

Fixes #645

Release Note

feat: add ambient credential detection with spiffe/spire

[developer-guy]

@dlorenc we got the following error:

$ COSIGN_EXPERIMENTAL=1 ./cosign sign devopps/nginx:latest
Generating ephemeral keys...
JWT: eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg
Retrieving signed certificate...
Error: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}
main.go:46: error during command execution: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}

$ jwt eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg
To verify on jwt.io:

https://jwt.io/#id_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg

✻ Header
{
  "alg": "ES256",
  "kid": "SxGAbucZkwmDY281qFKtTQcRhbXgtbY9",
  "typ": "JWT"
}

✻ Payload
{
  "aud": [
    "sigstore"
  ],
  "exp": 1639600125,
  "iat": 1639599825,
  "sub": "spiffe://example.org/myservice2"
}
   Issued At: 1639599825 12/15/2021, 11:23:45 PM
   Expiration Time: 1639600125 12/15/2021, 11:28:45 PM

✻ Signature wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg

I think the reason why we got this error above is that we do not have an iss information within the JWT, WDYT?

[developer-guy]

kindly ping @colek42 @dlorenc @mattmoor

[colek42]

Are you saying SPIRE is not setting the ISS claim?
https://github.com/spiffe/spire/blob/04bee9741ac3b8c4b204e6367d0bd6146f78a8c7/pkg/common/jwtsvid/sign.go#L57

It seems like it should.

[colek42]

I'm wondering about the trust model. Instead of SPIRE->JWT->Fulcio->x.509->Sign Blob->Sig Store
we could use x.509 certs issued by SPIRE to sign the Blob.

[developer-guy]

I followed up the demo: Quickstart for Linux and MacOS X, and couldn't find any iss field in the JWT, this is why I got the following error, right? are you saying that this PR would work in the right environment?

[colek42]

I'm not sure. It looks like it should get set based on the spire code. @evan2645

[dlorenc]

$ COSIGN_EXPERIMENTAL=1 ./cosign sign devopps/nginx:latest
Generating ephemeral keys...
JWT: eyJhbGciOiJFUzI1NiIsImtpZCI6IlN4R0FidWNaa3dtRFkyODFxRkt0VFFjUmhiWGd0Ylk5IiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5NjAwMTI1LCJpYXQiOjE2Mzk1OTk4MjUsInN1YiI6InNwaWZmZTovL2V4YW1wbGUub3JnL215c2VydmljZTIifQ.wQdHjEAcO6fn1WIv7fPLjRriahfhZx0sNDEW5BKOWj6Vl7CiL9awflFvb_VgHvWDjoTQYHFmnqH2ymC8bHpDgg
Retrieving signed certificate...
Error: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}
main.go:46: error during command execution: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: "}

This will only work if the SPIFFE domain used to grant the IDs is setup in the fulcio federation config. See here for an example: https://github.com/sigstore/fulcio/tree/main/federation/external/oidc.dlorenc.dev

[dlorenc]

I'm wondering about the trust model. Instead of SPIRE->JWT->Fulcio->x.509->Sign Blob->Sig Store we could use x.509 certs issued by SPIRE to sign the Blob.

This will work but the certs expire each day - so going over the fulcio path allows you to get a cert that's setup for timestamping/transparency logging.

[dlorenc]

Looks like a lint issue, overall seems correct but we'll need to figure out a testing story too probably at some point.

[evan2645]

Are you saying SPIRE is not setting the ISS claim?

The value of the issuer claim is configurable and set via jwt_issuer on the server.

It should be set to a URL that can be used to reach your OIDC discovery provider.

[developer-guy]

kindly ping @dlorenc, which URL should I use to test this? I saw the iss field filled once I set the jwt_issuer property to the server configuration. But I got an error something like you mentioned above:

$ COSIGN_EXPERIMENTAL=1 ./cosign sign devopps/nginx:latest
Generating ephemeral keys...
Retrieving signed certificate...
Error: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: fulcio.sigstore.dev"}
main.go:46: error during command execution: signing [devopps/nginx:latest]: getting signer: getting key from Fulcio: retrieving cert: {"code":400,"message":"unsupported issuer: fulcio.sigstore.dev"}

$ bin/spire-agent api fetch jwt -audience sigstore
token(spiffe://example.org/myservice):    eyJhbGciOiJFUzI1NiIsImtpZCI6IkpWRkhsc2o5eUFvR2dVOGxzakJibTJpbks5NmpodExmIiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5OTk1MDE4LCJpYXQiOjE2Mzk5OTQ3MTgsImlzcyI6ImZ1bGNpby5zaWdzdG9yZS5kZXYiLCJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9teXNlcnZpY2UifQ.q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

$ jwt eyJhbGciOiJFUzI1NiIsImtpZCI6IkpWRkhsc2o5eUFvR2dVOGxzakJibTJpbks5NmpodExmIiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5OTk1MDE4LCJpYXQiOjE2Mzk5OTQ3MTgsImlzcyI6ImZ1bGNpby5zaWdzdG9yZS5kZXYiLCJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9teXNlcnZpY2UifQ.q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

To verify on jwt.io:

https://jwt.io/#id_token=eyJhbGciOiJFUzI1NiIsImtpZCI6IkpWRkhsc2o5eUFvR2dVOGxzakJibTJpbks5NmpodExmIiwidHlwIjoiSldUIn0.eyJhdWQiOlsic2lnc3RvcmUiXSwiZXhwIjoxNjM5OTk1MDE4LCJpYXQiOjE2Mzk5OTQ3MTgsImlzcyI6ImZ1bGNpby5zaWdzdG9yZS5kZXYiLCJzdWIiOiJzcGlmZmU6Ly9leGFtcGxlLm9yZy9teXNlcnZpY2UifQ.q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

✻ Header
{
  "alg": "ES256",
  "kid": "JVFHlsj9yAoGgU8lsjBbm2inK96jhtLf",
  "typ": "JWT"
}

✻ Payload
{
  "aud": [
    "sigstore"
  ],
  "exp": 1639995018,
  "iat": 1639994718,
  "iss": "fulcio.sigstore.dev", # here !
  "sub": "spiffe://example.org/myservice"
}
   Issued At: 1639994718 12/20/2021, 1:05:18 PM
   Expiration Time: 1639995018 12/20/2021, 1:10:18 PM

✻ Signature q_D8_1qU6v_ReN4pevkZSNi2aijKwmZewdFQI8C7Cdum9Z_8BKdkkhWNLDb-_l3PTvhSXTjP66KAvN11o0JdYw

[mattmoor]

This LGTM. Not sure if @dlorenc has anything else?