Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Correct SPIFFE trust domain checking #588

Merged
merged 1 commit into from May 17, 2022
Merged

Correct SPIFFE trust domain checking #588

merged 1 commit into from May 17, 2022

Conversation

nsmith5
Copy link
Contributor

@nsmith5 nsmith5 commented May 16, 2022
edited

Summary

SPIFFE issuers must configure a trust domain. We no longer assume that
the the trust domain has some implicit relationship with the OIDC issuer
domain. Tokens with a mismatch in trust domain are rejected.

Release Note

* SPIFFE issuers must now configure a trust domain and tokens with mismatched trust domains will be rejected

@codecov-commenter
Copy link

Codecov Report

Merging #588 (bce3a8c) into main (fdaedd6) will increase coverage by 0.39%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #588      +/-   ##
==========================================
+ Coverage   45.90%   46.30%   +0.39%     
==========================================
  Files          21       21              
  Lines        1501     1501              
==========================================
+ Hits          689      695       +6     
+ Misses        740      736       -4     
+ Partials       72       70       -2
Impacted Files Coverage Δ
pkg/challenges/challenges.go 39.51% <100.00%> (+1.61%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fdaedd6...bce3a8c. Read the comment docs.

haydentherapper
haydentherapper requested changes May 16, 2022
View reviewed changes
pkg/challenges/challenges.go Outdated Show resolved Hide resolved
@nsmith5 nsmith5 force-pushed the fix-allowed-spiffe-id branch 2 times, most recently from 2973812 to f96c3a8 Compare May 17, 2022 17:07
@haydentherapper
Copy link
Contributor

The failing test is because you will need to update grpc_server_test to include the new config field

spiffe: correct trust domain checking
5d9a4d1 
SPIFFE issuers must configure a trust domain. We no longer assume that
the the trust domain has some implicit relationship with the OIDC issuer
domain. Tokens with a mismatch in trust domain are rejected.

Signed-off-by: Nathan Smith <nathan@chainguard.dev>
haydentherapper
haydentherapper approved these changes May 17, 2022
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@haydentherapper
Copy link
Contributor

Can you update the PR summary?

@dlorenc dlorenc merged commit f334c15 into sigstore:main May 17, 2022
@nsmith5 nsmith5 deleted the fix-allowed-spiffe-id branch May 17, 2022 19:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lumjjb lumjjb lumjjb left review comments

@azdagron azdagron azdagron left review comments

@dlorenc dlorenc dlorenc approved these changes

@haydentherapper haydentherapper haydentherapper approved these changes

@bobcallaway bobcallaway Awaiting requested review from bobcallaway

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@nsmith5 @codecov-commenter @haydentherapper @dlorenc @lumjjb @azdagron