sigstore, test: add CircleCI credential detection

[woodruffw]

See #31.

Signed-off-by: William Woodruff william@trailofbits.com

[woodruffw]

Yep, correct. It looks like CircleCI uses a similar permission style as GitHub, but skips the indirection of a request. Sent from mobile. Please excuse my brevity.

…

On May 6, 2022, at 12:28 PM, Dustin Ingram ***@***.***> wrote:  @di commented on this pull request. In sigstore/_internal/oidc/ambient.py: > + + +def detect_circleci() -> Optional[str]: + logger.debug("CircleCI: looking for OIDC credentials") + + if not os.getenv("CIRCLECI"): + logger.debug("CircleCI: environment doesn't look right; giving up") + return None + + token = os.getenv("CIRCLE_OIDC_TOKEN") + if not token: + raise AmbientCredentialError( + "CircleCI: missing or insufficient OIDC token permissions" + ) + + return token This is the actual identity token? We don't need to make additional requests here? — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were assigned.

[di]

This LGTM but I want to add a simple integration test for CircleCI before merging. I don't have the ability to do this for this repo anymore though, so hang tight while I figure out who can.

[woodruffw]

Sounds good!

[di]

This seems like a dealbreaker. From https://circleci.com/docs/2.0/openid-connect-tokens/#format-of-the-openid-connect-id-token

aud: The audience. Currently, this is a fixed value "<organization-id>", a string containing a UUID that identifies the job’s project’s organization.

[di]

Marking this as blocked on https://circleci.canny.io/cloud-feature-requests/p/customizable-audience-claim-in-oidc-tokens, please upvote that feature request if you need this feature.

[woodruffw]

Oh well; that's too bad. At least the changeset here is pretty small, so we'll be able to move this along rapidly once that gets unblocked.

[di]

When we're ready to merge this, we should go to https://app.circleci.com/settings/project/github/sigstore/sigstore-python/advanced and re-enable "GitHub Status Updates" before rebasing.

[di]

Given the slow movement here, dropping this out of the 1.0 milestone.

[jerdog]

CircleCI has just added customizable audience claims in OIDC tokens =)

https://circleci.com/docs/api/v2/index.html#tag/OIDC-Token-Management

[woodruffw]

@jerdog fantastic, thanks for letting us know!

This PR is pretty stale at this point, but I'll see about refreshing it.

[woodruffw]

NB: This will require upstream changes to id, since we've moved all ambient credential detection logic there.

[woodruffw]

Upstream tracking: di/id#61

[woodruffw]

This has been done upstream. The only remaining item for CircleCI support in sigstore-python is to update our dependency on id, which is currently in the works.