Adding Gitpod IDp

[ChevronTango]

Closes #1176

Summary

This MR adds Gitpod as a trusted identity provider using the email type to SaaS Fulcio. Gitpod is an remote IDE service aimed at providing workspace IDEs to users with all of the dependencies installed in seconds. Gitpod have been looking at Fulcio and gitsign as a means to achieve GPG signing for all commits made by users within a gitpod workspace. Adding Gitpod to SaaS Fulcio would allow them to pass through JWT tokens that identify a user, and get back a certificate automatically, without the user needing to do any additional authorisation.

Release Note

Documentation

[haydentherapper]

You’ll need to sign the DCO in your commit and also add the federation file, which just requires a contact.

[ChevronTango]

to answer @haydentherapper question in the original thread, I'll attempt to highlight the gitpod IDP based on the criteria outlined in #397

• Integrating with Dex - Not really suitably. Gitpod itself federates to other IDPs so adding it to Dex achieves nothing. It also doesn't support that kind of federation

• Adding the IDP directly to Fulcio's OIDC issuer config list - The better option. This would allow Gitpod to pass fulcio a JWT it has generated and for fulcio to return a valid signing certificate

• Key rotation policy - the Gitpod JWT tokens are short lived

• Signing key storage policy - Gitpod doesn't store these tokens, they are generated automatically on request

• Uptime requirements - Gitpod has a high resiliency, though I don't have exact figures on its downtime

• A hosted .well-known/openid-configuration (which should be a given for OIDC, but it's worth having this explicitly checked as part of onboarding a new IDP) https://api.gitpod.io/idp/.well-known/openid-configuration

• Minimum set of supported claims (issuer, subject, audience, issued at, expiration). I propose that we don't enforce that all tokens have precise claim name (iss, sub, aud, for some examples), but that these values are represented in some claim on the token. For example, the subject could be in sub or email or maybe some other claim. - Gitpod have just added email and email_verified to there token in addition to the claims outlined in Add Gitpod as a trusted ID token provider #1176

• An OIDC provider must challenge the email address Gitpod federates to other IDPs

• A configurable audience (aud) for the token, setting the audience to sigstore The audience is configurable, and the plan is to generate tokens with the sigstore aud for use with Fulcio

[ChevronTango]

You’ll need to sign the DCO in your commit and also add the federation file, which just requires a contact.

Can do. Where can I find the federation file? I'll pass it along to them.

[haydentherapper]

https://github.com/sigstore/fulcio/tree/main/federation

thanks for the responses, I’ll follow up with any questions shortly

[ChevronTango]

@loujaybee are you able to provide a contact email for gitpod support?

[haydentherapper]

@ChevronTango Can you also update https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml?

Would you be able to test this out too? Run docker-compose build; docker-compose up, or if you don't have docker-compose, go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/config.jsn

Edit https://github.com/sigstore/fulcio/blob/main/examples/request-certificate/main.go (sorry for the list of steps, this is probably simplest):

• fulcioUrl to localhost:5554
• Change 80 to 5554 on line 88
• Remove lines 48-51
• Change tok.Subject to the email from GitPod
• Change tok.RawString to the ID token from GitPod

Run go run examples/request-certificate/main.go and check a certificate is issued.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 56.02%. Comparing base (cf238ac) to head (59cf06b).
Report is 49 commits behind head on main.

❗ Current head 59cf06b differs from pull request most recent head b295a67. Consider uploading reports for the commit b295a67 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1177      +/-   ##
==========================================
- Coverage   57.93%   56.02%   -1.91%     
==========================================
  Files          50       50              
  Lines        3119     2904     -215     
==========================================
- Hits         1807     1627     -180     
+ Misses       1154     1133      -21     
+ Partials      158      144      -14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

You'll need to alphabetize the configuration

[loujaybee]

@loujaybee are you able to provide a contact email for gitpod support?

Will [email protected] suffice?

https://www.gitpod.io/support

[haydentherapper]

Thanks @ChevronTango! Since you have been using Gitpod, could you also test that this works using #1177 (comment)?

[ChevronTango]

Thanks @ChevronTango! Since you have been using Gitpod, could you also test that this works using #1177 (comment)?

Hi Hayden. Just ran the tests and it looks like Gitpod have a couple more things they need to do on their side. I suggest we hold fire for now and I'll post back here once I have a successful test.

[haydentherapper]

SG, thanks!

[ChevronTango]

whilst waiting on Gitpod to action things on their side, I did have a question about the script you meantioned in #1177 (comment)

When I ran it after following your instructions, I got:

$ go run examples/request-certificate/main.go
2023/05/23 22:49:29 rpc error: code = Internal desc = Error entering certificate in CTL
exit status 1

with the following from the docker stack:

fulcio-ct_server-1            | W0523 22:49:29.552818       1 handlers.go:198] test{4176810766482965144}: AddPreChain handler error: failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "sigstore")
fulcio-fulcio-server-1        | 2023-05-23T22:49:29.553Z        ERROR   server/error.go:45      returning with error    {"requestID": "Slfmo6ng", "code": "Internal", "clientMessage": "Error entering certificate in CTL", "error": "got HTTP status \"400 Bad Request\""}

just wanted to clarify if there was any settings in docker or go that were missing that would resolve this. Thankfully these don't look like errors relating to the JWT auth, but it would still be nice for your script to pass cleanly.

[haydentherapper]

docker-compose should spin up the transparency log too. There should be some error message from Trillian about why the certificate couldnt be entered in the log.

Otherwise, you can run the go run command with --ct-log-url="" which should prevent certs from being added to the local log.

[ChevronTango]

Nothing from Trillian. Nothing is logged after the initial startup. the only logs are the ones I posted:

fulcio-ct_server-1            | W0523 23:16:23.228738       1 handlers.go:198] test{4176810766482965144}: AddPreChain handler error: failed to verify add-chain contents: chain failed to verify: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "sigstore")
fulcio-fulcio-server-1        | 2023-05-23T23:16:23.228Z        ERROR   server/error.go:45      returning with error    {"requestID": "rcBeWTJI", "code": "Internal", "clientMessage": "Error entering certificate in CTL", "error": "got HTTP status \"400 Bad Request\""}
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/server.handleFulcioGRPCError
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/server/error.go:45
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/server.(*grpcCAServer).CreateSigningCertificate
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/server/grpc_server.go:199
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/generated/protobuf._CA_CreateSigningCertificate_Handler.func1
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/generated/protobuf/fulcio_grpc.pb.go:147
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-prometheus.(*ServerMetrics).UnaryServerInterceptor.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/server_metrics.go:108
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/cmd/app.PassFulcioConfigThruContext.func1
fulcio-fulcio-server-1        |         /opt/app-root/src/cmd/app/grpc.go:64
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware/logging/zap.UnaryServerInterceptor.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/logging/zap/server_interceptors.go:31
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1        | github.com/goadesign/goa/grpc/middleware.UnaryRequestID.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/goadesign/[email protected]+incompatible/grpc/middleware/requestid.go:34
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:48
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware/recovery.UnaryServerInterceptor.func1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/recovery/interceptors.go:33
fulcio-fulcio-server-1        | github.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func2
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/github.com/grpc-ecosystem/[email protected]/chain.go:53
fulcio-fulcio-server-1        | github.com/sigstore/fulcio/pkg/generated/protobuf._CA_CreateSigningCertificate_Handler
fulcio-fulcio-server-1        |         /opt/app-root/src/pkg/generated/protobuf/fulcio_grpc.pb.go:149
fulcio-fulcio-server-1        | google.golang.org/grpc.(*Server).processUnaryRPC
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/google.golang.org/[email protected]/server.go:1337
fulcio-fulcio-server-1        | google.golang.org/grpc.(*Server).handleStream
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/google.golang.org/[email protected]/server.go:1714
fulcio-fulcio-server-1        | google.golang.org/grpc.(*Server).serveStreams.func1.1
fulcio-fulcio-server-1        |         /opt/app-root/pkg/mod/google.golang.org/[email protected]/server.go:959
fulcio-fulcio-server-1        | 2023-05-23T23:16:23.228Z        DEBUG   log/log.go:106  finished unary call with code Internal  {"grpc.start_time": "2023-05-23T23:16:23Z", "system": "grpc", "span.kind": "server", "grpc.service": "dev.sigstore.fulcio.v2.CA", "grpc.method": "CreateSigningCertificate", "error": "rpc error: code = Internal desc = Error entering certificate in CTL", "grpc.code": "Internal", "requestID": "rcBeWTJI", "grpc.time_ms": 2.567}

[haydentherapper]

Could be that the log failed to start up, sometimes it’s a little finicky. The easiest solution is with go run if docker compose isn’t working.

[haydentherapper]

Moving to draft while there are ongoing conversations

[ChevronTango]

Gitpod have updated their docs now that they are providing tokens of the correct format: https://www.gitpod.io/docs/configure/workspaces/oidc

Not every token that you can create for Gitpod will be valid from the looks of it:

Important: email_verified is only true if you are signed in to Gitpod via an SSO provider. If you’re only signed in with an SCM authentication provider, this field will be false.

I'll update the code I submitted in sigstore/cosign#2998 originally to include logic to make sure only valid tokens are submitted automatically.

[haydentherapper]

@ChevronTango sorry I just realized this was updated to just add an email provider, missed that update! Is this something you'd still like to see supported? If so, just need to update the PR to add it to the new config file, or I can do it.