Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prefer GitHub OIDC provider if enabled #3044

Merged
merged 1 commit into from
Jun 11, 2023
Merged

fix: prefer GitHub OIDC provider if enabled #3044

merged 1 commit into from
Jun 11, 2023

Conversation

imjasonh
Copy link
Member

@imjasonh imjasonh commented Jun 9, 2023
edited
Loading

We've had reports of unusual behavior in cosign and other tools that use this idiom, when it's used in a GitHub self-hosted runner with id-token: write and when the environment it's hosted in also provides ambient OIDC credentials (e.g., GKE).

The issue is that both GitHub's ID token is available, and the GKE environment's credentials are as well. The way this code worked before, and due to Go's map iteration randomization, this code would randomly choose between GitHub and Google credentials, producing ...confusing behavior.

This PR addresses this issue by iterating through providers in the order they were underscore-imported, rather than randomly as the map is iterated. This also changes pkg/providers/all* to explicitly order the imports so that github comes first, so those credentials are consistently used before any others.

*This is gross. pkg/providers/all is gross. It's a dependency bomb, and it should not exist. I'd like to refactor this in a future set of changes to deprecate all, and encourage consumers to explicitly import only the providers they want, then do something like sigstore/sigstore#1115 where these providers are split into separate Go modules, so consumers of cosign as a library don't have to import all these heavy dependencies. That's a battle for another day though.

Demo that explicit import order changes the order of init execution: https://go.dev/play/p/TFqq6BRmLDz

@haydentherapper

@imjasonh
fix: prefer GitHub OIDC provider if enabled
4e3938b 
Signed-off-by: Jason Hall <jason@chainguard.dev>
@codecov
Copy link

codecov bot commented Jun 9, 2023

Codecov Report

Merging #3044 (4e3938b) into main (d0cc985) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #3044   +/-   ##
=======================================
  Coverage   31.08%   31.08%           
=======================================
  Files         155      155           
  Lines        9739     9739           
=======================================
  Hits         3027     3027           
  Misses       6250     6250           
  Partials      462      462

haydentherapper
haydentherapper approved these changes Jun 9, 2023
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice fix!

In the meantime, we can also encourage using --oidc-provider if there are cases where someone wants to prefer a later-imported provider.

hectorj2f
hectorj2f approved these changes Jun 10, 2023
View reviewed changes
Copy link
Contributor

@hectorj2f hectorj2f left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cpanato cpanato merged commit 4293942 into sigstore:main Jun 11, 2023
@github-actions github-actions bot added this to the v1.14.0 milestone Jun 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

@cpanato cpanato cpanato approved these changes

@hectorj2f hectorj2f hectorj2f approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.14.0
Development

Successfully merging this pull request may close these issues.
4 participants
@imjasonh @hectorj2f @cpanato @haydentherapper