Add and expose job/trigger context as a JWT #2285
Replies: 8 comments
-
First of all thanks for writing this super detailed issue with all your thoughts and ideas. I recently read about authenticating CI jobs against external and internal (Woodpecker itself) pass systems. Linking #368 for the authentication of jobs against Woodpecker itself. As far as I can tell OpenID seems to be a pretty popular keyword in this context. The idea would be to add an OpenID identity provider to or next to the Woodpecker server and pass OpenID tokens to the pipeline jobs. Those tokens could then be checked by the third parties you are trying to access. Some related links from other CI systems: |
Beta Was this translation helpful? Give feedback.
-
I thought about using some kind of token for this at first, but then I noticed that it might not be possible for some forges to expose a token like that (at least if I understand go-gitea/gitea#20394 correctly), so then I thought that verifying webhooks seems more "universal" and readily available, and at least still could allow for some nifty things to get done. I am also not sure how one would actually use such a token to verify against Hashicorp Vault, as their OpenID Connect auth method appears to require user interaction via browser? |
Beta Was this translation helpful? Give feedback.
-
This is how it should work with Github and Vault: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault |
Beta Was this translation helpful? Give feedback.
-
The "Github Actions" flow seems to be similar to the one I suggested, but with the addition that they use "OIDC Discovery" for JWT verification instead of "Static keys". If I interpret their documentation correctly, that is. They still generate a JWT with job contextual information, which is similar to what Gitlab does and what I suggested, but from my understanding they also have implemented a discovery endpoint via the tokens If I understand you correctly, you are proposing that we should also implement OpenID Connect Discovery in addition to the JWT? In summary, the differences I'm seeing are:
|
Beta Was this translation helpful? Give feedback.
-
If it can be of any help, I have implemented this a while ago on Drone : https://github.com/sloonz/drone-env-signed and https://github.com/sloonz/drone-ssh-ca. That’s the thing that currently prevents me from migrating to Woodpecker. |
Beta Was this translation helpful? Give feedback.
-
Hi, Any news about this topic (eg. roadmap)? I think that this feature is relatively important from a security point of view because the latter brings Web Identity Federation capability which helps to secure the
As expressed in a previous post this feature is provided by a lot of CI tools.
|
Beta Was this translation helpful? Give feedback.
-
There is no eta. If a dev pick it up and it got reviewed nd merged, it's done |
Beta Was this translation helpful? Give feedback.
-
Since we’re migrating from drone to woodpecker, and this was the only blocking point, I implemented it as an environment plugin here : https://github.com/sloonz/woodpecker-signed-env |
Beta Was this translation helpful? Give feedback.
-
Clear and concise description of the problem
As a security-concerned devops engineer¹ I want to be able to provision short-lived SSH certificates² from a Trusted SSH Certificate Authority based on contextual information (who triggered the build, which project, which job) so that I can follow security best practices (e.g. Principle of least privilege, ability to revoke access etc) when configuring servers.
¹Hypothetical user, I'm just a paranoid developer/selfhoster.
²Other data may also be of interest to retrieve from the same system, e.g. user-based sudo password may be needed in cases where admins have their own accounts on the servers being configured. This appear to be a "best practice" at least regarding tracability/logging, and each admin may need to have their own SSH certificate/sudo password pair. Perhaps SSH certificates allows for some tracability even in shared account settings, but I haven't dabbled too much in this area.
Suggested solution
I should start by stating that the functionality of being a Trusted SSH Certificate Authority could/would/should be handled by an external system (i.e. out of scope for Woodpecker), and one would most likely use something like Hashicorp Vault's Signed SSH Certificates in this situation.
I don't really expect an "integration" to this particuar tool to be made for Woodpecker, but rather expose "good enough" credentials so that we at least can use their CLI tools to sign an SSH key manually inside a job. This would first require one to be able to authenticate via their API.
Requirements
/api/signature/public-key
introduced by Use asym key to sign webhooks #916?CI_JOB_JWT
contains and how their documentation suggests how to configure Vault policies.token
needed for Gitlab to send this header.secret
needed for Gitea to send this header.Alternative
Additional context
Validations
Beta Was this translation helpful? Give feedback.
All reactions