Push signing config through all our clients

sigstore-gradle now delegates to oidc config is sigstore-java
for the default case.

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

@@ -111,7 +111,8 @@ public Integer call() throws Exception {
     if (identityToken != null) {
       // If we've explicitly provided an identity token, customize the signer to only use the token
       // string OIDC client.
-      signerBuilder.oidcClients(OidcClients.of(TokenStringOidcClient.from(identityToken)));
+      signerBuilder.forceCredentialProviders(
+          OidcClients.of(TokenStringOidcClient.from(identityToken)));
     }
     var signer = signerBuilder.build();
     var bundle = signer.signFile(artifact);

sigstore-gradle/README.md

@@ -53,15 +53,17 @@ dependencies {
 
 sigstoreSign {
     oidcClient {
+        // oidcClient configuration should very rarely be configured, it should be
+        // inferred from a sigstore deployment's config obtained from a TUF repository
+        // with a default set of ambient credential providers
         gitHub {
             audience.set("sigstore")
         }
         web {
             clientId.set("sigstore")
             issuer.set("https://oauth2.sigstore.dev/auth")
         }
-        // By default, gitHub client is used if ACTIONS_ID_TOKEN_REQUEST_URL environment variable exists
-        // This setting would enforce web OIDC client
+        // override the client config to a specific provider
         client.set(web)
         // or
         client(web)

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/OidcClientExtension.kt

@@ -50,12 +50,8 @@ abstract class OidcClientExtension @Inject constructor(
         if (actionsOidcAvailable) {
             clients.register<GitHubActionsOidc>(GITHUB_ACTIONS_CLIENT_NAME)
         }
-
-        client.convention(
-            clients.named(
-                if (actionsOidcAvailable) GITHUB_ACTIONS_CLIENT_NAME else WEB_CLIENT_NAME
-            )
-        )
+        // do not assign a default convention for client, that is delegated to KeylessSigner in
+        // the default case.
     }
 
     private inline fun <reified T : OidcClientConfiguration> setup(

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/WebOidc.kt

@@ -17,9 +17,13 @@
 package dev.sigstore.sign
 
 import dev.sigstore.oidc.client.WebOidcClient
+import dev.sigstore.trustroot.ImmutableService
+import dev.sigstore.trustroot.ImmutableValidFor
 import org.gradle.api.provider.Property
 import org.gradle.util.GradleVersion
 import java.io.Serializable
+import java.net.URI
+import java.time.Instant
 import javax.inject.Inject
 
 abstract class WebOidc @Inject constructor() : OidcClientConfiguration, Serializable {
@@ -30,7 +34,7 @@ abstract class WebOidc @Inject constructor() : OidcClientConfiguration, Serializ
     init {
         try {
             clientId.convention("sigstore")
-            issuer.convention(WebOidcClient.PUBLIC_DEX_ISSUER)
+            issuer.convention("https://oauth2.sigstore.dev/auth")
         } catch (e: NullPointerException) {
             // NPE here means Gradle tries to isolate WebOidc for passing it to WorkerAction parameters
             // Gradle 7.5.1 does not have such an issue, so rethrow unexpected NPEs
@@ -43,7 +47,13 @@ abstract class WebOidc @Inject constructor() : OidcClientConfiguration, Serializ
     override fun build(): Any =
         WebOidcClient.builder()
             .setClientId(clientId.get())
-            .setIssuer(issuer.get())
+            .setIssuer(
+                ImmutableService.builder().apiVersion(1).url(URI.create(issuer.get())).validFor(
+                    ImmutableValidFor.builder().start(
+                        Instant.now()
+                    ).build()
+                ).build()
+            )
             .build()
 
     override fun key(): Any = Pair(clientId.get(), issuer.get())

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/work/SignWorkAction.kt

@@ -17,12 +17,12 @@
 package dev.sigstore.sign.work
 
 import dev.sigstore.KeylessSigner
-import dev.sigstore.bundle.Bundle
 import dev.sigstore.oidc.client.OidcClient
 import dev.sigstore.oidc.client.OidcClients
 import dev.sigstore.sign.OidcClientConfiguration
 import org.gradle.api.file.RegularFileProperty
 import org.gradle.api.provider.Property
+import org.gradle.internal.impldep.org.hamcrest.core.AnyOf
 import org.gradle.workers.WorkAction
 import org.gradle.workers.WorkParameters
 import org.slf4j.LoggerFactory
@@ -39,6 +39,9 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
         private val logger = LoggerFactory.getLogger(SignWorkAction::class.java)
 
         private val clients = ConcurrentHashMap<Any, KeylessSigner>()
+
+        // the default key that delegates to KeylessSigners set of default OIDC providers
+        const val DEFAULT_KEY = "_default"
     }
 
     abstract val parameters: SignWorkParameters
@@ -47,11 +50,13 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
         val inputFile = parameters.inputFile.get().asFile
         logger.info("Signing in Sigstore: {}", inputFile)
 
-        val oidcClient = parameters.oidcClient.get()
-        val signer = clients.computeIfAbsent(oidcClient.key()) {
+        val signerKey = if (parameters.oidcClient.isPresent) parameters.oidcClient.get().key() else DEFAULT_KEY
+        val signer = clients.computeIfAbsent(signerKey) {
             KeylessSigner.builder().apply {
                 sigstorePublicDefaults()
-                oidcClients(OidcClients.of(oidcClient.build() as OidcClient))
+                if (signerKey != DEFAULT_KEY) {
+                    forceCredentialProviders(OidcClients.of(parameters.oidcClient.get().build() as OidcClient))
+                }
             }.build()
         }
 

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/OidcDslTest.kt

@@ -27,6 +27,8 @@ class OidcDslTest: BaseGradleTest() {
     fun `configure GitHub OIDC client explicitly`(gradle: TestedGradle) {
         writeBuildGradle(
             """
+            import dev.sigstore.sign.GitHubActionsOidc
+
             plugins {
                 id("java")
                 id("dev.sigstore.sign-base")
@@ -35,19 +37,48 @@ class OidcDslTest: BaseGradleTest() {
             sigstoreSign {
                 oidcClient {
                     gitHub()
+                    client.set(gitHub)
                 }
             }
-            tasks.create('printConfig') {
+            tasks.create('checkConfig') {
                 def oidcClient = project.sigstoreSign.oidcClient.client
                 doLast {
+                    if (!oidcClient.isPresent()) {
+                        throw GradleException("oidc client was unexpectadly not present")
+                    }
                     println("s: ${'$'}{oidcClient.get()}")
                 }
             }
             """.trimIndent()
         )
         enableConfigurationCache(gradle)
         enableProjectIsolation(gradle)
-        prepare(gradle.version, "printConfig", "-s")
+        prepare(gradle.version, "checkConfig", "-s")
+            .build()
+    }
+    @ParameterizedTest
+    @MethodSource("gradleVersionAndSettings")
+    fun `unconfigured GitHub OIDC client is empty`(gradle: TestedGradle) {
+        writeBuildGradle(
+            """
+            plugins {
+                id("java")
+                id("dev.sigstore.sign-base")
+            }
+            group = "dev.sigstore.test"
+            tasks.create('checkConfig') {
+                def oidcClient = project.sigstoreSign.oidcClient.client
+                doLast {
+                    if (oidcClient.isPresent()) {
+                        throw GradleException("gradle specific oidc client configured, when it should be delegating to lib:sigstore-java")
+                    }
+                }
+            }
+            """.trimIndent()
+        )
+        enableConfigurationCache(gradle)
+        enableProjectIsolation(gradle)
+        prepare(gradle.version, "checkConfig", "-s")
             .build()
     }
 }

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/PluginSmokeTest.kt

@@ -61,11 +61,9 @@ class PluginSmokeTest : BaseGradleTest() {
                 oidcClient {
                     // Note: the code is red in IDEA because it does not understand
                     // there's sam-with-receiver plugin for Action<.>
-                    gitHub {
-                        audience.set("sigstore-test")
-                    }
+                    gitHub {}
                     web {
-                        clientId.set("sigstore-test")
+                        issuer.set("https://sigstore-test.example.com")
                     }
                 }
             }

sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java

@@ -54,10 +54,11 @@
 import dev.sigstore.timestamp.client.TimestampResponse;
 import dev.sigstore.timestamp.client.TimestampVerificationException;
 import dev.sigstore.timestamp.client.TimestampVerifier;
+import dev.sigstore.trustroot.LegacySigningConfig;
+import dev.sigstore.trustroot.Service;
 import dev.sigstore.trustroot.SigstoreConfigurationException;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
-import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.security.InvalidAlgorithmParameterException;
@@ -160,40 +161,39 @@ public static Builder builder() {
 
   public static class Builder {
     private TrustedRootProvider trustedRootProvider;
+    private SigningConfigProvider signingConfigProvider;
     private OidcClients oidcClients;
     private List<OidcTokenMatcher> oidcIdentities = Collections.emptyList();
     private Signer signer;
     private Duration minSigningCertificateLifetime = DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;
-    private URI fulcioUri;
-    private URI rekorUri;
-    private URI timestampUri;
 
     @CanIgnoreReturnValue
-    public Builder fulcioUrl(URI uri) {
-      this.fulcioUri = uri;
-      return this;
-    }
-
-    @CanIgnoreReturnValue
-    public Builder rekorUrl(URI uri) {
-      this.rekorUri = uri;
+    public Builder trustedRootProvider(TrustedRootProvider trustedRootProvider) {
+      this.trustedRootProvider = trustedRootProvider;
       return this;
     }
 
     @CanIgnoreReturnValue
-    public Builder timestampUrl(URI uri) {
-      this.timestampUri = uri;
+    public Builder signingConfigProvider(SigningConfigProvider signingConfigProvider) {
+      this.signingConfigProvider = signingConfigProvider;
       return this;
     }
 
-    @CanIgnoreReturnValue
-    public Builder trustedRootProvider(TrustedRootProvider trustedRootProvider) {
-      this.trustedRootProvider = trustedRootProvider;
-      return this;
+    /**
+     * Deprecated, use {@link #forceCredentialProviders}. sigstore-gradle requires a one version
+     * deprecation window, so keep this in here until we've done another release.
+     */
+    @Deprecated(forRemoval = true)
+    public Builder oidcClients(OidcClients oidcClients) {
+      return forceCredentialProviders(oidcClients);
     }
 
+    /**
+     * Override the default set of credential providers (ambient + signingConfig). It should be very
+     * unusual for anyone to override this outside of testing scenarios.
+     */
     @CanIgnoreReturnValue
-    public Builder oidcClients(OidcClients oidcClients) {
+    public Builder forceCredentialProviders(OidcClients oidcClients) {
       this.oidcClients = oidcClients;
       return this;
     }
@@ -244,22 +244,51 @@ public KeylessSigner build()
             SigstoreConfigurationException {
       Preconditions.checkNotNull(trustedRootProvider);
       var trustedRoot = trustedRootProvider.get();
-      Preconditions.checkNotNull(fulcioUri);
-      Preconditions.checkNotNull(rekorUri);
-      Preconditions.checkNotNull(oidcClients);
+      Preconditions.checkNotNull(signingConfigProvider);
+      var signingConfig = signingConfigProvider.get();
       Preconditions.checkNotNull(oidcIdentities);
       Preconditions.checkNotNull(signer);
       Preconditions.checkNotNull(minSigningCertificateLifetime);
-      var fulcioClient = FulcioClientGrpc.builder().setUri(fulcioUri).build();
+      var fulcioService = Service.select(signingConfig.getCas(), List.of(1));
+      if (fulcioService.isEmpty()) {
+        throw new SigstoreConfigurationException(
+            "No suitable fulcio target was found in signing config");
+      }
+      var fulcioClient = FulcioClientGrpc.builder().setService(fulcioService.get()).build();
       var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);
-      var rekorClient = RekorClientHttp.builder().setUri(rekorUri).build();
+
+      var rekorService = Service.select(signingConfig.getTLogs(), List.of(1));
+      if (rekorService.isEmpty()) {
+        throw new SigstoreConfigurationException(
+            "No suitable rekor target was found in signing config");
+      }
+      var rekorClient = RekorClientHttp.builder().setService(rekorService.get()).build();
       var rekorVerifier = RekorVerifier.newRekorVerifier(trustedRoot);
+
       TimestampClient timestampClient = null;
       TimestampVerifier timestampVerifier = null;
-      if (timestampUri != null) { // Building with staging defaults
-        timestampClient = TimestampClientHttp.builder().setUri(timestampUri).build();
+      var timestampService = Service.select(signingConfig.getTsas(), List.of(1));
+      if (timestampService.isEmpty()) {
+        if (rekorService.get().getApiVersion() != 1) {
+          // only throw exception for rekor v2+ which will require time
+          throw new SigstoreConfigurationException(
+              "No suitable tsa target was found in signing config");
+        }
+      } else {
+        timestampClient = TimestampClientHttp.builder().setService(timestampService.get()).build();
         timestampVerifier = TimestampVerifier.newTimestampVerifier(trustedRoot);
       }
+
+      // if the client hasn't overridden the oidc provider, determine it from the service config
+      if (oidcClients == null) {
+        var oidcService = Service.select(signingConfig.getOidcProviders(), List.of(1));
+        if (oidcService.isEmpty()) {
+          throw new SigstoreConfigurationException(
+              "No suitable oidc target was found in signing config");
+        }
+        oidcClients = OidcClients.from(oidcService.get());
+      }
+
       return new KeylessSigner(
           fulcioClient,
           fulcioVerifier,
@@ -281,9 +310,10 @@ public KeylessSigner build()
     public Builder sigstorePublicDefaults() {
       var sigstoreTufClientBuilder = SigstoreTufClient.builder().usePublicGoodInstance();
       trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
-      fulcioUri = FulcioClient.PUBLIC_GOOD_URI;
-      rekorUri = RekorClient.PUBLIC_GOOD_URI;
-      oidcClients(OidcClients.PUBLIC_GOOD);
+      // TODO: signing config is not pushed to prod yet
+      signingConfigProvider =
+          SigningConfigProvider.fromOrDefault(
+              sigstoreTufClientBuilder, LegacySigningConfig.PUBLIC_GOOD);
       signer(Signers.newEcdsaSigner());
       minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
       return this;
@@ -297,10 +327,7 @@ public Builder sigstorePublicDefaults() {
     public Builder sigstoreStagingDefaults() {
       var sigstoreTufClientBuilder = SigstoreTufClient.builder().useStagingInstance();
       trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
-      fulcioUri = FulcioClient.STAGING_URI;
-      rekorUri = RekorClient.STAGING_URI;
-      timestampUri = TimestampClient.STAGING_URI;
-      oidcClients(OidcClients.STAGING);
+      signingConfigProvider = SigningConfigProvider.from(sigstoreTufClientBuilder);
       signer(Signers.newEcdsaSigner());
       minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
       return this;

sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java

@@ -89,11 +89,11 @@ public static class Builder {
     private TrustedRootProvider trustedRootProvider;
 
     public KeylessVerifier build()
-        throws SigstoreConfigurationException,
-            InvalidAlgorithmParameterException,
+        throws InvalidAlgorithmParameterException,
             CertificateException,
             InvalidKeySpecException,
-            NoSuchAlgorithmException {
+            NoSuchAlgorithmException,
+            SigstoreConfigurationException {
       Preconditions.checkNotNull(trustedRootProvider);
       var trustedRoot = trustedRootProvider.get();
       var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);