Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: enforce host checking before exchanging a refresh token #2069

Merged
merged 5 commits into from
Jan 27, 2025
Merged

fix: enforce host checking before exchanging a refresh token #2069

merged 5 commits into from
Jan 27, 2025

Conversation

binbin-li
Copy link
Collaborator

@binbin-li binbin-li commented Jan 26, 2025
edited
Loading

Description

What this PR does / why we need it:

  1. For Azure Workload Identity and managed identity setup, customers would need to add host scopes to restrict the access token exchange. If it's not set, the default ACR host will be set: *.azurecr.io
  2. In Azure auth providers, we add the enforcement to check the host for each artifact request. If it's not in scope, Ratify will stop exchanging for a refresh token.
  3. Added azureContainerRegistryEndpoints to helm chart.
  4. Adding unit tests.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

@codecov Codecov
Copy link

codecov bot commented Jan 26, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 69.04762% with 13 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...n/oras/authprovider/azure/azureworkloadidentity.go 12.50% 5 Missing and 2 partials ⚠️
...kg/common/oras/authprovider/azure/azureidentity.go 0.00% 5 Missing and 1 partial ⚠️
Files with missing lines Coverage Δ
pkg/common/oras/authprovider/azure/helper.go 92.50% <100.00%> (+17.50%) ⬆️
...kg/common/oras/authprovider/azure/azureidentity.go 57.65% <0.00%> (-2.72%) ⬇️
...n/oras/authprovider/azure/azureworkloadidentity.go 68.10% <12.50%> (-4.12%) ⬇️

shizhMSFT
shizhMSFT requested changes Jan 26, 2025
View reviewed changes
Copy link
Collaborator

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

scope using regex is problematic because ^.*.azurecr.io$matches maliciou.anotherazurecr.io since . does not just mean . as it means any character.

I'd suggest using wildcard DNS records.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 26, 2025
View reviewed changes
pkg/common/oras/authprovider/azure/azureworkloadidentity.go Outdated

var predicates []*regexp.Regexp
if len(hostScope) == 0 {
re, err := regexp.Compile("^" + defaultHostScope + "$")

Check failure

Code scanning / CodeQL

Incomplete regular expression for hostnames

This regular expression has an unescaped dot before 'azurecr.io', so it might match more hosts than expected when [the regular expression is used](1).
@binbin-li binbin-li force-pushed the fix-azure-auth branch 2 times, most recently from 623838f to 965a1cf Compare January 26, 2025 13:13
@binbin-li
fix: address comments
429f09b 
Signed-off-by: Binbin Li <[email protected]>
shizhMSFT
shizhMSFT approved these changes Jan 26, 2025
View reviewed changes
Copy link
Collaborator

@shizhMSFT shizhMSFT left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with suggestions

pkg/common/oras/authprovider/azure/azureworkloadidentity.go Outdated Show resolved Hide resolved
shizhMSFT
shizhMSFT approved these changes Jan 27, 2025
View reviewed changes
Copy link
Collaborator

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@binbin-li
chore: address comments
632e9cb 
Signed-off-by: Binbin Li <[email protected]>
akashsinghal
akashsinghal approved these changes Jan 27, 2025
View reviewed changes
Copy link
Collaborator

@akashsinghal akashsinghal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix

@binbin-li binbin-li mentioned this pull request Jan 27, 2025
Open
1 task
@binbin-li binbin-li merged commit b6ad5d8 into ratify-project:dev Jan 27, 2025
19 of 20 checks passed
binbin-li added a commit that referenced this pull request Jan 27, 2025
@binbin-li
fix: enforce host checking before exchanging a refresh token (#2069)
ae4a245 
Signed-off-by: Binbin Li <[email protected]>
binbin-li added a commit that referenced this pull request Jan 27, 2025
@binbin-li
fix: enforce host checking before exchanging a refresh token (#2069) (#…
6d62a55 
…2071)

Signed-off-by: Binbin Li <[email protected]>
binbin-li added a commit that referenced this pull request Jan 27, 2025
@binbin-li
fix: enforce host checking before exchanging a refresh token (#2069)
92a760f 
Signed-off-by: Binbin Li <[email protected]>
binbin-li added a commit that referenced this pull request Jan 27, 2025
@binbin-li
fix: enforce host checking before exchanging a refresh token (#2069)
5111a60 
Signed-off-by: Binbin Li <[email protected]>
akashsinghal pushed a commit that referenced this pull request Jan 27, 2025
@binbin-li
fix: enforce host checking before exchanging a refresh token (#2069) (#…
84c7c48 
…2081)

Signed-off-by: Binbin Li <[email protected]>
akashsinghal added a commit that referenced this pull request Jan 27, 2025
@binbin-li @akashsinghal
@shahramk64 @dependabot
fix: enforce host checking before exchanging a refresh token (#2069) (#…
0ec0c08 
…2072)

Signed-off-by: Binbin Li <[email protected]>
Signed-off-by: Akash Singhal <[email protected]>
Signed-off-by: Shahram Kalantari <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Akash Singhal <[email protected]>
Co-authored-by: Shahram Kalantari <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akashsinghal akashsinghal akashsinghal approved these changes

@shizhMSFT shizhMSFT shizhMSFT approved these changes

@jimmyraywv jimmyraywv Awaiting requested review from jimmyraywv jimmyraywv is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@susanshi susanshi Awaiting requested review from susanshi susanshi is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@binbin-li @akashsinghal @shizhMSFT