treewide: Replace ambient credential detection with id (#535)

tetsuo-cpp · di · web-flow · commit b3fee1fd86b3 · 2023-03-09T10:06:08.000-05:00
* treewide: Replace ambient credential detection with `id`

Signed-off-by: Alex Cameron &lt;asc@tetsuo.sh&gt;

* CHANGELOG: Update changelog

Signed-off-by: Alex Cameron &lt;asc@tetsuo.sh&gt;

* README: Amend docs to reflect that we are using `id` for ambient credentials

Signed-off-by: Alex Cameron &lt;asc@tetsuo.sh&gt;

* README: Wording

Signed-off-by: Alex Cameron &lt;asc@tetsuo.sh&gt;

---------

Signed-off-by: Alex Cameron &lt;asc@tetsuo.sh&gt;
Co-authored-by: Dustin Ingram &lt;di@users.noreply.github.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,11 @@ All versions prior to 0.9.0 are untracked.
 
 ## [1.1.1]
 
+### Changed
+
+* Replaced ambient credential detection logic with the `id` package
+  ([#535](https://github.com/sigstore/sigstore-python/pull/535))
+
 ### Fixed
 
 * Fixed a bug in TUF target handling revealed by changes to the production
diff --git a/README.md b/README.md
@@ -338,15 +338,8 @@ provided below.
 ### Signing with ambient credentials
 
 For environments that support OpenID Connect, natively `sigstore` supports ambient credential
-detection. This includes many popular CI platforms and cloud providers.
-
-| Service                     | Status    | Notes                                                                                                                                                                                                                                                                                                                  |
-|-----------------------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| GitHub Actions              | Supported | Requires the `id-token` permission; see [the docs](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) and [this example](https://github.com/sigstore/sigstore-python/blob/main/.github/workflows/release.yml)                             |
-| Google Compute Engine (GCE) | Supported | Automatic                                                                                                                                                                                                                                                                                                              |
-| Google Cloud Build (GCB)    | Supported | Requires setting `GOOGLE_SERVICE_ACCOUNT_NAME` to an appropriately configured service account name; see [the docs](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-direct) and [this example](https://github.com/sigstore/sigstore-python/blob/main/cloudbuild.yaml) |
-| GitLab CI                   | Planned   | See [#31](https://github.com/sigstore/sigstore-python/issues/31)                                                                                                                                                                                                                                                       |
-| CircleCI                    | Planned   | See [#31](https://github.com/sigstore/sigstore-python/issues/31)                                                                                                                                                                                                                                                       |
+detection. This includes many popular CI platforms and cloud providers. See the full list of
+supported environments [here](https://github.com/di/id#supported-environments).
 
 Sign a single file (`foo.txt`) using an ambient OpenID Connect credential,
 saving the signature and certificate to `foo.txt.sig` and `foo.txt.crt`:
diff --git a/pyproject.toml b/pyproject.toml
@@ -28,6 +28,7 @@ classifiers = [
 dependencies = [
   "appdirs ~= 1.4",
   "cryptography >= 39",
+  "id >= 1.0.0",
   "importlib_resources ~= 5.7; python_version < '3.11'",
   "pydantic ~= 1.10",
   "pyjwt >= 2.1",
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -24,12 +24,14 @@
 from typing import Optional, TextIO, Union, cast
 
 from cryptography.x509 import load_pem_x509_certificates
+from id import GitHubOidcPermissionCredentialError, detect_credential
 from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
 
 from sigstore import __version__
 from sigstore._internal.ctfe import CTKeyring
 from sigstore._internal.fulcio.client import DEFAULT_FULCIO_URL, FulcioClient
 from sigstore._internal.keyring import Keyring
+from sigstore._internal.oidc import DEFAULT_AUDIENCE
 from sigstore._internal.rekor.client import (
     DEFAULT_REKOR_URL,
     RekorClient,
@@ -40,9 +42,7 @@
 from sigstore.oidc import (
     DEFAULT_OAUTH_ISSUER_URL,
     STAGING_OAUTH_ISSUER_URL,
-    GitHubOidcPermissionCredentialError,
     Issuer,
-    detect_credential,
 )
 from sigstore.sign import Signer
 from sigstore.transparency import LogEntry
@@ -1012,7 +1012,7 @@ def _get_identity_token(args: argparse.Namespace) -> Optional[str]:
     token = None
     if not args.oidc_disable_ambient_providers:
         try:
-            token = detect_credential()
+            token = detect_credential(DEFAULT_AUDIENCE)
         except GitHubOidcPermissionCredentialError as exception:
             # Provide some common reasons for why we hit permission errors in
             # GitHub Actions.
diff --git a/sigstore/_internal/oidc/__init__.py b/sigstore/_internal/oidc/__init__.py
@@ -17,8 +17,7 @@
 """
 
 import jwt
-
-from sigstore.oidc import IdentityError
+from id import IdentityError
 
 # See: https://github.com/sigstore/fulcio/blob/b2186c0/pkg/config/config.go#L182-L201
 _KNOWN_OIDC_ISSUERS = {
diff --git a/sigstore/_internal/oidc/ambient.py b/sigstore/_internal/oidc/ambient.py
diff --git a/sigstore/_internal/oidc/oauth.py b/sigstore/_internal/oidc/oauth.py
@@ -28,8 +28,10 @@
 import uuid
 from typing import Any, Dict, List, Optional, cast
 
+from id import IdentityError
+
 from sigstore._utils import B64Str
-from sigstore.oidc import IdentityError, Issuer
+from sigstore.oidc import Issuer
 
 logger = logging.getLogger(__name__)
 
diff --git a/sigstore/oidc.py b/sigstore/oidc.py
@@ -23,9 +23,9 @@
 import time
 import urllib.parse
 import webbrowser
-from typing import Callable, List, Optional
 
 import requests
+from id import IdentityError
 from pydantic import BaseModel, StrictStr
 
 DEFAULT_OAUTH_ISSUER_URL = "https://oauth2.sigstore.dev/auth"
@@ -169,47 +169,3 @@ def identity_token(  # nosec: B107
             raise IdentityError(f"Error response from token endpoint: {token_error}")
 
         return str(token_json["access_token"])
-
-
-class IdentityError(Exception):
-    """
-    Raised on any OIDC token format or claim error.
-    """
-
-    pass
-
-
-class AmbientCredentialError(IdentityError):
-    """
-    Raised when an ambient credential should be present, but
-    can't be retrieved (e.g. network failure).
-    """
-
-    pass
-
-
-class GitHubOidcPermissionCredentialError(AmbientCredentialError):
-    """
-    Raised when the current GitHub Actions environment doesn't have permission
-    to retrieve an OIDC token.
-    """
-
-    pass
-
-
-def detect_credential() -> Optional[str]:
-    """
-    Try each ambient credential detector, returning the first one to succeed
-    or `None` if all fail.
-
-    Raises `AmbientCredentialError` if any detector fails internally (i.e.
-    detects a credential, but cannot retrieve it).
-    """
-    from sigstore._internal.oidc.ambient import detect_gcp, detect_github
-
-    detectors: List[Callable[..., Optional[str]]] = [detect_github, detect_gcp]
-    for detector in detectors:
-        credential = detector()
-        if credential is not None:
-            return credential
-    return None
diff --git a/test/unit/conftest.py b/test/unit/conftest.py
@@ -20,16 +20,17 @@
 from typing import Iterator
 
 import pytest
+from id import (
+    AmbientCredentialError,
+    GitHubOidcPermissionCredentialError,
+    detect_credential,
+)
 from sigstore_protobuf_specs.dev.sigstore.bundle.v1 import Bundle
 from tuf.api.exceptions import DownloadHTTPError
 from tuf.ngclient import FetcherInterface
 
 from sigstore._internal import tuf
-from sigstore.oidc import (
-    AmbientCredentialError,
-    GitHubOidcPermissionCredentialError,
-    detect_credential,
-)
+from sigstore._internal.oidc import DEFAULT_AUDIENCE
 from sigstore.verify import VerificationMaterials
 from sigstore.verify.policy import VerificationSuccess
 
@@ -42,7 +43,7 @@
 
 def _is_ambient_env():
     try:
-        token = detect_credential()
+        token = detect_credential(DEFAULT_AUDIENCE)
         if token is None:
             return False
     except GitHubOidcPermissionCredentialError:
diff --git a/test/unit/internal/oidc/test_ambient.py b/test/unit/internal/oidc/test_ambient.py
diff --git a/test/unit/internal/oidc/test_issuer.py b/test/unit/internal/oidc/test_issuer.py
diff --git a/test/unit/test_sign.py b/test/unit/test_sign.py
