Start to stand up eventing plumbing for Octo STS. (#69)

Signed-off-by: Matt Moore <[email protected]>
octo-sts · Feb 2, 2024 · 7bd54cb · 7bd54cb
1 parent d3ec2fe
commit 7bd54cb
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 8 deletions.
diff --git a/cmd/app/main.go b/cmd/app/main.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 
 	"chainguard.dev/go-grpc-kit/pkg/duplex"
 	pboidc "chainguard.dev/sdk/proto/platform/oidc/v1"
@@ -15,15 +16,20 @@ import (
 	"github.com/chainguard-dev/clog"
 	"github.com/chainguard-dev/octo-sts/pkg/gcpkms"
 	"github.com/chainguard-dev/octo-sts/pkg/octosts"
+	cloudevents "github.com/cloudevents/sdk-go/v2"
+	cehttp "github.com/cloudevents/sdk-go/v2/protocol/http"
 	"github.com/kelseyhightower/envconfig"
+	"google.golang.org/api/idtoken"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
+	"knative.dev/pkg/logging"
 )
 
 type envConfig struct {
-	Port   int    `envconfig:"PORT" required:"true"`
-	KMSKey string `envconfig:"KMS_KEY" required:"true"`
-	AppID  int64  `envconfig:"GITHUB_APP_ID" required:"true"`
+	Port            int    `envconfig:"PORT" required:"true"`
+	KMSKey          string `envconfig:"KMS_KEY" required:"true"`
+	AppID           int64  `envconfig:"GITHUB_APP_ID" required:"true"`
+	EventingIngress string `envconfig:"EVENT_INGRESS_URI" required:"true"`
 }
 
 func main() {
@@ -59,7 +65,12 @@ func main() {
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 	)
 
-	pboidc.RegisterSecurityTokenServiceServer(d.Server, octosts.NewSecurityTokenServiceServer(atr))
+	ceclient, err := cloudevents.NewClientHTTP(WithTarget(ctx, env.EventingIngress)...)
+	if err != nil {
+		log.Panicf("failed to create cloudevents client: %v", err)
+	}
+
+	pboidc.RegisterSecurityTokenServiceServer(d.Server, octosts.NewSecurityTokenServiceServer(atr, ceclient))
 	if err := d.RegisterHandler(ctx, pboidc.RegisterSecurityTokenServiceHandlerFromEndpoint); err != nil {
 		log.Panicf("failed to register gateway endpoint: %v", err)
 	}
@@ -71,3 +82,20 @@ func main() {
 	// This will block until a signal arrives.
 	<-ctx.Done()
 }
+
+// WithTarget wraps cloudevents.WithTarget to authenticate requests with an
+// identity token when the target is an HTTPS URL.
+func WithTarget(ctx context.Context, url string) []cehttp.Option {
+	opts := make([]cehttp.Option, 0, 2)
+
+	if strings.HasPrefix(url, "https://") {
+		idc, err := idtoken.NewClient(ctx, url)
+		if err != nil {
+			logging.FromContext(ctx).Panicf("failed to create idtoken client: %v", err)
+		}
+		opts = append(opts, cloudevents.WithRoundTripper(idc.Transport))
+	}
+
+	opts = append(opts, cehttp.WithTarget(url))
+	return opts
+}
diff --git a/go.mod b/go.mod
@@ -8,13 +8,15 @@ require (
 	cloud.google.com/go/kms v1.15.6
 	github.com/bradleyfalzon/ghinstallation/v2 v2.9.1-0.20240116154122-7838128b61c6
 	github.com/chainguard-dev/clog v1.3.0
+	github.com/cloudevents/sdk-go/v2 v2.14.0
 	github.com/coreos/go-oidc/v3 v3.9.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/go-github/v58 v58.0.0
 	github.com/hashicorp/golang-lru v1.0.2
 	github.com/kelseyhightower/envconfig v1.4.0
 	google.golang.org/api v0.161.0
 	google.golang.org/grpc v1.61.0
+	knative.dev/pkg v0.0.0-20231101193506-b09d4f2a2845
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -36,6 +38,7 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
+	github.com/google/uuid v1.5.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
@@ -79,7 +82,6 @@ require (
 	k8s.io/apimachinery v0.28.4 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/utils v0.0.0-20230505201702-9f6742963106 // indirect
-	knative.dev/pkg v0.0.0-20231101193506-b09d4f2a2845 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -30,6 +30,8 @@ github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/chainguard-dev/clog v1.3.0 h1:L/ey0VNH958YpzQa5OO2e2q+iOENxtLAhqkmgzh03e0=
 github.com/chainguard-dev/clog v1.3.0/go.mod h1:cV516KZWqYc/phZsCNwF36u/KMGS+Gj5Uqeb8Hlp95Y=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudevents/sdk-go/v2 v2.14.0 h1:Nrob4FwVgi5L4tV9lhjzZcjYqFVyJzsA56CwPaPfv6s=
+github.com/cloudevents/sdk-go/v2 v2.14.0/go.mod h1:xDmKfzNjM8gBvjaF8ijFjM1VYOVUEeUfapHMUX1T5To=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101 h1:7To3pQ+pZo0i3dsWEbinPNFs5gPSBOsJtx3wTT94VBY=
 github.com/cncf/xds/go v0.0.0-20231109132714-523115ebc101/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
@@ -102,6 +104,8 @@ github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
 github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
 github.com/googleapis/gax-go/v2 v2.12.0 h1:A+gCJKdRfqXkr+BIRGtZLibNXf0m1f9E4HG56etFpas=
@@ -173,6 +177,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

diff --git a/iac/broker.tf b/iac/broker.tf
@@ -0,0 +1,9 @@
+// Create the Broker abstraction.
+module "cloudevent-broker" {
+  source  = "chainguard-dev/common/infra//modules/cloudevent-broker"
+  version = "0.4.3"
+
+  name       = "octo-sts"
+  project_id = var.project_id
+  regions    = module.networking.regional-networks
+}
diff --git a/iac/main.tf b/iac/main.tf
@@ -80,6 +80,19 @@ resource "google_service_account" "octo-sts" {
   description  = "Dedicated service account for the Octo STS service."
 }
 
+// Authorize the "octo-sts" service account to publish events.
+module "sts-emits-events" {
+  for_each = module.networking.regional-networks
+
+  source = "chainguard-dev/common/infra//modules/authorize-private-service"
+
+  project_id = var.project_id
+  region     = each.key
+  name       = module.cloudevent-broker.ingress.name
+
+  service-account = google_service_account.octo-sts.email
+}
+
 module "sts-service" {
   source  = "chainguard-dev/common/infra//modules/regional-go-service"
   version = "0.4.3"
@@ -111,6 +124,10 @@ module "sts-service" {
           value = local.kms_key
         }
       ]
+      regional-env = [{
+        name  = "EVENT_INGRESS_URI"
+        value = { for k, v in module.sts-emits-events : k => v.uri }
+      }]
     }
   }
 }

diff --git a/pkg/octosts/octosts.go b/pkg/octosts/octosts.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 
 	"github.com/bradleyfalzon/ghinstallation/v2"
+	cloudevents "github.com/cloudevents/sdk-go/v2"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/google/go-github/v58/github"
 	lru "github.com/hashicorp/golang-lru"
@@ -30,8 +31,11 @@ import (
 	"github.com/chainguard-dev/octo-sts/pkg/provider"
 )
 
-func NewSecurityTokenServiceServer(atr *ghinstallation.AppsTransport) pboidc.SecurityTokenServiceServer {
-	return &sts{atr: atr}
+func NewSecurityTokenServiceServer(atr *ghinstallation.AppsTransport, ceclient cloudevents.Client) pboidc.SecurityTokenServiceServer {
+	return &sts{
+		atr:      atr,
+		ceclient: ceclient,
+	}
 }
 
 var (
@@ -42,7 +46,8 @@ var (
 type sts struct {
 	pboidc.UnimplementedSecurityTokenServiceServer
 
-	atr *ghinstallation.AppsTransport
+	atr      *ghinstallation.AppsTransport
+	ceclient cloudevents.Client
 }
 
 // Exchange implements pboidc.SecurityTokenServiceServer
@@ -80,6 +85,13 @@ func (s *sts) Exchange(ctx context.Context, request *pboidc.ExchangeRequest) (*p
 		return nil, status.Errorf(codes.Unauthenticated, "unable to validate token: %v", err)
 	}
 
+	// TODO(mattmoor): Surface events with:
+	//  - the actor,
+	//  - the trust policy,
+	//  - the installation id,
+	//  - the org/repo, and
+	//  - whether the trust policy was satisfied!
+
 	id, tp, err := s.lookupInstallAndTrustPolicy(ctx, request.Scope, request.Identity)
 	if err != nil {
 		return nil, err