Update GitLab claim mappings for build configs

[marshall007]

Summary

Assigns new pipeline_ref/sha claims to Build Config and Build Signer related OIDs.

Note this depends on addition of new claims upstream, which should land in GitLab v16.1: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121597

Related to discussion in #1182

Release Note

Documentation

[marshall007]

@wlynch @feelepxyz I believe this captures everything we discussed in our sync call last week:

• Map pipeline_ref to Build Config URI + Build Signer URI
• Map pipeline_sha to Build Config Digest + Build Signer Digest
• Map job URL to Run Invocation URI (instead of the pipeline URL)

Let me know if I missed anything!

[aladh]

Should we update the mapping table as part of this PR? https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#mapping-oidc-token-claims-to-fulcio-oids

[feelepxyz]

@wlynch @feelepxyz I believe this captures everything we discussed in our sync call last week:

• Map pipeline_ref to Build Config URI + Build Signer URI
• Map pipeline_sha to Build Config Digest + Build Signer Digest
• Map job URL to Run Invocation URI (instead of the pipeline URL)

Let me know if I missed anything!

@marshall007 yes this sounds right to me! Thanks for putting this together so quick. Do you have a timeline for enabling the pipeline_* feature flag once the changes are in the release?

Should we update the mapping table as part of this PR? https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#mapping-oidc-token-claims-to-fulcio-oids

👍

[wlynch]

Mostly LGTM pending Build Signer URI timing + doc updates.

[marshall007]

@marshall007 yes this sounds right to me! Thanks for putting this together so quick. Do you have a timeline for enabling the pipeline_* feature flag once the changes are in the release?

@feelepxyz I responded in #1206 (comment). Should be 16.1 which is in about two weeks.

[haydentherapper]

Let's circle back in a week or two then for approving and merging this once it's in GitLab?

[marshall007]

The corresponding change on the GitLab side has been merged: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122373

@feelepxyz @haydentherapper we started enabling the feature flag in non-production environments today and expect rollout to production gitlab.com to be completed by the end of the week.

[haydentherapper]

Fantastic! Can you test this against the non-production environment to confirm the certificates generated contain the expected values?

We'll get this merged once the change is out in production.

[feelepxyz]

@haydentherapper do you have rights to approve the ci runs?

[feelepxyz]

LGTM 💯

[aladh]

@marshall007 Some changes are required in pkg/server/grpc_server_test.go to make the tests pass:

diff --git a/pkg/server/grpc_server_test.go b/pkg/server/grpc_server_test.go
index 854d87a..6b477b1 100644
--- a/pkg/server/grpc_server_test.go
+++ b/pkg/server/grpc_server_test.go
@@ -956,6 +956,8 @@ type gitlabClaims struct {
 	ProjectID         string `json:"project_id"`
 	PipelineSource    string `json:"pipeline_source"`
 	PipelineID        string `json:"pipeline_id"`
+	CiConfigRefURI    string `json:"ci_config_ref_uri"`
+	CiConfigSha       string `json:"ci_config_sha"`
 	NamespacePath     string `json:"namespace_path"`
 	NamespaceID       string `json:"namespace_id"`
 	JobID             string `json:"job_id"`
@@ -989,6 +991,8 @@ func TestAPIWithGitLab(t *testing.T) {
 		ProjectID:         "42831435",
 		PipelineSource:    "push",
 		PipelineID:        "757451528",
+		CiConfigRefURI:    "gitlab.com/cpanato/testing-cosign//.gitlab-ci.yml@refs/heads/main",
+		CiConfigSha:       "714a629c0b401fdce83e847fc9589983fc6f46bc",
 		NamespacePath:     "cpanato",
 		NamespaceID:       "1730270",
 		JobID:             "3659681386",
@@ -1051,7 +1055,7 @@ func TestAPIWithGitLab(t *testing.T) {
 		t.Fatalf("unexpected length of leaf certificate URIs, expected 1, got %d", len(leafCert.URIs))
 	}
 
-	gitLabURL := fmt.Sprintf("https://gitlab.com/%s@refs/heads/%s", claims.ProjectPath, claims.Ref)
+	gitLabURL := fmt.Sprintf("https://gitlab.com/%s//.gitlab-ci.yml@refs/heads/%s", claims.ProjectPath, claims.Ref)
 	gitLabURI, err := url.Parse(gitLabURL)
 	if err != nil {
 		t.Fatalf("failed to parse expected url")
@@ -1061,7 +1065,8 @@ func TestAPIWithGitLab(t *testing.T) {
 	}
 	url := "https://gitlab.com/"
 	expectedExts := map[int]string{
-		9:  url + claims.ProjectPath + "/-/jobs/" + claims.JobID,
+		9:  gitLabURL,
+		10: claims.CiConfigSha,
 		11: claims.RunnerEnvironment,
 		12: url + claims.ProjectPath,
 		13: claims.Sha,
@@ -1069,8 +1074,10 @@ func TestAPIWithGitLab(t *testing.T) {
 		15: claims.ProjectID,
 		16: url + claims.NamespacePath,
 		17: claims.NamespaceID,
+		18: gitLabURL,
+		19: claims.CiConfigSha,
 		20: claims.PipelineSource,
-		21: url + claims.ProjectPath + "/-/pipelines/" + claims.PipelineID,
+		21: url + claims.ProjectPath + "/-/jobs/" + claims.JobID,
 	}
 	for o, value := range expectedExts {
 		ext, found := findCustomExtension(leafCert, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, o})

[aladh]

The corresponding change on the GitLab side has been merged: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/122373

@feelepxyz @haydentherapper we started enabling the feature flag in non-production environments today and expect rollout to production gitlab.com to be completed by the end of the week.

This change is now live on GitLab.com.

[feelepxyz]

This change is now live on GitLab.com.

Awesome! Excited to get this in.

[haydentherapper]

Can you check out the test failure @marshall007 ?

[marshall007]

@feelepxyz @haydentherapper sorry for the delay! I was out for the holiday weekend and got sick back-to-back. I've applied @aladh's patch and the tests are passing locally.

Fantastic! Can you test this against the non-production environment to confirm the certificates generated contain the expected values?

@haydentherapper I believe last time we merged first and then tested GitLab CI against the staging Fulcio instance. Is that an option this time around? I won't have the bandwidth to standup the required infrastructure and run a manual e2e test on my own this week or next.

If you insist I can see if others on my team can support that. I'm told these docs are a good starting point, is that right? https://github.com/sigstore/scaffolding

[bobcallaway]

the linter isn't happy with baseUrl, perhaps just switch to baseURL?

I'm about to cut a new release and roll out to staging so if we can turn this around quickly it can be included in that.

[aladh]

Suggested change

	baseUrl := "https://gitlab.com/"
	baseURL := "https://gitlab.com/"

[haydentherapper]

@marshall007 Just one question and a linter failure.

If you could update the linter failure, I'll get this merged and we'll cut a new release to test in staging.

[codecov]

Codecov Report

Merging #1206 (83dcc1f) into main (d2286c6) will increase coverage by 0.15%.
The diff coverage is 73.91%.

❗ Current head 83dcc1f differs from pull request most recent head 7fe4f31. Consider uploading reports for the commit 7fe4f31 to get more accurate results

@@            Coverage Diff             @@
##             main    #1206      +/-   ##
==========================================
+ Coverage   56.18%   56.34%   +0.15%     
==========================================
  Files          50       50              
  Lines        2903     2941      +38     
==========================================
+ Hits         1631     1657      +26     
- Misses       1129     1138       +9     
- Partials      143      146       +3     

Impacted Files	Coverage Δ
pkg/identity/gitlabcom/principal.go	63.49% <73.91%> (+1.22%)	⬆️

... and 3 files with indirect coverage changes