config

package
v0.2.0
Warning

This package is not in the latest version of its module.

Published: Mar 8, 2022 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

// Issuer type identifiers, used as the Type field of an OIDCIssuer entry.
// They are declared without an explicit type, so they are untyped string
// constants rather than IssuerType values; they convert implicitly when
// assigned to an IssuerType field.
const (
	// IssuerTypeEmail is the type DefaultConfig assigns to the
	// oauth2.sigstore.dev and accounts.google.com issuers.
	IssuerTypeEmail          = "email"
	// IssuerTypeGithubWorkflow is the type DefaultConfig assigns to the
	// token.actions.githubusercontent.com issuer.
	IssuerTypeGithubWorkflow = "github-workflow"
	// IssuerTypeKubernetes is not used by DefaultConfig.
	// NOTE(review): presumably intended for Kubernetes cluster issuers such
	// as the MetaIssuers examples — confirm.
	IssuerTypeKubernetes     = "kubernetes"
	// IssuerTypeSpiffe is not used by DefaultConfig.
	// NOTE(review): presumably intended for SPIFFE identity issuers — confirm.
	IssuerTypeSpiffe         = "spiffe"
)

Variables

// DefaultConfig is the built-in issuer configuration. It lists three OIDC
// issuers, each keyed by the same URL that is stored in its IssuerURL field,
// and each with the client ID "sigstore". MetaIssuers is left unset, so the
// defaults contain no templated issuers.
//
// NOTE(review): this is an exported pointer to a struct that holds a map, so
// any importing package can change the issuer set at runtime. Treat it as
// read-only and copy it before modifying.
var DefaultConfig = &FulcioConfig{
	OIDCIssuers: map[string]OIDCIssuer{
		// Sigstore's OAuth2 endpoint; the only default entry that sets
		// IssuerClaim.
		// NOTE(review): the "$.federated_claims.connector_id" path presumably
		// names the token claim that identifies the upstream identity
		// provider — confirm against the code that evaluates it.
		"https://oauth2.sigstore.dev/auth": {
			IssuerURL:   "https://oauth2.sigstore.dev/auth",
			ClientID:    "sigstore",
			IssuerClaim: "$.federated_claims.connector_id",
			Type:        IssuerTypeEmail,
		},
		// Google's accounts endpoint, handled as an email-type issuer.
		"https://accounts.google.com": {
			IssuerURL: "https://accounts.google.com",
			ClientID:  "sigstore",
			Type:      IssuerTypeEmail,
		},
		// GitHub Actions token endpoint, handled as a workflow-type issuer.
		"https://token.actions.githubusercontent.com": {
			IssuerURL: "https://token.actions.githubusercontent.com",
			ClientID:  "sigstore",
			Type:      IssuerTypeGithubWorkflow,
		},
	},
}

Functions

func With added in v0.2.0

func With(ctx context.Context, cfg *FulcioConfig) context.Context

Types

type FulcioConfig

// FulcioConfig holds the configured OIDC issuers, split into entries keyed by
// a literal issuer URL (OIDCIssuers) and entries keyed by a templated URL
// (MetaIssuers). Both maps are omitted from JSON when empty.
type FulcioConfig struct {
	// OIDCIssuers maps an issuer URL to its configuration. In DefaultConfig
	// every key is identical to the entry's IssuerURL field.
	OIDCIssuers map[string]OIDCIssuer `json:"OIDCIssuers,omitempty"`

	// MetaIssuers maps a templated issuer URL to its configuration.
	// A meta issuer has a templated URL of the form:
	//   https://oidc.eks.*.amazonaws.com/id/*
	// where * can match a single hostname or URI path part
	// (in particular, no '.' or '/' is permitted, among
	// other special characters). Some examples we want to match:
	// * https://oidc.eks.us-west-2.amazonaws.com/id/B02C93B6A2D30341AD01E1B6D48164CB
	// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
	//
	// NOTE(review): the restriction on '.' and '/' is what stops a wildcard
	// from spanning extra host labels or path segments, so a template only
	// accepts issuers of the intended shape. The matching code is not shown
	// here — confirm it enforces this and anchors the whole URL.
	MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty"`
	// contains filtered or unexported fields
}

func FromContext added in v0.2.0

func FromContext(ctx context.Context) *FulcioConfig

func Load

func Load(configPath string) (*FulcioConfig, error)

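Load loads a config from disk, or uses the defaults. This page does not state when the defaults apply; callers that need a missing or unreadable config file to be treated as an error should verify that behavior.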

func Read added in v0.2.0

func Read(b []byte) (*FulcioConfig, error)

Read parses the bytes of a config

func (*FulcioConfig) GetIssuer added in v0.2.0

func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool)

GetIssuer looks up the issuer configuration for an `issuerURL` coming from an incoming OIDC token. If no matching configuration is found, then it returns `false`.

func (*FulcioConfig) GetVerifier added in v0.2.0

func (fc *FulcioConfig) GetVerifier(issuerURL string) (*oidc.IDTokenVerifier, bool)

GetVerifier fetches a token verifier for the given `issuerURL` coming from an incoming OIDC token. If no matching configuration is found, then it returns `false`.

type IssuerType

// IssuerType is the string type of the OIDCIssuer.Type field. The values
// listed in this package are the IssuerType* constants ("email",
// "github-workflow", "kubernetes", "spiffe").
// NOTE(review): being a plain string type, it can hold any value read from
// JSON; whether unknown values are rejected is not shown here — confirm.
type IssuerType string

type OIDCIssuer

// OIDCIssuer is the configuration for one OIDC issuer, stored as a value in
// FulcioConfig.OIDCIssuers or FulcioConfig.MetaIssuers.
type OIDCIssuer struct {
	// IssuerURL is the issuer's URL; it is omitted from JSON when empty.
	IssuerURL   string     `json:"IssuerURL,omitempty"`
	// ClientID is always serialized (no omitempty). DefaultConfig sets it to
	// "sigstore" for every issuer.
	// NOTE(review): presumably the audience the token verifier expects in
	// incoming tokens — confirm against GetVerifier.
	ClientID    string     `json:"ClientID"`
	// Type is the issuer type; DefaultConfig sets it from the IssuerType*
	// constants. It is always serialized (no omitempty).
	Type        IssuerType `json:"Type"`
	// IssuerClaim is optional and omitted from JSON when empty. The only
	// value shown in DefaultConfig is "$.federated_claims.connector_id".
	// NOTE(review): presumably a path to the token claim that names the
	// upstream issuer — confirm.
	IssuerClaim string     `json:"IssuerClaim,omitempty"`
}
