From 4bffbd046af94f1513d8a63bedc99dd26e588120 Mon Sep 17 00:00:00 2001
From: Christian Kotzbauer
Date: Tue, 4 Jan 2022 17:24:27 +0100
Subject: [PATCH] Extract additional claims from github-workflow token
With reusable github-workflows the "job_workflow_ref" will reference the shared workflow instead the actual calling workflow.
Fixes #305
Signed-off-by: Christian Kotzbauer
---
 OID_INFO.md | 7 ++++++-
 pkg/ca/x509ca/common.go | 21 +++++++++++++++++++++
 pkg/challenges/challenges.go | 17 +++++++++++++----
 3 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/OID_INFO.md b/OID_INFO.md
index f15d1ae80..967a49398 100644
--- a/OID_INFO.md
+++ b/OID_INFO.md
@@ -15,4 +15,9 @@ Note that all values begin from the root OID 1.3.6.1.4.1.57264 [registered by Da
 - This contains the `event_name` claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
 - *1.3.6.1.4.1.57264.1.3*: (GithubWorkflowSha)
 - This contains the `sha` claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
-
+- *1.3.6.1.4.1.57264.1.4*: (GithubWorkflowName)
+ - This contains the `workflow` claim from the GitHub OIDC Identity token that contains the name of the executed workflow. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
+- *1.3.6.1.4.1.57264.1.5*: (GithubWorkflowRepository)
+ - This contains the `repository` claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
+- *1.3.6.1.4.1.57264.1.6*: (GithubWorkflowRef)
+ - This contains the `ref` claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon. [(docs)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token)
diff --git a/pkg/ca/x509ca/common.go b/pkg/ca/x509ca/common.go
index f0e55259f..aa05bea8f 100644
--- a/pkg/ca/x509ca/common.go
+++ b/pkg/ca/x509ca/common.go
@@ -115,6 +115,27 @@ func AdditionalExtensions(subject *challenges.ChallengeResult) []pkix.Extension
 Value: []byte(sha),
 })
 }
+
+ if name, ok := subject.AdditionalInfo[challenges.GithubWorkflowName]; ok {
+ res = append(res, pkix.Extension{
+ Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4},
+ Value: []byte(name),
+ })
+ }
+
+ if repo, ok := subject.AdditionalInfo[challenges.GithubWorkflowRepository]; ok {
+ res = append(res, pkix.Extension{
+ Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5},
+ Value: []byte(repo),
+ })
+ }
+
+ if ref, ok := subject.AdditionalInfo[challenges.GithubWorkflowRef]; ok {
+ res = append(res, pkix.Extension{
+ Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6},
+ Value: []byte(ref),
+ })
+ }
 }
 return res
 }
diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go
index d3ad05bf1..db71f04c1 100644
--- a/pkg/challenges/challenges.go
+++ b/pkg/challenges/challenges.go
@@ -46,6 +46,9 @@ type AdditionalInfo int
 const (
 GithubWorkflowTrigger AdditionalInfo = iota
 GithubWorkflowSha
+ GithubWorkflowName
+ GithubWorkflowRepository
+ GithubWorkflowRef
 )
 
 type ChallengeResult struct {
@@ -254,8 +257,11 @@ func workflowFromIDToken(token *oidc.IDToken) (string, error) {
 func workflowInfoFromIDToken(token *oidc.IDToken) (map[AdditionalInfo]string, error) {
 // Extract custom claims
 var claims struct {
- Sha string `json:"sha"`
- Trigger string `json:"event_name"`
+ Sha string `json:"sha"`
+ Trigger string `json:"event_name"`
+ Repository string `json:"repository"`
+ Workflow string `json:"workflow"`
+ Ref string `json:"ref"`
 // The other fields that are present here seem to depend on the type
 // of workflow trigger that initiated the action.
 }
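Review bot: The `ok` from each new map lookup in the three added blocks of AdditionalExtensions never signals a missing claim, because workflowInfoFromIDToken (the -265 hunk in pkg/challenges/challenges.go) populates every AdditionalInfo key unconditionally, so a token whose `workflow`, `repository` or `ref` claim is absent or empty still produces an extension with an empty Value. Skipping empty strings at the point of use keeps the certificate from carrying empty 1.3.6.1.4.1.57264.1.4 to .1.6 extensions: `if name, ok := subject.AdditionalInfo[challenges.GithubWorkflowName]; ok && name != "" {`, and likewise for repo and ref; alternatively the producer could omit empty claims from the map. The three blocks differ only in map key and OID arc, so a small ordered table iterated once would also avoid the triplicated append. AdditionalExtensions starts before this hunk.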
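Review bot: The three new AdditionalInfo constants carry no doc comment naming the token claim each one holds, so a reader must cross-reference the claims struct in workflowInfoFromIDToken and the OID arcs in pkg/ca/x509ca/common.go to learn that GithubWorkflowName is the `workflow` claim and not the `job_workflow_ref` the commit message singles out. A trailing comment per constant, e.g. `GithubWorkflowName // "workflow" claim, OID 1.3.6.1.4.1.57264.1.4`, with `repository` (.1.5) and `ref` (.1.6) on the other two, keeps the mapping next to the definition. Appending the constants after GithubWorkflowSha preserves the existing iota values, which matters if any caller persists or compares them numerically.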
@@ -265,8 +271,11 @@ func workflowInfoFromIDToken(token *oidc.IDToken) (map[AdditionalInfo]string, er
 
 // We use this in URIs, so it has to be a URI.
 return map[AdditionalInfo]string{
- GithubWorkflowSha: claims.Sha,
- GithubWorkflowTrigger: claims.Trigger}, nil
+ GithubWorkflowSha: claims.Sha,
+ GithubWorkflowTrigger: claims.Trigger,
+ GithubWorkflowName: claims.Workflow,
+ GithubWorkflowRepository: claims.Repository,
+ GithubWorkflowRef: claims.Ref}, nil
 }
 
 func isSpiffeIDAllowed(host, spiffeID string) bool {