autograph
Support being able to pin, restrict, or reify allowed options for an authorization
We want to be able to issue creds that only work with specific signer params (i.e. make sure they're least privileged) to protect against misuse and reduce the blast radius to audit if they are compromised or leaked.
Use cases:
- private autograph-edge creds where creds should only work for a specific XPI ID
- migrations e.g. to disallow weak hash algs in prod config for XPI signing
Proposal:
Turn each entry of an authorization's `signers` list into a hash with keys:
- `id` (string): the current value
- `required_options`: a string->string hash of request options for that signer, e.g.
```yaml
# The keys below are testing keys that do not grant any power
signers:
  - id: webextensions-rsa
    type: xpi
    mode: add-on
    certificate: |
      ....
authorizations:
  - id: alice
    key: fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu
    signers:
      - appkey1
      - appkey2
      - appkey3
      - normankey
      - id: webextensions-rsa
        required_options:
          id: "[email protected]"
      - extensions-ecdsa
      - testapp-android
      - testmar
      - testmarecdsa
```
Autograph will check that the request options have values matching the required values and return 403 Forbidden if they do not all match.
Other, unspecified options can vary.
The options must be valid for the signer type, i.e. autograph should exit if an APK signer gets XPI options. The options will be validated on server start.
cc @ajvb @jvehent for feedback
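The per-signer check the proposal describes, written out as an added example (not code from the autograph project): a hypothetical `CheckRequest` in Go that applies the proposed `required_options` and yields 403 Forbidden when a request's options do not all match, while options absent from `required_options` are free to vary. The `SignerRef`/`Authorization` types, the trimmed `Alice` literal and the `[email protected]` value are assumptions taken from the sketch above.

```go
package main

import (
	"fmt"
	"net/http"
)

// SignerRef is one entry of an authorization's "signers" list in the proposed
// format: the signer id plus request options that must match exactly.
// (Constructed type for this example, not autograph's own.)
type SignerRef struct {
	ID              string
	RequiredOptions map[string]string
}

// Authorization mirrors one entry of the proposed "authorizations" list.
type Authorization struct {
	ID      string
	Signers []SignerRef
}

// CheckRequest returns 403 when the signer is not listed for the authorization
// or when any required option is missing or differs, and 200 otherwise.
// Options absent from required_options are not inspected, so they may vary.
func CheckRequest(auth Authorization, signerID string, opts map[string]string) (int, error) {
	for _, s := range auth.Signers {
		if s.ID != signerID {
			continue
		}
		for k, want := range s.RequiredOptions {
			if got, ok := opts[k]; !ok || got != want {
				return http.StatusForbidden, fmt.Errorf("signer %q: option %q must equal %q", signerID, k, want)
			}
		}
		return http.StatusOK, nil
	}
	return http.StatusForbidden, fmt.Errorf("authorization %q may not use signer %q", auth.ID, signerID)
}

// Alice is the proposal's example authorization, trimmed to two signers
// (test data only; the XPI id is the placeholder value from the sketch).
var Alice = Authorization{ID: "alice", Signers: []SignerRef{
	{ID: "appkey1"},
	{ID: "webextensions-rsa", RequiredOptions: map[string]string{"id": "[email protected]"}},
}}

func main() {
	// A request for a different XPI id is refused with 403.
	fmt.Println(CheckRequest(Alice, "webextensions-rsa", map[string]string{"id": "other-addon"}))
}
```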
@g-k This looks good to me. Apologies for the delay, needed to read through some docs to try and gather enough context to feel alright with responding.
No worries @ajvb, it's all speculative and a ways out at this point. Do you have access to the context in https://bugzilla.mozilla.org/show_bug.cgi?id=1480596?