Skip to content

Commit ff35657

Browse files
authored
fix: remote state support for federated tokens (#1886)
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
1 parent a32df58 commit ff35657

1 file changed

Lines changed: 10 additions & 0 deletions

File tree

app/controlplane/internal/service/attestationstate.go

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ import (
2424

2525
cpAPI "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
2626
"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext"
27+
"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext/attjwtmiddleware"
2728
"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
2829

2930
errors "github.com/go-kratos/kratos/v2/errors"
@@ -158,6 +159,15 @@ func (s *AttestationStateService) Reset(ctx context.Context, req *cpAPI.Attestat
158159
// NOTE: Using the robot-account as JWT is not ideal but it's a start
159160
// TODO: look into using some identifier from the actual client like machine-uuid
160161
func encryptionPassphrase(ctx context.Context) (string, error) {
162+
robotAccount := usercontext.CurrentRobotAccount(ctx)
163+
if robotAccount == nil {
164+
return "", errors.NotFound("not found", "robot account not found")
165+
// If we are using a federated provider, we'll use the provider key as the passphrase since we can not guarantee the stability of the token
166+
// In practice this means disabling the state encryption at rest but this state in practice is a subset of the resulting attestation that we end up storing
167+
} else if robotAccount.ProviderKey == attjwtmiddleware.FederatedProviderKey {
168+
return robotAccount.ProviderKey, nil
169+
}
170+
161171
header, ok := transport.FromServerContext(ctx)
162172
if !ok {
163173
return "", errors.NotFound("not found", "transport not found")

0 commit comments

Comments
 (0)