Skip to content

feat(confidentialhttp): AuthConfig for pluggable signing #341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wentzeld wants to merge 2 commits into
base: main
Choose a base branch
from
+290 −0
Draft

feat(confidentialhttp): AuthConfig for pluggable signing #341

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c1be802
feat(confidentialhttp): add AuthConfig for pluggable request signing
wentzeld Apr 18, 2026
42bbf05
Auto-fix: buf format, gofmt, go generate, go mod tidy
app-token-issuer-engops[bot] Apr 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
145 changes: 145 additions & 0 deletions cre/capabilities/networking/confidentialhttp/v1alpha/client.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,151 @@ message HTTPResponse {
message ConfidentialHTTPRequest {
repeated SecretIdentifier vault_don_secrets = 1;
HTTPRequest request = 2;
// auth, when set, instructs the enclave to sign the outbound request using
// the specified method. Every secret_name referenced inside AuthConfig must
// also appear in vault_don_secrets (enforced by the capability validator).
// When auth is nil, the request is sent with only the headers/body the
// caller provided — preserving the legacy "{{.SECRET_NAME}}" header-template
// behavior.
optional AuthConfig auth = 3;
}

// AuthConfig selects one of the supported request-signing methods.
// Each variant carries the method-specific parameters and references
// the names of the Vault-DON secrets it needs.
message AuthConfig {
oneof method {
ApiKeyAuth api_key = 1;
BasicAuth basic = 2;
BearerAuth bearer = 3;
HmacAuth hmac = 4;
OAuth2Auth oauth2 = 5;
}
}

// ApiKeyAuth attaches a secret value to a chosen header.
// Renders as: <header_name>: <value_prefix><secret-value>
// Example (header_name="x-api-key", secret_name="coingecko", value_prefix=""):
// x-api-key: <secret>
message ApiKeyAuth {
string header_name = 1; // required, e.g. "x-api-key", "Authorization"
string secret_name = 2; // required; key into ConfidentialHTTPRequest.vault_don_secrets
string value_prefix = 3; // optional, e.g. "ApiKey ", "Token "
}

// BasicAuth renders: Authorization: Basic base64(username ":" password).
message BasicAuth {
string username_secret_name = 1; // required
string password_secret_name = 2; // required
Comment on lines +97 to +98
Copy link
Copy Markdown
Contributor

@nolag nolag Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

username can be either a secret, or a value. It's not necessarily private.

The secret for the password can't just be a string, it should be SecretIdentifier.

Same for the rest of the secret and non-nessesarily secret values.

}

// BearerAuth attaches a pre-issued long-lived token.
// Default behavior: Authorization: Bearer <token>
// header_name and value_prefix allow rare overrides (e.g. GitHub's
// "Authorization: token <pat>").
message BearerAuth {
string token_secret_name = 1; // required
string header_name = 2; // optional override, default "Authorization"
string value_prefix = 3; // optional override, default "Bearer "
}

// HmacAuth groups all HMAC-family signing variants.
message HmacAuth {
oneof variant {
HmacSha256 sha256 = 1;
AwsSigV4 aws_sig_v4 = 2;
HmacCustom custom = 3;
}
}

// HmacSha256 implements a generic canonical-string HMAC-SHA256 signature.
// Canonical string: method "\n" url "\n" sha256(body) "\n" timestamp
// Signature is attached via signature_header, timestamp via timestamp_header.
message HmacSha256 {
string secret_name = 1; // required shared secret
string signature_header = 2; // default "X-Signature"
string timestamp_header = 3; // default "X-Timestamp"
bool include_query = 4; // if true, include the query string in the canonical url
string encoding = 5; // "hex" (default) or "base64"
}

// AwsSigV4 implements AWS Signature Version 4.
// Uses github.com/aws/aws-sdk-go-v2/aws/signer/v4 under the hood.
message AwsSigV4 {
string access_key_id_secret_name = 1; // required
string secret_access_key_secret_name = 2; // required
string session_token_secret_name = 3; // optional (for STS creds)
string region = 4; // required, e.g. "us-east-1"
string service = 5; // required, e.g. "execute-api", "s3"
// Signed headers (comma-separated lowercase). Optional; defaults to
// "host;x-amz-date" plus "x-amz-security-token" if session_token_secret_name
// is set.
repeated string signed_headers = 6;
// If true, uses X-Amz-Content-Sha256: UNSIGNED-PAYLOAD (useful for large S3
// uploads). Default false.
bool unsigned_payload = 7;
}

// HmacCustom lets workflow authors specify the canonical string via a
// Go text/template string. Available template vars:
// {{.method}} {{.url}} {{.path}} {{.query}} {{.body}} {{.body_sha256}}
// {{.timestamp}} {{.nonce}} {{header "X-Foo"}}
message HmacCustom {
string secret_name = 1; // required
string canonical_template = 2; // required
enum Hash {
HASH_SHA256 = 0;
HASH_SHA512 = 1;
}
Hash hash = 3;
string signature_header = 4; // required
string signature_prefix = 5; // e.g. "HMAC-SHA256 "
string timestamp_header = 6; // optional; if set, timestamp header injected
string nonce_header = 7; // optional; if set, random nonce header injected
string encoding = 8; // "hex" (default) or "base64"
}

// OAuth2Auth groups headless OAuth 2.0 flows.
// Interactive flows (Authorization Code, PKCE, Device Code) are NOT supported —
// they require browser consent that a headless TEE cannot perform.
message OAuth2Auth {
oneof variant {
OAuth2ClientCredentials client_credentials = 1;
OAuth2RefreshToken refresh_token = 2;
}
}

// OAuth2ClientCredentials: machine-to-machine grant.
// The enclave POSTs to token_url with client_id/client_secret, caches the
// resulting access_token per (workflow_owner, token_url, client_id, scopes),
// and attaches "Authorization: Bearer <access_token>" to the outbound request.
message OAuth2ClientCredentials {
string token_url = 1; // required, must be https://
string client_id_secret_name = 2; // required
string client_secret_secret_name = 3; // required
repeated string scopes = 4; // optional
string audience = 5; // optional (Auth0-style)
// "basic_auth" (default) or "request_body" — where to put client creds
// on the token request.
string client_auth_method = 6;
// Extra form params to send with the token request.
map<string, string> extra_params = 7;
}

// OAuth2RefreshToken: the workflow stores a long-lived refresh_token in Vault
// (obtained out-of-band during an interactive consent). The enclave exchanges
// it for an access_token on cache miss.
//
// Important: if the IdP rotates refresh tokens on each exchange, the enclave
// cannot persist the new refresh_token back to Vault. Disable refresh-token
// rotation at the IdP, or prefer client_credentials where possible.
message OAuth2RefreshToken {
string token_url = 1; // required, must be https://
string refresh_token_secret_name = 2; // required
string client_id_secret_name = 3; // optional (some IdPs require)
string client_secret_secret_name = 4; // optional (some IdPs require)
repeated string scopes = 5; // optional
map<string, string> extra_params = 6;
}

service Client {
Expand Down
145 changes: 145 additions & 0 deletions cre/go/installer/pkg/embedded_gen.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading