
feat!: Vela OIDC provider #1120

Merged
ecrupper merged 43 commits into main from feat/oidc-provider
Jun 5, 2024

Conversation


@ecrupper ecrupper commented May 3, 2024

go-vela/community#976

How it works

  1. Compiler generates VELA_ID_TOKEN_REQUEST_URL (nothing unique about it, just for convenience; the path is /api/v1/repos/ORG/REPO/builds/BUILD/id_token).
  2. The worker will request the VELA_ID_TOKEN_REQUEST_TOKEN if the user specifies any value for the id_request YAML step tag. This request is secured by the MustBuildAccess() permissions check. The reason this token isn't generated at compile time is because part of the claims involve build_id, which isn't created during compilation due to potential errors.
  3. The token manager will generate an RSA key pair at start up. The private key is stored in memory, and the public key (converted to a JWK object) is stored in the database with the KID as the primary key. That KID is generated using UUID v7 whenever the key pair is generated.
  4. The Vela server router loads in an OpenID config and a JWKs endpoint. These are used to validate ID tokens signed by the token manager's private key.
  5. A user will request an ID token using the ID_TOKEN_REQUEST_TOKEN. This request must be made while the build is running, else it will be denied for security reasons.
  6. Key rotation involves dropping all inactive JWKs and setting all active JWKs to inactive. The inactive JWKs can still be used to validate already-signed tokens, but their corresponding private keys will not sign any new tokens. This is because the token manager will verify its private key in-memory is still OK to sign tokens. If not, it will generate a new pair.

Example

version: "1"

steps:
  - name: request token
    image: alpine:latest
    id_request: write  # becomes a claim in token `request`
    commands:
      - apk add curl
      - 'curl -H "Authorization: Bearer $VELA_ID_TOKEN_REQUEST_TOKEN" $VELA_ID_TOKEN_REQUEST_URL'
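The key-handling side of steps 3, 4 and 6 above (in-memory private key, public key stored as a JWK under a kid, a fixed-algorithm verifier that looks keys up by kid, and a rotation that demotes active keys and drops inactive ones) as an added, stand-alone example. This is not code from the PR or from go-vela; the names TokenManager, JWK, Sign, Rotate and Verify are assumptions, a Go map stands in for the JWK database table, a stdlib-only RS256 JWT replaces whatever JWT library the server uses, and the kid is taken from the leading bytes of the modulus as a stand-in for the UUID v7 the description mentions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// JWK is a public key as the JWKS endpoint publishes it (RSA/RS256 implied); Active is a storage-only flag.
type JWK struct {
	Kid, N, E string
	Active    bool
}

// TokenManager holds the private key in memory only; Keys stands in for the JWK table (assumed layout).
type TokenManager struct {
	priv *rsa.PrivateKey
	kid  string
	Keys map[string]*JWK
}

func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// generate creates an RSA pair, keeps the private key in memory and stores the public key as an active JWK.
// Vela does this at start up with a UUID v7 kid; here the first Sign call does it and the kid comes from the modulus.
func (tm *TokenManager) generate() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // crypto/rand does not return errors
	if tm.Keys == nil {
		tm.Keys = map[string]*JWK{}
	}
	tm.priv, tm.kid = priv, enc.EncodeToString(priv.N.Bytes()[:9])
	tm.Keys[tm.kid] = &JWK{Kid: tm.kid, Active: true, N: enc.EncodeToString(priv.N.Bytes()),
		E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}

// Rotate drops inactive keys and demotes active ones; a demoted key still verifies until the next rotation.
func (tm *TokenManager) Rotate() {
	for kid, k := range tm.Keys {
		if !k.Active {
			delete(tm.Keys, kid)
		}
		k.Active = false // harmless on a key that was just deleted
	}
}

// Sign mints an RS256 JWT, generating a fresh pair first if rotation has demoted the key in memory.
func (tm *TokenManager) Sign(claims map[string]any, ttl time.Duration) (string, error) {
	if k, ok := tm.Keys[tm.kid]; !ok || !k.Active {
		tm.generate()
	}
	claims["iat"], claims["exp"] = time.Now().Unix(), time.Now().Add(ttl).Unix()
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": tm.kid})
	body, _ := json.Marshal(claims) // claims are built server-side from plain JSON values
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, tm.priv, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify checks kid, algorithm, signature and exp of an RS256 token against the published keys.
func Verify(token string, jwks map[string]*JWK) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, e1 := enc.DecodeString(parts[0])
	rawBody, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var claims map[string]any // untrusted until the signature checks out
	if err := errors.Join(e1, e2, e3, json.Unmarshal(rawHdr, &hdr), json.Unmarshal(rawBody, &claims)); err != nil {
		return nil, err
	}
	key, ok := jwks[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // the token never gets to choose the algorithm
		return nil, errors.New("unsupported alg or unknown kid")
	}
	n, _ := enc.DecodeString(key.N) // written by generate, so decoding cannot fail
	e, _ := enc.DecodeString(key.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); !ok || float64(time.Now().Unix()) > exp {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}
```

Two rotations are needed before a token stops verifying: the first demotes the key that signed it (Sign then refuses to reuse it and generates a new pair), the second drops it from the published set, at which point the kid no longer resolves. Pinning the algorithm to RS256 before the key lookup keeps the verifier from being steered to a different scheme by the token's own header.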

@ecrupper ecrupper marked this pull request as ready for review May 16, 2024 16:27
@ecrupper ecrupper requested a review from a team as a code owner May 16, 2024 16:27
@codecov

codecov bot commented May 16, 2024

Codecov Report

Attention: Patch coverage is 35.90504% with 216 lines in your changes missing coverage. Please review.

Project coverage is 67.27%. Comparing base (4f81558) to head (922ffd0).

@@            Coverage Diff             @@
##             main    #1120      +/-   ##
==========================================
- Coverage   68.04%   67.27%   -0.78%     
==========================================
  Files         411      422      +11     
  Lines       13752    14083     +331     
==========================================
+ Hits         9358     9474     +116     
- Misses       3859     4064     +205     
- Partials      535      545      +10     
Files Coverage Δ
compiler/native/environment.go 85.82% <100.00%> (+0.11%) ⬆️
database/database.go 58.00% <ø> (ø)
database/jwk/create.go 100.00% <100.00%> (ø)
database/jwk/get.go 100.00% <100.00%> (ø)
database/jwk/opts.go 100.00% <100.00%> (ø)
database/jwk/table.go 100.00% <100.00%> (ø)
internal/token/parse.go 88.23% <100.00%> (ø)
api/build/token.go 0.00% <0.00%> (ø)
database/jwk/list.go 85.71% <85.71%> (ø)
database/resource.go 78.41% <75.00%> (-0.21%) ⬇️
... and 11 more

@wass3r wass3r left a comment

spotted a couple of small-ish things. looks good overall

@ecrupper ecrupper changed the title feat: Vela OIDC provider feat!: Vela OIDC provider Jun 5, 2024
@ecrupper ecrupper merged commit a0b14ae into main Jun 5, 2024
@ecrupper ecrupper deleted the feat/oidc-provider branch June 5, 2024 14:59