fix: adding ci provider for meta-issuers (#1767)
* adding ci provider for meta-issuers

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* adding tests

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* improve tests

Signed-off-by: Javan lacerda <javanlacerda@google.com>

* adding issuer to error log

Signed-off-by: Javan lacerda <javanlacerda@google.com>

---------

Signed-off-by: Javan lacerda <javanlacerda@google.com>
javanlacerda authored Aug 15, 2024
1 parent ddc294b commit 8acbceb
Showing 5 changed files with 63 additions and 4 deletions.
1 change: 1 addition & 0 deletions pkg/config/config.go
Expand Up @@ -156,6 +156,7 @@ func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool) {
Type: iss.Type,
IssuerClaim: iss.IssuerClaim,
SubjectDomain: iss.SubjectDomain,
CIProvider: iss.CIProvider,
}, true
}
}
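Review bot: The struct literal in GetIssuer that builds the meta-issuer result is a hand-maintained field-by-field copy, and the line added here (`CIProvider: iss.CIProvider,`) shows that a field can be left out without any compile error; presumably that omission is what made ci-provider meta-issuers fail with the "metadata not found" error touched in pkg/identity/ciprovider/principal.go. A short comment above the literal would guard the next field added to OIDCIssuer, e.g. `// Keep in sync with OIDCIssuer: a field left out here is silently dropped for meta-issuers.` Whether the literal could instead copy `iss` wholesale and only override IssuerURL depends on the rest of the function, which starts and ends outside this hunk.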
24 changes: 24 additions & 0 deletions pkg/config/config_network_test.go
Expand Up @@ -64,6 +64,18 @@ func TestLoadYamlConfig(t *testing.T) {
t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
}

// Checking that the ci provider meta issuer has been set correctly
got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")
if !ok {
t.Error("expected true, got false")
}
if got.Type != "ci-provider" {
t.Errorf("expected ci-provider, got %s", got.Type)
}
if got.CIProvider != "github-workflow" {
t.Errorf("expected github-workflow, got %s", got.CIProvider)
}

if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
t.Error("no error returned from an unconfigured issuer")
}
Expand Down Expand Up @@ -105,6 +117,18 @@ func TestLoadJsonConfig(t *testing.T) {
t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
}

// Checking that the ci provider meta issuer has been set correctly
got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")
if !ok {
t.Error("expected true, got false")
}
if got.Type != "ci-provider" {
t.Errorf("expected ci-provider, got %s", got.Type)
}
if got.CIProvider != "github-workflow" {
t.Errorf("expected github-workflow, got %s", got.CIProvider)
}

if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
t.Error("no error returned from an unconfigured issuer")
}
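Review bot: In both added blocks (after `got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")` in TestLoadYamlConfig and again in TestLoadJsonConfig) a failed lookup only calls t.Error and then goes on to compare got.Type and got.CIProvider on the zero value, so one missing meta-issuer is reported as three failures with a misleading "expected ci-provider, got " message. Make the first check terminal, `t.Fatal("expected true, got false")`, since the two checks that follow depend on it. The two blocks are otherwise identical, so a small helper such as `checkCIProviderMetaIssuer(t, cfg)` shared by the YAML and JSON tests would keep them from drifting apart.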
9 changes: 9 additions & 0 deletions pkg/config/config_test.go
Expand Up @@ -38,6 +38,10 @@ meta-issuers:
https://oidc.eks.*.amazonaws.com/id/*:
client-id: bar
type: kubernetes
https://oidc.foo.*.bar.com/id/*:
client-id: bar
type: ci-provider
ci-provider: github-workflow
`

var validJSONCfg = `
Expand All @@ -54,6 +58,11 @@ var validJSONCfg = `
"https://oidc.eks.*.amazonaws.com/id/*": {
"ClientID": "bar",
"Type": "kubernetes"
},
"https://oidc.foo.*.bar.com/id/*": {
"ClientID": "bar",
"Type": "ci-provider",
"CiProvider": "github-workflow"
}
}
}
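Review bot: The JSON fixture spells the new key `"CiProvider"` while the Go field the tests read is `CIProvider` and the YAML key is `ci-provider`; encoding/json matches keys case-insensitively, so this presumably decodes, but a fixture with a third spelling misleads readers about what the real config accepts. Write it as `"CIProvider": "github-workflow"` to match the field name, or whatever json tag the struct declares (the struct is not visible in this commit). The YAML block is consistent with the existing entries and needs no change.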
30 changes: 27 additions & 3 deletions pkg/config/fulcio_config_test.go
Expand Up @@ -21,6 +21,7 @@ import (
"os"
"path/filepath"
"runtime"
"strings"
"testing"
)

Expand Down Expand Up @@ -68,9 +69,32 @@ func TestLoadFulcioConfig(t *testing.T) {
}
}

for _, metaIssuer := range fulcioConfig.MetaIssuers {
if metaIssuer.ClientID != "sigstore" {
t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
for metaIssuerURLRegex := range fulcioConfig.MetaIssuers {
metaIssuerURL := strings.ReplaceAll(metaIssuerURLRegex, "*", "foo")
got, ok := fulcioConfig.GetIssuer(metaIssuerURL)
if !ok {
t.Errorf("expected true, got false, %s", metaIssuerURL)
}
if got.ClientID != "sigstore" {
t.Errorf("expected sigstore, got %s", got.ClientID)
}
if got.IssuerURL != metaIssuerURL {
t.Errorf("expected %s, got %s", metaIssuerURL, got.IssuerURL)
}

if string(got.Type) == "" {
t.Errorf("issuer Type should not be empty")
}
if got.Type == IssuerTypeCIProvider {
if got.CIProvider == "" {
t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider")
}
if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok {
t.Error("issuer with type ci-provider should have the same CI provider name as key for CIIssuerMetadata")
}
}
if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
t.Error("no error returned from an unconfigured issuer")
}
}
}
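Review bot: The `not_an_issuer` check at the bottom of the new loop body in TestLoadFulcioConfig does not depend on the loop variable, so it runs once per meta-issuer and should be moved after the loop. When `fulcioConfig.GetIssuer(metaIssuerURL)` reports !ok the loop also continues into got.ClientID, got.IssuerURL and got.Type on the zero value and reports several more failures for the same entry; add `continue` after the `t.Errorf("expected true, got false, %s", metaIssuerURL)` on that branch. Minor: `string(got.Type) == ""` already implies Type has a string underlying type, so `got.Type == ""` reads more directly. The enclosing function starts outside this hunk.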
3 changes: 2 additions & 1 deletion pkg/identity/ciprovider/principal.go
Expand Up @@ -106,7 +106,8 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide
}
metadata, ok := cfg.CIIssuerMetadata[issuerCfg.CIProvider]
if !ok {
return nil, fmt.Errorf("metadata not found for ci provider %s", issuerCfg.CIProvider)
return nil, fmt.Errorf(
"metadata not found for ci provider %s, issuer: %s", issuerCfg.CIProvider, token.Issuer)
}
return ciPrincipal{
token,
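Review bot: The issuer appended to the error message on the new lines is a value taken from the presented ID token and formatted with `%s`; `%q` is the better verb for a string that originates in a client-supplied token and ends up in server error output, since it quotes the value, escapes control characters, and makes an empty CIProvider visible in the message. Proposed: `"metadata not found for ci provider %q, issuer %q", issuerCfg.CIProvider, token.Issuer`. Since issuerCfg was presumably resolved from this issuer just above the hunk, the value has already matched a configured issuer, so this is output hygiene rather than a new exposure. WorkflowPrincipalFromIDToken starts and ends outside this hunk.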