diff --git a/pkg/config/config.go b/pkg/config/config.go index a2296147e..3d134d0fa 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -156,6 +156,7 @@ func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool) { Type: iss.Type, IssuerClaim: iss.IssuerClaim, SubjectDomain: iss.SubjectDomain, + CIProvider: iss.CIProvider, }, true } } diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go index 00f139824..d53a8e906 100644 --- a/pkg/config/config_network_test.go +++ b/pkg/config/config_network_test.go @@ -64,6 +64,18 @@ func TestLoadYamlConfig(t *testing.T) { t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL) } + // Checking that the ci provider meta issuer has been set correctly + got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER") + if !ok { + t.Error("expected true, got false") + } + if got.Type != "ci-provider" { + t.Errorf("expected ci-provider, got %s", got.Type) + } + if got.CIProvider != "github-workflow" { + t.Errorf("expected github-workflow, got %s", got.CIProvider) + } + if _, ok := cfg.GetIssuer("not_an_issuer"); ok { t.Error("no error returned from an unconfigured issuer") } @@ -105,6 +117,18 @@ func TestLoadJsonConfig(t *testing.T) { t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL) } + // Checking that the ci provider meta issuer has been set correctly + got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER") + if !ok { + t.Error("expected true, got false") + } + if got.Type != "ci-provider" { + t.Errorf("expected ci-provider, got %s", got.Type) + } + if got.CIProvider != "github-workflow" { + t.Errorf("expected github-workflow, got %s", got.CIProvider) + } + if _, ok := cfg.GetIssuer("not_an_issuer"); ok { t.Error("no error returned from an unconfigured issuer") } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 042fe9b8f..7e6564c82 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -38,6 +38,10 @@ meta-issuers: https://oidc.eks.*.amazonaws.com/id/*: client-id: bar type: kubernetes + https://oidc.foo.*.bar.com/id/*: + client-id: bar + type: ci-provider + ci-provider: github-workflow ` var validJSONCfg = ` @@ -54,6 +58,11 @@ var validJSONCfg = ` "https://oidc.eks.*.amazonaws.com/id/*": { "ClientID": "bar", "Type": "kubernetes" + }, + "https://oidc.foo.*.bar.com/id/*": { + "ClientID": "bar", + "Type": "ci-provider", + "CiProvider": "github-workflow" } } } diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go index e32bd0455..57651fbb0 100644 --- a/pkg/config/fulcio_config_test.go +++ b/pkg/config/fulcio_config_test.go @@ -21,6 +21,7 @@ import ( "os" "path/filepath" "runtime" + "strings" "testing" ) @@ -68,9 +69,32 @@ func TestLoadFulcioConfig(t *testing.T) { } } - for _, metaIssuer := range fulcioConfig.MetaIssuers { - if metaIssuer.ClientID != "sigstore" { - t.Errorf("expected sigstore, got %s", metaIssuer.ClientID) + for metaIssuerURLRegex := range fulcioConfig.MetaIssuers { + metaIssuerURL := strings.ReplaceAll(metaIssuerURLRegex, "*", "foo") + got, ok := fulcioConfig.GetIssuer(metaIssuerURL) + if !ok { + t.Errorf("expected true, got false, %s", metaIssuerURL) + } + if got.ClientID != "sigstore" { + t.Errorf("expected sigstore, got %s", got.ClientID) + } + if got.IssuerURL != metaIssuerURL { + t.Errorf("expected %s, got %s", metaIssuerURL, got.IssuerURL) + } + + if string(got.Type) == "" { + t.Errorf("issuer Type should not be empty") + } + if got.Type == IssuerTypeCIProvider { + if got.CIProvider == "" { + t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider") + } + if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok { + t.Error("issuer with type ci-provider should have the same CI provider name as key for CIIssuerMetadata") + } + } + if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok { + t.Error("no error returned from an unconfigured issuer") } } } diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go index 2066a04e6..a12f44ced 100644 --- a/pkg/identity/ciprovider/principal.go +++ b/pkg/identity/ciprovider/principal.go @@ -106,7 +106,8 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide } metadata, ok := cfg.CIIssuerMetadata[issuerCfg.CIProvider] if !ok { - return nil, fmt.Errorf("metadata not found for ci provider %s", issuerCfg.CIProvider) + return nil, fmt.Errorf( + "metadata not found for ci provider %s, issuer: %s", issuerCfg.CIProvider, token.Issuer) } return ciPrincipal{ token,