Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable additional identity providers for machine accounts (GitHub Actions enablement) #5385

Merged
merged 14 commits into from
Feb 3, 2025
Merged

Enable additional identity providers for machine accounts (GitHub Actions enablement) #5385

merged 14 commits into from
Feb 3, 2025

Conversation

evankanderson
Copy link
Member

Summary

This cleans up #4317, and enables additional service account (machine identity) providers in internal/auth, starting with GitHub Actions. It's possible that this could be generalized to AWS, GCP, etc service accounts, but I wanted to start with a concrete example which enabled a number of other stories.

Usage (from #4317):

Fixes #5145

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Added unit tests for new modules, and tested manually.

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@evankanderson evankanderson requested a review from a team as a code owner January 30, 2025 03:45
evankanderson
evankanderson commented Jan 30, 2025
View reviewed changes
Copy link
Member Author

@evankanderson evankanderson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry about the size of the diff! I tried not to make it too large, but also not to leave too many things half-way (unlike #4317, which explicitly did that)

internal/auth/jwt/jwtauth.go
Comment on lines -109 to -110
// GetUserSubjectFromContext returns the user subject from the context, or nil
func GetUserSubjectFromContext(ctx context.Context) string {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed this because an ID token with a sub but without the iss context seems dangerous, so I'd prefer to have our code explicitly get auth.Identity objects and reason about them.

@evankanderson
Copy link
Member Author

(Fixed lint and hopefully test failures)

@evankanderson
Copy link
Member Author

#5386 may help with the "unit test" leg of PRs timing out.

eleftherias
eleftherias reviewed Jan 30, 2025
View reviewed changes
internal/auth/githubactions/githubactions.go Outdated Show resolved Hide resolved
cmd/server/app/serve.go Show resolved Hide resolved
internal/auth/jwt/dynamic/dynamic_fetch.go Outdated Show resolved Hide resolved
cmd/server/app/serve.go Show resolved Hide resolved
@evankanderson evankanderson merged commit f9b49bf into mindersec:main Feb 3, 2025
27 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eleftherias eleftherias eleftherias approved these changes

Assignees
No one assigned
Labels
None yet
Projects
Planned Work
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Finish #4317 and merge
2 participants
@evankanderson @eleftherias