
Commit 8acbceb

authored
fix: adding ci provider for meta-issuers (#1767)
* adding ci provider for meta-issuers Signed-off-by: Javan lacerda <[email protected]> * adding tests Signed-off-by: Javan lacerda <[email protected]> * improve tests Signed-off-by: Javan lacerda <[email protected]> * adding issuer to error log Signed-off-by: Javan lacerda <[email protected]> --------- Signed-off-by: Javan lacerda <[email protected]>
1 parent ddc294b commit 8acbceb


5 files changed

+63
-4
lines changed


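--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -156,6 +156,7 @@ func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool) {
 Type: iss.Type,
 IssuerClaim: iss.IssuerClaim,
 SubjectDomain: iss.SubjectDomain,
+CIProvider: iss.CIProvider,
 }, true
 }
 }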
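Review bot: The copied `CIProvider` field is only meaningful when `iss.Type` is `ci-provider` and the value names an entry in `CIIssuerMetadata`, and nothing in this hunk (or, as far as the hunk shows, in the rest of GetIssuer, whose body starts above it) rejects a meta-issuer whose `ci-provider` key is missing or unknown; such a misconfiguration surfaces only at token time as the `metadata not found for ci provider` error in pkg/identity/ciprovider/principal.go. If the config loader's validation does not already cover meta-issuers, it should check that relation once at load time, e.g. `if iss.Type == IssuerTypeCIProvider && iss.CIProvider == "" { return fmt.Errorf("meta-issuer %q: ci-provider must be set", url) }` (with `url` standing for the map key), so a bad deployment fails at startup rather than on the first login. The loop added in pkg/config/fulcio_config_test.go asserts this relation only for the repository's shipped config, not for arbitrary deployments.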

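--- a/pkg/config/config_network_test.go
+++ b/pkg/config/config_network_test.go
@@ -64,6 +64,18 @@ func TestLoadYamlConfig(t *testing.T) {
 t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
 }
 
+// Checking that the ci provider meta issuer has been set correctly
+got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")
+if !ok {
+t.Error("expected true, got false")
+}
+if got.Type != "ci-provider" {
+t.Errorf("expected ci-provider, got %s", got.Type)
+}
+if got.CIProvider != "github-workflow" {
+t.Errorf("expected github-workflow, got %s", got.CIProvider)
+}
+
 if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
 t.Error("no error returned from an unconfigured issuer")
 }
@@ -105,6 +117,18 @@ func TestLoadJsonConfig(t *testing.T) {
 t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
 }
 
+// Checking that the ci provider meta issuer has been set correctly
+got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")
+if !ok {
+t.Error("expected true, got false")
+}
+if got.Type != "ci-provider" {
+t.Errorf("expected ci-provider, got %s", got.Type)
+}
+if got.CIProvider != "github-workflow" {
+t.Errorf("expected github-workflow, got %s", got.CIProvider)
+}
+
 if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
 t.Error("no error returned from an unconfigured issuer")
 }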
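Review bot: The twelve lines added in the TestLoadYamlConfig hunk are duplicated verbatim in the TestLoadJsonConfig hunk; a small helper such as `func checkCIProviderMetaIssuer(t *testing.T, cfg *FulcioConfig)` (assuming `cfg` is the `*FulcioConfig` that GetIssuer's receiver suggests) called from both would keep the YAML and JSON cases in step when the expected values change. Independently, when the lookup fails the code reports `expected true, got false` and then goes on to compare fields of the zero-value `got`, producing two follow-on failures that obscure the real one; `t.Fatalf("no meta-issuer match for %s", url)` naming the URL, as the fulcio_config_test.go hunk already does, would be clearer. Both enclosing test functions start above their hunks.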

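--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -38,6 +38,10 @@ meta-issuers:
 https://oidc.eks.*.amazonaws.com/id/*:
 client-id: bar
 type: kubernetes
+https://oidc.foo.*.bar.com/id/*:
+client-id: bar
+type: ci-provider
+ci-provider: github-workflow
 `
 
 var validJSONCfg = `
@@ -54,6 +58,11 @@ var validJSONCfg = `
 "https://oidc.eks.*.amazonaws.com/id/*": {
 "ClientID": "bar",
 "Type": "kubernetes"
+},
+"https://oidc.foo.*.bar.com/id/*": {
+"ClientID": "bar",
+"Type": "ci-provider",
+"CiProvider": "github-workflow"
 }
 }
 }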
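Review bot: The new JSON fixture key `"CiProvider"` matches neither the Go field `CIProvider` nor the YAML key `ci-provider`; if the struct field carries no json tag, encoding/json still accepts it through its case-insensitive field matching, which is presumably why the JSON test passes, but the spelling reads as a typo and would silently stop matching if a json tag were ever added to the field. Using `"CIProvider": "github-workflow"` in the fixture keeps it aligned with the field's actual name and with the other capitalised keys such as `"ClientID"`.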

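--- a/pkg/config/fulcio_config_test.go
+++ b/pkg/config/fulcio_config_test.go
@@ -21,6 +21,7 @@ import (
 "os"
 "path/filepath"
 "runtime"
+"strings"
 "testing"
 )
 
@@ -68,9 +69,32 @@ func TestLoadFulcioConfig(t *testing.T) {
 }
 }
 
-for _, metaIssuer := range fulcioConfig.MetaIssuers {
-if metaIssuer.ClientID != "sigstore" {
-t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
+for metaIssuerURLRegex := range fulcioConfig.MetaIssuers {
+metaIssuerURL := strings.ReplaceAll(metaIssuerURLRegex, "*", "foo")
+got, ok := fulcioConfig.GetIssuer(metaIssuerURL)
+if !ok {
+t.Errorf("expected true, got false, %s", metaIssuerURL)
+}
+if got.ClientID != "sigstore" {
+t.Errorf("expected sigstore, got %s", got.ClientID)
+}
+if got.IssuerURL != metaIssuerURL {
+t.Errorf("expected %s, got %s", metaIssuerURL, got.IssuerURL)
+}
+
+if string(got.Type) == "" {
+t.Errorf("issuer Type should not be empty")
+}
+if got.Type == IssuerTypeCIProvider {
+if got.CIProvider == "" {
+t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider")
+}
+if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok {
+t.Error("issuer with type ci-provider should have the same CI provider name as key for CIIssuerMetadata")
+}
+}
+if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
+t.Error("no error returned from an unconfigured issuer")
 }
 }
 }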
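Review bot: The `not_an_issuer` check now sits inside the `for metaIssuerURLRegex` loop (the hunk's three closing braces close the `if`, the loop and the function), so it runs once per meta-issuer and never runs at all if the map is empty; it belongs after the loop as a single check. Within the loop, a failed `GetIssuer` lookup reports `expected true, got false, …` and then continues into the field comparisons on the zero-value `got`, adding spurious failures — a `continue` after that `t.Errorf` (or `t.Fatalf` in its place) is enough. The rest of the loop is a useful guard for the shipped config: it asserts that every `ci-provider` meta-issuer names a `CIIssuerMetadata` key, which is exactly the lookup that otherwise fails at login in pkg/identity/ciprovider/principal.go. TestLoadFulcioConfig starts above the hunk.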

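--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -106,7 +106,8 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide
 }
 metadata, ok := cfg.CIIssuerMetadata[issuerCfg.CIProvider]
 if !ok {
-return nil, fmt.Errorf("metadata not found for ci provider %s", issuerCfg.CIProvider)
+return nil, fmt.Errorf(
+"metadata not found for ci provider %s, issuer: %s", issuerCfg.CIProvider, token.Issuer)
 }
 return ciPrincipal{
 token,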
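Review bot: Both values in the new message are formatted with `%s`, so an empty `CIProvider` — a plausible cause of this error when a meta-issuer is typed `ci-provider` without a `ci-provider` key — prints as `metadata not found for ci provider , issuer: …`, which is easy to misread; `%q` makes an empty or oddly formatted value visible: `"metadata not found for ci provider %q, issuer: %q", issuerCfg.CIProvider, token.Issuer`. The line break directly after `fmt.Errorf(` is unusual Go formatting; gofmt accepts it, but keeping the format string on the call line and breaking before the arguments is the common style. WorkflowPrincipalFromIDToken starts above the hunk.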
