fix: adding ci provider for meta-issuers (#1767)

* adding ci provider for meta-issuers

Signed-off-by: Javan lacerda <[email protected]>

* adding tests

Signed-off-by: Javan lacerda <[email protected]>

* improve tests

Signed-off-by: Javan lacerda <[email protected]>

* adding issuer to error log

Signed-off-by: Javan lacerda <[email protected]>

---------

Signed-off-by: Javan lacerda <[email protected]>

Author: javanlacerda

pkg/config/config.go

@@ -156,6 +156,7 @@ func (fc *FulcioConfig) GetIssuer(issuerURL string) (OIDCIssuer, bool) {
 				Type:          iss.Type,
 				IssuerClaim:   iss.IssuerClaim,
 				SubjectDomain: iss.SubjectDomain,
+				CIProvider:    iss.CIProvider,
 			}, true
 		}
 	}

pkg/config/config_network_test.go

@@ -64,6 +64,18 @@ func TestLoadYamlConfig(t *testing.T) {
 		t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
 	}
 
+	// Checking that the ci provider meta issuer has been set correctly
+	got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")
+	if !ok {
+		t.Error("expected true, got false")
+	}
+	if got.Type != "ci-provider" {
+		t.Errorf("expected ci-provider, got %s", got.Type)
+	}
+	if got.CIProvider != "github-workflow" {
+		t.Errorf("expected github-workflow, got %s", got.CIProvider)
+	}
+
 	if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
 		t.Error("no error returned from an unconfigured issuer")
 	}
@@ -105,6 +117,18 @@ func TestLoadJsonConfig(t *testing.T) {
 		t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
 	}
 
+	// Checking that the ci provider meta issuer has been set correctly
+	got, ok = cfg.GetIssuer("https://oidc.foo.foobar.bar.com/id/CLUSTERIDENTIFIER")
+	if !ok {
+		t.Error("expected true, got false")
+	}
+	if got.Type != "ci-provider" {
+		t.Errorf("expected ci-provider, got %s", got.Type)
+	}
+	if got.CIProvider != "github-workflow" {
+		t.Errorf("expected github-workflow, got %s", got.CIProvider)
+	}
+
 	if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
 		t.Error("no error returned from an unconfigured issuer")
 	}

pkg/config/config_test.go

@@ -38,6 +38,10 @@ meta-issuers:
   https://oidc.eks.*.amazonaws.com/id/*:
     client-id: bar
     type: kubernetes
+  https://oidc.foo.*.bar.com/id/*:
+    client-id: bar
+    type: ci-provider
+    ci-provider: github-workflow
 `
 
 var validJSONCfg = `
@@ -54,6 +58,11 @@ var validJSONCfg = `
 		"https://oidc.eks.*.amazonaws.com/id/*": {
 			"ClientID": "bar",
 			"Type": "kubernetes"
+		},
+		"https://oidc.foo.*.bar.com/id/*": {
+			"ClientID": "bar",
+			"Type": "ci-provider",
+			"CiProvider": "github-workflow"
 		}
 	}
 }

pkg/config/fulcio_config_test.go

@@ -21,6 +21,7 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"strings"
 	"testing"
 )
 
@@ -68,9 +69,32 @@ func TestLoadFulcioConfig(t *testing.T) {
 		}
 	}
 
-	for _, metaIssuer := range fulcioConfig.MetaIssuers {
-		if metaIssuer.ClientID != "sigstore" {
-			t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
+	for metaIssuerURLRegex := range fulcioConfig.MetaIssuers {
+		metaIssuerURL := strings.ReplaceAll(metaIssuerURLRegex, "*", "foo")
+		got, ok := fulcioConfig.GetIssuer(metaIssuerURL)
+		if !ok {
+			t.Errorf("expected true, got false, %s", metaIssuerURL)
+		}
+		if got.ClientID != "sigstore" {
+			t.Errorf("expected sigstore, got %s", got.ClientID)
+		}
+		if got.IssuerURL != metaIssuerURL {
+			t.Errorf("expected %s, got %s", metaIssuerURL, got.IssuerURL)
+		}
+
+		if string(got.Type) == "" {
+			t.Errorf("issuer Type should not be empty")
+		}
+		if got.Type == IssuerTypeCIProvider {
+			if got.CIProvider == "" {
+				t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider")
+			}
+			if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok {
+				t.Error("issuer with type ci-provider should have the same CI provider name as key for CIIssuerMetadata")
+			}
+		}
+		if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
+			t.Error("no error returned from an unconfigured issuer")
 		}
 	}
 }

pkg/identity/ciprovider/principal.go

@@ -106,7 +106,8 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide
 	}
 	metadata, ok := cfg.CIIssuerMetadata[issuerCfg.CIProvider]
 	if !ok {
-		return nil, fmt.Errorf("metadata not found for ci provider %s", issuerCfg.CIProvider)
+		return nil, fmt.Errorf(
+			"metadata not found for ci provider %s, issuer: %s", issuerCfg.CIProvider, token.Issuer)
 	}
 	return ciPrincipal{
 		token,