
Commit 9fd5c09

fix: removing surplus slash, making logs richer (#1762)
* fix: removing surplus slash, making logs richer Signed-off-by: Javan lacerda <[email protected]> * move trim to trimspace Signed-off-by: Javan lacerda <[email protected]> * improving logs Signed-off-by: Javan lacerda <[email protected]> --------- Signed-off-by: Javan lacerda <[email protected]>
1 parent 9e7d146 commit 9fd5c09


4 files changed

+54
-11
lines changed


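--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -178,7 +178,7 @@ ci-issuer-metadata:
 # ref_type: The type of the ref
 # E.g. "branch", "tag"
 # ref: Git ref being built
-source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }}
+source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref }}
 # project_id: ID to the source repo
 source-repository-identifier: "project_id"
 # namespace_path: Owner of the source repo (mutable)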
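Review bot: The `{{ else }}` branch on the corrected source-repository-ref line renders every ref_type that is not exactly "branch" under `tags/`, so a value outside the two documented ones would be labelled as a tag ref in the certificate rather than rejected. The comment above lists "branch" and "tag" only as examples, so whether other values can arrive cannot be told from here. At minimum the fallback should be spelled out next to the examples, e.g. `# any ref_type other than "branch" is rendered under tags/`, so operators reading the extension know what a tags/ prefix can mean.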

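--- a/pkg/identity/ciprovider/issuer_test.go
+++ b/pkg/identity/ciprovider/issuer_test.go
@@ -20,6 +20,7 @@ import (
 "testing"
 
 "github.com/coreos/go-oidc/v3/oidc"
+"github.com/sigstore/fulcio/pkg/certificate"
 "github.com/sigstore/fulcio/pkg/config"
 "github.com/sigstore/fulcio/pkg/identity"
 )
@@ -81,8 +82,16 @@ func TestIssuer(t *testing.T) {
 ClientID: "sigstore",
 },
 }
+template := "{{.foobar}}"
+ciissuerMetadata := make(map[string]config.IssuerMetadata)
+ciissuerMetadata["github-workflow"] = config.IssuerMetadata{
+ExtensionTemplates: certificate.Extensions{
+BuildTrigger: template,
+},
+}
 cfg := &config.FulcioConfig{
-OIDCIssuers: OIDCIssuers,
+OIDCIssuers: OIDCIssuers,
+CIIssuerMetadata: ciissuerMetadata,
 }
 ctx = config.With(ctx, cfg)
 identity.Authorize = func(_ context.Context, _ string, _ ...config.InsecureOIDCConfigOption) (*oidc.IDToken, error) {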
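Review bot: The metadata fixture added to TestIssuer (the `template` local and the `ciissuerMetadata` map keyed "github-workflow") is repeated verbatim in TestName in principal_test.go in this same commit; a small helper in the test package, e.g. `func testCIIssuerMetadata() map[string]config.IssuerMetadata`, would keep the two in step as IssuerMetadata grows. The `template` variable is used exactly once, so `BuildTrigger: "{{.foobar}}"` inline would read more directly. TestIssuer's body continues outside the hunk.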

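--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -18,6 +18,7 @@ import (
 "bytes"
 "context"
 "crypto/x509"
+"encoding/json"
 "fmt"
 "html/template"
 "net/url"
@@ -47,7 +48,10 @@ func getTokenClaims(token *oidc.IDToken) (map[string]string, error) {
 
 // It makes string interpolation for a given string by using the
 // templates syntax https://pkg.go.dev/text/template
-func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]string, issuerMetadata map[string]string) (string, error) {
+// logMetadata added as a parameter for having a richer log
+func applyTemplateOrReplace(
+extValueTemplate string, tokenClaims map[string]string,
+issuerMetadata map[string]string, logMetadata map[string]string) (string, error) {
 
 // Here we merge the data from was claimed by the id token with the
 // default data provided by the yaml file.
@@ -81,7 +85,10 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 }
 claimValue, ok := mergedData[extValueTemplate]
 if !ok {
-return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
+var jsonMetadata bytes.Buffer
+inrec, _ := json.Marshal(logMetadata)
+_ = json.Indent(&jsonMetadata, inrec, "", "\t")
+return "", fmt.Errorf("value <%s> not present in either claims or defaults. %s", extValueTemplate, jsonMetadata.String())
 }
 return claimValue, nil
 }
@@ -97,9 +104,13 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide
 if !ok {
 return nil, fmt.Errorf("configuration can not be loaded for issuer %v", token.Issuer)
 }
+metadata, ok := cfg.CIIssuerMetadata[issuerCfg.CIProvider]
+if !ok {
+return nil, fmt.Errorf("metadata not found for ci provider %s", issuerCfg.CIProvider)
+}
 return ciPrincipal{
 token,
-cfg.CIIssuerMetadata[issuerCfg.CIProvider],
+metadata,
 }, nil
 }
 
@@ -115,7 +126,15 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
 if err != nil {
 return err
 }
-subjectAlternativeName, err := applyTemplateOrReplace(principal.ClaimsMetadata.SubjectAlternativeNameTemplate, claims, defaults)
+if strings.TrimSpace(principal.ClaimsMetadata.SubjectAlternativeNameTemplate) == "" {
+return fmt.Errorf("SubjectAlternativeNameTemplate should not be empty. Issuer: %s", principal.Token.Issuer)
+}
+subjectAlternativeName, err := applyTemplateOrReplace(
+principal.ClaimsMetadata.SubjectAlternativeNameTemplate, claims, defaults,
+map[string]string{
+"Issuer": principal.Token.Issuer,
+"ExtensionName": "SubjectAlternativeName",
+})
 if err != nil {
 return err
 }
@@ -135,10 +154,14 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
 s := v.Field(i).String() // value of each field, e.g the template string
 // We check the field name to avoid to apply the template for the Issuer
 // Issuer field should always come from the token issuer
-if s == "" || vType.Field(i).Name == "Issuer" {
+if strings.TrimSpace(s) == "" || vType.Field(i).Name == "Issuer" {
 continue
 }
-extValue, err := applyTemplateOrReplace(s, claims, defaults)
+extValue, err := applyTemplateOrReplace(s, claims, defaults,
+map[string]string{
+"Issuer": principal.Token.Issuer,
+"ExtensionName": vType.Field(i).Name,
+})
 if err != nil {
 return err
 }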
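Review bot: The not-found error in applyTemplateOrReplace now embeds a tab-indented, multi-line JSON blob, which breaks the single-line convention for Go error strings and splits the message across records in line-oriented log collectors; since the map only ever carries Issuer and ExtensionName, a flat form such as `return "", fmt.Errorf("value <%s> not present in either claims or defaults (issuer=%q, extension=%q)", extValueTemplate, logMetadata["Issuer"], logMetadata["ExtensionName"])` gives the same information without `encoding/json` or the `bytes.Buffer`. If the JSON form is kept, the discarded `json.Marshal` error should get a justifying comment, `// map[string]string cannot fail to marshal`, rather than a bare `_`. The new `// logMetadata added as a parameter for having a richer log` line reads as a changelog entry; a doc comment that starts with the function name and says what logMetadata is for (identifying fields appended to the error on a missing value) would serve readers better. Both applyTemplateOrReplace and Embed extend outside the hunks shown, and the strings.TrimSpace calls rely on a "strings" import the visible import hunk does not add, so it is presumably already present. Unrelated to this change but visible in the same hunks: the comment cites text/template while the import block shows html/template, whose contextual escaping could alter claim values containing characters such as `&` when they are rendered into extensions — worth confirming which package actually executes the templates.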

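--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -180,17 +180,25 @@ func TestName(t *testing.T) {
 }
 withClaims(token, claims)
 ctx := context.TODO()
+template := "{{.foobar}}"
+ciissuerMetadata := make(map[string]config.IssuerMetadata)
+ciissuerMetadata["github-workflow"] = config.IssuerMetadata{
+ExtensionTemplates: certificate.Extensions{
+BuildTrigger: template,
+},
+}
 OIDCIssuers :=
 map[string]config.OIDCIssuer{
 token.Issuer: {
 IssuerURL: token.Issuer,
 Type: config.IssuerTypeCIProvider,
-CIProvider: "ci-provider",
+CIProvider: "github-workflow",
 ClientID: "sigstore",
 },
 }
 cfg := &config.FulcioConfig{
-OIDCIssuers: OIDCIssuers,
+OIDCIssuers: OIDCIssuers,
+CIIssuerMetadata: ciissuerMetadata,
 }
 ctx = config.With(ctx, cfg)
 principal, err := WorkflowPrincipalFromIDToken(ctx, token)
@@ -305,7 +313,10 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 
 for name, test := range tests {
 t.Run(name, func(t *testing.T) {
-res, err := applyTemplateOrReplace(test.Template, tokenClaims, issuerMetadata)
+res, err := applyTemplateOrReplace(test.Template, tokenClaims, issuerMetadata,
+map[string]string{
+"Issuer": "https://token.actions.githubusercontent.com",
+})
 if res != test.ExpectedResult {
 t.Errorf("expected result don't matches: Expected %s, received: %s, error: %v",
 test.ExpectedResult, res, err)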
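Review bot: Neither test touched here exercises the two error paths principal.go gains in this commit: a CIProvider absent from CIIssuerMetadata in WorkflowPrincipalFromIDToken, and an empty or whitespace-only SubjectAlternativeNameTemplate in Embed. TestName could add a case with `CIProvider: "unknown"` that expects a non-nil error, and TestApplyTemplateOrReplace could assert that the error for a missing value contains the Issuer passed in logMetadata, so the richer message is actually pinned. The map passed on the new call in TestApplyTemplateOrReplace omits "ExtensionName", which both production callers always set, so the test does not reflect the real call shape. Both test functions continue outside the hunks shown.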
