@@ -18,6 +18,7 @@ import (
18
18
"bytes"
19
19
"context"
20
20
"crypto/x509"
21
+ "encoding/json"
21
22
"fmt"
22
23
"html/template"
23
24
"net/url"
@@ -47,7 +48,10 @@ func getTokenClaims(token *oidc.IDToken) (map[string]string, error) {
47
48
48
49
// It makes string interpolation for a given string by using the
49
50
// templates syntax https://pkg.go.dev/text/template
50
- func applyTemplateOrReplace (extValueTemplate string , tokenClaims map [string ]string , issuerMetadata map [string ]string ) (string , error ) {
51
+ // logMetadata added as a parameter for having a richer log
52
+ func applyTemplateOrReplace (
53
+ extValueTemplate string , tokenClaims map [string ]string ,
54
+ issuerMetadata map [string ]string , logMetadata map [string ]string ) (string , error ) {
51
55
52
56
// Here we merge the data from was claimed by the id token with the
53
57
// default data provided by the yaml file.
@@ -81,7 +85,10 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
81
85
}
82
86
claimValue , ok := mergedData [extValueTemplate ]
83
87
if ! ok {
84
- return "" , fmt .Errorf ("value <%s> not present in either claims or defaults" , extValueTemplate )
88
+ var jsonMetadata bytes.Buffer
89
+ inrec , _ := json .Marshal (logMetadata )
90
+ _ = json .Indent (& jsonMetadata , inrec , "" , "\t " )
91
+ return "" , fmt .Errorf ("value <%s> not present in either claims or defaults. %s" , extValueTemplate , jsonMetadata .String ())
85
92
}
86
93
return claimValue , nil
87
94
}
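Review bot: The new error path at new lines 88–91 discards the errors from both `json.Marshal` and `json.Indent` and splices a multi-line, tab-indented JSON blob into the error string, so a marshal failure silently yields an empty suffix and the message no longer follows the one-line form the neighbouring `fmt.Errorf` calls use. Since `logMetadata` is a `map[string]string`, `%v` already prints it on one line with sorted keys and has no failure path: `return "", fmt.Errorf("value <%s> not present in either claims or defaults; metadata: %v", extValueTemplate, logMetadata)`. That also leaves the `encoding/json` import added in the first hunk unused unless the package relies on it elsewhere. Because this error is returned from `Embed` and may be surfaced to callers outside this diff, it is worth confirming that only the issuer and extension name are ever placed in the map, as every entry is echoed verbatim. The body of `applyTemplateOrReplace` starts and continues outside this hunk.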
@@ -97,9 +104,13 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide
97
104
if ! ok {
98
105
return nil , fmt .Errorf ("configuration can not be loaded for issuer %v" , token .Issuer )
99
106
}
107
+ metadata , ok := cfg .CIIssuerMetadata [issuerCfg .CIProvider ]
108
+ if ! ok {
109
+ return nil , fmt .Errorf ("metadata not found for ci provider %s" , issuerCfg .CIProvider )
110
+ }
100
111
return ciPrincipal {
101
112
token ,
102
- cfg . CIIssuerMetadata [ issuerCfg . CIProvider ] ,
113
+ metadata ,
103
114
}, nil
104
115
}
105
116
@@ -115,7 +126,15 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
115
126
if err != nil {
116
127
return err
117
128
}
118
- subjectAlternativeName , err := applyTemplateOrReplace (principal .ClaimsMetadata .SubjectAlternativeNameTemplate , claims , defaults )
129
+ if strings .TrimSpace (principal .ClaimsMetadata .SubjectAlternativeNameTemplate ) == "" {
130
+ return fmt .Errorf ("SubjectAlternativeNameTemplate should not be empty. Issuer: %s" , principal .Token .Issuer )
131
+ }
132
+ subjectAlternativeName , err := applyTemplateOrReplace (
133
+ principal .ClaimsMetadata .SubjectAlternativeNameTemplate , claims , defaults ,
134
+ map [string ]string {
135
+ "Issuer" : principal .Token .Issuer ,
136
+ "ExtensionName" : "SubjectAlternativeName" ,
137
+ })
119
138
if err != nil {
120
139
return err
121
140
}
@@ -135,10 +154,14 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
135
154
s := v .Field (i ).String () // value of each field, e.g the template string
136
155
// We check the field name to avoid to apply the template for the Issuer
137
156
// Issuer field should always come from the token issuer
138
- if s == "" || vType .Field (i ).Name == "Issuer" {
157
+ if strings . TrimSpace ( s ) == "" || vType .Field (i ).Name == "Issuer" {
139
158
continue
140
159
}
141
- extValue , err := applyTemplateOrReplace (s , claims , defaults )
160
+ extValue , err := applyTemplateOrReplace (s , claims , defaults ,
161
+ map [string ]string {
162
+ "Issuer" : principal .Token .Issuer ,
163
+ "ExtensionName" : vType .Field (i ).Name ,
164
+ })
142
165
if err != nil {
143
166
return err
144
167
}