If custom server url exists, use that instead of the default one. #1776

Merged
merged 2 commits into from
Aug 19, 2024
10 changes: 9 additions & 1 deletion pkg/identity/github/principal.go
@@ -18,6 +18,7 @@ import (
"context"
"crypto/x509"
"errors"
"fmt"
"net/url"

"github.com/coreos/go-oidc/v3/oidc"
@@ -105,6 +106,7 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
WorkflowSha string `json:"workflow_sha"`
RunID string `json:"run_id"`
RunAttempt string `json:"run_attempt"`
Enterprise string `json:"enterprise"`
}
if err := token.Claims(&claims); err != nil {
return nil, err
@@ -159,10 +161,16 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
return nil, errors.New("missing run_attempt claim in ID token")
}

baseURL := `https://github.com/`

if claims.Enterprise != "" {

Contributor

@javanlacerda Is this something we can add for the new configuration?

@kommendorkapten Is this something you want enabled for the public instance or is this just for the GitHub deployment?

Contributor

@javanlacerda Aug 19, 2024

Yes, I think this template {{if .enterprise }}https://{{ .enterprise }.ghe.com{{else}}{{ .url }}{{end}} should replace every place where the default {{url}} is used for github in identity/config.yaml.
Also, it could be defined in a variable to avoid replicating it in the config.

And btw, I saw that this PR was recently merged, but these modifications will not work as we migrated github to use the new generic logic that is in pkg/identity/ciprovider/principal.go
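The template proposed in the comment above, rendered with Go's text/template as an added example (not code from this PR or from fulcio's config loader). It assumes the missing closing brace after `.enterprise` is a typo, and adds a hostname-label check on the enterprise value that neither the comment nor the PR includes:

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Template from the review thread (closing brace after .enterprise restored):
// use the enterprise GHE host when the claim is set, else the configured URL.
const baseURLTemplate = `{{if .enterprise}}https://{{ .enterprise }}.ghe.com{{else}}{{ .url }}{{end}}`

// Assumed shape of an enterprise slug for this example: a single DNS label.
var enterpriseSlug = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// renderBaseURL renders the template over the token claims and the default URL.
// An enterprise value that is not one hostname label is rejected, so the claim
// can only select a host under ghe.com and never alter the URL's structure.
func renderBaseURL(claims map[string]any, defaultURL string) (string, error) {
	ent, _ := claims["enterprise"].(string)
	if ent != "" && !enterpriseSlug.MatchString(ent) {
		return "", fmt.Errorf("enterprise claim %q is not a valid hostname label", ent)
	}
	tmpl, err := template.New("baseURL").Parse(baseURLTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	data := map[string]string{"enterprise": ent, "url": defaultURL}
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample claims: no enterprise, the PR's "test" slug, and a malformed value.
	for _, claims := range []map[string]any{
		{"repository": "sigstore/fulcio"},
		{"repository": "sigstore/fulcio", "enterprise": "test"},
		{"repository": "sigstore/fulcio", "enterprise": "not.a.label"},
	} {
		u, err := renderBaseURL(claims, "https://github.com/")
		fmt.Printf("url=%q err=%v\n", u, err)
	}
}
```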

Member Author

@haydentherapper this is only needed for our internal deployments as of now.

baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
}

return &workflowPrincipal{
subject: token.Subject,
issuer: token.Issuer,
url: `https://github.com/`,
url: baseURL,
sha: claims.Sha,
eventName: claims.EventName,
repository: claims.Repository,
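Review bot: `baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)` interpolates the `enterprise` claim into a hostname without checking that it is a single DNS label, and `url` feeds the issued principal, so a claim value that is not a plain slug would yield a URL whose host is not the `<slug>.ghe.com` this branch intends. Consider validating the claim against the expected slug format and returning an error in the same style as the `errors.New("missing run_attempt claim in ID token")` checks above. The thread also notes that the GitHub path has moved to `pkg/identity/ciprovider/principal.go`, so this change likely needs to be mirrored there to take effect.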
47 changes: 47 additions & 0 deletions pkg/identity/github/principal_test.go
@@ -84,6 +84,53 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
},
WantErr: false,
},
`Valid token, custom base url authenticates with correct claims`: {
Claims: map[string]interface{}{
"aud": "sigstore",
"event_name": "push",
"exp": 0,
"iss": "https://token.actions.githubusercontent.com",
"job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
"job_workflow_sha": "example-sha",
"ref": "refs/heads/main",
"repository": "sigstore/fulcio",
"repository_id": "12345",
"repository_owner": "username",
"repository_owner_id": "345",
"repository_visibility": "public",
"run_attempt": "1",
"run_id": "42",
"runner_environment": "cloud-hosted",
"sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"sub": "repo:sigstore/fulcio:ref:refs/heads/main",
"workflow": "foo",
"workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
"workflow_sha": "example-sha-other",
"enterprise": "test",
},
ExpectPrincipal: workflowPrincipal{
issuer: "https://token.actions.githubusercontent.com",
subject: "repo:sigstore/fulcio:ref:refs/heads/main",
url: "https://test.ghe.com/",
jobWorkflowRef: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
sha: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
eventName: "push",
repository: "sigstore/fulcio",
workflow: "foo",
ref: "refs/heads/main",
jobWorkflowSha: "example-sha",
runnerEnvironment: "cloud-hosted",
repositoryID: "12345",
repositoryOwner: "username",
repositoryOwnerID: "345",
repositoryVisibility: "public",
workflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
workflowSha: "example-sha-other",
runID: "42",
runAttempt: "1",
},
WantErr: false,
},
`Token missing job_workflow_ref claim should be rejected`: {
Claims: map[string]interface{}{
"aud": "sigstore",
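Review bot: the new case only covers a well-formed slug (`"enterprise": "test"` expecting `url: "https://test.ghe.com/"`). Consider adding a case whose `enterprise` value is not a valid hostname label, so the test file specifies whether such tokens are rejected or still yield a principal; the existing case without the claim already pins the `https://github.com/` default.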