rename issuers metadata

Signed-off-by: Javan lacerda <javanlacerda@google.com>
javanlacerda · Jun 24, 2024 · 07c9a86 · 07c9a86
1 parent e40bb8f
commit 07c9a86
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 30 deletions.
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
@@ -102,7 +102,7 @@ data:
               "Type": "github-workflow"
             }
           },
-          "IssuersMetadata": null
+          "DefaultTemplateValues": null
         }
     server.yaml: |-
         host: 0.0.0.0

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -64,17 +64,23 @@ type FulcioConfig struct {
 	MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"`
 
 	// defines the metadata for the issuers
-	IssuersMetadata map[string]IssuersMetadata
+	CIIssuerMetadata map[string]DefaultTemplateValues
 
 	// verifiers is a fixed mapping from our OIDCIssuers to their OIDC verifiers.
 	verifiers map[string][]*verifierWithConfig
 	// lru is an LRU cache of recently used verifiers for our meta issuers.
 	lru *lru.TwoQueueCache
 }
 
-type IssuersMetadata struct {
-	Defaults               map[string]string
-	ClaimsMapper           certificate.Extensions
+type DefaultTemplateValues struct {
+	// Default key and values that can be used for filling the templates
+	// If a key cannot be found on the token claims, the template will use the defaults
+	Defaults map[string]string
+	// It is the mapper from the id token claims to the Extensions.
+	// It expects strings with templates syntax https://pkg.go.dev/text/template
+	// or raw strings with claims keys to be replaced
+	ClaimsMapper certificate.Extensions
+	// A alternative name for the issuer subject
 	SubjectAlternativeName string
 }
 
@@ -86,8 +92,8 @@ type OIDCIssuer struct {
 	// Used to determine the subject of the certificate and if additional
 	// certificate values are needed
 	Type IssuerType `json:"Type" yaml:"type,omitempty"`
-	// Issuers subtype
-	SubType string `json:"SubType,omitempty" yaml:"sub-type,omitempty"`
+	// Issuers CiProvider type
+	CIProvider string `json:"CIProvider,omitempty" yaml:"ci-provider,omitempty"`
 	// Optional, if the issuer is in a different claim in the OIDC token
 	IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
 	// The domain that must be present in the subject for 'uri' issuer types
@@ -471,20 +477,20 @@ func LoadCiProvidersConfig(cfg *FulcioConfig) (*FulcioConfig, error) {
 		fmt.Printf("Unmarshal: %v", err)
 	}
 
-	cfg.IssuersMetadata = make(map[string]IssuersMetadata)
+	cfg.CIIssuerMetadata = make(map[string]DefaultTemplateValues)
 	for k, v := range ciProvidersConfig.Providers {
-		cfg.IssuersMetadata[k] = IssuersMetadata{
+		cfg.CIIssuerMetadata[k] = DefaultTemplateValues{
 			v.Defaults,
 			v.Extensions,
 			v.SubjectAlternativeName,
 		}
 		for _, issuer := range v.OIDCIssuers {
-			issuer.SubType = k
+			issuer.CIProvider = k
 			issuer.Type = IssuerTypeCiProvider
 			cfg.OIDCIssuers[issuer.IssuerURL] = issuer
 		}
 		for _, issuer := range v.MetaIssuers {
-			issuer.SubType = k
+			issuer.CIProvider = k
 			issuer.Type = IssuerTypeCiProvider
 			cfg.MetaIssuers[issuer.IssuerURL] = issuer
 		}

diff --git a/pkg/identity/ciprovider/issuer_test.go b/pkg/identity/ciprovider/issuer_test.go
@@ -75,10 +75,10 @@ func TestIssuer(t *testing.T) {
 		OIDCIssuers :=
 			map[string]config.OIDCIssuer{
 				token.Issuer: {
-					IssuerURL: token.Issuer,
-					Type:      config.IssuerTypeCiProvider,
-					SubType:   "github-workflow",
-					ClientID:  "sigstore",
+					IssuerURL:  token.Issuer,
+					Type:       config.IssuerTypeCiProvider,
+					CIProvider: "github-workflow",
+					ClientID:   "sigstore",
 				},
 			}
 		cfg := &config.FulcioConfig{

diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
@@ -73,7 +73,7 @@ func applyTemplateOrReplace(path string, data map[string]string, defaultData map
 
 type Config struct {
 	Token    *oidc.IDToken
-	Metadata config.IssuersMetadata
+	Metadata config.DefaultTemplateValues
 }
 
 func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Principal, error) {
@@ -85,7 +85,7 @@ func WorkflowPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (ide
 
 	return Config{
 		token,
-		cfg.IssuersMetadata[issuer.SubType],
+		cfg.CIIssuerMetadata[issuer.CIProvider],
 	}, nil
 }
 

diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
@@ -37,7 +37,7 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
 	}{
 		`Github workflow challenge should have all Github workflow extensions and issuer set`: {
 			ExpectedPrincipal: Config{
-				Metadata: config.IssuersMetadata{
+				Metadata: config.DefaultTemplateValues{
 					ClaimsMapper: certificate.Extensions{
 						Issuer:                              "issuer",
 						GithubWorkflowTrigger:               "event_name",
@@ -101,17 +101,17 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
 			OIDCIssuers :=
 				map[string]config.OIDCIssuer{
 					token.Issuer: {
-						IssuerURL: token.Issuer,
-						Type:      config.IssuerTypeCiProvider,
-						SubType:   "github-workflow",
-						ClientID:  "sigstore",
+						IssuerURL:  token.Issuer,
+						Type:       config.IssuerTypeCiProvider,
+						CIProvider: "github-workflow",
+						ClientID:   "sigstore",
 					},
 				}
-			meta := make(map[string]config.IssuersMetadata)
+			meta := make(map[string]config.DefaultTemplateValues)
 			meta["github-workflow"] = test.ExpectedPrincipal.Metadata
 			cfg := &config.FulcioConfig{
-				OIDCIssuers:     OIDCIssuers,
-				IssuersMetadata: meta,
+				OIDCIssuers:      OIDCIssuers,
+				CIIssuerMetadata: meta,
 			}
 			ctx = config.With(ctx, cfg)
 			principal, err := WorkflowPrincipalFromIDToken(ctx, token)
@@ -183,10 +183,10 @@ func TestName(t *testing.T) {
 			OIDCIssuers :=
 				map[string]config.OIDCIssuer{
 					token.Issuer: {
-						IssuerURL: token.Issuer,
-						Type:      config.IssuerTypeCiProvider,
-						SubType:   "ci-provider",
-						ClientID:  "sigstore",
+						IssuerURL:  token.Issuer,
+						Type:       config.IssuerTypeCiProvider,
+						CIProvider: "ci-provider",
+						ClientID:   "sigstore",
 					},
 				}
 			cfg := &config.FulcioConfig{
@@ -236,7 +236,7 @@ func TestEmbed(t *testing.T) {
 				`Certificate has correct source repository visibility extension`: factExtensionIs(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 22}, "public"),
 			},
 			Principal: Config{
-				Metadata: config.IssuersMetadata{
+				Metadata: config.DefaultTemplateValues{
 					ClaimsMapper: certificate.Extensions{
 						Issuer:                              "issuer",
 						GithubWorkflowTrigger:               "event_name",