several modifies

Signed-off-by: Javan lacerda <javanlacerda@google.com>
javanlacerda · Jun 17, 2024 · 58f0de2 · 58f0de2
1 parent 68428d7
commit 58f0de2
Show file tree

Hide file tree

Showing 13 changed files with 113 additions and 153 deletions.
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
@@ -20,86 +20,104 @@ data:
             "https://accounts.google.com": {
               "IssuerURL": "https://accounts.google.com",
               "ClientID": "sigstore",
-              "Type": "email"
+              "Type": "email",
+              "SubType": ""
             },
             "https://agent.buildkite.com": {
               "IssuerURL": "https://agent.buildkite.com",
               "ClientID": "sigstore",
-              "Type": "buildkite-job"
+              "Type": "buildkite-job",
+              "SubType": ""
             },
             "https://allow.pub": {
               "IssuerURL": "https://allow.pub",
               "ClientID": "sigstore",
               "Type": "spiffe",
+              "SubType": "",
               "SPIFFETrustDomain": "allow.pub"
             },
             "https://auth-staging.eclipse.org/realms/sigstore": {
               "IssuerURL": "https://auth-staging.eclipse.org/realms/sigstore",
               "ClientID": "sigstore",
-              "Type": "email"
+              "Type": "email",
+              "SubType": ""
             },
             "https://auth.eclipse.org/auth/realms/sigstore": {
               "IssuerURL": "https://auth.eclipse.org/auth/realms/sigstore",
               "ClientID": "sigstore",
-              "Type": "email"
+              "Type": "email",
+              "SubType": ""
             },
             "https://dev.gitlab.org": {
               "IssuerURL": "https://dev.gitlab.org",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://gitlab.archlinux.org": {
               "IssuerURL": "https://gitlab.archlinux.org",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://gitlab.com": {
               "IssuerURL": "https://gitlab.com",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://oauth2.sigstore.dev/auth": {
               "IssuerURL": "https://oauth2.sigstore.dev/auth",
               "ClientID": "sigstore",
               "Type": "email",
+              "SubType": "",
               "IssuerClaim": "$.federated_claims.connector_id"
             },
             "https://oidc.codefresh.io": {
               "IssuerURL": "https://oidc.codefresh.io",
               "ClientID": "sigstore",
-              "Type": "codefresh-workflow"
+              "Type": "codefresh-workflow",
+              "SubType": ""
             },
             "https://ops.gitlab.net": {
               "IssuerURL": "https://ops.gitlab.net",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://token.actions.githubusercontent.com": {
               "IssuerURL": "https://token.actions.githubusercontent.com",
               "ClientID": "sigstore",
-              "Type": "github-workflow"
+              "Type": "ci-provider",
+              "SubType": "github-workflow"
             }
           },
           "MetaIssuers": {
             "https://*.oic.prod-aks.azure.com/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://container.googleapis.com/v1/projects/*/locations/*/clusters/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://oidc.eks.*.amazonaws.com/id/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://oidc.prod-aks.azure.com/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://token.actions.githubusercontent.com/*": {
+              "IssuerURL": "https://token.actions.githubusercontent.com/*",
               "ClientID": "sigstore",
-              "Type": "github-workflow"
+              "Type": "ci-provider",
+              "SubType": "github-workflow"
             }
           }
         }

diff --git a/federation/config.yaml b/federation/config.yaml
diff --git a/federation/main.go b/federation/main.go
@@ -17,11 +17,9 @@ package main
 
 import (
 	"encoding/json"
-	"fmt"
 	"os"
 	"path/filepath"
 
-	"github.com/sigstore/fulcio/pkg/certificate"
 	"github.com/sigstore/fulcio/pkg/config"
 	"gopkg.in/yaml.v3"
 )
@@ -43,33 +41,6 @@ var boilerPlate = `#
 # limitations under the License.
 `
 
-type RootYaml struct {
-	Providers map[config.IssuerType]Provider
-}
-
-type Provider struct {
-	Subject     string
-	Extensions  certificate.Extensions
-	Uris        []string
-	Defaults    map[string]string
-	OIDCIssuers []config.OIDCIssuer `yaml:"oidc-issuers,omitempty"`
-	MetaIssuers []config.OIDCIssuer `yaml:"meta-issuers,omitempty"`
-}
-
-func readYaml() RootYaml {
-	var obj RootYaml
-
-	yamlFile, err := os.ReadFile("federation/config.yaml")
-	if err != nil {
-		fmt.Printf("yamlFile.Get err #%v\n", err)
-	}
-	err = yaml.Unmarshal(yamlFile, &obj)
-	if err != nil {
-		fmt.Printf("Unmarshal: %v\n", err)
-	}
-	return obj
-}
-
 type federationConfig struct {
 	URL               string
 	Type              string
@@ -109,11 +80,6 @@ func main() {
 				ClientID: "sigstore",
 				Type:     "kubernetes",
 			},
-			// GitHub Actions OIDC unique enterprise issuers
-			"https://token.actions.githubusercontent.com/*": {
-				ClientID: "sigstore",
-				Type:     "github-workflow",
-			},
 		},
 	}
 	for _, m := range matches {
@@ -138,23 +104,25 @@ func main() {
 		fulcioConfig.OIDCIssuers[cfg.URL] = fulcioCfg
 	}
 
-	// We have to start to set IsCiProvider as true as default
-	// after moving the ci providers to the config.yaml
-	conf := readYaml()
+	conf := config.ReadConfig()
 	for providerType, provider := range conf.Providers {
 		for _, issuer := range provider.OIDCIssuers {
 			fulcioCfg := config.OIDCIssuer{
 				IssuerURL:   issuer.IssuerURL,
 				ClientID:    "sigstore",
-				Type:        config.IssuerType(providerType),
+				Type:        config.IssuerCiProvider,
 				IssuerClaim: issuer.IssuerClaim,
+				SubType:     providerType,
 			}
 			fulcioConfig.OIDCIssuers[fulcioCfg.IssuerURL] = fulcioCfg
 		}
 		for _, issuer := range provider.MetaIssuers {
 			fulcioMetaCfg := config.OIDCIssuer{
-				ClientID: "sigstore",
-				Type:     config.IssuerType(providerType),
+				IssuerURL:   issuer.IssuerURL,
+				ClientID:    "sigstore",
+				Type:        config.IssuerCiProvider,
+				IssuerClaim: issuer.IssuerClaim,
+				SubType:     providerType,
 			}
 			fulcioConfig.MetaIssuers[issuer.IssuerURL] = fulcioMetaCfg
 		}

diff --git a/pkg/challenges/challenges.go b/pkg/challenges/challenges.go
@@ -27,8 +27,8 @@ import (
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/identity"
 	"github.com/sigstore/fulcio/pkg/identity/buildkite"
+	"github.com/sigstore/fulcio/pkg/identity/ciprovider"
 	"github.com/sigstore/fulcio/pkg/identity/email"
-	"github.com/sigstore/fulcio/pkg/identity/github"
 	"github.com/sigstore/fulcio/pkg/identity/gitlabcom"
 	"github.com/sigstore/fulcio/pkg/identity/kubernetes"
 	"github.com/sigstore/fulcio/pkg/identity/spiffe"
@@ -67,8 +67,8 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 		principal, err = email.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeSpiffe:
 		principal, err = spiffe.PrincipalFromIDToken(ctx, tok)
-	case config.IssuerTypeGithubWorkflow:
-		principal, err = github.WorkflowPrincipalFromIDToken(ctx, tok)
+	case config.IssuerCiProvider:
+		principal, err = ciprovider.WorkflowPrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeKubernetes:
 		principal, err = kubernetes.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeURI:

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -24,13 +24,16 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"reflect"
 	"regexp"
+	"runtime"
 	"strings"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	lru "github.com/hashicorp/golang-lru"
+	"github.com/sigstore/fulcio/pkg/certificate"
 	fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -70,10 +73,13 @@ type OIDCIssuer struct {
 	// The expected issuer of an OIDC token
 	IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`
 	// The expected client ID of the OIDC token
-	ClientID string `json:"ClientID" yaml:"client-id,omitempty"`
+	ClientID string `json:"ClientID,omitempty" yaml:"client-id,omitempty"`
 	// Used to determine the subject of the certificate and if additional
 	// certificate values are needed
-	Type IssuerType `json:"Type" yaml:"type,omitempty"`
+	Type IssuerType `json:"Type,omitempty" yaml:"type,omitempty"`
+	// Used to determine the subject of the certificate and if additional
+	// certificate values are needed
+	SubType string `json:"SubType,omitempty" yaml:"sub-type,omitempty"`
 	// Optional, if the issuer is in a different claim in the OIDC token
 	IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
 	// The domain that must be present in the subject for 'uri' issuer types
@@ -103,6 +109,34 @@ func metaRegex(issuer string) (*regexp.Regexp, error) {
 	return regexp.Compile(replaced)
 }
 
+type Config struct {
+	Providers map[string]Provider
+}
+type Provider struct {
+	Subject     string
+	Extensions  certificate.Extensions
+	Uris        []string
+	Defaults    map[string]string
+	OIDCIssuers []OIDCIssuer `yaml:"oidc-issuers,omitempty"`
+	MetaIssuers []OIDCIssuer `yaml:"meta-issuers,omitempty"`
+	Claims      map[string]interface{}
+}
+
+func ReadConfig() Config {
+	var obj Config
+	_, b, _, _ := runtime.Caller(0)
+	basepath := filepath.Dir(b)
+	configFile, err := os.ReadFile(basepath + "/providers_config.yaml")
+	if err != nil {
+		fmt.Printf("yamlFile.Get err #%v ", err)
+	}
+	err = yaml.Unmarshal(configFile, &obj)
+	if err != nil {
+		fmt.Printf("Unmarshal: %v", err)
+	}
+	return obj
+}
+
 // GetIssuer looks up the issuer configuration for an `issuerURL`
 // coming from an incoming OIDC token.  If no matching configuration
 // is found, then it returns `false`.
@@ -276,13 +310,13 @@ type IssuerType string
 const (
 	IssuerTypeBuildkiteJob      = "buildkite-job"
 	IssuerTypeEmail             = "email"
-	IssuerTypeGithubWorkflow    = "github-workflow"
 	IssuerTypeCodefreshWorkflow = "codefresh-workflow"
 	IssuerTypeGitLabPipeline    = "gitlab-pipeline"
 	IssuerTypeKubernetes        = "kubernetes"
 	IssuerTypeSpiffe            = "spiffe"
 	IssuerTypeURI               = "uri"
 	IssuerTypeUsername          = "username"
+	IssuerCiProvider            = "ci-provider"
 )
 
 func parseConfig(b []byte) (cfg *FulcioConfig, err error) {
@@ -406,11 +440,6 @@ var DefaultConfig = &FulcioConfig{
 			ClientID:  "sigstore",
 			Type:      IssuerTypeEmail,
 		},
-		"https://token.actions.githubusercontent.com": {
-			IssuerURL: "https://token.actions.githubusercontent.com",
-			ClientID:  "sigstore",
-			Type:      IssuerTypeGithubWorkflow,
-		},
 	},
 }
 
@@ -513,7 +542,7 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 		return "sub"
 	case IssuerTypeEmail:
 		return "email"
-	case IssuerTypeGithubWorkflow:
+	case IssuerCiProvider:
 		return "sub"
 	case IssuerTypeCodefreshWorkflow:
 		return "sub"

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -489,7 +489,7 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeBuildkiteJob, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for Buildkite issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
+	if claim := issuerToChallengeClaim(IssuerCiProvider, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}
 	if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {

diff --git a/...identity/ciprovider/providers_config.yaml → pkg/config/providers_config.yaml b/...identity/ciprovider/providers_config.yaml → pkg/config/providers_config.yaml
@@ -26,8 +26,7 @@ providers:
             url: https://github.com
         meta-issuers:
             - issuer-url: "https://token.actions.githubusercontent.com/*"
-              client-id: "sigstore"
         oidc-issuers:
             - issuer-url: https://token.actions.githubusercontent.com
               contact: tac@sigstore.dev
-              description: "GitHub Actions OIDC auth"
+              description: "GitHub Actions OIDC auth"
diff --git a/pkg/identity/ciprovider/issuer_test.go b/pkg/identity/ciprovider/issuer_test.go
@@ -76,8 +76,9 @@ func TestIssuer(t *testing.T) {
 			map[string]config.OIDCIssuer{
 				token.Issuer: {
 					IssuerURL: token.Issuer,
-					Type:      config.IssuerTypeGithubWorkflow,
+					Type:      config.IssuerCiProvider,
 					ClientID:  "sigstore",
+					SubType:   "github-workflow",
 				},
 			}
 		cfg := &config.FulcioConfig{