moving github-workflows to configfile

Signed-off-by: Javan lacerda <javanlacerda@google.com>
javanlacerda · Jun 10, 2024 · 5fa4ac0 · 5fa4ac0
1 parent 9a26db0
commit 5fa4ac0
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 29 deletions.
diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
@@ -89,7 +89,7 @@ data:
               "IssuerURL": "https://token.actions.githubusercontent.com",
               "ClientID": "sigstore",
               "Type": "github-workflow",
-              "IsCiProvider": false
+              "IsCiProvider": true
             }
           },
           "MetaIssuers": {
@@ -116,7 +116,7 @@ data:
             "https://token.actions.githubusercontent.com/*": {
               "ClientID": "sigstore",
               "Type": "github-workflow",
-              "IsCiProvider": false
+              "IsCiProvider": true
             }
           }
         }

diff --git a/federation/config.yaml b/federation/config.yaml
@@ -0,0 +1,33 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+providers:
+    github-workflow:
+        extensions:
+            build-signer-digest: job_workflow_sha
+            source-repository-digest: sha
+            source-repository-ref: ref
+            source-repository-identifier: repository_id
+            run-invocation-uri: "{{.url}}/{{.repository}}/actions/runs/{{.run_id}}/"
+        uris:
+            - "{{.url}}/{{.job_workflow_ref}}"
+        defaults:
+            url: https://github.com
+        meta-issuers:
+            - issuer-url: "https://token.actions.githubusercontent.com/*"
+              client-id: "sigstore"
+        oidc-issuers:
+            - issuer-url: https://token.actions.githubusercontent.com
+              contact: tac@sigstore.dev
+              description: "GitHub Actions OIDC auth"
diff --git a/federation/main.go b/federation/main.go
@@ -17,9 +17,11 @@ package main
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 
+	"github.com/sigstore/fulcio/pkg/certificate"
 	"github.com/sigstore/fulcio/pkg/config"
 	"gopkg.in/yaml.v3"
 )
@@ -41,6 +43,34 @@ var boilerPlate = `#
 # limitations under the License.
 `
 
+type RootYaml struct {
+	Providers map[config.IssuerType]Provider
+}
+
+type Provider struct {
+	Subject     string
+	Extensions  certificate.Extensions
+	Uris        []string
+	Defaults    map[string]string
+	OIDCIssuers []config.OIDCIssuer `yaml:"oidc-issuers,omitempty"`
+	MetaIssuers []config.OIDCIssuer `yaml:"meta-issuers,omitempty"`
+}
+
+func readYaml() RootYaml {
+	var obj RootYaml
+
+	yamlFile, err := os.ReadFile("federation/config.yaml")
+	if err != nil {
+		fmt.Printf("yamlFile.Get err #%v\n", err)
+	}
+	err = yaml.Unmarshal(yamlFile, &obj)
+	if err != nil {
+		fmt.Printf("Unmarshal: %v\n", err)
+	}
+
+	return obj
+}
+
 type federationConfig struct {
 	URL               string
 	Type              string
@@ -109,6 +139,27 @@ func main() {
 		fulcioConfig.OIDCIssuers[cfg.URL] = fulcioCfg
 	}
 
+	conf := readYaml()
+	for providerType, provider := range conf.Providers {
+		for _, issuer := range provider.OIDCIssuers {
+			fulcioCfg := config.OIDCIssuer{
+				IssuerURL:    issuer.IssuerURL,
+				ClientID:     "sigstore",
+				Type:         config.IssuerType(providerType),
+				IssuerClaim:  issuer.IssuerClaim,
+				IsCiProvider: true,
+			}
+			fulcioConfig.OIDCIssuers[fulcioCfg.IssuerURL] = fulcioCfg
+		}
+		for _, issuer := range provider.MetaIssuers {
+			fulcioMetaCfg := config.OIDCIssuer{
+				ClientID:     "sigstore",
+				Type:         config.IssuerType(providerType),
+				IsCiProvider: true,
+			}
+			fulcioConfig.MetaIssuers[issuer.IssuerURL] = fulcioMetaCfg
+		}
+	}
 	m, err := json.MarshalIndent(fulcioConfig, "", "  ")
 	if err != nil {
 		panic(err)

diff --git a/pkg/certificate/extensions.go b/pkg/certificate/extensions.go
@@ -69,69 +69,69 @@ type Extensions struct {
 	// Deprecated
 	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2
+	GithubWorkflowTrigger string `yaml:"github-workflow-trigger"` // OID 1.3.6.1.4.1.57264.1.2
 
 	// Deprecated
 	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3
+	GithubWorkflowSHA string `yaml:"github-workflow-sha"` // OID 1.3.6.1.4.1.57264.1.3
 
 	// Deprecated
 	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4
+	GithubWorkflowName string `yaml:"github-workflow-name"` // OID 1.3.6.1.4.1.57264.1.4
 
 	// Deprecated
 	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5
+	GithubWorkflowRepository string `yaml:"github-workflow-repository"` // OID 1.3.6.1.4.1.57264.1.5
 
 	// Deprecated
 	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
 	// from Github Actions
-	GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
+	GithubWorkflowRef string `yaml:"github-workflow-ref"` // 1.3.6.1.4.1.57264.1.6
 
 	// Reference to specific build instructions that are responsible for signing.
-	BuildSignerURI string // 1.3.6.1.4.1.57264.1.9
+	BuildSignerURI string `yaml:"build-signer-uri"` // 1.3.6.1.4.1.57264.1.9
 
 	// Immutable reference to the specific version of the build instructions that is responsible for signing.
-	BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10
+	BuildSignerDigest string `yaml:"build-signer-digest"` // 1.3.6.1.4.1.57264.1.10
 
 	// Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
-	RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11
+	RunnerEnvironment string `yaml:"runner-environment"` // 1.3.6.1.4.1.57264.1.11
 
 	// Source repository URL that the build was based on.
-	SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12
+	SourceRepositoryURI string `yaml:"source-repository-uri"` // 1.3.6.1.4.1.57264.1.12
 
 	// Immutable reference to a specific version of the source code that the build was based upon.
-	SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13
+	SourceRepositoryDigest string `yaml:"source-repository-digest"` // 1.3.6.1.4.1.57264.1.13
 
 	// Source Repository Ref that the build run was based upon.
-	SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14
+	SourceRepositoryRef string `yaml:"source-repository-ref"` // 1.3.6.1.4.1.57264.1.14
 
 	// Immutable identifier for the source repository the workflow was based upon.
-	SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15
+	SourceRepositoryIdentifier string `yaml:"source-repository-identifier"` // 1.3.6.1.4.1.57264.1.15
 
 	// Source repository owner URL of the owner of the source repository that the build was based on.
-	SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16
+	SourceRepositoryOwnerURI string `yaml:"source-repository-owner-uri"` // 1.3.6.1.4.1.57264.1.16
 
 	// Immutable identifier for the owner of the source repository that the workflow was based upon.
-	SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17
+	SourceRepositoryOwnerIdentifier string `yaml:"source-repository-owner-identifier"` // 1.3.6.1.4.1.57264.1.17
 
 	// Build Config URL to the top-level/initiating build instructions.
-	BuildConfigURI string // 1.3.6.1.4.1.57264.1.18
+	BuildConfigURI string `yaml:"build-config-uri"` // 1.3.6.1.4.1.57264.1.18
 
 	// Immutable reference to the specific version of the top-level/initiating build instructions.
-	BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19
+	BuildConfigDigest string `yaml:"build-config-digest"` // 1.3.6.1.4.1.57264.1.19
 
 	// Event or action that initiated the build.
-	BuildTrigger string // 1.3.6.1.4.1.57264.1.20
+	BuildTrigger string `yaml:"build-trigger"` // 1.3.6.1.4.1.57264.1.20
 
 	// Run Invocation URL to uniquely identify the build execution.
-	RunInvocationURI string // 1.3.6.1.4.1.57264.1.21
+	RunInvocationURI string `yaml:"run-invocation-uri"` // 1.3.6.1.4.1.57264.1.21
 
 	// Source repository visibility at the time of signing the certificate.
-	SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22
+	SourceRepositoryVisibilityAtSigning string `yaml:"source-repository-visibility-at-signing"` // 1.3.6.1.4.1.57264.1.22
 }
 
 func (e Extensions) Render() ([]pkix.Extension, error) {

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -67,26 +67,26 @@ type FulcioConfig struct {
 
 type OIDCIssuer struct {
 	// The expected issuer of an OIDC token
-	IssuerURL string `json:"IssuerURL,omitempty"`
+	IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`
 	// The expected client ID of the OIDC token
-	ClientID string `json:"ClientID"`
+	ClientID string `json:"ClientID" yaml:"client-id,omitempty"`
 	// Used to determine the subject of the certificate and if additional
 	// certificate values are needed
-	Type IssuerType `json:"Type"`
+	Type IssuerType `json:"Type" yaml:"type,omitempty"`
 	// Optional, if the issuer is in a different claim in the OIDC token
-	IssuerClaim string `json:"IssuerClaim,omitempty"`
+	IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
 	// The domain that must be present in the subject for 'uri' issuer types
 	// Also used to create an email for 'username' issuer types
-	SubjectDomain string `json:"SubjectDomain,omitempty"`
+	SubjectDomain string `json:"SubjectDomain,omitempty" yaml:"subject-domain,omitempty"`
 	// SPIFFETrustDomain specifies the trust domain that 'spiffe' issuer types
 	// issue ID tokens for. Tokens with a different trust domain will be
 	// rejected.
-	SPIFFETrustDomain string `json:"SPIFFETrustDomain,omitempty"`
+	SPIFFETrustDomain string `json:"SPIFFETrustDomain,omitempty" yaml:"spiffe-trust-domain,omitempty"`
 	// Optional, the challenge claim expected for the issuer
 	// Set if using a custom issuer
-	ChallengeClaim string `json:"ChallengeClaim,omitempty"`
+	ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"`
 	// Defines that the issuer is for a ci provider
-	IsCiProvider bool `json:"IsCiProvider"`
+	IsCiProvider bool `json:"IsCiProvider" yaml:"is-ci-provider"`
 }
 
 func metaRegex(issuer string) (*regexp.Regexp, error) {