add tests for using if else on templates, missing key set zero value

javanlacerda · Jul 17, 2024 · 629149a · 629149a
1 parent c81ba17
commit 629149a
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 23 deletions.
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
@@ -162,18 +162,10 @@ ci-issuer-metadata:
     default-template-values:
         url: "https://g.codefresh.io"
     extension-templates:
-        build-signer-uri: "https://{{ .ci_config_ref_uri }}"
-        build-signer-digest: "ci_config_sha"
+        build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
         runner-environment: "runner_environment"
-        source-repository-uri: "{{ .url }}/{{ .repository }}"
-        source-repository-digest: "sha"
-        source-repository-ref: "ref"
-        source-repository-identifier: "project_id"
-        source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
-        source-repository-owner-identifier: "namespace_id"
-        build-config-uri: "https://{{ .ci_config_ref_uri }}"
-        build-config-digest: "ci_config_sha"
-        build-trigger: "pipeline_source"
-        run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
-        source-repository-visibility-at-signing: "repository_visibility"
-    subject-alternative-name-template: "{{ .url }}/{{ .account_name }}/{{ .pipeline_name }}:{{ .account_id }}/{{ .pipeline_id }}"
+        source-repository-uri: "scm_repo_url"
+        source-repository-ref: "scm_ref"
+        build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
+        run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+    subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
diff --git a/docs/oidc.md b/docs/oidc.md
@@ -12,7 +12,7 @@ To add a new OIDC issuer:
 
 * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml).
   * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)).
-  * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this.
+  * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one.
 * If your issuer is not for a CI provider, you need to follow the next steps:
   * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
   * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)

diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
@@ -66,7 +66,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 		var doc bytes.Buffer
 		// This option forces to having the claim that is required
 		// for the template
-		t := template.New("").Option("missingkey=error")
+		t := template.New("").Option("missingkey=zero")
 		// It shouldn't raise error since we already checked all
 		// templates in validateCIIssuerMetadata functions in config.go
 		p, err := t.Parse(extValueTemplate)
@@ -81,7 +81,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 	}
 	claimValue, ok := mergedData[extValueTemplate]
 	if !ok {
-		return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
+		return "", nil
 	}
 	return claimValue, nil
 }

diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
@@ -229,9 +229,11 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 		"workflow":              "foo",
 		"workflow_ref":          "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
 		"workflow_sha":          "example-sha-other",
+		"workflow_id":           "1",
 	}
 	issuerMetadata := map[string]string{
-		"url": "https://github.com",
+		"url":                  "https://github.com",
+		"default_platform_url": "https://g.codefresh.io",
 	}
 
 	tests := map[string]struct {
@@ -252,12 +254,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 		`Missing key for template`: {
 			Template:       "{{ .foo }}",
 			ExpectedResult: "",
-			ExpectErr:      true,
+			ExpectErr:      false,
 		},
 		`Empty string`: {
 			Template:       "",
 			ExpectedResult: "",
-			ExpectErr:      true,
+			ExpectErr:      false,
 		},
 		`Replaceable string`: {
 			Template:       "job_workflow_ref",
@@ -267,7 +269,17 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 		`Missing string`: {
 			Template:       "bar",
 			ExpectedResult: "",
-			ExpectErr:      true,
+			ExpectErr:      false,
+		},
+		`If else template`: {
+			Template:       "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}",
+			ExpectedResult: "https://g.codefresh.io/build/1",
+			ExpectErr:      false,
+		},
+		`If else template using else condition`: {
+			Template:       "{{if .iss}}{{.iss}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}",
+			ExpectedResult: "https://token.actions.githubusercontent.com/build/1",
+			ExpectErr:      false,
 		},
 	}
 
@@ -279,8 +291,8 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 					test.ExpectedResult, res)
 			}
 			if (err != nil) != test.ExpectErr {
-				t.Errorf("should raise an error don't matches: Expected %v, received: %v",
-					test.ExpectErr, err != nil)
+				t.Errorf("should raise an error don't matches: Expected %v, received: %v, %v",
+					test.ExpectErr, err != nil, name)
 			}
 		})
 	}