refactoring

Signed-off-by: Javan lacerda <javanlacerda@google.com>

cmd/app/serve.go

@@ -214,6 +214,10 @@ func runServeCmd(cmd *cobra.Command, args []string) { //nolint: revive
 	if err != nil {
 		log.Logger.Fatalf("error loading --config-path=%s: %v", cp, err)
 	}
+	cfg, err = config.LoadCiProvidersConfig(cfg)
+	if err != nil {
+		log.Logger.Fatalf("error loading CiProviderConfig: %v", err)
+	}
 
 	var baseca certauth.CertificateAuthority
 	switch viper.GetString("ca") {

config/fulcio-config.yaml

@@ -20,88 +20,106 @@ data:
             "https://accounts.google.com": {
               "IssuerURL": "https://accounts.google.com",
               "ClientID": "sigstore",
-              "Type": "email"
+              "Type": "email",
+              "SubType": ""
             },
             "https://agent.buildkite.com": {
               "IssuerURL": "https://agent.buildkite.com",
               "ClientID": "sigstore",
-              "Type": "buildkite-job"
+              "Type": "buildkite-job",
+              "SubType": ""
             },
             "https://allow.pub": {
               "IssuerURL": "https://allow.pub",
               "ClientID": "sigstore",
               "Type": "spiffe",
+              "SubType": "",
               "SPIFFETrustDomain": "allow.pub"
             },
             "https://auth-staging.eclipse.org/realms/sigstore": {
               "IssuerURL": "https://auth-staging.eclipse.org/realms/sigstore",
               "ClientID": "sigstore",
-              "Type": "email"
+              "Type": "email",
+              "SubType": ""
             },
             "https://auth.eclipse.org/auth/realms/sigstore": {
               "IssuerURL": "https://auth.eclipse.org/auth/realms/sigstore",
               "ClientID": "sigstore",
-              "Type": "email"
+              "Type": "email",
+              "SubType": ""
             },
             "https://dev.gitlab.org": {
               "IssuerURL": "https://dev.gitlab.org",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://gitlab.archlinux.org": {
               "IssuerURL": "https://gitlab.archlinux.org",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://gitlab.com": {
               "IssuerURL": "https://gitlab.com",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://oauth2.sigstore.dev/auth": {
               "IssuerURL": "https://oauth2.sigstore.dev/auth",
               "ClientID": "sigstore",
               "Type": "email",
+              "SubType": "",
               "IssuerClaim": "$.federated_claims.connector_id"
             },
             "https://oidc.codefresh.io": {
               "IssuerURL": "https://oidc.codefresh.io",
               "ClientID": "sigstore",
-              "Type": "codefresh-workflow"
+              "Type": "codefresh-workflow",
+              "SubType": ""
             },
             "https://ops.gitlab.net": {
               "IssuerURL": "https://ops.gitlab.net",
               "ClientID": "sigstore",
-              "Type": "gitlab-pipeline"
+              "Type": "gitlab-pipeline",
+              "SubType": ""
             },
             "https://token.actions.githubusercontent.com": {
               "IssuerURL": "https://token.actions.githubusercontent.com",
               "ClientID": "sigstore",
-              "Type": "github-workflow"
+              "Type": "github-workflow",
+              "SubType": ""
             }
           },
           "MetaIssuers": {
             "https://*.oic.prod-aks.azure.com/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://container.googleapis.com/v1/projects/*/locations/*/clusters/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://oidc.eks.*.amazonaws.com/id/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://oidc.prod-aks.azure.com/*": {
               "ClientID": "sigstore",
-              "Type": "kubernetes"
+              "Type": "kubernetes",
+              "SubType": ""
             },
             "https://token.actions.githubusercontent.com/*": {
               "ClientID": "sigstore",
-              "Type": "github-workflow"
+              "Type": "github-workflow",
+              "SubType": ""
             }
-          }
+          },
+          "IssuersMetadata": null
         }
     server.yaml: |-
         host: 0.0.0.0

pkg/challenges/challenges.go

@@ -27,6 +27,7 @@ import (
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/identity"
 	"github.com/sigstore/fulcio/pkg/identity/buildkite"
+	"github.com/sigstore/fulcio/pkg/identity/ciprovider"
 	"github.com/sigstore/fulcio/pkg/identity/email"
 	"github.com/sigstore/fulcio/pkg/identity/github"
 	"github.com/sigstore/fulcio/pkg/identity/gitlabcom"
@@ -75,6 +76,8 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 		principal, err = uri.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeUsername:
 		principal, err = username.PrincipalFromIDToken(ctx, tok)
+	case config.IssuerTypeCiProvider:
+		principal, err = ciprovider.WorkflowPrincipalFromIDToken(ctx, tok)
 	default:
 		return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
 	}

pkg/config/config.go

@@ -24,13 +24,16 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"reflect"
 	"regexp"
+	"runtime"
 	"strings"
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	lru "github.com/hashicorp/golang-lru"
+	"github.com/sigstore/fulcio/pkg/certificate"
 	fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -60,12 +63,21 @@ type FulcioConfig struct {
 	// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
 	MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"`
 
+	// defines the metadata for the issuers
+	IssuersMetadata map[string]IssuersMetadata
+
 	// verifiers is a fixed mapping from our OIDCIssuers to their OIDC verifiers.
 	verifiers map[string][]*verifierWithConfig
 	// lru is an LRU cache of recently used verifiers for our meta issuers.
 	lru *lru.TwoQueueCache
 }
 
+type IssuersMetadata struct {
+	Defaults               map[string]string
+	ClaimsMapper           certificate.Extensions
+	SubjectAlternativeName string
+}
+
 type OIDCIssuer struct {
 	// The expected issuer of an OIDC token
 	IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`
@@ -74,6 +86,8 @@ type OIDCIssuer struct {
 	// Used to determine the subject of the certificate and if additional
 	// certificate values are needed
 	Type IssuerType `json:"Type" yaml:"type,omitempty"`
+	// Issuers subtype
+	SubType string `json:"SubType" yaml:"sub-type,omitempty"`
 	// Optional, if the issuer is in a different claim in the OIDC token
 	IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
 	// The domain that must be present in the subject for 'uri' issuer types
@@ -283,6 +297,7 @@ const (
 	IssuerTypeSpiffe            = "spiffe"
 	IssuerTypeURI               = "uri"
 	IssuerTypeUsername          = "username"
+	IssuerTypeCiProvider        = "ci-provider"
 )
 
 func parseConfig(b []byte) (cfg *FulcioConfig, err error) {
@@ -431,6 +446,52 @@ func FromContext(ctx context.Context) *FulcioConfig {
 	return untyped.(*FulcioConfig)
 }
 
+type CiProvidersConfig struct {
+	Providers map[string]Provider
+}
+type Provider struct {
+	Extensions             certificate.Extensions `yaml:"extensions,omitempty"`
+	SubjectAlternativeName string                 `yaml:"subject-alternative-name,omitempty"`
+	Defaults               map[string]string      `yaml:"defaults,omitempty"`
+	OIDCIssuers            []OIDCIssuer           `yaml:"oidc-issuers,omitempty"`
+	MetaIssuers            []OIDCIssuer           `yaml:"meta-issuers,omitempty"`
+}
+
+func LoadCiProvidersConfig(cfg *FulcioConfig) (*FulcioConfig, error) {
+	var ciProvidersConfig CiProvidersConfig
+	_, path, _, _ := runtime.Caller(0)
+	basepath := filepath.Dir(path)
+	providersConfigFile, err := os.ReadFile(basepath + "/providers_config.yaml")
+
+	if err != nil {
+		fmt.Printf("yamlFile.Get err #%v ", err)
+	}
+	err = yaml.Unmarshal(providersConfigFile, &ciProvidersConfig)
+	if err != nil {
+		fmt.Printf("Unmarshal: %v", err)
+	}
+
+	cfg.IssuersMetadata = make(map[string]IssuersMetadata)
+	for k, v := range ciProvidersConfig.Providers {
+		cfg.IssuersMetadata[k] = IssuersMetadata{
+			v.Defaults,
+			v.Extensions,
+			v.SubjectAlternativeName,
+		}
+		for _, issuer := range v.OIDCIssuers {
+			issuer.SubType = k
+			issuer.Type = IssuerTypeCiProvider
+			cfg.OIDCIssuers[issuer.IssuerURL] = issuer
+		}
+		for _, issuer := range v.MetaIssuers {
+			issuer.SubType = k
+			issuer.Type = IssuerTypeCiProvider
+			cfg.MetaIssuers[issuer.IssuerURL] = issuer
+		}
+	}
+	return cfg, err
+}
+
 // Load a config from disk, or use defaults
 func Load(configPath string) (*FulcioConfig, error) {
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
@@ -445,7 +506,12 @@ func Load(configPath string) (*FulcioConfig, error) {
 	if err != nil {
 		return nil, fmt.Errorf("read file: %w", err)
 	}
-	return Read(b)
+	fulcioConfig, err := Read(b)
+	if err != nil {
+		return fulcioConfig, err
+	}
+
+	return fulcioConfig, err
 }
 
 // Read parses the bytes of a config
@@ -515,6 +581,8 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 		return "email"
 	case IssuerTypeGithubWorkflow:
 		return "sub"
+	case IssuerTypeCiProvider:
+		return "sub"
 	case IssuerTypeCodefreshWorkflow:
 		return "sub"
 	case IssuerTypeKubernetes:

pkg/config/config_test.go

@@ -492,6 +492,9 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}
+	if claim := issuerToChallengeClaim(IssuerTypeCiProvider, ""); claim != "sub" {
+		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
+	}
 	if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
 	}

pkg/identity/ciprovider/providers_config.yaml → pkg/config/providers_config.yaml

@@ -20,8 +20,7 @@ providers:
             source-repository-ref: ref
             source-repository-identifier: repository_id
             run-invocation-uri: "{{.url}}/{{.repository}}/actions/runs/{{.run_id}}/"
-        uris:
-            - "{{.url}}/{{.job_workflow_ref}}"
+        subject-alternative-name: "{{.url}}/{{.job_workflow_ref}}"
         defaults:
             url: https://github.com
         meta-issuers:

pkg/identity/ciprovider/issuer_test.go

@@ -76,7 +76,8 @@ func TestIssuer(t *testing.T) {
 			map[string]config.OIDCIssuer{
 				token.Issuer: {
 					IssuerURL: token.Issuer,
-					Type:      config.IssuerTypeGithubWorkflow,
+					Type:      config.IssuerTypeCiProvider,
+					SubType:   "github-workflow",
 					ClientID:  "sigstore",
 				},
 			}