diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index 298d89c20..6132ce3bb 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -12,57 +12,93 @@ # See the License for the specific language governing permissions and # limitations under the License. +define: + - &github-type "github-workflow" + - &gitlab-type "gitlab-pipeline" + - &codefresh-type "codefresh-workflow" + - &buildkite-type "buildkite-job" oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com client-id: sigstore type: email + contact: tac@sigstore.dev + description: "Google OIDC auth" https://agent.buildkite.com: issuer-url: https://agent.buildkite.com client-id: sigstore - type: buildkite-job + type: ci-provider + ci-provider: *buildkite-type + contact: support@buildkite.com + description: "Buildkite Agent OIDC tokens for job identity" https://allow.pub: issuer-url: https://allow.pub client-id: sigstore type: spiffe spiffe-trust-domain: allow.pub + contact: evan@phx.io + description: "Server side signing support for the OCI registry vcr.pub" https://auth.eclipse.org/auth/realms/sigstore: issuer-url: https://auth.eclipse.org/auth/realms/sigstore client-id: sigstore type: email + contact: security@eclipse-foundation.org + description: "Eclipse Foundation Production OIDC provider" https://dev.gitlab.org: issuer-url: https://dev.gitlab.org client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type + contact: distribution-be@gitlab.com + description: "GitLab OIDC tokens for job identity" https://gitlab.archlinux.org: issuer-url: https://gitlab.archlinux.org client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type + contact: sigstore@archlinux.org + description: "GitLab OIDC tokens for job identity" https://gitlab.com: issuer-url: https://gitlab.com client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type + contact: support@gitlab.com + description: "GitLab OIDC tokens for job identity" https://issuer.enforce.dev: issuer-url: https://issuer.enforce.dev client-id: sigstore type: chainguard-identity + 
contact: mattmoor@chainguard.dev + description: "Chainguard identity tokens" https://oauth2.sigstore.dev/auth: issuer-url: https://oauth2.sigstore.dev/auth client-id: sigstore type: email issuer-claim: $.federated_claims.connector_id + contact: tac@sigstore.dev + description: "dex address for fulcio" https://oidc.codefresh.io: issuer-url: https://oidc.codefresh.io client-id: sigstore - type: codefresh-workflow + type: ci-provider + ci-provider: *codefresh-type + contact: support@codefresh.io + description: "Codefresh OIDC tokens for job identity" https://ops.gitlab.net: issuer-url: https://ops.gitlab.net client-id: sigstore - type: gitlab-pipeline + type: ci-provider + ci-provider: *gitlab-type + contact: distribution-be@gitlab.com + description: "GitLab OIDC tokens for job identity" https://token.actions.githubusercontent.com: issuer-url: https://token.actions.githubusercontent.com client-id: sigstore - type: github-workflow + type: ci-provider + ci-provider: *github-type + contact: tac@sigstore.dev + description: "GitHub Actions OIDC auth" meta-issuers: https://*.oic.prod-aks.azure.com/*: client-id: sigstore 
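Review bot: The new top-level `define:` key exists only to hold YAML anchors, so the config loader must tolerate an unknown top-level key; if it decodes with strict or known-fields checking the file will stop loading, which is worth confirming since the loader is not in this diff. A short comment above it, `# Anchor definitions only; not read by Fulcio. The values must match the keys under ci-issuer-metadata.`, would tell the next editor why the key exists and what constraint the names carry.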
@@ -78,4 +114,64 @@ meta-issuers: type: kubernetes https://token.actions.githubusercontent.com/*: client-id: sigstore - type: github-workflow + type: ci-provider + ci-provider: *github-type +ci-issuer-metadata: + *github-type: + default-template-values: + url: "https://github.com" + extension-templates: + github-workflow-trigger: "event_name" + github-workflow-sha: "sha" + github-workflow-name: "workflow" + github-workflow-repository: "repository" + github-workflow-ref: "ref" + build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}" + build-signer-digest: "job_workflow_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: "ref" + source-repository-identifier: "repository_id" + source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}" + source-repository-owner-identifier: "repository_owner_id" + build-config-uri: "{{ .url }}/{{ .workflow_ref }}" + build-config-digest: "workflow_sha" + build-trigger: "event_name" + run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}" + source-repository-visibility-at-signing: "repository_visibility" + subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}" + *gitlab-type: + default-template-values: + url: "https://gitlab.com" + extension-templates: + build-signer-uri: "https://{{ .ci_config_ref_uri }}" + build-signer-digest: "ci_config_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: "ref" + source-repository-identifier: "project_id" + source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}" + source-repository-owner-identifier: "namespace_id" + build-config-uri: "https://{{ .ci_config_ref_uri }}" + build-config-digest: "ci_config_sha" + build-trigger: "pipeline_source" + run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ 
.job_id }}" + source-repository-visibility-at-signing: "repository_visibility" + subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}" + *codefresh-type: + default-template-values: + url: "https://g.codefresh.io" + extension-templates: + build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}" + runner-environment: "runner_environment" + source-repository-uri: "scm_repo_url" + source-repository-ref: "scm_ref" + build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}" + run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}" + subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}" + *buildkite-type: + default-template-values: + url: "https://buildkite.com" + subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" diff --git a/docs/oidc.md b/docs/oidc.md index a58bc4aad..798a6f119 100644 --- a/docs/oidc.md +++ b/docs/oidc.md 
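Review bot: All four Codefresh templates under `*codefresh-type` reference `{{.platform_ur}}` (missing the final `l`) inside `{{if .platform_url}}`, including `subject-alternative-name-template`; since principal.go in this same commit moves to `missingkey=zero`, the misspelling does not fail but renders the if-branch as an empty string, so a token that does carry `platform_url` would get a host-less SAN and URIs such as `/build/<workflow_id>`. Each of those lines should read `{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}...`. The `If else template` case added in principal_test.go copies the same misspelling and only drives the else branch, so it does not catch this. The GitLab entry's `source-repository-visibility-at-signing: "repository_visibility"` is also worth checking against the claim name GitLab actually issues, which I believe is `project_visibility`.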
@@ -10,13 +10,18 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the To add a new OIDC issuer: -* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions. -* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) -* Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. -* Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) -* Update the end-to-end gRPC tests: - * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175) - * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331)) +* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). + * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. 
You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one. +* If your issuer is not for a CI provider, you need to follow the next steps: + * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions. + * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) + * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`. + * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62) +* These next steps are required only for non-ci issuers, as it is already tested for generically. Although, you are welcome to add tests for your provider if you want to. 
+ * Update the end-to-end gRPC tests: + * Update the [configuration test](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L175) + * Add a test for the new issuer ([example](https://github.com/sigstore/fulcio/blob/572b7c8496c29a04721f608dd0307ba08773c60c/pkg/server/grpc_server_test.go#L331)) See [this example](https://github.com/sigstore/fulcio/pull/890), although it is out of date as you'll now need to create an issuer type. diff --git a/federation/README.md b/federation/README.md deleted file mode 100644 index 3d9e575cd..000000000 --- a/federation/README.md +++ /dev/null @@ -1,23 +0,0 @@ -# OIDC Federation Configs - -This directory contains configurations for individual OIDC endpoints that the public good instance of Fulcio should accept identity tokens from. - -## Usage - -To update the k8s `ConfigMap`, run `go run federation/main.go` from the root directory of this repository. - -## Adding New Entries - -We'll happily accept new entries here in the form of a pull request! -Open one up with your endpoint, filling in a directory and a `config.yaml` with the following structure: - -```yaml -url: -contact: -description: -type: -``` - -You'll then have to regenerate the ConfigMap with `go run federation/main.go`, and then send your PR. - -We'll discuss your use-case with you over the pull request, and merge! diff --git a/federation/accounts.google.com/config.yaml b/federation/accounts.google.com/config.yaml deleted file mode 100644 index b21c89a31..000000000 --- a/federation/accounts.google.com/config.yaml +++ /dev/null 
@@ -1,18 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://accounts.google.com
-contact: tac@sigstore.dev
-description: "Google OIDC auth"
-type: "email"
diff --git a/federation/agent.buildkite.com/config.yaml b/federation/agent.buildkite.com/config.yaml
deleted file mode 100644
index bc1d46425..000000000
--- a/federation/agent.buildkite.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://agent.buildkite.com
-contact: support@buildkite.com
-description: "Buildkite Agent OIDC tokens for job identity"
-type: "buildkite-job"
diff --git a/federation/auth-staging.eclipse.org/config.yaml b/federation/auth-staging.eclipse.org/config.yaml
deleted file mode 100644
index 11c0f91cb..000000000
--- a/federation/auth-staging.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth-staging.eclipse.org/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Staging OIDC provider"
-type: "email"
diff --git a/federation/auth.eclipse.org/config.yaml b/federation/auth.eclipse.org/config.yaml
deleted file mode 100644
index be7a4b2d5..000000000
--- a/federation/auth.eclipse.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://auth.eclipse.org/auth/realms/sigstore
-contact: security@eclipse-foundation.org
-description: "Eclipse Foundation Production OIDC provider"
-type: "email"
diff --git a/federation/dev.gitlab.org/config.yaml b/federation/dev.gitlab.org/config.yaml
deleted file mode 100644
index 1fe70bccc..000000000
--- a/federation/dev.gitlab.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://dev.gitlab.org
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/external/allow.pub/config.yaml b/federation/external/allow.pub/config.yaml
deleted file mode 100644
index 69b164896..000000000
--- a/federation/external/allow.pub/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://allow.pub
-contact: evan@phx.io
-description: "Server side signing support for the OCI registry vcr.pub"
-type: "spiffe"
-spiffetrustdomain: "allow.pub"
diff --git a/federation/gitlab.archlinux.org/config.yaml b/federation/gitlab.archlinux.org/config.yaml
deleted file mode 100644
index e7796b0b0..000000000
--- a/federation/gitlab.archlinux.org/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.archlinux.org
-contact: sigstore@archlinux.org
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/gitlab.com/config.yaml b/federation/gitlab.com/config.yaml
deleted file mode 100644
index 8fb05c85b..000000000
--- a/federation/gitlab.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://gitlab.com
-contact: support@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/issuer.enforce.dev/config.yaml b/federation/issuer.enforce.dev/config.yaml
deleted file mode 100644
index 45e252a88..000000000
--- a/federation/issuer.enforce.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2024 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://issuer.enforce.dev
-# TODO(mattmoor): Change to a group.
-contact: mattmoor@chainguard.dev
-description: "Chainguard identity tokens"
-type: "chainguard-identity"
diff --git a/federation/oauth2.sigstore.dev/config.yaml b/federation/oauth2.sigstore.dev/config.yaml
deleted file mode 100644
index a5782a26c..000000000
--- a/federation/oauth2.sigstore.dev/config.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://oauth2.sigstore.dev/auth
-issuerclaim: $.federated_claims.connector_id
-contact: tac@sigstore.dev
-description: "dex address for fulcio"
-type: "email"
diff --git a/federation/oidc.codefresh.io/config.yaml b/federation/oidc.codefresh.io/config.yaml
deleted file mode 100644
index 8d51a8adb..000000000
--- a/federation/oidc.codefresh.io/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://oidc.codefresh.io
-contact: support@codefresh.io
-description: "Codefresh OIDC tokens for job identity"
-type: "codefresh-workflow"
diff --git a/federation/ops.gitlab.net/config.yaml b/federation/ops.gitlab.net/config.yaml
deleted file mode 100644
index 7984c576f..000000000
--- a/federation/ops.gitlab.net/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2023 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://ops.gitlab.net
-contact: distribution-be@gitlab.com
-description: "GitLab OIDC tokens for job identity"
-type: "gitlab-pipeline"
diff --git a/federation/token.actions.githubusercontent.com/config.yaml b/federation/token.actions.githubusercontent.com/config.yaml
deleted file mode 100644
index a8208db01..000000000
--- a/federation/token.actions.githubusercontent.com/config.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# Copyright 2021 The Sigstore Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-url: https://token.actions.githubusercontent.com
-contact: tac@sigstore.dev
-description: "GitHub Actions OIDC auth"
-type: "github-workflow"
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 6b5f01f9a..a2296147e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -111,6 +111,11 @@ type OIDCIssuer struct {
 // Optional, the challenge claim expected for the issuer
 // Set if using a custom issuer
 ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"`
+ // Optional, the description for the issuer
+ Description string `json:"Description,omitempty" yaml:"description,omitempty"`
+ // Optional, the contact for the issuer team
+ // Usually it is a email
+ Contact string `json:"Contact,omitempty" yaml:"contact,omitempty"`
 }
 
 func metaRegex(issuer string) (*regexp.Regexp, error) {
diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
index c0c464523..f5a6fd3b2 100644
--- a/pkg/config/fulcio_config_test.go
+++ b/pkg/config/fulcio_config_test.go
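Review bot: The comment on the new `Contact` field in OIDCIssuer, `// Usually it is a email`, should read `// Usually an email address`, and both new field comments would benefit from stating whether the values are informational only or are read anywhere; from this hunk alone they look like metadata with no effect on validation, but the rest of the package is not in view. If that is confirmed, suggest `// Optional, a human-readable description of the issuer (informational only)` and `// Optional, contact for the team operating the issuer, usually an email address (informational only)`. The enclosing OIDCIssuer struct starts before this hunk.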
@@ -53,11 +53,14 @@ func TestLoadFulcioConfig(t *testing.T) {
 t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
 }
 if string(got.Type) == "" {
- t.Errorf("Issuer Type should not be empty")
+ t.Errorf("issuer Type should not be empty")
 }
 if got.Type == IssuerTypeCIProvider {
 if got.CIProvider == "" {
- t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider")
+ t.Errorf("issuer that is CIProvider field shouldn't be empty when Type is ci-provider")
+ }
+ if _, ok := fulcioConfig.CIIssuerMetadata[got.CIProvider]; !ok {
+ t.Error("isseuer with type ci provider should has the same ci provider name as key for CIIssuerMetadata")
 }
 }
 if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
index fb94df3bd..8bb57c965 100644
--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -66,7 +66,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 var doc bytes.Buffer
 // This option forces to having the claim that is required
 // for the template
- t := template.New("").Option("missingkey=error")
+ t := template.New("").Option("missingkey=zero")
 // It shouldn't raise error since we already checked all
 // templates in validateCIIssuerMetadata functions in config.go
 p, err := t.Parse(extValueTemplate)
@@ -81,7 +81,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 }
 claimValue, ok := mergedData[extValueTemplate]
 if !ok {
- return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
+ return "", nil
 }
 return claimValue, nil
 }
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index aa387f995..776cde4dd 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
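Review bot: The two new failure messages in TestLoadFulcioConfig carry typos and grammar slips — `isseuer`, `should has`, and `issuer that is CIProvider field shouldn't be empty` — and neither says which issuer failed, although `issuerURL` is already in scope at the top of the hunk. Suggest `t.Errorf("issuer %s: CIProvider must not be empty when Type is ci-provider", issuerURL)` and `t.Errorf("issuer %s: CIProvider %q has no entry in CIIssuerMetadata", issuerURL, got.CIProvider)`. The enclosing test function starts and ends outside the hunk.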
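Review bot: Switching to `missingkey=zero` here, together with `return "", nil` for a missing claim in the `@@ -81` hunk below, removes the only runtime signal that a template referenced a claim the token does not carry; a misspelled key in `ci-issuer-metadata` now renders as an empty segment inside a certificate extension or, for `subject-alternative-name-template`, inside the SAN itself, and the config.yaml in this commit already contains one such key (`platform_ur`). The comment two lines above, `// This option forces to having the claim that is required`, now describes the old behavior and should be replaced with something like `// Missing claims render as the empty string so templates can reference optional claims`. Whatever consumes the rendered SAN should treat an empty or partial result as an error rather than issue a certificate for it, and the `validateCIIssuerMetadata` check named in the comment should verify that every field a template references is either a known claim or a default, since that is now the only place a typo can be caught. applyTemplateOrReplace starts before this hunk and ends in the next one.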
@@ -229,9 +229,11 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "workflow": "foo",
 "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
 "workflow_sha": "example-sha-other",
+ "workflow_id": "1",
 }
 issuerMetadata := map[string]string{
- "url": "https://github.com",
+ "url": "https://github.com",
+ "default_platform_url": "https://g.codefresh.io",
 }
 
 tests := map[string]struct {
@@ -252,12 +254,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing key for template`: {
 Template: "{{ .foo }}",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `Empty string`: {
 Template: "",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `Replaceable string`: {
 Template: "job_workflow_ref",
@@ -267,7 +269,17 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing string`: {
 Template: "bar",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
+ },
+ `If else template`: {
+ Template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}",
+ ExpectedResult: "https://g.codefresh.io/build/1",
+ ExpectErr: false,
+ },
+ `If else template using else condition`: {
+ Template: "{{if .iss}}{{.iss}}{{ else }}{{.default_platform_url}}{{end}}/build/{{ .workflow_id }}",
+ ExpectedResult: "https://token.actions.githubusercontent.com/build/1",
+ ExpectErr: false,
 },
 }
 
@@ -279,8 +291,8 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 test.ExpectedResult, res)
 }
 if (err != nil) != test.ExpectErr {
- t.Errorf("should raise an error don't matches: Expected %v, received: %v",
- test.ExpectErr, err != nil)
+ t.Errorf("should raise an error don't matches: Expected %v, received: %v, %v",
+ test.ExpectErr, err != nil, name)
 }
 })
 }
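Review bot: The `If else template` case in the `@@ -267` hunk copies the `{{.platform_ur}}` misspelling from config.yaml and the claims map carries no `platform_url`, so it exercises only the else branch and passes whether or not the if branch is spelled correctly; adding `"platform_url": "https://platform.example"` (constructed value) to the claims and expecting `https://platform.example/build/1` would fail today with `/build/1`, which is exactly the defect the test should expose. The two case names are also inverted: `If else template` takes the else branch, while `If else template using else condition` takes the if branch through `.iss`. With `Missing key for template`, `Empty string` and `Missing string` all now expecting `ExpectErr: false` and an empty result, the table no longer pins any case in which a bad template is reported; if parse errors are still surfaced, a case such as `Template: "{{ .foo "` with `ExpectErr: true` would keep that path covered. TestApplyTemplateOrReplace starts before the first hunk.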