Add GetIdentityToken() function to the promoter implementation

This commit adds a new function GetIdentityToken to the promoter implementation. This function allows the current workload identity to impersonate a GCP service account and obtain an identity token from it. In order for the tests to work, the workload id that runs the test has to have the needed permissions to impersonate the test SA. Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
kubernetes-sigs · Feb 23, 2022 · 50f1e4e · 50f1e4e
1 parent 1698cab
commit 50f1e4e
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -35,11 +35,12 @@ require (
 	sigs.k8s.io/yaml v1.3.0
 )
 
+require cloud.google.com/go/iam v0.2.0
+
 require (
 	bitbucket.org/creachadair/shell v0.0.6 // indirect
 	cloud.google.com/go v0.100.2 // indirect
 	cloud.google.com/go/compute v1.3.0 // indirect
-	cloud.google.com/go/iam v0.2.0 // indirect
 	cloud.google.com/go/kms v1.3.0 // indirect
 	cuelang.org/go v0.4.2 // indirect
 	github.com/Azure/azure-sdk-for-go v61.3.0+incompatible // indirect

diff --git a/internal/promoter/image/sign.go b/internal/promoter/image/sign.go
@@ -17,17 +17,24 @@ limitations under the License.
 package imagepromoter
 
 import (
+	"context"
 	"fmt"
 	"os"
 
+	credentials "cloud.google.com/go/iam/credentials/apiv1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	credentialspb "google.golang.org/genproto/googleapis/iam/credentials/v1"
 
 	reg "sigs.k8s.io/promo-tools/v3/legacy/dockerregistry"
 	options "sigs.k8s.io/promo-tools/v3/promoter/image/options"
 	"sigs.k8s.io/release-sdk/sign"
 )
 
+const (
+	TestSigningAccount = ""
+)
+
 // ValidateStagingSignatures checks if edges (images) have a signature
 // applied during its staging run. If they do it verifies them and
 // returns an error if they are not valid.
@@ -98,3 +105,29 @@ func (di *DefaultPromoterImplementation) WriteSBOMs(
 ) error {
 	return nil
 }
+
+// GetIdentityToken returns an identity token for the selected service account
+// in order for this function to work, an account has to be already logged. This
+// can be achieved using the
+func (di *DefaultPromoterImplementation) GetIdentityToken(
+	opts *options.Options, serviceAccount string,
+) (tok string, err error) {
+	ctx := context.Background()
+	c, err := credentials.NewIamCredentialsClient(ctx)
+	if err != nil {
+		return tok, errors.Wrap(err, "creating credentials token")
+	}
+	defer c.Close()
+	req := &credentialspb.GenerateIdTokenRequest{
+		Name:         fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount),
+		Audience:     "sigstore",
+		IncludeEmail: true,
+	}
+
+	resp, err := c.GenerateIdToken(ctx, req)
+	if err != nil {
+		return tok, errors.Wrap(err, "getting error account")
+	}
+
+	return resp.Token, nil
+}
diff --git a/internal/promoter/image/sign_test.go b/internal/promoter/image/sign_test.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package imagepromoter
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	options "sigs.k8s.io/promo-tools/v3/promoter/image/options"
+	"sigs.k8s.io/release-utils/env"
+)
+
+// TestGetIdentityToken tests the identity token generation logic. By default
+// it will test using the testSigningAccount defined in sign.go. For local testing
+// purposes you can override the target account with another one you have access
+// to setting TEST_SERVICE_ACCOUNT to the service account's address.
+func TestGetIdentityToken(t *testing.T) {
+	di := DefaultPromoterImplementation{}
+	_, err := di.GetIdentityToken(&options.Options{}, "fakeAccount@iam.project..")
+	require.Error(t, err)
+
+	tok, err := di.GetIdentityToken(&options.Options{}, env.Default("TEST_SERVICE_ACCOUNT", TestSigningAccount))
+	require.NoError(t, err)
+	require.NotEmpty(t, tok)
+}