adding test for ci provider WorkflowPrincipalFromIDToken

Signed-off-by: Javan lacerda <[email protected]>
javanlacerda · Jun 14, 2024 · 6aec89c · 6aec89c
1 parent e4fbff2
commit 6aec89c
Show file tree

Hide file tree

Showing 2 changed files with 125 additions and 21 deletions.
diff --git a/pkg/certificate/extensions.go b/pkg/certificate/extensions.go
@@ -69,69 +69,69 @@ type Extensions struct {
 	// Deprecated
 	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2
+	GithubWorkflowTrigger string `yaml:"github-workflow-trigger"` // OID 1.3.6.1.4.1.57264.1.2
 
 	// Deprecated
 	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3
+	GithubWorkflowSHA string `yaml:"github-workflow-sha"` // OID 1.3.6.1.4.1.57264.1.3
 
 	// Deprecated
 	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4
+	GithubWorkflowName string `yaml:"github-workflow-name"` // OID 1.3.6.1.4.1.57264.1.4
 
 	// Deprecated
 	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5
+	GithubWorkflowRepository string `yaml:"github-workflow-repository"` // OID 1.3.6.1.4.1.57264.1.5
 
 	// Deprecated
 	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
 	// from Github Actions
-	GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
+	GithubWorkflowRef string `yaml:"github-workflow-ref"` // 1.3.6.1.4.1.57264.1.6
 
 	// Reference to specific build instructions that are responsible for signing.
-	BuildSignerURI string // 1.3.6.1.4.1.57264.1.9
+	BuildSignerURI string `yaml:"build-signer-uri"` // 1.3.6.1.4.1.57264.1.9
 
 	// Immutable reference to the specific version of the build instructions that is responsible for signing.
-	BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10
+	BuildSignerDigest string `yaml:"build-signer-digest"` // 1.3.6.1.4.1.57264.1.10
 
 	// Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
-	RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11
+	RunnerEnvironment string `yaml:"runner-environment"` // 1.3.6.1.4.1.57264.1.11
 
 	// Source repository URL that the build was based on.
-	SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12
+	SourceRepositoryURI string `yaml:"source-repository-uri"` // 1.3.6.1.4.1.57264.1.12
 
 	// Immutable reference to a specific version of the source code that the build was based upon.
-	SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13
+	SourceRepositoryDigest string `yaml:"source-repository-digest"` // 1.3.6.1.4.1.57264.1.13
 
 	// Source Repository Ref that the build run was based upon.
-	SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14
+	SourceRepositoryRef string `yaml:"source-repository-ref"` // 1.3.6.1.4.1.57264.1.14
 
 	// Immutable identifier for the source repository the workflow was based upon.
-	SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15
+	SourceRepositoryIdentifier string `yaml:"source-repository-identifier"` // 1.3.6.1.4.1.57264.1.15
 
 	// Source repository owner URL of the owner of the source repository that the build was based on.
-	SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16
+	SourceRepositoryOwnerURI string `yaml:"source-repository-owner-uri"` // 1.3.6.1.4.1.57264.1.16
 
 	// Immutable identifier for the owner of the source repository that the workflow was based upon.
-	SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17
+	SourceRepositoryOwnerIdentifier string `yaml:"source-repository-owner-identifier"` // 1.3.6.1.4.1.57264.1.17
 
 	// Build Config URL to the top-level/initiating build instructions.
-	BuildConfigURI string // 1.3.6.1.4.1.57264.1.18
+	BuildConfigURI string `yaml:"build-config-uri"` // 1.3.6.1.4.1.57264.1.18
 
 	// Immutable reference to the specific version of the top-level/initiating build instructions.
-	BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19
+	BuildConfigDigest string `yaml:"build-config-digest"` // 1.3.6.1.4.1.57264.1.19
 
 	// Event or action that initiated the build.
-	BuildTrigger string // 1.3.6.1.4.1.57264.1.20
+	BuildTrigger string `yaml:"build-trigger"` // 1.3.6.1.4.1.57264.1.20
 
 	// Run Invocation URL to uniquely identify the build execution.
-	RunInvocationURI string // 1.3.6.1.4.1.57264.1.21
+	RunInvocationURI string `yaml:"run-invocation-uri"` // 1.3.6.1.4.1.57264.1.21
 
 	// Source repository visibility at the time of signing the certificate.
-	SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22
+	SourceRepositoryVisibilityAtSigning string `yaml:"source-repository-visibility-at-signing"` // 1.3.6.1.4.1.57264.1.22
 }
 
 func (e Extensions) Render() ([]pkix.Extension, error) {

diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
@@ -32,9 +32,113 @@ import (
 	"github.com/sigstore/fulcio/pkg/identity"
 )
 
-// TO BE IMPLEMENTED. Just kept as a guide
-func TestWorkflowPrincipalFromIDToken(_ *testing.T) {
+func TestWorkflowPrincipalFromIDToken(t *testing.T) {
+	tests := map[string]struct {
+		Claims            map[string]interface{}
+		ExpectedPrincipal Provider
+	}{
+		`Valid token authenticates with correct claims`: {
+			Claims: map[string]interface{}{
+				"issuer":                "https://token.actions.githubusercontent.com",
+				"event_name":            "trigger",
+				"sha":                   "sha",
+				"workflow":              "workflowname",
+				"repository":            "repository",
+				"ref":                   "ref",
+				"job_workflow_sha":      "jobWorkflowSha",
+				"job_workflow_ref":      "jobWorkflowRef",
+				"runner_environment":    "runnerEnv",
+				"repository_id":         "repoID",
+				"repository_owner":      "repoOwner",
+				"repository_owner_id":   "repoOwnerID",
+				"workflow_ref":          "workflowRef",
+				"workflow_sha":          "workflowSHA",
+				"run_id":                "runID",
+				"run_attempt":           "runAttempt",
+				"repository_visibility": "public",
+			},
+			ExpectedPrincipal: Provider{
+				Subject: "subject-test",
+				Extensions: certificate.Extensions{
+					BuildSignerDigest:          "job_workflow_sha",
+					SourceRepositoryDigest:     "sha",
+					SourceRepositoryRef:        "ref",
+					SourceRepositoryIdentifier: "repository_id",
+					RunInvocationURI:           "{{.url}}/{{.repository}}/actions/runs/{{.run_id}}/",
+				},
+				Uris: []string{
+					"{{.url}}/{{.job_workflow_ref}}",
+				},
+				Defaults: map[string]string{
+					"url": "https://github.com",
+				},
+				OIDCIssuers: []config.OIDCIssuer{
+					{
+						IssuerURL: "https://token.actions.githubusercontent.com",
+					},
+				},
+				MetaIssuers: []config.OIDCIssuer{
+					{
+						IssuerURL: "https://token.actions.githubusercontent.com/*",
+						ClientID:  "sigstore",
+					},
+				},
+				Claims: map[string]interface{}{
+					"event_name":            "trigger",
+					"issuer":                "https://token.actions.githubusercontent.com",
+					"job_workflow_ref":      "jobWorkflowRef",
+					"job_workflow_sha":      "jobWorkflowSha",
+					"ref":                   "ref",
+					"repository":            "repository",
+					"repository_id":         "repoID",
+					"repository_owner":      "repoOwner",
+					"repository_owner_id":   "repoOwnerID",
+					"repository_visibility": "public",
+					"run_attempt":           "runAttempt",
+					"run_id":                "runID",
+					"runner_environment":    "runnerEnv",
+					"sha":                   "sha",
+					"workflow":              "workflowname",
+					"workflow_ref":          "workflowRef",
+					"workflow_sha":          "workflowSHA",
+				},
+			},
+		},
+	}
+
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			token := &oidc.IDToken{
+				Subject: "subject-test",
+			}
+			claims, err := json.Marshal(test.Claims)
+			if err != nil {
+				t.Fatal(err)
+			}
+			withClaims(token, claims)
+			ctx := context.TODO()
+			OIDCIssuers :=
+				map[string]config.OIDCIssuer{
+					token.Issuer: {
+						IssuerURL: token.Issuer,
+						Type:      config.IssuerTypeGithubWorkflow,
+						ClientID:  "sigstore",
+					},
+				}
+			cfg := &config.FulcioConfig{
+				OIDCIssuers: OIDCIssuers,
+			}
+			ctx = config.With(ctx, cfg)
+			principal, err := WorkflowPrincipalFromIDToken(ctx, token)
+			if err != nil {
+				t.Fatal(err)
+			}
 
+			if !reflect.DeepEqual(principal, test.ExpectedPrincipal) {
+				t.Error("Principals should be equals")
+			}
+		})
+	}
 }
 
 // reflect hack because "claims" field is unexported by oidc IDToken