set claimed data to have priority over defaults
Signed-off-by: Javan lacerda <[email protected]>
javanlacerda committed Jul 31, 2024
1 parent 78a2495 commit 464ea89
Showing 4 changed files with 18 additions and 14 deletions.
14 changes: 9 additions & 5 deletions config/identity/config.yaml
Expand Up @@ -168,12 +168,16 @@ ci-issuer-metadata:
subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
*codefresh-type:
default-template-values:
url: "https://g.codefresh.io"
# We are setting the default value for "platform_url" as the ci-provider
# principal gives priority to the claimed value over the default
# when they have the same name. Then it will use the default "platform_url" value
# for cases that the claimed data doesn't exist.
platform_url: "https://g.codefresh.io"
extension-templates:
# platform_url: Codefresh platform url
# workflow_id: The ID of the specific workflow authorized in the claim.
# For example, 64f447c02199f903000gh20.
build-signer-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
build-signer-uri: "{{.platform_url}}/build/{{ .workflow_id }}"
# runner_environment: Whether the build took place in cloud or self-hosted infrastructure
runner-environment: "runner_environment"
# scm_repo_url: Applies to Git push, PR, and manual Git trigger types.
Expand All @@ -185,12 +189,12 @@ ci-issuer-metadata:
# for which the workflow should execute. For example, main or v1.0.0.
source-repository-ref: "scm_ref"
# pipeline_id: Codefresh Pipeline id
build-config-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
build-config-uri: "{{.platform_url}}/api/pipelines/{{ .pipeline_id }}"
# account_name: Codefresh account name
# pipeline_name: Codefresh pipline name (project/pipeline)
# account_id: Codefresh account id
run-invocation-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
subject-alternative-name-template: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
run-invocation-uri: "{{.platform_url}}/build/{{ .workflow_id }}"
subject-alternative-name-template: "{{.platform_url}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
*buildkite-type:
default-template-values:
url: "https://buildkite.com"
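Review bot: The four-line comment added above `platform_url` in `default-template-values` is hard to follow ("as the ci-provider principal gives priority ... Then it will use the default ...") and could state the rule in one sentence, e.g. `# Default platform_url, used only when the token carries no platform_url claim; claimed values take priority over these defaults.` With the `{{if .platform_url}}...{{.url}}{{end}}` fallbacks replaced by plain `{{.platform_url}}`, the removed `url` default is no longer referenced by any codefresh template, so dropping it is consistent. The trailing `*buildkite-type` block still relies on its own `url` default and is unaffected.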
2 changes: 1 addition & 1 deletion docs/oidc.md
Expand Up @@ -12,7 +12,7 @@ To add a new OIDC issuer:

* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml).
* Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)).
* Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one.
* Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the claimed value will have priority over the default one.
* If your issuer is not for a CI provider, you need to follow the next steps:
* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
10 changes: 5 additions & 5 deletions pkg/identity/ciprovider/principal.go
Expand Up @@ -53,20 +53,20 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
// default data provided by the yaml file.
// The order here matter because we want to override the claimed data
// with the default data.
// The default data will have priority over the claimed data.
// The claimed data will have priority over the default data.
mergedData := make(map[string]string)
for k, v := range tokenClaims {
for k, v := range issuerMetadata {
mergedData[k] = v
}
for k, v := range issuerMetadata {
for k, v := range tokenClaims {
mergedData[k] = v
}

if strings.Contains(extValueTemplate, "{{") {
var doc bytes.Buffer
// This option forces to having the claim that is required
// for the template
t := template.New("").Option("missingkey=zero")
t := template.New("").Option("missingkey=error")
// It shouldn't raise error since we already checked all
// templates in validateCIIssuerMetadata functions in config.go
p, err := t.Parse(extValueTemplate)
Expand All @@ -81,7 +81,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
}
claimValue, ok := mergedData[extValueTemplate]
if !ok {
return "", nil
return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
}
return claimValue, nil
}
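Review bot: The two context lines kept above the edited comment, `// The order here matter because we want to override the claimed data` / `// with the default data.`, now state the opposite of the new line `// The claimed data will have priority over the default data.` and of what the two loops do (issuerMetadata is copied first, tokenClaims second), so they should be rewritten, e.g. `// Order matters: defaults are copied first so that claimed values override them.` Switching to `missingkey=error` and returning an error from the `mergedData[extValueTemplate]` miss is the right direction: a missing claim no longer silently becomes "" in the computed value, which presumably then flows into the issued extension. In the new error `fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)`, `%q` would make an empty or whitespace-only template name visible in the message; the hunk does not show whether `fmt` is already imported in this file. applyTemplateOrReplace's signature and the start of its body are outside the hunk.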
6 changes: 3 additions & 3 deletions pkg/identity/ciprovider/principal_test.go
Expand Up @@ -256,12 +256,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
`Missing key for template`: {
Template: "{{ .foo }}",
ExpectedResult: "",
ExpectErr: false,
ExpectErr: true,
},
`Empty string`: {
Template: "",
ExpectedResult: "",
ExpectErr: false,
ExpectErr: true,
},
`Replaceable string`: {
Template: "job_workflow_ref",
Expand All @@ -271,7 +271,7 @@ func TestApplyTemplateOrReplace(t *testing.T) {
`Missing string`: {
Template: "bar",
ExpectedResult: "",
ExpectErr: false,
ExpectErr: true,
},
`If else template`: {
Template: `refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_gitlab }}`,
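Review bot: The three flipped cases (`Missing key for template`, `Empty string`, `Missing string`) only toggle `ExpectErr` to `true`; none of the visible cases pins the behaviour the commit is about, a key present in both tokenClaims and issuerMetadata resolving to the claimed value. If no such case exists elsewhere in this table, one should be added alongside these, e.g. a template of `{{ .platform_url }}` with differing claim and default values and `ExpectedResult` set to the claimed one. Asserting on the error text for the `Missing string` case would also catch regressions in the new "not present in either claims or defaults" message. The enclosing TestApplyTemplateOrReplace table starts and ends outside the hunk.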
