From 50abb65f0bdcb2c0290b3afb535bc77e339e1a19 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Mon, 2 Sep 2024 16:53:18 +0200
Subject: [PATCH] =?UTF-8?q?Revert=20"If=20custom=20server=20url=20exists,?= =?UTF-8?q?=20use=20that=20instead=20of=20the=20default=20one.=20(#1?= =?UTF-8?q?=E2=80=A6"=20(#1791)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit bc852fd5991dfc9a0e301834004fa160840702e8.
---
 pkg/identity/github/principal.go | 10 +-----
 pkg/identity/github/principal_test.go | 47 ---------------------------
 2 files changed, 1 insertion(+), 56 deletions(-)

diff --git a/pkg/identity/github/principal.go b/pkg/identity/github/principal.go
index da9e4442e..5eaa74a2d 100644
--- a/pkg/identity/github/principal.go
+++ b/pkg/identity/github/principal.go
@@ -18,7 +18,6 @@ import (
 "context"
 "crypto/x509"
 "errors"
- "fmt"
 "net/url"

 "github.com/coreos/go-oidc/v3/oidc"
@@ -106,7 +105,6 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
 WorkflowSha string `json:"workflow_sha"`
 RunID string `json:"run_id"`
 RunAttempt string `json:"run_attempt"`
- Enterprise string `json:"enterprise"`
 }
 if err := token.Claims(&claims); err != nil {
 return nil, err
@@ -161,16 +159,10 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
 return nil, errors.New("missing run_attempt claim in ID token")
 }

- baseURL := `https://github.com/`
-
- if claims.Enterprise != "" {
- baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
- }
-
 return &workflowPrincipal{
 subject: token.Subject,
 issuer: token.Issuer,
- url: baseURL,
+ url: `https://github.com/`,
 sha: claims.Sha,
 eventName: claims.EventName,
 repository: claims.Repository,
diff --git a/pkg/identity/github/principal_test.go b/pkg/identity/github/principal_test.go
index 7368fefb0..3b1d01bec 100644
--- a/pkg/identity/github/principal_test.go
+++ b/pkg/identity/github/principal_test.go
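Review bot: The restored `url` field in the returned workflowPrincipal (the `+` line with the https://github.com/ literal) carries no comment on why the base URL is constant, which leaves the door open to the reverted pattern coming back. I would add `// url is fixed on purpose: claim values are only checked for presence here, so none may be used to build a host name.` above that field. The removed lines formatted claims.Enterprise straight into `https://%s.ghe.com/` with no validation visible in this hunk, which is presumably why the change was backed out. The principal_test.go hunk deletes the enterprise case outright; a case that still carries an `enterprise` claim and expects https://github.com/ would pin the behaviour against regression. WorkflowPrincipalFromIDToken starts above this hunk and the struct literal continues below it.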
@@ -84,53 +84,6 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
 },
 WantErr: false,
 },
- `Valid token, custom base url authenticates with correct claims`: {
- Claims: map[string]interface{}{
- "aud": "sigstore",
- "event_name": "push",
- "exp": 0,
- "iss": "https://token.actions.githubusercontent.com",
- "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
- "job_workflow_sha": "example-sha",
- "ref": "refs/heads/main",
- "repository": "sigstore/fulcio",
- "repository_id": "12345",
- "repository_owner": "username",
- "repository_owner_id": "345",
- "repository_visibility": "public",
- "run_attempt": "1",
- "run_id": "42",
- "runner_environment": "cloud-hosted",
- "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- "sub": "repo:sigstore/fulcio:ref:refs/heads/main",
- "workflow": "foo",
- "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
- "workflow_sha": "example-sha-other",
- "enterprise": "test",
- },
- ExpectPrincipal: workflowPrincipal{
- issuer: "https://token.actions.githubusercontent.com",
- subject: "repo:sigstore/fulcio:ref:refs/heads/main",
- url: "https://test.ghe.com/",
- jobWorkflowRef: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
- sha: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
- eventName: "push",
- repository: "sigstore/fulcio",
- workflow: "foo",
- ref: "refs/heads/main",
- jobWorkflowSha: "example-sha",
- runnerEnvironment: "cloud-hosted",
- repositoryID: "12345",
- repositoryOwner: "username",
- repositoryOwnerID: "345",
- repositoryVisibility: "public",
- workflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
- workflowSha: "example-sha-other",
- runID: "42",
- runAttempt: "1",
- },
- WantErr: false,
- },
 `Token missing job_workflow_ref claim should be rejected`: {
 Claims: map[string]interface{}{
 "aud": "sigstore",