From 704ce08af38c353b2e726871131fb247947b6ec4 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Tue, 2 Jul 2024 20:29:50 +0000 Subject: [PATCH 1/7] migrating codefresh and buildkite to ci provider Signed-off-by: Javan lacerda --- config/identity/config.yaml | 23 +++++++++++++++++++++-- docs/oidc.md | 2 +- pkg/identity/ciprovider/principal.go | 4 ++-- pkg/identity/ciprovider/principal_test.go | 6 +++--- 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index d9fb56fec..a75664321 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -15,6 +15,8 @@ define: - &github-type "github-workflow" - &gitlab-type "gitlab-pipeline" + - &codefresh-type "codefresh-workflow" + - &buildkite-type "buildkite-job" oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com @@ -25,7 +27,8 @@ oidc-issuers: https://agent.buildkite.com: issuer-url: https://agent.buildkite.com client-id: sigstore - type: buildkite-job + type: ci-provider + ci-provider: *buildkite-type contact: support@buildkite.com description: "Buildkite Agent OIDC tokens for job identity" https://allow.pub: @@ -84,7 +87,8 @@ oidc-issuers: https://oidc.codefresh.io: issuer-url: https://oidc.codefresh.io client-id: sigstore - type: codefresh-workflow + type: ci-provider + ci-provider: *codefresh-type contact: support@codefresh.io description: "Codefresh OIDC tokens for job identity" https://ops.gitlab.net: 
@@ -162,3 +166,18 @@ ci-issuer-metadata:
 run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
 source-repository-visibility-at-signing: "repository_visibility"
 subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
+ *codefresh-type:
+ default-template-values:
+ url: "https://g.codefresh.io"
+ extension-templates:
+ build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+ runner-environment: "runner_environment"
+ source-repository-uri: "scm_repo_url"
+ source-repository-ref: "scm_ref"
+ build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
+ run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+ subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
+ *buildkite-type:
+ default-template-values:
+ url: "https://buildkite.com"
+ subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"
diff --git a/docs/oidc.md b/docs/oidc.md
index 653644e33..798a6f119 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
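Review bot: The four codefresh templates added here (build-signer-uri, build-config-uri, run-invocation-uri and subject-alternative-name-template) write `{{if .platform_url}}{{.platform_ur}}…` — the branch tests `platform_url` but then renders `platform_ur`, which is neither a claim nor a default. Whenever a token does carry `platform_url` the host part therefore renders empty and the SAN and URIs become path-only values; because this same series switches principal.go to `missingkey=zero`, that typo is swallowed instead of producing an error, which is exactly the failure mode a SAN template must not have. The fix is `{{.platform_url}}` in each of the four branches (a later patch in this series does make that spelling change, so the message of that patch should say it is a functional fix, not only comments).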
@@ -12,7 +12,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). - * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one. * If your issuer is not for a CI provider, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions. * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503) 
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
index fb94df3bd..8bb57c965 100644
--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -66,7 +66,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 var doc bytes.Buffer
 // This option forces to having the claim that is required
 // for the template
- t := template.New("").Option("missingkey=error")
+ t := template.New("").Option("missingkey=zero")
 // It shouldn't raise error since we already checked all
 // templates in validateCIIssuerMetadata functions in config.go
 p, err := t.Parse(extValueTemplate)
@@ -81,7 +81,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 }
 claimValue, ok := mergedData[extValueTemplate]
 if !ok {
- return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
+ return "", nil
 }
 return claimValue, nil
 }
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index e60b216b6..b67bd6041 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -256,12 +256,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing key for template`: {
 Template: "{{ .foo }}",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `Empty string`: {
 Template: "",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `Replaceable string`: {
 Template: "job_workflow_ref",
@@ -271,7 +271,7 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing string`: {
 Template: "bar",
 ExpectedResult: "",
- ExpectErr: true,
+ ExpectErr: false,
 },
 `If else template`: {
 Template: `refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_gitlab }}`,
From 50680d55b9c7531d0a3e0596b834e11a28c896ad Mon Sep 17 00:00:00 2001
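Review bot: `missingkey=zero` in the -66 hunk and `return "", nil` for an unknown claim name in the -81 hunk share one defect: a claim the template needs that is absent from the token, or a claim name misspelled in config.yaml, now renders as an empty string instead of failing, so the resulting certificate carries a silently empty or truncated SAN or extension (for the buildkite template added in this series, `{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}` would become `https://buildkite.com//` for a token without those claims). The comment kept just above the changed line, `// This option forces to having the claim that is required` / `// for the template`, now states the opposite of what the option does, and the three `ExpectErr: false` flips in the test hunks on this same line encode the silent behaviour as expected. If the only goal is to let `{{if .platform_url}}…{{end}}` work when the claim is absent, giving `platform_url` a value in `default-template-values` achieves that while keeping `missingkey=error` and the error return; otherwise every caller of applyTemplateOrReplace would have to reject empty values before putting them in a certificate, which nothing in these hunks does. applyTemplateOrReplace starts before the first hunk, and the code between the two hunks is outside this view.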
From: Javan lacerda
Date: Tue, 30 Jul 2024 19:38:59 +0000
Subject: [PATCH 2/7] adding test case for comparing with empty key
Signed-off-by: Javan lacerda
---
 pkg/identity/ciprovider/principal_test.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index b67bd6041..cf4e10ebe 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -283,6 +283,11 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 ExpectedResult: "refs/tags/1.0.0",
 ExpectErr: false,
 },
+ `Raise error for empty key in comparison`: {
+ Template: `{{if eq . ""}}foo{{else}}bar{{end}}`,
+ ExpectedResult: "",
+ ExpectErr: true,
+ },
 }
 for name, test := range tests {
From 78a2495e8b75ba37aea4885988a5f70d4aa095c5 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Wed, 31 Jul 2024 19:32:33 +0000
Subject: [PATCH 3/7] add comments for codefresh extensions
Signed-off-by: Javan lacerda
---
 config/identity/config.yaml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index a75664321..1c6851ed4 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
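Review bot: The new case `Raise error for empty key in comparison` does not exercise an empty or missing key: its template is `{{if eq . ""}}…`, which compares the whole data map (`.`) with a string, and as I read text/template the error comes from `eq` rejecting a map operand, which would happen whatever the claims contain. With `missingkey=zero` as the file stands at this commit, a template such as `{{if eq .foo ""}}foo{{else}}bar{{end}}` renders "foo" without any error, so if the intent is to pin that a missing key is an error, the case needs a template that dereferences a missing key and the expectation must match the missingkey option in force. At minimum the name should say what is tested, e.g. `` `Comparing root data with a string is an error` ``. TestApplyTemplateOrReplace starts before the hunk and continues after it.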
@@ -170,13 +170,27 @@ ci-issuer-metadata:
 default-template-values:
 url: "https://g.codefresh.io"
 extension-templates:
- build-signer-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+ # platform_url: Codefresh platform url
+ # workflow_id: The ID of the specific workflow authorized in the claim.
+ # For example, 64f447c02199f903000gh20.
+ build-signer-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+ # runner_environment: Whether the build took place in cloud or self-hosted infrastructure
 runner-environment: "runner_environment"
+ # scm_repo_url: Applies to Git push, PR, and manual Git trigger types.
+ # The SCM URL specifying the Git repository’s location.
+ # For example, https://github.com/codefresh-user/oidc-test
 source-repository-uri: "scm_repo_url"
+ # scm_ref: Applies to Git push, PR, and manual Git trigger types.
+ # The SCM name of the branch or tag within the Git repository
+ # for which the workflow should execute. For example, main or v1.0.0.
source-repository-ref: "scm_ref"
- build-config-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
- run-invocation-uri: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
- subject-alternative-name-template: "{{if .platform_url}}{{.platform_ur}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
+ # pipeline_id: Codefresh Pipeline id
+ build-config-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
+ # account_name: Codefresh account name
+ # pipeline_name: Codefresh pipline name (project/pipeline)
+ # account_id: Codefresh account id
+ run-invocation-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+ subject-alternative-name-template: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
 *buildkite-type:
 default-template-values:
 url: "https://buildkite.com"
From 464ea8997a9ee30570fd27d72d4efd36d9c0488e Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Wed, 31 Jul 2024 22:19:55 +0000
Subject: [PATCH 4/7] set claimed data to have priority over defaults
Signed-off-by: Javan lacerda
---
 config/identity/config.yaml | 14 +++++++++-----
 docs/oidc.md | 2 +-
 pkg/identity/ciprovider/principal.go | 10 +++++-----
 pkg/identity/ciprovider/principal_test.go | 6 +++---
 4 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index 1c6851ed4..eb1728b08 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
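Review bot: Besides the comments, this hunk changes the template variable `{{.platform_ur}}` to `{{.platform_url}}` in build-signer-uri, build-config-uri, run-invocation-uri and subject-alternative-name-template, which alters the SAN and extension values issued for codefresh tokens and is not reflected in the subject `add comments for codefresh extensions`; the message should name it as a fix, or the rename should be its own commit. Two smaller points on the added comments: `# pipeline_name: Codefresh pipline name (project/pipeline)` misspells pipeline, and the three per-field comments that document URI components (`platform_url`, `pipeline_id`, `account_name`/`account_id`) would be easier to verify against the templates if each sat directly above the single template that first uses the claim.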
@@ -168,12 +168,16 @@ ci-issuer-metadata:
 subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
 *codefresh-type:
 default-template-values:
- url: "https://g.codefresh.io"
+ # We are setting the default value for "platform_url" as the ci-provider
+ # principal gives priority to the claimed value over the default
+ # when they have the same name. Then it will use the default "platform_url" value
+ # for cases that the claimed data doesn't exist.
+ platform_url: "https://g.codefresh.io"
 extension-templates:
 # platform_url: Codefresh platform url
 # workflow_id: The ID of the specific workflow authorized in the claim.
 # For example, 64f447c02199f903000gh20.
- build-signer-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
+ build-signer-uri: "{{.platform_url}}/build/{{ .workflow_id }}"
 # runner_environment: Whether the build took place in cloud or self-hosted infrastructure
 runner-environment: "runner_environment"
 # scm_repo_url: Applies to Git push, PR, and manual Git trigger types.
@@ -185,12 +189,12 @@ ci-issuer-metadata:
 # for which the workflow should execute. For example, main or v1.0.0.
 source-repository-ref: "scm_ref"
 # pipeline_id: Codefresh Pipeline id
- build-config-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/api/pipelines/{{ .pipeline_id }}"
+ build-config-uri: "{{.platform_url}}/api/pipelines/{{ .pipeline_id }}"
 # account_name: Codefresh account name
 # pipeline_name: Codefresh pipline name (project/pipeline)
 # account_id: Codefresh account id
- run-invocation-uri: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/build/{{ .workflow_id }}"
- subject-alternative-name-template: "{{if .platform_url}}{{.platform_url}}{{ else }}{{.url}}{{end}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
+ run-invocation-uri: "{{.platform_url}}/build/{{ .workflow_id }}"
+ subject-alternative-name-template: "{{.platform_url}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}"
 *buildkite-type:
 default-template-values:
 url: "https://buildkite.com"
diff --git a/docs/oidc.md b/docs/oidc.md
index 798a6f119..61b354e44 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
@@ -12,7 +12,7 @@ To add a new OIDC issuer: * Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). * Attention: If your issuer is for a CI provider, you should set the `type` as `ci-provider` and set the field `ci-provider` with the name of your provider. You should also fill the `ci-issuer-metadata` with the `default-template-values`, `extension-templates` and `subject-alternative-name-template`, following the pattern defined on the example ([example](tbd after migrating the github to ci-provider)). - * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the default value will have priority over the claimed one. + * Important notes: The `extension-templates` and the `subject-alternative-name-template` follows the templates [pattern](https://pkg.go.dev/text/template). The name used to fill the `ci-provider` field has to be the same used as key for `ci-issuer-metadata`, we suggest to use a variable for this. If you set a `default-template-value` with the same name of a claim key, the claimed value will have priority over the default one. * If your issuer is not for a CI provider, you need to follow the next steps: * Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/email)). You will define an `Issuer` type and a way to map the token to the certificate extensions. 
* Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
index 8bb57c965..dce9227cb 100644
--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -53,12 +53,12 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 // default data provided by the yaml file.
 // The order here matter because we want to override the claimed data
 // with the default data.
- // The default data will have priority over the claimed data.
+ // The claimed data will have priority over the default data.
 mergedData := make(map[string]string)
- for k, v := range tokenClaims {
+ for k, v := range issuerMetadata {
 mergedData[k] = v
 }
- for k, v := range issuerMetadata {
+ for k, v := range tokenClaims {
 mergedData[k] = v
 }
@@ -66,7 +66,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 var doc bytes.Buffer
 // This option forces to having the claim that is required
 // for the template
- t := template.New("").Option("missingkey=zero")
+ t := template.New("").Option("missingkey=error")
 // It shouldn't raise error since we already checked all
 // templates in validateCIIssuerMetadata functions in config.go
 p, err := t.Parse(extValueTemplate)
@@ -81,7 +81,7 @@ func applyTemplateOrReplace(extValueTemplate string, tokenClaims map[string]stri
 }
 claimValue, ok := mergedData[extValueTemplate]
 if !ok {
- return "", nil
+ return "", fmt.Errorf("value <%s> not present in either claims or defaults", extValueTemplate)
 }
 return claimValue, nil
 }
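Review bot: The two context lines kept just above the replaced comment, `// The order here matter because we want to override the claimed data` / `// with the default data.`, still describe the old precedence and now contradict both the new line below them and the loop order, which copies issuerMetadata first and tokenClaims second; they should read `// The order here matters: issuerMetadata is copied first so that` / `// claims override the defaults.`. It is also worth saying in that comment that, as a consequence, any key in default-template-values is only a fallback — a token carrying a claim of the same name wins — since the config.yaml hunk in this patch relies on exactly that for `platform_url`, and a reader of principal.go alone cannot tell that defaults are not pinned. applyTemplateOrReplace starts before the first hunk.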
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index cf4e10ebe..62d00f2d2 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -256,12 +256,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing key for template`: {
 Template: "{{ .foo }}",
 ExpectedResult: "",
- ExpectErr: false,
+ ExpectErr: true,
 },
 `Empty string`: {
 Template: "",
 ExpectedResult: "",
- ExpectErr: false,
+ ExpectErr: true,
 },
 `Replaceable string`: {
 Template: "job_workflow_ref",
@@ -271,7 +271,7 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 `Missing string`: {
 Template: "bar",
 ExpectedResult: "",
- ExpectErr: false,
+ ExpectErr: true,
 },
 `If else template`: {
 Template: `refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_gitlab }}`,
From 542695421ebcf69dc1d43626e2ce81ae66cee2f6 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Fri, 2 Aug 2024 16:54:15 +0000
Subject: [PATCH 5/7] fix identation
Signed-off-by: Javan lacerda
---
 config/identity/config.yaml | 128 ++++++++++++++++++------------------
 1 file changed, 64 insertions(+), 64 deletions(-)
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
index eb1728b08..ca6006f41 100644
--- a/config/identity/config.yaml
+++ b/config/identity/config.yaml
@@ -124,78 +124,78 @@ meta-issuers: ci-provider: *github-type ci-issuer-metadata: *github-type: - default-template-values: - url: "https://github.com" - extension-templates: - github-workflow-trigger: "event_name" - github-workflow-sha: "sha" - github-workflow-name: "workflow" - github-workflow-repository: "repository" - github-workflow-ref: "ref" - build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}" - build-signer-digest: "job_workflow_sha" - runner-environment: "runner_environment" - source-repository-uri: "{{ .url }}/{{ .repository }}" - source-repository-digest: "sha" - source-repository-ref: "ref" - source-repository-identifier: "repository_id" - source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}" - source-repository-owner-identifier: "repository_owner_id" - build-config-uri: "{{ .url }}/{{ .workflow_ref }}" - build-config-digest: "workflow_sha" - build-trigger: "event_name" - run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}" - source-repository-visibility-at-signing: "repository_visibility" - subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}" + default-template-values: + url: "https://github.com" + extension-templates: + github-workflow-trigger: "event_name" + github-workflow-sha: "sha" + github-workflow-name: "workflow" + github-workflow-repository: "repository" + github-workflow-ref: "ref" + build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}" + build-signer-digest: "job_workflow_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: "ref" + source-repository-identifier: "repository_id" + source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}" + source-repository-owner-identifier: "repository_owner_id" + build-config-uri: "{{ .url }}/{{ .workflow_ref }}" + build-config-digest: "workflow_sha" + build-trigger: "event_name" + run-invocation-uri: "{{ 
.url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}" + source-repository-visibility-at-signing: "repository_visibility" + subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}" *gitlab-type: default-template-values: - url: "https://gitlab.com" + url: "https://gitlab.com" extension-templates: - build-signer-uri: "https://{{ .ci_config_ref_uri }}" - build-signer-digest: "ci_config_sha" - runner-environment: "runner_environment" - source-repository-uri: "{{ .url }}/{{ .repository }}" - source-repository-digest: "sha" - source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }} - source-repository-identifier: "project_id" - source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}" - source-repository-owner-identifier: "namespace_id" - build-config-uri: "https://{{ .ci_config_ref_uri }}" - build-config-digest: "ci_config_sha" - build-trigger: "pipeline_source" - run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}" - source-repository-visibility-at-signing: "repository_visibility" + build-signer-uri: "https://{{ .ci_config_ref_uri }}" + build-signer-digest: "ci_config_sha" + runner-environment: "runner_environment" + source-repository-uri: "{{ .url }}/{{ .repository }}" + source-repository-digest: "sha" + source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }} + source-repository-identifier: "project_id" + source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}" + source-repository-owner-identifier: "namespace_id" + build-config-uri: "https://{{ .ci_config_ref_uri }}" + build-config-digest: "ci_config_sha" + build-trigger: "pipeline_source" + run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}" + source-repository-visibility-at-signing: "repository_visibility" subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}" *codefresh-type: default-template-values: - # We are setting the 
default value for "platform_url" as the ci-provider - # principal gives priority to the claimed value over the default - # when they have the same name. Then it will use the default "platform_url" value - # for cases that the claimed data doesn't exist. - platform_url: "https://g.codefresh.io" + # We are setting the default value for "platform_url" as the ci-provider + # principal gives priority to the claimed value over the default + # when they have the same name. Then it will use the default "platform_url" value + # for cases that the claimed data doesn't exist. + platform_url: "https://g.codefresh.io" extension-templates: - # platform_url: Codefresh platform url - # workflow_id: The ID of the specific workflow authorized in the claim. - # For example, 64f447c02199f903000gh20. - build-signer-uri: "{{.platform_url}}/build/{{ .workflow_id }}" - # runner_environment: Whether the build took place in cloud or self-hosted infrastructure - runner-environment: "runner_environment" - # scm_repo_url: Applies to Git push, PR, and manual Git trigger types. - # The SCM URL specifying the Git repository’s location. - # For example, https://github.com/codefresh-user/oidc-test - source-repository-uri: "scm_repo_url" - # scm_ref: Applies to Git push, PR, and manual Git trigger types. - # The SCM name of the branch or tag within the Git repository - # for which the workflow should execute. For example, main or v1.0.0. - source-repository-ref: "scm_ref" - # pipeline_id: Codefresh Pipeline id - build-config-uri: "{{.platform_url}}/api/pipelines/{{ .pipeline_id }}" - # account_name: Codefresh account name - # pipeline_name: Codefresh pipline name (project/pipeline) - # account_id: Codefresh account id - run-invocation-uri: "{{.platform_url}}/build/{{ .workflow_id }}" + # platform_url: Codefresh platform url + # workflow_id: The ID of the specific workflow authorized in the claim. + # For example, 64f447c02199f903000gh20. 
+ build-signer-uri: "{{.platform_url}}/build/{{ .workflow_id }}" + # runner_environment: Whether the build took place in cloud or self-hosted infrastructure + runner-environment: "runner_environment" + # scm_repo_url: Applies to Git push, PR, and manual Git trigger types. + # The SCM URL specifying the Git repository’s location. + # For example, https://github.com/codefresh-user/oidc-test + source-repository-uri: "scm_repo_url" + # scm_ref: Applies to Git push, PR, and manual Git trigger types. + # The SCM name of the branch or tag within the Git repository + # for which the workflow should execute. For example, main or v1.0.0. + source-repository-ref: "scm_ref" + # pipeline_id: Codefresh Pipeline id + build-config-uri: "{{.platform_url}}/api/pipelines/{{ .pipeline_id }}" + # account_name: Codefresh account name + # pipeline_name: Codefresh pipline name (project/pipeline) + # account_id: Codefresh account id + run-invocation-uri: "{{.platform_url}}/build/{{ .workflow_id }}" subject-alternative-name-template: "{{.platform_url}}/{{.account_name}}/{{.pipeline_name}}:{{.account_id}}/{{.pipeline_id}}" *buildkite-type: default-template-values: - url: "https://buildkite.com" + url: "https://buildkite.com" subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" From b3877fa53e25015c83b11d199a61f98fa45299d7 Mon Sep 17 00:00:00 2001 From: Javan lacerda Date: Mon, 5 Aug 2024 19:17:52 +0000 Subject: [PATCH 6/7] adding comments for github and gitlab in config file Signed-off-by: Javan lacerda --- config/identity/config.yaml | 40 +++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index ca6006f41..1c7685cf6 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml 
@@ -125,46 +125,82 @@ meta-issuers:
 ci-issuer-metadata:
 *github-type:
 default-template-values:
+ # url: URL of issuer, https://github.com
 url: "https://github.com"
 extension-templates:
+ # event_name: Event that triggered this workflow run. E.g "push", "tag"
 github-workflow-trigger: "event_name"
+ # sha: Commit SHA being built
 github-workflow-sha: "sha"
+ # workflow (Deprecated): Name of workflow that is running (mutable)
 github-workflow-name: "workflow"
+ # repository: Name of repository being built
 github-workflow-repository: "repository"
+ # ref: Git ref being built
 github-workflow-ref: "ref"
+ # job_workflow_ref: Specific build instructions (i.e. reusable workflow)
 build-signer-uri: "{{ .url }}/{{ .job_workflow_ref }}"
+ # job_workflow_sha: Commit SHA to specific build instructions
 build-signer-digest: "job_workflow_sha"
+ # runner_environment: Whether the build took place in cloud or self-hosted infrastructure
 runner-environment: "runner_environment"
+ # repository: Name of repository being built
 source-repository-uri: "{{ .url }}/{{ .repository }}"
 source-repository-digest: "sha"
 source-repository-ref: "ref"
+ # repository_id: ID to the source repo
 source-repository-identifier: "repository_id"
+ # repository_owner: Owner of the source repo (mutable)
 source-repository-owner-uri: "{{ .url }}/{{ .repository_owner }}"
+ # repository_owner_id: ID of the source repo
 source-repository-owner-identifier: "repository_owner_id"
+ # workflow_ref: Ref of top-level workflow that is running
 build-config-uri: "{{ .url }}/{{ .workflow_ref }}"
+ # workflow_sha: Commit SHA of top-level workflow that is running
 build-config-digest: "workflow_sha"
 build-trigger: "event_name"
+ # run_id: ID of workflow run
+ # run_attempt: Attempt number of workflow run
 run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
+ # repository_visibility: Visibility of the source repo
 source-repository-visibility-at-signing: "repository_visibility"
subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
 *gitlab-type:
 default-template-values:
 url: "https://gitlab.com"
 extension-templates:
+ # url: The URL of the GitLab instance. https://gitlab.com
+ # ci_config_ref_uri: Ref of top-level pipeline definition.
+ # E.g. gitlab.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main
 build-signer-uri: "https://{{ .ci_config_ref_uri }}"
+ # ci_config_sha: Commit sha of top-level pipeline definition, and is
+ # only populated when `ciConfigRefURI` is local to the GitLab instance
 build-signer-digest: "ci_config_sha"
+ # runner_environment: The type of runner used by the job. May be one of gitlab-hosted or self-hosted.
 runner-environment: "runner_environment"
+ # repository: Repository building built
 source-repository-uri: "{{ .url }}/{{ .repository }}"
+ # sha: Commit SHA being built
 source-repository-digest: "sha"
+ # ref_type: The type of the ref
+ # E.g. "branch", "tag"
+ # ref: Git ref being built
 source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }}
+ # project_id: ID to the source repo
 source-repository-identifier: "project_id"
+ # namespace_path: Owner of the source repo (mutable)
 source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
+ # namespace_id: ID of the source repo
 source-repository-owner-identifier: "namespace_id"
 build-config-uri: "https://{{ .ci_config_ref_uri }}"
 build-config-digest: "ci_config_sha"
+ # pipeline_source: Event that triggered this workflow run.
E.g "push", "tag" etc
 build-trigger: "pipeline_source"
+ # project_path: Repository building built
+ # job_id: job ID
 run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
- source-repository-visibility-at-signing: "repository_visibility"
+ # project_visibility: Visibility of the source project
+ source-repository-visibility-at-signing: "project_visibility"
 subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
 *codefresh-type:
 default-template-values:
@@ -172,9 +208,9 @@ ci-issuer-metadata:
 # principal gives priority to the claimed value over the default
 # when they have the same name. Then it will use the default "platform_url" value
 # for cases that the claimed data doesn't exist.
+ # platform_url: Codefresh platform url
 platform_url: "https://g.codefresh.io"
 extension-templates:
- # platform_url: Codefresh platform url
 # workflow_id: The ID of the specific workflow authorized in the claim.
 # For example, 64f447c02199f903000gh20.
 build-signer-uri: "{{.platform_url}}/build/{{ .workflow_id }}"
From 2e44e993646a2e2c6cb555f21ae9093993020902 Mon Sep 17 00:00:00 2001
From: Javan lacerda
Date: Mon, 5 Aug 2024 19:39:20 +0000
Subject: [PATCH 7/7] adding tests for check claims priority over defaults
Signed-off-by: Javan lacerda
---
 pkg/identity/ciprovider/principal_test.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index 62d00f2d2..4e51d06dc 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -233,9 +233,12 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "ref_gitlab": "main",
 "ref_type_tag": "tag",
 "ref_tag": "1.0.0",
+ "claim_foo": "bar",
 }
 issuerMetadata := map[string]string{
- "url": "https://github.com",
+ "url": "https://github.com",
+ "claim_foo": "default",
+ "default_foo": "default_bar",
 }
 tests := map[string]struct {
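Review bot: Under the subject `adding comments for github and gitlab in config file`, the line `- source-repository-visibility-at-signing: "repository_visibility"` / `+ source-repository-visibility-at-signing: "project_visibility"` changes which GitLab token claim is read for that extension, which is a functional change; the plain-name lookup at the end of applyTemplateOrReplace returns an error when the name is absent from both claims and defaults, so if GitLab tokens do not carry `project_visibility` every GitLab signing request would fail, and if they do carry it the old name was silently wrong — either way it deserves its own sentence in the commit message or its own commit, with a test fixture that includes the claim. Two added comments read `# repository: Repository building built` and `# project_path: Repository building built`; suggested `# repository: Path of the repository being built` and `# project_path: Path of the project being built`. The `*codefresh-type` lines at the end of this hunk continue into the next hunk.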
@@ -288,6 +291,16 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 ExpectedResult: "",
 ExpectErr: true,
 },
+ `Should use default when claim doesn't exist`: {
+ Template: "default_foo",
+ ExpectedResult: "default_bar",
+ ExpectErr: false,
+ },
+ `Should prior claims over defaults when they has the same name`: {
+ Template: "claim_foo",
+ ExpectedResult: "bar",
+ ExpectErr: false,
+ },
 }
 for name, test := range tests {
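Review bot: The case name `Should prior claims over defaults when they has the same name` is ungrammatical ("prior" is not a verb); suggested `` `Should prefer claims over defaults when they have the same name` ``. Both new cases use plain claim names, so the override order is only pinned for the replace path; a third case with a template such as `{{ .claim_foo }}` expecting `"bar"` would pin it for the template path too, which is where the SAN templates in config.yaml run. TestApplyTemplateOrReplace's body continues outside the hunk.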