
If custom server url exists, use that instead of the default one. (si…
…gstore#1776)

* If custom server url exists, use that instead of the default one.

Signed-off-by: Fredrik Skogman <[email protected]>

* Name variable baseURL to avoid linter errors.

Signed-off-by: Fredrik Skogman <[email protected]>

---------

Signed-off-by: Fredrik Skogman <[email protected]>
kommendorkapten authored Aug 19, 2024
1 parent 77325fa commit bc852fd
Showing 2 changed files with 56 additions and 1 deletion.
10 changes: 9 additions & 1 deletion pkg/identity/github/principal.go
Expand Up @@ -18,6 +18,7 @@ import (
"context"
"crypto/x509"
"errors"
"fmt"
"net/url"

"github.com/coreos/go-oidc/v3/oidc"
Expand Down Expand Up @@ -105,6 +106,7 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
WorkflowSha string `json:"workflow_sha"`
RunID string `json:"run_id"`
RunAttempt string `json:"run_attempt"`
Enterprise string `json:"enterprise"`
}
if err := token.Claims(&claims); err != nil {
return nil, err
return nil, errors.New("missing run_attempt claim in ID token")
}

baseURL := `https://github.com/`

if claims.Enterprise != "" {
baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
}

return &workflowPrincipal{
subject: token.Subject,
issuer: token.Issuer,
url: `https://github.com/`,
url: baseURL,
sha: claims.Sha,
eventName: claims.EventName,
repository: claims.Repository,
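Review bot: In the third hunk the enterprise claim is interpolated straight into the base URL (`baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)`) without checking that it is a single host label, so a value containing `/`, `@`, `:` or whitespace yields a URL whose host is not under `.ghe.com` or one that does not parse at all. The claim presumably arrives in a token whose signature and issuer are verified before this point, but that is not visible here, and every other claim this function consumes is still checked individually. Since `net/url` and `errors` are already imported, parsing the built URL and requiring its Host to equal `claims.Enterprise + ".ghe.com"` rejects malformed slugs with the same error style as the surrounding checks. WorkflowPrincipalFromIDToken starts before this hunk and the returned literal continues past it.
```go
	if claims.Enterprise != "" {
		baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
		// Require the slug to form exactly one host label under .ghe.com so the
		// derived URL's authority is always the enterprise host.
		u, err := url.Parse(baseURL)
		if err != nil || u.Host != claims.Enterprise+".ghe.com" {
			return nil, errors.New("invalid enterprise claim in ID token")
		}
	}
	// … unchanged: workflowPrincipal literal …
```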
47 changes: 47 additions & 0 deletions pkg/identity/github/principal_test.go
Expand Up @@ -84,6 +84,53 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
},
WantErr: false,
},
`Valid token, custom base url authenticates with correct claims`: {
Claims: map[string]interface{}{
"aud": "sigstore",
"event_name": "push",
"exp": 0,
"iss": "https://token.actions.githubusercontent.com",
"job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
"job_workflow_sha": "example-sha",
"ref": "refs/heads/main",
"repository": "sigstore/fulcio",
"repository_id": "12345",
"repository_owner": "username",
"repository_owner_id": "345",
"repository_visibility": "public",
"run_attempt": "1",
"run_id": "42",
"runner_environment": "cloud-hosted",
"sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"sub": "repo:sigstore/fulcio:ref:refs/heads/main",
"workflow": "foo",
"workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
"workflow_sha": "example-sha-other",
"enterprise": "test",
},
ExpectPrincipal: workflowPrincipal{
issuer: "https://token.actions.githubusercontent.com",
subject: "repo:sigstore/fulcio:ref:refs/heads/main",
url: "https://test.ghe.com/",
jobWorkflowRef: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
sha: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
eventName: "push",
repository: "sigstore/fulcio",
workflow: "foo",
ref: "refs/heads/main",
jobWorkflowSha: "example-sha",
runnerEnvironment: "cloud-hosted",
repositoryID: "12345",
repositoryOwner: "username",
repositoryOwnerID: "345",
repositoryVisibility: "public",
workflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
workflowSha: "example-sha-other",
runID: "42",
runAttempt: "1",
},
WantErr: false,
},
`Token missing job_workflow_ref claim should be rejected`: {
Claims: map[string]interface{}{
"aud": "sigstore",
