diff --git a/pkg/identity/github/principal.go b/pkg/identity/github/principal.go index 5eaa74a2d..da9e4442e 100644 --- a/pkg/identity/github/principal.go +++ b/pkg/identity/github/principal.go @@ -18,6 +18,7 @@ import ( "context" "crypto/x509" "errors" + "fmt" "net/url" "github.com/coreos/go-oidc/v3/oidc" @@ -105,6 +106,7 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident WorkflowSha string `json:"workflow_sha"` RunID string `json:"run_id"` RunAttempt string `json:"run_attempt"` + Enterprise string `json:"enterprise"` } if err := token.Claims(&claims); err != nil { return nil, err @@ -159,10 +161,16 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident return nil, errors.New("missing run_attempt claim in ID token") } + baseURL := `https://github.com/` + + if claims.Enterprise != "" { + baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise) + } + return &workflowPrincipal{ subject: token.Subject, issuer: token.Issuer, - url: `https://github.com/`, + url: baseURL, sha: claims.Sha, eventName: claims.EventName, repository: claims.Repository, diff --git a/pkg/identity/github/principal_test.go b/pkg/identity/github/principal_test.go index 3b1d01bec..7368fefb0 100644 --- a/pkg/identity/github/principal_test.go +++ b/pkg/identity/github/principal_test.go 
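Review bot: The ghe.com base URL is chosen solely from the presence of the `enterprise` claim (`if claims.Enterprise != "" {`), and the claim value is interpolated into a host label with no validation at all. If GitHub also emits `enterprise` for enterprise-owned repositories hosted on github.com — the accompanying test case pairs exactly that issuer, `https://token.actions.githubusercontent.com`, with `enterprise: "test"` and expects `https://test.ghe.com/` — such workflows would be certified under a ghe.com origin they do not run on; keying the choice on `token.Issuer` (already in scope here) rather than the claim alone would avoid that, with the exact ghe.com issuer host form confirmed against GitHub's OIDC documentation before it is encoded. Separately, because the slug becomes part of the URL that lands in the certificate, values outside the hostname-safe character set should be rejected before `fmt.Sprintf` builds the URL, for example with a package-level `regexp.MustCompile` (this needs a `regexp` import alongside the new `fmt` one) as sketched below. The signature of WorkflowPrincipalFromIDToken and the preceding claim checks lie outside this hunk.
```go
// enterpriseSlugRe bounds what may become the leftmost DNS label of the
// ghe.com host (constructed DNS-label pattern; confirm against GitHub's
// published enterprise slug rules before adopting).
var enterpriseSlugRe = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

	// … unchanged: claim presence checks …

	baseURL := `https://github.com/`
	if claims.Enterprise != "" {
		// The slug is embedded in the certificate's URL as a host label, so
		// refuse anything that could not be a valid label.
		if !enterpriseSlugRe.MatchString(claims.Enterprise) {
			return nil, errors.New("invalid enterprise claim in ID token")
		}
		baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
	}
	// … unchanged: workflowPrincipal construction …
```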
@@ -84,6 +84,53 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) { }, WantErr: false, }, + `Valid token, custom base url authenticates with correct claims`: { + Claims: map[string]interface{}{ + "aud": "sigstore", + "event_name": "push", + "exp": 0, + "iss": "https://token.actions.githubusercontent.com", + "job_workflow_ref": "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", + "job_workflow_sha": "example-sha", + "ref": "refs/heads/main", + "repository": "sigstore/fulcio", + "repository_id": "12345", + "repository_owner": "username", + "repository_owner_id": "345", + "repository_visibility": "public", + "run_attempt": "1", + "run_id": "42", + "runner_environment": "cloud-hosted", + "sha": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "sub": "repo:sigstore/fulcio:ref:refs/heads/main", + "workflow": "foo", + "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", + "workflow_sha": "example-sha-other", + "enterprise": "test", + }, + ExpectPrincipal: workflowPrincipal{ + issuer: "https://token.actions.githubusercontent.com", + subject: "repo:sigstore/fulcio:ref:refs/heads/main", + url: "https://test.ghe.com/", + jobWorkflowRef: "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main", + sha: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + eventName: "push", + repository: "sigstore/fulcio", + workflow: "foo", + ref: "refs/heads/main", + jobWorkflowSha: "example-sha", + runnerEnvironment: "cloud-hosted", + repositoryID: "12345", + repositoryOwner: "username", + repositoryOwnerID: "345", + repositoryVisibility: "public", + workflowRef: "sigstore/other/.github/workflows/foo.yaml@refs/heads/main", + workflowSha: "example-sha-other", + runID: "42", + runAttempt: "1", + }, + WantErr: false, + }, `Token missing job_workflow_ref claim should be rejected`: { Claims: map[string]interface{}{ "aud": "sigstore",
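Review bot: The new `Valid token, custom base url authenticates with correct claims` case exercises only the happy path of the `enterprise` branch; there is no case pinning the outcome for an `enterprise` value that is not a valid host label (one containing `/`, `.` or whitespace, say), and none documenting the intended result when `enterprise` is present together with the github.com issuer, which is precisely the combination this case uses (`"iss": "https://token.actions.githubusercontent.com"` with `"enterprise": "test"` expecting `url: "https://test.ghe.com/"`). A companion entry next to the existing `Token missing job_workflow_ref claim should be rejected` cases would make the boundary of the new branch explicit. As a point of style, the case repeats the entire claims map of the preceding valid case; deriving it from a shared base map with only `"enterprise": "test"` added would keep the one difference under test visible. The table and the enclosing TestWorkflowPrincipalFromIDToken continue outside the hunk.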