CiProvider as a new OIDCIssuer type #1679
Conversation
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
e8c017c
to
128fb62
Compare
Sure! I apologize I hadn't do that already. I am working on this issue #1111. I'll put a more detailed description in the PR summary soon. |
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
90e39c8
to
a2a2bbc
Compare
|
@cpanato, the motivation is to simplify CI/CD OIDC provider onboarding. Rather than have each OIDC provider have to modify code to add a new provider, they instead should only need to modify a configuration file which will contain the mapping between OIDC claim and x509 extension value. |
that is nice! thanks for the clarification |
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
fb70b39
to
6281d87
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1679 +/- ##
==========================================
- Coverage 57.93% 49.62% -8.31%
==========================================
Files 50 71 +21
Lines 3119 4181 +1062
==========================================
+ Hits 1807 2075 +268
- Misses 1154 1878 +724
- Partials 158 228 +70 ☔ View full report in Codecov by Sentry. |
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
1ab3370
to
89d50e9
Compare
javanlacerda
changed the title
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
5 times, most recently
from
ea867b7
to
e3c0e82
Compare
javanlacerda
changed the title
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
51e0ce3
to
6aec89c
Compare
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
76bba00
to
fec9d4c
Compare
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
2 times, most recently
from
07c9a86
to
0a16f86
Compare
|
Once this PR is ready for review and all comments addressed, can you post here? |
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
pkg/config/config.go
Outdated
| } | ||
|
|
||
| for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata { | ||
| v := reflect.Indirect(reflect.ValueOf(&ciIssuerMetadata.ExtensionTemplates)) |
There was a problem hiding this comment.
Does reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) work, or do we need the indirect reflection to resolve the pointer?
There was a problem hiding this comment.
Does
reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates)work, or do we need the indirect reflection to resolve the pointer?
Exactly, we need it for resolving the pointer
There was a problem hiding this comment.
Do you need to take a pointer to ciIssuerMetadata.ExtensionTemplates though? Are reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) and reflect.Indirect(reflect.ValueOf(&ciIssuerMetadata.ExtensionTemplates)) equivalent?
There was a problem hiding this comment.
It seems that reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) works. I assumed that I should use indirect for this case, as I needed to do this for using SetString. Without the indirect I got reflect.Value.SetString using unaddressable value as an error
| err = validateCIIssuerMetadata(fulcioConfig) | ||
| if err == nil { | ||
| t.Error("It should raise an error") | ||
| } |
There was a problem hiding this comment.
Did you want to test for a valid SAN template as well?
There was a problem hiding this comment.
yep! just did. thanks!!
pkg/identity/ciprovider/principal.go
Outdated
| } | ||
| uris := []*url.URL{sanURL} | ||
| cert.URIs = uris | ||
| v := reflect.Indirect(reflect.ValueOf(&claimsTemplates)) |
There was a problem hiding this comment.
Same question here, is reflect.Indirect needed?
There was a problem hiding this comment.
In this case it is. As I mentioned, getting the pointer directly by reflect.ValueOf, I have an unaddressable value. Setting it as a reference and then using the indirect was the workaround I found for this.
| uris := []*url.URL{sanURL} | ||
| cert.URIs = uris | ||
| v := reflect.Indirect(reflect.ValueOf(&claimsTemplates)) | ||
| vType := v.Type() |
There was a problem hiding this comment.
Could you add a comment about why we need the Type, that it's needed access struct field names?
| "github.com/sigstore/fulcio/pkg/certificate" | ||
| "github.com/sigstore/fulcio/pkg/config" | ||
| ) | ||
|
|
There was a problem hiding this comment.
Are there any tests we can add for applyTemplateOrReplace, to check any edge cases?
There was a problem hiding this comment.
Sure! I added the test structure just with the happy path, I'll add more tests for edge cases soon
| @@ -1123,6 +1131,178 @@ func TestAPIWithGitHub(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| // Tests API for CiProvider subject types | |||
| func TestAPIWithCiProvider(t *testing.T) { | |||
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
Signed-off-by: Javan lacerda <[email protected]>
javanlacerda
force-pushed
the
javan.oidc-provider-yaml
branch
from
ef14ccb
to
7455b87
Compare
Signed-off-by: Javan lacerda <[email protected]>
|
In terms of release, I'm planning to cut 1.5 from before this PR, then we'll merge this and the other related changes and cut v1.6 |
This reverts commit 66485b6.
This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over. Ref: #1111 Add back #1679 Signed-off-by: Javan lacerda [email protected]
Contribute towards #1111
Summary
It adds CiProvider as a new OIDCIssuer type. We will migrate all ci providers to use a generic principal by changing their types to this new type.
It should not change any current behavior.
Release Note
Documentation
cc @haydentherapper