CiProvider as a new OIDCIssuer type #1679
Conversation
And when you have time, can you describe the PR and why we need that?
thanks!
Sure! I apologize I hadn't done that already. I am working on issue #1111. I'll put a more detailed description in the PR summary soon.
@cpanato, the motivation is to simplify CI/CD OIDC provider onboarding. Rather than have each OIDC provider modify code to add a new provider, they should instead only need to modify a configuration file, which will contain the mapping between OIDC claim and X.509 extension value.
That is nice! Thanks for the clarification.
Codecov Report
Attention: Patch coverage is

Coverage Diff (main vs. #1679)
              main    #1679     +/-
Coverage    57.93%   49.62%  -8.31%
Files           50       71     +21
Lines         3119     4181   +1062
Hits          1807     2075    +268
Misses        1154     1878    +724
Partials       158      228     +70
Once this PR is ready for review and all comments are addressed, can you post here?
Signed-off-by: Javan lacerda <[email protected]>
Just a few comments mostly around testing, this is coming together well!
pkg/config/config.go
} | ||
|
||
for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata { | ||
v := reflect.Indirect(reflect.ValueOf(&ciIssuerMetadata.ExtensionTemplates)) |
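Review bot: ciIssuerMetadata is the range loop variable, so reflect.ValueOf(&ciIssuerMetadata.ExtensionTemplates) addresses a per-iteration copy and any write made through v is discarded at the end of the iteration; it never reaches fulcioConfig.CIIssuerMetadata. If this validation only reads the templates, reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) is sufficient and the pointer plus Indirect can go; if it is meant to normalize the templates in place, index the collection directly rather than taking the address of the loop variable.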
Does reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) work, or do we need the indirect reflection to resolve the pointer?
> Does reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) work, or do we need the indirect reflection to resolve the pointer?

Exactly, we need it for resolving the pointer.
Do you need to take a pointer to ciIssuerMetadata.ExtensionTemplates though? Are reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) and reflect.Indirect(reflect.ValueOf(&ciIssuerMetadata.ExtensionTemplates)) equivalent?
It seems that reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates) works. I assumed that I should use Indirect for this case, as I needed to do this for using SetString. Without the Indirect I got "reflect.Value.SetString using unaddressable value" as an error.
err = validateCIIssuerMetadata(fulcioConfig) | ||
if err == nil { | ||
t.Error("It should raise an error") | ||
} |
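Review bot: the assertion `if err == nil { t.Error("It should raise an error") }` accepts any error, so a fixture that fails for an unrelated reason (a different field being invalid, for instance) would still pass this test. Compare the returned error against the specific template-validation failure, or return a sentinel error and check for it with errors.Is, so the test pins down the failure it is meant to cover.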
Did you want to test for a valid SAN template as well?
Yep! Just did. Thanks!!
pkg/identity/ciprovider/principal.go
} | ||
uris := []*url.URL{sanURL} | ||
cert.URIs = uris | ||
v := reflect.Indirect(reflect.ValueOf(&claimsTemplates)) |
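Review bot: `uris := []*url.URL{sanURL}` followed by `cert.URIs = uris` can be collapsed to `cert.URIs = []*url.URL{sanURL}`. More importantly, sanURL is the rendered SAN template filled from token claims, so it is worth confirming (the visible lines do not show it) that the parse producing sanURL is a hard failure on error and that an empty or unexpected rendering is rejected before it becomes the certificate's only URI SAN; the SAN is the identity relying parties will match on.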
Same question here, is reflect.Indirect needed?
In this case it is. As I mentioned, getting the pointer directly by reflect.ValueOf, I have an unaddressable value. Setting it as a reference and then using the Indirect was the workaround I found for this.
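To make the addressability point in the exchange above concrete, and to show the claim-to-extension template mapping described earlier in the thread, here is an added Go example. It is not fulcio's code and not the PR's applyTemplateOrReplace: the ExtensionTemplates struct, its field names, the claim names and the config semantics are assumptions made for illustration. It shows why a read-only pass can use reflect.ValueOf on the value while a pass that writes back through SetString needs a pointer plus reflect.Indirect, guards the field kind before SetString, and makes a template that names a claim the token does not carry fail closed.

```go
package main

import (
	"bytes"
	"fmt"
	"reflect"
	"text/template"
)

// ExtensionTemplates is a hypothetical struct standing in for the per-issuer
// template set a CI-provider config entry would carry: one Go text/template
// string per certificate extension. The field names are assumptions.
type ExtensionTemplates struct {
	BuildSignerURI      string
	RunnerEnvironment   string
	SourceRepositoryURI string
}

// parseTemplate compiles one template string. missingkey=error turns a claim
// that is absent from the token into a hard error instead of "<no value>".
func parseTemplate(name, text string) (*template.Template, error) {
	return template.New(name).Option("missingkey=error").Parse(text)
}

// ValidateTemplates parses every field at config-load time so a malformed
// template is rejected at startup rather than during certificate issuance.
// Nothing is written back, so reflect.ValueOf on the struct value (a copy)
// is enough; no pointer and no reflect.Indirect are needed here.
func ValidateTemplates(et ExtensionTemplates) error {
	v := reflect.ValueOf(et)
	for i := 0; i < v.NumField(); i++ {
		name := v.Type().Field(i).Name
		if _, err := parseTemplate(name, v.Field(i).String()); err != nil {
			return fmt.Errorf("extension template %s: %w", name, err)
		}
	}
	return nil
}

// RenderTemplates executes each template against the token claims and writes
// the result back into the struct through reflection. The pointer argument
// plus reflect.Indirect is what makes the fields addressable: reflect.ValueOf
// on the struct value would yield an unaddressable copy and SetString would
// panic with "using unaddressable value".
func RenderTemplates(et *ExtensionTemplates, claims map[string]any) error {
	v := reflect.Indirect(reflect.ValueOf(et))
	vType := v.Type() // the reflect.Type is what gives access to struct field names
	for i := 0; i < v.NumField(); i++ {
		name := vType.Field(i).Name
		field := v.Field(i)
		// Guard before SetString: it panics on any kind other than string.
		if field.Kind() != reflect.String {
			return fmt.Errorf("extension template %s: field is %s, want string", name, field.Kind())
		}
		tmpl, err := parseTemplate(name, field.String())
		if err != nil {
			return fmt.Errorf("extension template %s: %w", name, err)
		}
		var out bytes.Buffer
		if err := tmpl.Execute(&out, claims); err != nil {
			return fmt.Errorf("rendering %s: %w", name, err)
		}
		field.SetString(out.String())
	}
	return nil
}

func main() {
	// Constructed sample claims, shaped like those a CI identity token might carry.
	claims := map[string]any{
		"job_workflow_ref":   "octo/repo/.github/workflows/build.yml@refs/heads/main",
		"runner_environment": "github-hosted",
		"repository":         "octo/repo",
	}
	et := ExtensionTemplates{
		BuildSignerURI:      "https://github.com/{{ .job_workflow_ref }}",
		RunnerEnvironment:   "{{ .runner_environment }}",
		SourceRepositoryURI: "https://github.com/{{ .repository }}",
	}
	if err := ValidateTemplates(et); err != nil {
		fmt.Println("config rejected:", err)
		return
	}
	if err := RenderTemplates(&et, claims); err != nil {
		fmt.Println("issuance rejected:", err)
		return
	}
	fmt.Printf("%+v\n", et)

	// A template naming a claim the token does not carry fails closed.
	bad := ExtensionTemplates{BuildSignerURI: "{{ .job_workflow_sha }}"}
	fmt.Println("missing claim:", RenderTemplates(&bad, claims))
}
```

The split between a validating pass and a rendering pass is the design point: validation can work on a copy because it only parses, while rendering must mutate, and that is the only place the pointer is required. Rendering against the claims map with missingkey=error means a mis-typed claim name in the config surfaces as an issuance error rather than an empty extension value in the certificate.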
uris := []*url.URL{sanURL} | ||
cert.URIs = uris | ||
v := reflect.Indirect(reflect.ValueOf(&claimsTemplates)) | ||
vType := v.Type() |
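Review bot: v.Type() is taken here to read struct field names, and per the discussion above the loop that follows calls SetString on each field; SetString panics if a field's kind is not string, so either add a `field.Kind() != reflect.String` check before the call or leave a comment stating that every field of the templates struct is a string by construction, so a future non-string field cannot turn into a runtime panic during issuance.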
Could you add a comment about why we need the Type, that it's needed to access struct field names?
Yes! thanks
"github.com/sigstore/fulcio/pkg/certificate" | ||
"github.com/sigstore/fulcio/pkg/config" | ||
) | ||
|
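Review bot: since applyTemplateOrReplace is the step that turns token claims into extension values, its edge-case tests should include a template that references a claim absent from the token and a template whose rendered output is empty, and assert that both return an error rather than silently yielding an empty extension value.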
Are there any tests we can add for applyTemplateOrReplace, to check any edge cases?
Sure! I added the test structure with just the happy path; I'll add more tests for edge cases soon.
@@ -1123,6 +1131,178 @@ func TestAPIWithGitHub(t *testing.T) { | |||
} | |||
} | |||
|
|||
// Tests API for CiProvider subject types | |||
func TestAPIWithCiProvider(t *testing.T) { |
Nice test!
🥳
In terms of release, I'm planning to cut 1.5 from before this PR, then we'll merge this and the other related changes and cut v1.6.
This reverts commit 66485b6.
This adds a new generic CI provider so that new CI providers can be added via configuration without any code changes. The existing CI providers will be migrated over. Ref: #1111 Add back #1679 Signed-off-by: Javan lacerda [email protected]
Contributes towards #1111
Summary
It adds CiProvider as a new OIDCIssuer type. We will migrate all CI providers to use a generic principal by changing their types to this new type.
It should not change any current behavior.
Release Note
Documentation
cc @haydentherapper