From 9acf0762233aeab6ddf8beba89d3a3d52716c543 Mon Sep 17 00:00:00 2001 From: Javan Lacerda Date: Thu, 25 Jul 2024 17:37:55 -0500 Subject: [PATCH] Move gitlab to ci-provider (#1740) * move fulcio config from json to yaml Signed-off-by: Javan lacerda * move fulcio-config to a new file Signed-off-by: Javan lacerda * updating test for check-config workflow Signed-off-by: Javan lacerda * set verify k8s workflow for get configg directly Signed-off-by: Javan lacerda * migrate gitlab to ci provider Signed-off-by: Javan lacerda * set gitlab ref for using a conditional template Signed-off-by: Javan lacerda --------- Signed-off-by: Javan lacerda --- config/identity/config.yaml | 38 ++++++++++++++++++----- pkg/identity/ciprovider/principal_test.go | 22 ++++++++++--- 2 files changed, 49 insertions(+), 11 deletions(-) diff --git a/config/identity/config.yaml b/config/identity/config.yaml index 672f25c00..d9fb56fec 100644 --- a/config/identity/config.yaml +++ b/config/identity/config.yaml @@ -12,8 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -define: &github-type "github-workflow" - +define: + - &github-type "github-workflow" + - &gitlab-type "gitlab-pipeline" oidc-issuers: https://accounts.google.com: issuer-url: https://accounts.google.com 
@@ -43,19 +44,22 @@ oidc-issuers:
 https://dev.gitlab.org:
 issuer-url: https://dev.gitlab.org
 client-id: sigstore
- type: gitlab-pipeline
+ type: ci-provider
+ ci-provider: *gitlab-type
 contact: distribution-be@gitlab.com
 description: "GitLab OIDC tokens for job identity"
 https://gitlab.archlinux.org:
 issuer-url: https://gitlab.archlinux.org
 client-id: sigstore
- type: gitlab-pipeline
+ type: ci-provider
+ ci-provider: *gitlab-type
 contact: sigstore@archlinux.org
 description: "GitLab OIDC tokens for job identity"
 https://gitlab.com:
 issuer-url: https://gitlab.com
 client-id: sigstore
- type: gitlab-pipeline
+ type: ci-provider
+ ci-provider: *gitlab-type
 contact: support@gitlab.com
 description: "GitLab OIDC tokens for job identity"
 https://issuer.enforce.dev:
@@ -86,7 +90,8 @@ oidc-issuers:
 https://ops.gitlab.net:
 issuer-url: https://ops.gitlab.net
 client-id: sigstore
- type: gitlab-pipeline
+ type: ci-provider
+ ci-provider: *gitlab-type
 contact: distribution-be@gitlab.com
 description: "GitLab OIDC tokens for job identity"
 https://token.actions.githubusercontent.com:
@@ -117,7 +122,7 @@ ci-issuer-metadata:
 *github-type:
 default-template-values:
 url: "https://github.com"
- extension-templates:
+ extension-templates:
 github-workflow-trigger: "event_name"
 github-workflow-sha: "sha"
 github-workflow-name: "workflow"
@@ -138,3 +143,22 @@ ci-issuer-metadata:
 run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
 source-repository-visibility-at-signing: "repository_visibility"
 subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
+ *gitlab-type:
+ default-template-values:
+ url: "https://gitlab.com"
+ extension-templates:
+ build-signer-uri: "https://{{ .ci_config_ref_uri }}"
+ build-signer-digest: "ci_config_sha"
+ runner-environment: "runner_environment"
+ source-repository-uri: "{{ .url }}/{{ .repository }}"
+ source-repository-digest: "sha"
+ source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }}
+ source-repository-identifier: "project_id"
+ source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
+ source-repository-owner-identifier: "namespace_id"
+ build-config-uri: "https://{{ .ci_config_ref_uri }}"
+ build-config-digest: "ci_config_sha"
+ build-trigger: "pipeline_source"
+ run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
+ source-repository-visibility-at-signing: "repository_visibility"
+ subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
index aa387f995..e60b216b6 100644
--- a/pkg/identity/ciprovider/principal_test.go
+++ b/pkg/identity/ciprovider/principal_test.go
@@ -229,6 +229,10 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 "workflow": "foo",
 "workflow_ref": "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
 "workflow_sha": "example-sha-other",
+ "ref_type": "branch",
+ "ref_gitlab": "main",
+ "ref_type_tag": "tag",
+ "ref_tag": "1.0.0",
 }
 issuerMetadata := map[string]string{
 "url": "https://github.com",
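Review bot: The `source-repository-ref` template in the new `*gitlab-type` block renders a double slash: `tags/{{end}}/{{ .ref }}` puts a `/` after the `heads/` or `tags/` segment, so a branch `main` becomes `refs/heads//main` and a tag `1.0.0` becomes `refs/tags//1.0.0`. The cases added to principal_test.go in this commit (the `@@ -229` and `@@ -273` hunks) use the form without that slash, `{{end}}{{ .ref_gitlab }}`, and expect `refs/heads/main`, so they pass while never exercising the string that ships in config.yaml, and they use fixture claim names (`ref_gitlab`, `ref_tag`) that differ from the `ref`/`ref_type` claims the config template reads. Change the line to `source-repository-ref: 'refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref }}'`, which also quotes it consistently with every other value in the block, and add a test case that feeds this exact template with `ref` and `ref_type` claims. If these extension-templates end up in the issued certificate as the key name suggests, a stray slash in the ref would likely break exact-match verification policies on that field.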
@@ -269,18 +273,28 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 ExpectedResult: "",
 ExpectErr: true,
 },
+ `If else template`: {
+ Template: `refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_gitlab }}`,
+ ExpectedResult: "refs/heads/main",
+ ExpectErr: false,
+ },
+ `If else template using else condition`: {
+ Template: `refs/{{if eq .ref_type_tag "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_tag }}`,
+ ExpectedResult: "refs/tags/1.0.0",
+ ExpectErr: false,
+ },
 }
 for name, test := range tests {
 t.Run(name, func(t *testing.T) {
 res, err := applyTemplateOrReplace(test.Template, tokenClaims, issuerMetadata)
 if res != test.ExpectedResult {
- t.Errorf("expected result don't matches: Expected %s, received: %s",
- test.ExpectedResult, res)
+ t.Errorf("expected result don't matches: Expected %s, received: %s, error: %v",
+ test.ExpectedResult, res, err)
 }
 if (err != nil) != test.ExpectErr {
- t.Errorf("should raise an error don't matches: Expected %v, received: %v",
- test.ExpectErr, err != nil)
+ t.Errorf("should raise an error don't matches: Expected %v, received: %v, error: %v",
+ test.ExpectErr, err != nil, err)
 }
 })
 }