correct issuer and add commands claim
ecrupper committed May 20, 2024
1 parent a595daf commit 5582b26
Showing 6 changed files with 14 additions and 4 deletions.
3 changes: 3 additions & 0 deletions api/build/id_request_token.go
Expand Up @@ -5,6 +5,7 @@ package build
import (
"fmt"
"net/http"
"strconv"
"time"

"github.com/gin-gonic/gin"
Expand Down Expand Up @@ -87,6 +88,7 @@ func GetIDRequestToken(c *gin.Context) {

image := c.Query("image")
request := c.Query("request")
commands, _ := strconv.ParseBool(c.Query("commands"))

// retrieve token manager from context
tm := c.MustGet("token-manager").(*token.Manager)
Expand All @@ -101,6 +103,7 @@ func GetIDRequestToken(c *gin.Context) {
TokenDuration: exp,
Image: image,
Request: request,
Commands: commands,
}

// mint token
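Review bot: The parse error from `strconv.ParseBool(c.Query("commands"))` is discarded, so any malformed value (`"yes"`, `"1x"`) silently becomes `false` and the token is still minted; an absent parameter takes the same error path, which is presumably the intended default. Failing closed to false is the safe direction, but the caller gets no signal that its input was ignored and the handler cannot tell a typo from an explicit `false`. I would parse only when the parameter is present and reject a malformed value with a 400 through the handler's existing error path, leaving the absent case as the default. GetIDRequestToken starts and ends outside the hunk.
```go
	// "commands" defaults to false when absent; a malformed value is rejected
	// instead of silently minting a token with commands=false
	var commands bool
	if raw := c.Query("commands"); raw != "" {
		var err error
		commands, err = strconv.ParseBool(raw)
		if err != nil {
			// respond 400 through this handler's existing error path (outside the hunk)
			return
		}
	}
	// … unchanged: token manager lookup and MintTokenOpts construction …
```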
1 change: 1 addition & 0 deletions api/build/id_token.go
Expand Up @@ -88,6 +88,7 @@ func GetIDToken(c *gin.Context) {
TokenDuration: tm.IDTokenDuration,
Image: cl.Image,
Request: cl.Request,
Commands: cl.Commands,
}

// if audience is provided, include that in claims
2 changes: 1 addition & 1 deletion api/oi_config.go
Expand Up @@ -34,7 +34,7 @@ func GetOpenIDConfig(c *gin.Context) {
m := c.MustGet("metadata").(*internal.Metadata)

config := types.OpenIDConfig{
Issuer: m.Vela.Address,
Issuer: fmt.Sprintf("%s/_services/token", m.Vela.Address),
JWKSAddress: fmt.Sprintf("%s/%s", m.Vela.Address, "_services/token/.well-known/jwks"),
SupportedClaims: []string{
"sub",
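Review bot: The issuer string `"%s/_services/token"` is now assembled independently here and in cmd/vela-server/token.go (the `Issuer:` line of `setupTokenManager`); OIDC relying parties compare the discovery document's `issuer` against a token's `iss` claim byte-for-byte, so any future drift between the two literals breaks verification of every ID token. I would hoist it once, `issuer := fmt.Sprintf("%s/_services/token", m.Vela.Address)`, and derive the JWKS address from it, `JWKSAddress: fmt.Sprintf("%s/.well-known/jwks", issuer)`, so the two values in this file cannot diverge; a shared constant for the `/_services/token` suffix would cover the token manager as well. The discovery route is registered at `/_services/token/.well-known/openid-configuration` in router/router.go, which is what makes `{issuer}/.well-known/openid-configuration` resolve as the discovery spec expects, so that path and this suffix must also stay in step. If `m.Vela.Address` can carry a trailing slash the issuer would contain `//`, but I cannot tell from here how the address is validated. GetOpenIDConfig starts and ends outside the hunk.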
4 changes: 3 additions & 1 deletion cmd/vela-server/token.go
Expand Up @@ -3,6 +3,8 @@
package main

import (
"fmt"

"github.com/sirupsen/logrus"
"github.com/urfave/cli/v2"

Expand All @@ -22,7 +24,7 @@ func setupTokenManager(c *cli.Context, db database.Interface) (*token.Manager, e
WorkerAuthTokenDuration: c.Duration("worker-auth-token-duration"),
WorkerRegisterTokenDuration: c.Duration("worker-register-token-duration"),
IDTokenDuration: c.Duration("id-token-duration"),
Issuer: c.String("server-addr"),
Issuer: fmt.Sprintf("%s/_services/token", c.String("server-addr")),
}

// generate a new RSA key pair
4 changes: 4 additions & 0 deletions internal/token/mint.go
Expand Up @@ -28,6 +28,7 @@ type Claims struct {
TokenType string `json:"token_type,omitempty"`
Image string `json:"image,omitempty"`
Request string `json:"request,omitempty"`
Commands bool `json:"commands,omitempty"`
jwt.RegisteredClaims
}

Expand All @@ -43,6 +44,7 @@ type MintTokenOpts struct {
Audience []string
Image string
Request string
Commands bool
}

// MintToken mints a Vela JWT Token given a set of options.
Expand Down Expand Up @@ -105,6 +107,7 @@ func (tm *Manager) MintToken(mto *MintTokenOpts) (string, error) {
claims.BuildSender = mto.Build.GetSender()
claims.Image = mto.Image
claims.Request = mto.Request
claims.Commands = mto.Commands

default:
return "", errors.New("invalid token type")
Expand Down Expand Up @@ -152,6 +155,7 @@ func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (strin
claims.TokenType = mto.TokenType
claims.Image = mto.Image
claims.Request = mto.Request
claims.Commands = mto.Commands

// set standard claims
claims.IssuedAt = jwt.NewNumericDate(time.Now())
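Review bot: The `json:"commands,omitempty"` tag on the new `Commands` field drops the claim whenever it is false, so a token minted with `Commands: false` is indistinguishable on the wire from one issued before this claim existed, and a verifier that keys a decision on it has to treat absence as a third state. The neighbouring `omitempty` fields (`TokenType`, `Image`, `Request`) are strings where empty means "not applicable"; for a bool, presence is the information, so I would change the tag to `json:"commands"` so the claim is always emitted. The field also has no doc comment; a one-liner stating what `commands` asserts about the build would help consumers of the ID token. `Claims` starts outside its hunk, and `MintToken` and `MintIDToken` start and end outside theirs.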
4 changes: 2 additions & 2 deletions router/router.go
Expand Up @@ -90,8 +90,8 @@ func Load(options ...gin.HandlerFunc) *gin.Engine {
r.POST("/webhook", webhook.PostWebhook)

// JWKS endpoints
r.GET("_services/token/.well-known/openid-configuration", api.GetOpenIDConfig)
r.GET("_services/token/.well-known/jwks", api.GetJWKS)
r.GET("/_services/token/.well-known/openid-configuration", api.GetOpenIDConfig)
r.GET("/_services/token/.well-known/jwks", api.GetJWKS)

// Authentication endpoints
authenticate := r.Group("/authenticate")
