From 5582b2698eed8cd9c2e7dc3487fb2a5488be962f Mon Sep 17 00:00:00 2001
From: ecrupper
Date: Mon, 20 May 2024 08:51:31 -0500
Subject: [PATCH] correct issuer and add commands claim
---
 api/build/id_request_token.go | 3 +++
 api/build/id_token.go | 1 +
 api/oi_config.go | 2 +-
 cmd/vela-server/token.go | 4 +++-
 internal/token/mint.go | 4 ++++
 router/router.go | 4 ++--
 6 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/api/build/id_request_token.go b/api/build/id_request_token.go
index f0c6fcd9b..7d8586e89 100644
--- a/api/build/id_request_token.go
+++ b/api/build/id_request_token.go
@@ -5,6 +5,7 @@ package build
 import (
 "fmt"
 "net/http"
+ "strconv"
 "time"
 "github.com/gin-gonic/gin"
@@ -87,6 +88,7 @@ func GetIDRequestToken(c *gin.Context) {
 image := c.Query("image")
 request := c.Query("request")
+ commands, _ := strconv.ParseBool(c.Query("commands"))
 // retrieve token manager from context
 tm := c.MustGet("token-manager").(*token.Manager)
@@ -101,6 +103,7 @@ func GetIDRequestToken(c *gin.Context) {
 TokenDuration: exp,
 Image: image,
 Request: request,
+ Commands: commands,
 }
 // mint token
diff --git a/api/build/id_token.go b/api/build/id_token.go
index 90ff119d8..8a6a412b7 100644
--- a/api/build/id_token.go
+++ b/api/build/id_token.go
@@ -88,6 +88,7 @@ func GetIDToken(c *gin.Context) {
 TokenDuration: tm.IDTokenDuration,
 Image: cl.Image,
 Request: cl.Request,
+ Commands: cl.Commands,
 }
 // if audience is provided, include that in claims
diff --git a/api/oi_config.go b/api/oi_config.go
index 32e68bd2f..2390b750a 100644
--- a/api/oi_config.go
+++ b/api/oi_config.go
@@ -34,7 +34,7 @@ func GetOpenIDConfig(c *gin.Context) {
 m := c.MustGet("metadata").(*internal.Metadata)
 config := types.OpenIDConfig{
- Issuer: m.Vela.Address,
+ Issuer: fmt.Sprintf("%s/_services/token", m.Vela.Address),
 JWKSAddress: fmt.Sprintf("%s/%s", m.Vela.Address, "_services/token/.well-known/jwks"),
 SupportedClaims: []string{
 "sub",
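Review bot: The error from `commands, _ := strconv.ParseBool(c.Query("commands"))` is discarded, so any unrecognised value is silently treated as false and minted into the token instead of being rejected. Because `commands` becomes a claim that token consumers may base decisions on, an absent parameter should be the only way to get the default: treat an empty query value as false and return the handler's usual bad-request response when a non-empty value does not parse, e.g. `if v := c.Query("commands"); v != "" { commands, err = strconv.ParseBool(v) }` followed by an `err != nil` check. The hunk does not show what authenticates callers of GetIDRequestToken; if anything other than the component that is meant to set this flag can reach the endpoint, the claim is caller-chosen, and a one-line comment on this line stating who is trusted to supply it would help the next reader. GetIDRequestToken begins before and continues after this hunk.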
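Review bot: The issuer string `Issuer: fmt.Sprintf("%s/_services/token", m.Vela.Address),` is duplicated verbatim in cmd/vela-server/token.go as `Issuer: fmt.Sprintf("%s/_services/token", c.String("server-addr")),`, and the `_services/token` path is spelled again in the JWKSAddress line below and in the routes in router/router.go; the discovery `issuer`, the `iss` of minted tokens and the URL prefix of the openid-configuration endpoint must agree exactly, so deriving all of them from one shared constant or helper (for example a proposed `token.IssuerURL(addr)` in internal/token) would stop them drifting apart. A configured address with a trailing slash would also yield `//_services/token` in both places, which a relying party that appends `/.well-known/openid-configuration` to the issuer may not match to the route; normalising with `strings.TrimRight(addr, "/")` inside that single helper closes this. Tokens minted before this change presumably still carry the bare address as `iss` and will fail validation against the new discovery document until they expire, which is worth stating in the commit message. GetOpenIDConfig continues outside the hunk.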
diff --git a/cmd/vela-server/token.go b/cmd/vela-server/token.go
index bf98025f4..9853c6c2c 100644
--- a/cmd/vela-server/token.go
+++ b/cmd/vela-server/token.go
@@ -3,6 +3,8 @@ package main
 import (
+ "fmt"
+
 "github.com/sirupsen/logrus"
 "github.com/urfave/cli/v2"
@@ -22,7 +24,7 @@ func setupTokenManager(c *cli.Context, db database.Interface) (*token.Manager, e
 WorkerAuthTokenDuration: c.Duration("worker-auth-token-duration"),
 WorkerRegisterTokenDuration: c.Duration("worker-register-token-duration"),
 IDTokenDuration: c.Duration("id-token-duration"),
- Issuer: c.String("server-addr"),
+ Issuer: fmt.Sprintf("%s/_services/token", c.String("server-addr")),
 }
 // generate a new RSA key pair
diff --git a/internal/token/mint.go b/internal/token/mint.go
index d3a89b4ac..8b4f12a90 100644
--- a/internal/token/mint.go
+++ b/internal/token/mint.go
@@ -28,6 +28,7 @@ type Claims struct {
 TokenType string `json:"token_type,omitempty"`
 Image string `json:"image,omitempty"`
 Request string `json:"request,omitempty"`
+ Commands bool `json:"commands,omitempty"`
 jwt.RegisteredClaims
 }
@@ -43,6 +44,7 @@ type MintTokenOpts struct {
 Audience []string
 Image string
 Request string
+ Commands bool
 }
 // MintToken mints a Vela JWT Token given a set of options.
@@ -105,6 +107,7 @@ func (tm *Manager) MintToken(mto *MintTokenOpts) (string, error) {
 claims.BuildSender = mto.Build.GetSender()
 claims.Image = mto.Image
 claims.Request = mto.Request
+ claims.Commands = mto.Commands
 default:
 return "", errors.New("invalid token type")
@@ -152,6 +155,7 @@ func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (strin
 claims.TokenType = mto.TokenType
 claims.Image = mto.Image
 claims.Request = mto.Request
+ claims.Commands = mto.Commands
 // set standard claims
 claims.IssuedAt = jwt.NewNumericDate(time.Now())
diff --git a/router/router.go b/router/router.go
index d271e44f2..2e7aebbb2 100644
--- a/router/router.go
+++ b/router/router.go
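Review bot: The new exported field `Commands bool `json:"commands,omitempty"`` in Claims has no doc comment, and with `omitempty` a false value is dropped from the encoded token, so a verifier cannot distinguish "commands explicitly false" from "claim not issued by this server version"; that is only safe if relying parties are told that absence means false. Add a comment on the field such as `// Commands is true when <what the claim attests — TODO confirm>; it is omitted from the token when false, so consumers must treat absence as false.` and mirror a one-line comment on the `Commands bool` option added to MintTokenOpts in the next hunk. The Claims struct begins before this hunk.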
@@ -90,8 +90,8 @@ func Load(options ...gin.HandlerFunc) *gin.Engine {
 r.POST("/webhook", webhook.PostWebhook)
 // JWKS endpoints
- r.GET("_services/token/.well-known/openid-configuration", api.GetOpenIDConfig)
- r.GET("_services/token/.well-known/jwks", api.GetJWKS)
+ r.GET("/_services/token/.well-known/openid-configuration", api.GetOpenIDConfig)
+ r.GET("/_services/token/.well-known/jwks", api.GetJWKS)
 // Authentication endpoints
 authenticate := r.Group("/authenticate")