diff --git a/api/build/id_token.go b/api/build/id_token.go
index 253caef3a..a54040df1 100644
--- a/api/build/id_token.go
+++ b/api/build/id_token.go
@@ -77,15 +77,16 @@ func GetIDToken(c *gin.Context) {
 	// capture middleware values
 	b := build.Retrieve(c)
 	cl := claims.Retrieve(c)
+	ctx := c.Request.Context()
 
 	// update engine logger with API metadata
 	//
 	// https://pkg.go.dev/github.com/sirupsen/logrus?tab=doc#Entry.WithFields
 	logrus.WithFields(logrus.Fields{
-		"build": b.GetNumber(),
-		"org": b.GetRepo().GetOrg(),
-		"repo": b.GetRepo().GetName(),
-		"user": cl.Subject,
+		"build": b.GetNumber(),
+		"org": b.GetRepo().GetOrg(),
+		"repo": b.GetRepo().GetName(),
+		"subject": cl.Subject,
 	}).Infof("generating ID token for build %s/%d", b.GetRepo().GetFullName(), b.GetNumber())
 
 	// retrieve token manager from context
@@ -108,7 +109,7 @@ func GetIDToken(c *gin.Context) {
 	}
 
 	// mint token
-	idt, err := tm.MintIDToken(idmto, database.FromContext(c))
+	idt, err := tm.MintIDToken(ctx, idmto, database.FromContext(c))
 	if err != nil {
 		retErr := fmt.Errorf("unable to generate build token: %w", err)
 		util.HandleError(c, http.StatusInternalServerError, retErr)
diff --git a/api/types/oidc.go b/api/types/oidc.go
index 63e8c0573..fa5f45cbb 100644
--- a/api/types/oidc.go
+++ b/api/types/oidc.go
@@ -21,7 +21,9 @@ type OpenIDConfig struct {
 // includes information relevant to OIDC services.
 type OpenIDClaims struct {
 	BuildNumber int `json:"build_number,omitempty"`
+	BuildID int64 `json:"build_id,omitempty"`
 	Actor string `json:"actor,omitempty"`
+	ActorID string `json:"actor_id,omitempty"`
 	Repo string `json:"repo,omitempty"`
 	TokenType string `json:"token_type,omitempty"`
 	Image string `json:"image,omitempty"`
diff --git a/internal/token/mint.go b/internal/token/mint.go
index 3768629e7..d7dfb676c 100644
--- a/internal/token/mint.go
+++ b/internal/token/mint.go
@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strconv"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
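Review bot: The structured log key `"user"` is renamed to `"subject"` in the `logrus.WithFields` call of GetIDToken, so any log-based detection rule, dashboard or audit query that filters ID-token minting events on the `user` field will silently stop matching. If the rename is deliberate it deserves a mention in the change description so operators can update their queries; otherwise keep `"user": cl.Subject,`. GetIDToken continues outside the hunk.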
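Review bot: The two new identifier claims on `OpenIDClaims` use different types, `BuildID int64` and `ActorID string`, although both appear to carry database IDs, and nothing on the struct explains the asymmetry. Relying parties that match these claims in trust-policy conditions will see one numeric and one string claim, which is easy to get wrong when writing conditions. Either make the two consistent or document the choice on the field, e.g. `// ActorID is the Vela user ID of the build sender, serialized as a string for claim matching.`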
@@ -129,7 +130,7 @@ func (tm *Manager) MintToken(mto *MintTokenOpts) (string, error) {
 }
 
 // MintIDToken mints a Vela JWT ID Token for a build.
-func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (string, error) {
+func (tm *Manager) MintIDToken(ctx context.Context, mto *MintTokenOpts, db database.Interface) (string, error) {
 	// initialize claims struct
 	var claims = new(api.OpenIDClaims)
 
@@ -146,9 +147,22 @@ func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (strin
 		return "", errors.New("missing build id for ID token")
 	}
 
+	if len(mto.Build.GetSender()) == 0 {
+		return "", errors.New("missing build sender for ID token")
+	}
+
 	// set claims based on input
 	claims.BuildNumber = mto.Build.GetNumber()
+	claims.BuildID = mto.Build.GetID()
 	claims.Actor = mto.Build.GetSender()
+
+	// retrieve the user id for the actor
+	u, err := db.GetUserForName(ctx, mto.Build.GetSender())
+	if err != nil {
+		return "", errors.New("unable to retrieve build sender user ID for ID token")
+	}
+
+	claims.ActorID = strconv.Itoa(int(u.GetID()))
 	claims.Repo = mto.Repo
 	claims.Event = fmt.Sprintf("%s:%s", mto.Build.GetEvent(), mto.Build.GetEventAction())
 	claims.SHA = mto.Build.GetCommit()
@@ -168,7 +182,7 @@ func (tm *Manager) MintIDToken(mto *MintTokenOpts, db database.Interface) (strin
 	tk := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 
 	// verify key is active in the database before signing
-	_, err := db.GetActiveJWK(context.TODO(), tm.RSAKeySet.KID)
+	_, err = db.GetActiveJWK(context.TODO(), tm.RSAKeySet.KID)
 	if err != nil {
 		if !errors.Is(err, gorm.ErrRecordNotFound) {
 			return "", fmt.Errorf("unable to get active public key: %w", err)
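Review bot: The doc comment `// MintIDToken mints a Vela JWT ID Token for a build.` is left unchanged although the signature gains a `ctx` parameter and the function now resolves the build sender through `db` before signing, which is a new failure mode callers should know about. Suggested wording: `// MintIDToken mints a Vela JWT ID Token for a build. It resolves the build sender to a Vela user via db, failing if the lookup does not succeed; ctx bounds the database calls.` The rest of MintIDToken lies outside this hunk.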
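Review bot: `claims.ActorID = strconv.Itoa(int(u.GetID()))` narrows the user ID through `int`, which on a 32-bit build truncates an `int64` and would put a wrong identity into a signed token; use `claims.ActorID = strconv.FormatInt(u.GetID(), 10)`. In the same hunk the error from `db.GetUserForName` is discarded and replaced by a bare `errors.New`, so an operator cannot tell a missing user record from a database outage; if the intent is to keep database detail out of the API response, log the cause here before returning the sanitized error, otherwise wrap it with `%w`. Note also that the function now refuses to mint a token for any build whose sender has no Vela user record, which appears to be a behaviour change for such builds and is worth stating in the description. MintIDToken continues past the end of this hunk.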
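Review bot: `db.GetActiveJWK(context.TODO(), tm.RSAKeySet.KID)` still uses `context.TODO()` even though MintIDToken now receives `ctx`, so the signing-key lookup ignores request cancellation and deadlines while the user lookup earlier in the function honors them. Change it to `_, err = db.GetActiveJWK(ctx, tm.RSAKeySet.KID)`. The function body continues outside the hunk.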