Move gitlab to ci-provider (#1740)

* move fulcio config from json to yaml Signed-off-by: Javan lacerda <javanlacerda@google.com> * move fulcio-config to a new file Signed-off-by: Javan lacerda <javanlacerda@google.com> * updating test for check-config workflow Signed-off-by: Javan lacerda <javanlacerda@google.com> * set verify k8s workflow for get configg directly Signed-off-by: Javan lacerda <javanlacerda@google.com> * migrate gitlab to ci provider Signed-off-by: Javan lacerda <javanlacerda@google.com> * set gitlab ref for using a conditional template Signed-off-by: Javan lacerda <javanlacerda@google.com> --------- Signed-off-by: Javan lacerda <javanlacerda@google.com>
sigstore · Jul 25, 2024 · 9acf076 · 9acf076
1 parent 9f02ba2
commit 9acf076
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 11 deletions.
diff --git a/config/identity/config.yaml b/config/identity/config.yaml
@@ -12,8 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-define: &github-type "github-workflow"
-
+define:
+  - &github-type "github-workflow"
+  - &gitlab-type "gitlab-pipeline"
 oidc-issuers:
   https://accounts.google.com:
     issuer-url: https://accounts.google.com
@@ -43,19 +44,22 @@ oidc-issuers:
   https://dev.gitlab.org:
     issuer-url: https://dev.gitlab.org
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
     contact: distribution-be@gitlab.com
     description: "GitLab OIDC tokens for job identity"
   https://gitlab.archlinux.org:
     issuer-url: https://gitlab.archlinux.org
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
     contact: sigstore@archlinux.org
     description: "GitLab OIDC tokens for job identity"
   https://gitlab.com:
     issuer-url: https://gitlab.com
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
     contact: support@gitlab.com
     description: "GitLab OIDC tokens for job identity"
   https://issuer.enforce.dev:
@@ -86,7 +90,8 @@ oidc-issuers:
   https://ops.gitlab.net:
     issuer-url: https://ops.gitlab.net
     client-id: sigstore
-    type: gitlab-pipeline
+    type: ci-provider
+    ci-provider: *gitlab-type
     contact: distribution-be@gitlab.com
     description: "GitLab OIDC tokens for job identity"
   https://token.actions.githubusercontent.com:
@@ -117,7 +122,7 @@ ci-issuer-metadata:
   *github-type:
       default-template-values:
           url: "https://github.com"
-      extension-templates: 
+      extension-templates:
           github-workflow-trigger: "event_name"
           github-workflow-sha: "sha"
           github-workflow-name: "workflow"
@@ -138,3 +143,22 @@ ci-issuer-metadata:
           run-invocation-uri: "{{ .url }}/{{ .repository }}/actions/runs/{{ .run_id }}/attempts/{{ .run_attempt }}"
           source-repository-visibility-at-signing: "repository_visibility"
       subject-alternative-name-template: "{{ .url }}/{{ .job_workflow_ref }}"
+  *gitlab-type:
+    default-template-values:
+        url: "https://gitlab.com"
+    extension-templates:
+        build-signer-uri: "https://{{ .ci_config_ref_uri }}"
+        build-signer-digest: "ci_config_sha"
+        runner-environment: "runner_environment"
+        source-repository-uri: "{{ .url }}/{{ .repository }}"
+        source-repository-digest: "sha"
+        source-repository-ref: refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}/{{ .ref }}
+        source-repository-identifier: "project_id"
+        source-repository-owner-uri: "{{ .url }}/{{ .namespace_path }}"
+        source-repository-owner-identifier: "namespace_id"
+        build-config-uri: "https://{{ .ci_config_ref_uri }}"
+        build-config-digest: "ci_config_sha"
+        build-trigger: "pipeline_source"
+        run-invocation-uri: "{{ .url }}/{{ .project_path }}/-/jobs/{{ .job_id }}"
+        source-repository-visibility-at-signing: "repository_visibility"
+    subject-alternative-name-template: "https://{{ .ci_config_ref_uri }}"
diff --git a/pkg/identity/ciprovider/principal_test.go b/pkg/identity/ciprovider/principal_test.go
@@ -229,6 +229,10 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 		"workflow":              "foo",
 		"workflow_ref":          "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
 		"workflow_sha":          "example-sha-other",
+		"ref_type":              "branch",
+		"ref_gitlab":            "main",
+		"ref_type_tag":          "tag",
+		"ref_tag":               "1.0.0",
 	}
 	issuerMetadata := map[string]string{
 		"url": "https://github.com",
@@ -269,18 +273,28 @@ func TestApplyTemplateOrReplace(t *testing.T) {
 			ExpectedResult: "",
 			ExpectErr:      true,
 		},
+		`If else template`: {
+			Template:       `refs/{{if eq .ref_type "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_gitlab }}`,
+			ExpectedResult: "refs/heads/main",
+			ExpectErr:      false,
+		},
+		`If else template using else condition`: {
+			Template:       `refs/{{if eq .ref_type_tag "branch"}}heads/{{ else }}tags/{{end}}{{ .ref_tag }}`,
+			ExpectedResult: "refs/tags/1.0.0",
+			ExpectErr:      false,
+		},
 	}
 
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
 			res, err := applyTemplateOrReplace(test.Template, tokenClaims, issuerMetadata)
 			if res != test.ExpectedResult {
-				t.Errorf("expected result don't matches: Expected %s, received: %s",
-					test.ExpectedResult, res)
+				t.Errorf("expected result don't matches: Expected %s, received: %s, error: %v",
+					test.ExpectedResult, res, err)
 			}
 			if (err != nil) != test.ExpectErr {
-				t.Errorf("should raise an error don't matches: Expected %v, received: %v",
-					test.ExpectErr, err != nil)
+				t.Errorf("should raise an error don't matches: Expected %v, received: %v, error: %v",
+					test.ExpectErr, err != nil, err)
 			}
 		})
 	}