mirror of https://github.com/actions/toolkit
fix bug with customized oidc issuer
Signed-off-by: Brian DeHamer <bdehamer@github.com>pull/1823/head
parent
6c4e082c18
commit
2a07de1333
|
@ -1,5 +1,8 @@
|
||||||
# @actions/attest Releases
|
# @actions/attest Releases
|
||||||
|
|
||||||
|
### 1.4.2
|
||||||
|
|
||||||
|
- Fix bug in `buildSLSAProvenancePredicate`/`attestProvenance` when generating provenance statement for enterprise account using customized OIDC issuer value [#1823](https://github.com/actions/toolkit/pull/1823)
|
||||||
### 1.4.1
|
### 1.4.1
|
||||||
|
|
||||||
- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
|
- Bump @actions/http-client from 2.2.1 to 2.2.3 [#1805](https://github.com/actions/toolkit/pull/1805)
|
||||||
|
@ -8,7 +11,6 @@
|
||||||
|
|
||||||
- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
|
- Add new `headers` parameter to the `attest` and `attestProvenance` functions [#1790](https://github.com/actions/toolkit/pull/1790)
|
||||||
- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)
|
- Update `buildSLSAProvenancePredicate`/`attestProvenance` to automatically derive default OIDC issuer URL from current execution context [#1796](https://github.com/actions/toolkit/pull/1796)
|
||||||
|
|
||||||
### 1.3.1
|
### 1.3.1
|
||||||
|
|
||||||
- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)
|
- Fix bug with proxy support when retrieving JWKS for OIDC issuer [#1776](https://github.com/actions/toolkit/pull/1776)
|
||||||
|
|
|
@ -68,6 +68,55 @@ describe('getIDTokenClaims', () => {
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
describe('when ID token is valid (w/ enterprise slug)', () => {
|
||||||
|
const claims = {
|
||||||
|
iss: `${issuer}/foo-bar`,
|
||||||
|
aud: audience,
|
||||||
|
ref: 'ref',
|
||||||
|
sha: 'sha',
|
||||||
|
repository: 'repo',
|
||||||
|
event_name: 'push',
|
||||||
|
job_workflow_ref: 'job_workflow_ref',
|
||||||
|
workflow_ref: 'workflow',
|
||||||
|
repository_id: '1',
|
||||||
|
repository_owner_id: '1',
|
||||||
|
runner_environment: 'github-hosted',
|
||||||
|
run_id: '1',
|
||||||
|
run_attempt: '1'
|
||||||
|
}
|
||||||
|
|
||||||
|
beforeEach(async () => {
|
||||||
|
const jwt = await new jose.SignJWT(claims)
|
||||||
|
.setProtectedHeader({alg: 'PS256'})
|
||||||
|
.sign(key.privateKey)
|
||||||
|
|
||||||
|
nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
|
||||||
|
})
|
||||||
|
|
||||||
|
it('returns the ID token claims', async () => {
|
||||||
|
const result = await getIDTokenClaims(issuer)
|
||||||
|
expect(result).toEqual(claims)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
|
describe('when ID token is missing the "iss" claim', () => {
|
||||||
|
const claims = {
|
||||||
|
aud: audience
|
||||||
|
}
|
||||||
|
|
||||||
|
beforeEach(async () => {
|
||||||
|
const jwt = await new jose.SignJWT(claims)
|
||||||
|
.setProtectedHeader({alg: 'PS256'})
|
||||||
|
.sign(key.privateKey)
|
||||||
|
|
||||||
|
nock(issuer).get(tokenPath).query({audience}).reply(200, {value: jwt})
|
||||||
|
})
|
||||||
|
|
||||||
|
it('throws an error', async () => {
|
||||||
|
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/missing "iss"/i)
|
||||||
|
})
|
||||||
|
})
|
||||||
|
|
||||||
describe('when ID token is missing required claims', () => {
|
describe('when ID token is missing required claims', () => {
|
||||||
const claims = {
|
const claims = {
|
||||||
iss: issuer,
|
iss: issuer,
|
||||||
|
@ -99,7 +148,9 @@ describe('getIDTokenClaims', () => {
|
||||||
})
|
})
|
||||||
|
|
||||||
it('throws an error', async () => {
|
it('throws an error', async () => {
|
||||||
await expect(getIDTokenClaims(issuer)).rejects.toThrow(/unexpected "iss"/)
|
await expect(getIDTokenClaims(issuer)).rejects.toThrow(
|
||||||
|
/unexpected "iss"/i
|
||||||
|
)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
{
|
{
|
||||||
"name": "@actions/attest",
|
"name": "@actions/attest",
|
||||||
"version": "1.4.1",
|
"version": "1.4.2",
|
||||||
"lockfileVersion": 2,
|
"lockfileVersion": 2,
|
||||||
"requires": true,
|
"requires": true,
|
||||||
"packages": {
|
"packages": {
|
||||||
"": {
|
"": {
|
||||||
"name": "@actions/attest",
|
"name": "@actions/attest",
|
||||||
"version": "1.4.1",
|
"version": "1.4.2",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"@actions/core": "^1.10.1",
|
"@actions/core": "^1.10.1",
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "@actions/attest",
|
"name": "@actions/attest",
|
||||||
"version": "1.4.1",
|
"version": "1.4.2",
|
||||||
"description": "Actions attestation lib",
|
"description": "Actions attestation lib",
|
||||||
"keywords": [
|
"keywords": [
|
||||||
"github",
|
"github",
|
||||||
|
|
|
@ -49,10 +49,19 @@ const decodeOIDCToken = async (
|
||||||
// Verify and decode token
|
// Verify and decode token
|
||||||
const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
|
const jwks = jose.createLocalJWKSet(await getJWKS(issuer))
|
||||||
const {payload} = await jose.jwtVerify(token, jwks, {
|
const {payload} = await jose.jwtVerify(token, jwks, {
|
||||||
audience: OIDC_AUDIENCE,
|
audience: OIDC_AUDIENCE
|
||||||
issuer
|
|
||||||
})
|
})
|
||||||
|
|
||||||
|
if (!payload.iss) {
|
||||||
|
throw new Error('Missing "iss" claim')
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that the issuer STARTS WITH the expected issuer URL to account for
|
||||||
|
// the fact that the value may include an enterprise-specific slug
|
||||||
|
if (!payload.iss.startsWith(issuer)) {
|
||||||
|
throw new Error(`Unexpected "iss" claim: ${payload.iss}`)
|
||||||
|
}
|
||||||
|
|
||||||
return payload
|
return payload
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue