-
Notifications
You must be signed in to change notification settings - Fork 50
/
Copy pathgithub_oidc_authorizer.go
197 lines (158 loc) · 6.13 KB
/
github_oidc_authorizer.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
// Copyright (c) HashiCorp Inc. All rights reserved.
// Licensed under the MPL-2.0 License. See NOTICE.txt in the project root for license information.
package auth
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"github.com/hashicorp/go-azure-sdk/sdk/environments"
"golang.org/x/oauth2"
)
type GitHubOIDCAuthorizerOptions struct {
// Api describes the Azure API being used
Api environments.Api
// ClientId is the client ID used when authenticating
ClientId string
// Environment is the Azure environment/cloud being targeted
Environment environments.Environment
// TenantId is the tenant to authenticate against
TenantId string
// AuxiliaryTenantIds lists additional tenants to authenticate against, currently only
// used for Resource Manager when auxiliary tenants are needed.
// e.g. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant
AuxiliaryTenantIds []string
// IdTokenRequestUrl is the URL for the OIDC provider from which to request an ID token.
// Usually exposed via the ACTIONS_ID_TOKEN_REQUEST_URL environment variable when running in GitHub Actions
IdTokenRequestUrl string
// IdTokenRequestToken is the bearer token for the request to the OIDC provider.
// Usually exposed via the ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable when running in GitHub Actions
IdTokenRequestToken string
}
// NewGitHubOIDCAuthorizer returns an authorizer which acquires a client assertion from a GitHub endpoint, then uses client assertion authentication to obtain an access token.
func NewGitHubOIDCAuthorizer(ctx context.Context, options GitHubOIDCAuthorizerOptions) (Authorizer, error) {
scope, err := environments.Scope(options.Api)
if err != nil {
return nil, fmt.Errorf("determining scope for %q: %+v", options.Api.Name(), err)
}
conf := gitHubOIDCConfig{
Environment: options.Environment,
TenantID: options.TenantId,
AuxiliaryTenantIDs: options.AuxiliaryTenantIds,
ClientID: options.ClientId,
IDTokenRequestURL: options.IdTokenRequestUrl,
IDTokenRequestToken: options.IdTokenRequestToken,
Scopes: []string{
*scope,
},
}
return conf.TokenSource(ctx)
}
var _ Authorizer = &GitHubOIDCAuthorizer{}
type GitHubOIDCAuthorizer struct {
conf *gitHubOIDCConfig
}
func (a *GitHubOIDCAuthorizer) githubAssertion(ctx context.Context, _ *http.Request) (*string, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, a.conf.IDTokenRequestURL, http.NoBody)
if err != nil {
return nil, fmt.Errorf("githubAssertion: failed to build request: %+v", err)
}
query, err := url.ParseQuery(req.URL.RawQuery)
if err != nil {
return nil, fmt.Errorf("githubAssertion: cannot parse URL query")
}
if query.Get("audience") == "" {
query.Set("audience", "api://AzureADTokenExchange")
req.URL.RawQuery = query.Encode()
}
req.Header.Set("Accept", "application/json")
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", a.conf.IDTokenRequestToken))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
resp, err := Client.Do(req)
if err != nil {
return nil, fmt.Errorf("githubAssertion: cannot request token: %v", err)
}
defer resp.Body.Close()
body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
if err != nil {
return nil, fmt.Errorf("githubAssertion: cannot parse response: %v", err)
}
if c := resp.StatusCode; c < 200 || c > 299 {
return nil, fmt.Errorf("githubAssertion: received HTTP status %d with response: %s", resp.StatusCode, body)
}
var tokenRes struct {
Count *int `json:"count"`
Value *string `json:"value"`
}
if err := json.Unmarshal(body, &tokenRes); err != nil {
return nil, fmt.Errorf("githubAssertion: cannot unmarshal response: %v", err)
}
return tokenRes.Value, nil
}
func (a *GitHubOIDCAuthorizer) tokenSource(ctx context.Context, req *http.Request) (Authorizer, error) {
assertion, err := a.githubAssertion(ctx, req)
if err != nil {
return nil, err
}
if assertion == nil {
return nil, fmt.Errorf("GitHubOIDCAuthorizer: nil JWT assertion received from GitHub")
}
conf := clientCredentialsConfig{
Environment: a.conf.Environment,
TenantID: a.conf.TenantID,
AuxiliaryTenantIDs: a.conf.AuxiliaryTenantIDs,
ClientID: a.conf.ClientID,
FederatedAssertion: *assertion,
Scopes: a.conf.Scopes,
TokenURL: a.conf.TokenURL,
Audience: a.conf.Audience,
}
source, err := conf.TokenSource(ctx, clientCredentialsAssertionType)
if err != nil {
return nil, fmt.Errorf("GitHubOIDCAuthorizer: building Authorizer: %+v", err)
}
return source, nil
}
func (a *GitHubOIDCAuthorizer) Token(ctx context.Context, req *http.Request) (*oauth2.Token, error) {
source, err := a.tokenSource(ctx, req)
if err != nil {
return nil, err
}
return source.Token(ctx, req)
}
func (a *GitHubOIDCAuthorizer) AuxiliaryTokens(ctx context.Context, req *http.Request) ([]*oauth2.Token, error) {
source, err := a.tokenSource(ctx, req)
if err != nil {
return nil, err
}
return source.AuxiliaryTokens(ctx, req)
}
type gitHubOIDCConfig struct {
// Environment is the national cloud environment to use
Environment environments.Environment
// TenantID is the required tenant ID for the primary token
TenantID string
// AuxiliaryTenantIDs is an optional list of tenant IDs for which to obtain additional tokens
AuxiliaryTenantIDs []string
// ClientID is the application's ID.
ClientID string
// IDTokenRequestURL is the URL for GitHub's OIDC provider.
IDTokenRequestURL string
// IDTokenRequestToken is the bearer token for the request to the OIDC provider.
IDTokenRequestToken string
// Scopes specifies a list of requested permission scopes (used for v2 tokens)
Scopes []string
// TokenURL is the clientCredentialsToken endpoint, which overrides the default endpoint constructed from a tenant ID
TokenURL string
// Audience optionally specifies the intended audience of the
// request. If empty, the value of TokenURL is used as the
// intended audience.
Audience string
}
func (c *gitHubOIDCConfig) TokenSource(ctx context.Context) (Authorizer, error) {
return NewCachedAuthorizer(&GitHubOIDCAuthorizer{
conf: c,
})
}