From 98b5e95a0a78db4ec6699be6ac749bf516035e46 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Wed, 29 Nov 2023 11:04:40 +0000
Subject: [PATCH 01/10] modified `--signer-fulcio-token` flag to accept either a path to a token or a raw token string
---
 hack/test.token | 1 +
 signer/fulcio/fulcio.go | 22 ++++++++++++++++++++--
 signer/fulcio/fulcio_test.go | 29 +++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 hack/test.token
diff --git a/hack/test.token b/hack/test.token
new file mode 100644
index 00000000..43eed6d1
--- /dev/null
+++ b/hack/test.token
@@ -0,0 +1 @@
+eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ.3Thp81rDFrKXr3WrY1MyMnNK8kKoZBX9lg-JwFznR-M
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index 8983f8c0..d85a632c 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
@@ -93,7 +93,7 @@ func init() {
 ),
 registry.StringConfigOption(
 "token",
- "Raw token to use for authentication",
+ "Raw token to use for authentication. The token or a path to the file containing the token is accepted",
 "",
 func(sp signer.SignerProvider, token string) (signer.SignerProvider, error) {
 fsp, ok := sp.(FulcioSignerProvider)
@@ -211,7 +211,11 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 }
 case fsp.Token != "":
- raw = fsp.Token
+ // reading from file if a path was supplied
+ raw, err = idToken(fsp.Token)
+ if err != nil {
+ return nil, err
+ }
 case fsp.Token == "" && isatty.IsTerminal(os.Stdin.Fd()):
 tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", "", oauthflow.DefaultIDTokenGetter)
@@ -403,3 +407,17 @@ func newClient(ctx context.Context, fulcioURL string, fulcioPort int, isInsecure
 // Create the Fulcio client
 return fulciopb.NewCAClient(conn), nil
 }
+
+// idToken allows users to either pass in an identity token directly
+// or a path to an identity token via the --identity-token flag
+func idToken(s string) (string, error) {
+ // If this is a valid raw token or is empty, just return it
+ // NOTE: could be replaced with https://pkg.go.dev/go.step.sm/crypto/jose in future if features helpful
+ if _, err := jwt.ParseSigned(s); err == nil || s == "" {
+ return s, nil
+ }
+
+ // Otherwise, if this is a path to a token return the contents
+ c, err := os.ReadFile(s)
+ return string(c), err
+}
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index 1a062821..07b5185c 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -24,6 +24,7 @@ import (
 "fmt"
 "log"
 "net"
+ "os"
 "strings"
 "testing"
 "time"
@@ -33,6 +34,7 @@ import (
 fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/stretchr/testify/require"
 "go.step.sm/crypto/jose"
+ "path/filepath"
 "google.golang.org/grpc"
 "gopkg.in/square/go-jose.v2/jwt"
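Review bot: When `jwt.ParseSigned` rejects the value, the fallback calls `os.ReadFile(s)` with the value itself as the path, so a malformed-but-real credential is copied verbatim into the returned `*os.PathError` (of the form `open <value>: no such file or directory`) and from there into CLI output and logs. The read branch should report which interpretation failed without echoing the input, e.g. `c, err := os.ReadFile(s)` / `if err != nil { return "", fmt.Errorf("token is neither a parseable JWS nor a readable file: %w", errors.Unwrap(err)) }` / `return string(c), nil`. The doc comment also names an `--identity-token` flag while the option registered in the first hunk of this patch is `token`. The same hunk reappears in PATCH 02/10, and PATCH 07/10 later removes the function in favour of an explicit token-path option.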
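Review bot: `"path/filepath"` is a standard-library package but is inserted into the third-party group between `go.step.sm/crypto/jose` and `google.golang.org/grpc`; `goimports` would place it in the first group next to the `"os"` line added in the previous hunk, and a formatting check will keep moving it. The same placement reappears in the PATCH 02/10 copy of this hunk.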
@@ -76,6 +78,33 @@ func TestNewClient(t *testing.T) {
 require.NotNil(t, client)
 }
+func TestIDToken(t *testing.T) {
+ // test when supplying a raw token, the same token is returned
+ tok := generateTestToken("test@example.com", "testsubject")
+ out, err := idToken(tok)
+ require.NoError(t, err)
+ require.Equal(t, tok, out)
+
+ // test when supplying a path, a valid token is returned
+ // NOTE: this function could be refactored to accept a fileSystem or io.Reader so reading the file can be mocked,
+ // but unsure if this is the way we want to go for now
+ wd, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("failed to get working directory: %v", err)
+ }
+ rootDir := filepath.Dir(filepath.Dir(wd))
+ tok = filepath.Join(rootDir, "hack", "test.token")
+ testTok, err := os.ReadFile(tok)
+ if err != nil {
+ t.Fatalf("failed to read test token file: %v", err)
+ }
+
+ out, err = idToken(tok)
+ require.NoError(t, err)
+ require.Equal(t, string(testTok), out)
+
+}
+
 type dummyCAClientService struct {
 client fulciopb.CAClient
 server *grpc.Server
From 1c2956015b35bf95c3fdef60c5656782f0bd57bf Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Wed, 29 Nov 2023 11:04:40 +0000
Subject: [PATCH 02/10] modified `--signer-fulcio-token` flag to accept either a path to a token or a raw token string
Signed-off-by: chaosinthecrd
---
 hack/test.token | 1 +
 signer/fulcio/fulcio.go | 22 ++++++++++++++++++++--
 signer/fulcio/fulcio_test.go | 29 +++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 hack/test.token
diff --git a/hack/test.token b/hack/test.token
new file mode 100644
index 00000000..43eed6d1
--- /dev/null
+++ b/hack/test.token
@@ -0,0 +1 @@
+eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ.3Thp81rDFrKXr3WrY1MyMnNK8kKoZBX9lg-JwFznR-M
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index 8983f8c0..d85a632c 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
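Review bot: The path branch is exercised against a committed fixture located through `filepath.Dir(filepath.Dir(wd))`, which silently ties the test to this package sitting exactly two directories below the repository root, and the fixture itself is a JWT-shaped string (`hack/test.token`) that secret scanners will keep flagging. Writing the token produced by `generateTestToken` into `t.TempDir()` removes both dependencies and lets the test assert an exact round-trip instead of comparing against whatever the file happens to contain. The same fixture lookup reappears in the PATCH 02/10 copy of this hunk and in the TestSigner hunk of PATCH 07/10.
```go
	// … unchanged: raw-token round-trip …

	// test when supplying a path, the file contents are returned
	tokPath := filepath.Join(t.TempDir(), "test.token")
	require.NoError(t, os.WriteFile(tokPath, []byte(tok), 0o600))

	out, err = idToken(tokPath)
	require.NoError(t, err)
	require.Equal(t, tok, out)
```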
@@ -93,7 +93,7 @@ func init() {
 ),
 registry.StringConfigOption(
 "token",
- "Raw token to use for authentication",
+ "Raw token to use for authentication. The token or a path to the file containing the token is accepted",
 "",
 func(sp signer.SignerProvider, token string) (signer.SignerProvider, error) {
 fsp, ok := sp.(FulcioSignerProvider)
@@ -211,7 +211,11 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 }
 case fsp.Token != "":
- raw = fsp.Token
+ // reading from file if a path was supplied
+ raw, err = idToken(fsp.Token)
+ if err != nil {
+ return nil, err
+ }
 case fsp.Token == "" && isatty.IsTerminal(os.Stdin.Fd()):
 tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", "", oauthflow.DefaultIDTokenGetter)
@@ -403,3 +407,17 @@ func newClient(ctx context.Context, fulcioURL string, fulcioPort int, isInsecure
 // Create the Fulcio client
 return fulciopb.NewCAClient(conn), nil
 }
+
+// idToken allows users to either pass in an identity token directly
+// or a path to an identity token via the --identity-token flag
+func idToken(s string) (string, error) {
+ // If this is a valid raw token or is empty, just return it
+ // NOTE: could be replaced with https://pkg.go.dev/go.step.sm/crypto/jose in future if features helpful
+ if _, err := jwt.ParseSigned(s); err == nil || s == "" {
+ return s, nil
+ }
+
+ // Otherwise, if this is a path to a token return the contents
+ c, err := os.ReadFile(s)
+ return string(c), err
+}
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index 1a062821..07b5185c 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -24,6 +24,7 @@ import (
 "fmt"
 "log"
 "net"
+ "os"
 "strings"
 "testing"
 "time"
@@ -33,6 +34,7 @@ import (
 fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf"
 "github.com/stretchr/testify/require"
 "go.step.sm/crypto/jose"
+ "path/filepath"
 "google.golang.org/grpc"
 "gopkg.in/square/go-jose.v2/jwt"
@@ -76,6 +78,33 @@ func TestNewClient(t *testing.T) {
 require.NotNil(t, client)
 }
+func TestIDToken(t *testing.T) {
+ // test when supplying a raw token, the same token is returned
+ tok := generateTestToken("test@example.com", "testsubject")
+ out, err := idToken(tok)
+ require.NoError(t, err)
+ require.Equal(t, tok, out)
+
+ // test when supplying a path, a valid token is returned
+ // NOTE: this function could be refactored to accept a fileSystem or io.Reader so reading the file can be mocked,
+ // but unsure if this is the way we want to go for now
+ wd, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("failed to get working directory: %v", err)
+ }
+ rootDir := filepath.Dir(filepath.Dir(wd))
+ tok = filepath.Join(rootDir, "hack", "test.token")
+ testTok, err := os.ReadFile(tok)
+ if err != nil {
+ t.Fatalf("failed to read test token file: %v", err)
+ }
+
+ out, err = idToken(tok)
+ require.NoError(t, err)
+ require.Equal(t, string(testTok), out)
+
+}
+
 type dummyCAClientService struct {
 client fulciopb.CAClient
 server *grpc.Server
From f364321d4c2e8d048989cb0c22f3c6842cc1540b Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Wed, 29 Nov 2023 11:09:51 +0000
Subject: [PATCH 03/10] adding an unhappy path to the tests
Signed-off-by: chaosinthecrd
---
 signer/fulcio/fulcio_test.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index 07b5185c..8e2c0333 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -103,6 +103,11 @@ func TestIDToken(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, string(testTok), out)
+ // test that when neither valid token nor a path is supplied, an error is returned
+ tok = "test"
+ out, err = idToken(tok)
+ require.Error(t, err)
+
 }
 type dummyCAClientService struct {
From e38018847df3f95a05ff4a805633a7c0d5c4b70b Mon Sep 17 00:00:00 2001
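Review bot: The negative case passes the literal `"test"` and expects an error, which only holds as long as nothing named `test` exists in the package directory when the test runs; since the fallback is a plain `os.ReadFile`, a stray file of that name turns this into a false pass. Point the case at a path that is guaranteed absent, `tok = filepath.Join(t.TempDir(), "missing")`, so the assertion does not depend on the checkout. TestIDToken starts outside this hunk.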
From: chaosinthecrd
Date: Wed, 29 Nov 2023 11:26:51 +0000
Subject: [PATCH 04/10] updated function and description
---
 signer/fulcio/fulcio.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index d85a632c..f0cd93cb 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
@@ -408,12 +408,12 @@ func newClient(ctx context.Context, fulcioURL string, fulcioPort int, isInsecure
 return fulciopb.NewCAClient(conn), nil
 }
-// idToken allows users to either pass in an identity token directly
-// or a path to an identity token via the --identity-token flag
+// idToken tries to parse a string as a token in JWS form. If it fails,
+// it treats the string as a path and tries to open the file at that path
 func idToken(s string) (string, error) {
- // If this is a valid raw token or is empty, just return it
+ // If this is a valid raw token, just return it
 // NOTE: could be replaced with https://pkg.go.dev/go.step.sm/crypto/jose in future if features helpful
- if _, err := jwt.ParseSigned(s); err == nil || s == "" {
+ if _, err := jwt.ParseSigned(s); err == nil {
 return s, nil
 }
From 89e5584b65e736b87a77d4be9a75e2643cc3334b Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Wed, 29 Nov 2023 11:26:51 +0000
Subject: [PATCH 05/10] updated function and description
Signed-off-by: chaosinthecrd
---
 signer/fulcio/fulcio.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index d85a632c..f0cd93cb 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
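Review bot: The rewritten doc comment should make explicit that `jwt.ParseSigned` only checks the value is a well-formed compact JWS — no signature or claims verification happens in this function, so anything token-shaped is returned untouched and every real check is left to the Fulcio call. Suggested wording: `// idToken returns s unchanged if it parses as a compact JWS (structure only, the` / `// signature is not verified); otherwise s is treated as a file path and the file` / `// contents are returned.` The function also reads rather than opens the file, and the same hunk reappears in PATCH 05/10.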
@@ -408,12 +408,12 @@ func newClient(ctx context.Context, fulcioURL string, fulcioPort int, isInsecure
 return fulciopb.NewCAClient(conn), nil
 }
-// idToken allows users to either pass in an identity token directly
-// or a path to an identity token via the --identity-token flag
+// idToken tries to parse a string as a token in JWS form. If it fails,
+// it treats the string as a path and tries to open the file at that path
 func idToken(s string) (string, error) {
- // If this is a valid raw token or is empty, just return it
+ // If this is a valid raw token, just return it
 // NOTE: could be replaced with https://pkg.go.dev/go.step.sm/crypto/jose in future if features helpful
- if _, err := jwt.ParseSigned(s); err == nil || s == "" {
+ if _, err := jwt.ParseSigned(s); err == nil {
 return s, nil
 }
From 70d18d0f4dcd106722a9cc38d1f7ac58296763d5 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Mon, 4 Dec 2023 17:40:31 +0000
Subject: [PATCH 06/10] removing ineffectual assignment in test
Signed-off-by: chaosinthecrd
---
 signer/fulcio/fulcio_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index bcd77ed7..bbfa65c9 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -105,7 +105,7 @@ func TestIDToken(t *testing.T) {
 // test that when neither valid token nor a path is supplied, an error is returned
 tok = "test"
- out, err = idToken(tok)
+ _, err = idToken(tok)
 require.Error(t, err)
 }
From d9e960fffa91a71ffcc940535db59f32e56fc085 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Thu, 7 Dec 2023 15:44:29 +0000
Subject: [PATCH 07/10] updated to add token path flag and remove idToken function magic
Signed-off-by: chaosinthecrd
---
 hack/test.token | 2 +-
 signer/fulcio/fulcio.go | 52 ++++++++++++++++++++++--------------
 signer/fulcio/fulcio_test.go | 50 +++++++++++++--------------------
 3 files changed, 52 insertions(+), 52 deletions(-)
diff --git a/hack/test.token b/hack/test.token
index 43eed6d1..fbcb3807 100644
--- a/hack/test.token
+++ b/hack/test.token
@@ -1 +1 @@
-eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ.3Thp81rDFrKXr3WrY1MyMnNK8kKoZBX9lg-JwFznR-M
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJmb29iYXIiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjIsIkVtYWlsIjoidGVzdEBpbi10b3RvLmlvIn0.IswtNc6aJL3zAf-lSGvuz7Okf2tBr-I3ulJ_SRUMt0k
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index f0cd93cb..8bef1e4d 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
@@ -93,7 +93,7 @@ func init() {
 ),
 registry.StringConfigOption(
 "token",
- "Raw token to use for authentication. The token or a path to the file containing the token is accepted",
+ "Raw token string to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token-path)",
 "",
 func(sp signer.SignerProvider, token string) (signer.SignerProvider, error) {
 fsp, ok := sp.(FulcioSignerProvider)
@@ -105,6 +105,20 @@ func init() {
 return fsp, nil
 },
 ),
+ registry.StringConfigOption(
+ "token-path",
+ "Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --fulcio-token)",
+ "",
+ func(sp signer.SignerProvider, tokenPath string) (signer.SignerProvider, error) {
+ fsp, ok := sp.(FulcioSignerProvider)
+ if !ok {
+ return sp, fmt.Errorf("provided signer provider is not a fulcio signer provider")
+ }
+
+ WithTokenPath(tokenPath)(&fsp)
+ return fsp, nil
+ },
+ ),
 )
 }
@@ -113,6 +127,7 @@ type FulcioSignerProvider struct {
 OidcIssuer string
 OidcClientID string
 Token string
+ TokenPath string
 }
 type Option func(*FulcioSignerProvider)
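Review bot: The new description tells users to avoid `--fulcio-token-path`, but the options are registered under the names `token` and `token-path`, and the commit subject itself calls the flag `--signer-fulcio-token`, so the help text points at a spelling that the registry may not produce (I cannot see how option names become flags here, so confirm the prefix). The same mismatch appears in the `token-path` description in the next hunk (`--fulcio-token`), in the mutual-exclusion error of the Signer hunk in this patch (`--fulcio-raw-token`, which matches neither registered name) and in the TestSigner assertion that pins that string. Either use the spelling the registry actually emits in all three places, or drop the flag names from the messages, e.g. `"Raw token string to use for authentication to fulcio (mutually exclusive with the token-path option)"`.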
@@ -141,6 +156,12 @@ func WithToken(tokenOption string) Option {
 }
 }
+func WithTokenPath(tokenPathOption string) Option {
+ return func(fsp *FulcioSignerProvider) {
+ fsp.TokenPath = tokenPathOption
+ }
+}
+
 func New(opts ...Option) FulcioSignerProvider {
 fsp := FulcioSignerProvider{}
 for _, opt := range opts {
@@ -210,13 +231,18 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 return nil, err
 }
- case fsp.Token != "":
- // reading from file if a path was supplied
- raw, err = idToken(fsp.Token)
+ // we want to fail if both flags used (they're mutually exclusive)
+ case fsp.TokenPath != "" && fsp.Token != "":
+ return nil, errors.New("only one of --fulcio-token-path or --fulcio-raw-token can be used")
+ case fsp.Token != "" && fsp.TokenPath == "":
+ raw = fsp.Token
+ case fsp.TokenPath != "" && fsp.Token == "":
+ f, err := os.ReadFile(fsp.TokenPath)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to read fulcio token from filepath %s: %w", fsp.TokenPath, err)
 }
+ raw = string(f)
 case fsp.Token == "" && isatty.IsTerminal(os.Stdin.Fd()):
 tok, err := oauthflow.OIDConnect(fsp.OidcIssuer, fsp.OidcClientID, "", "", oauthflow.DefaultIDTokenGetter)
 if err != nil {
@@ -285,7 +311,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 func getCert(ctx context.Context, key *rsa.PrivateKey, fc fulciopb.CAClient, token string) (*fulciopb.SigningCertificate, error) {
 t, err := jwt.ParseSigned(token)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("Failed to parse jwt token for fulcio: %w", err)
 }
 var claims struct {
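Review bot: `WithTokenPath` is a new exported function with no doc comment, so its relationship to `WithToken` is only discoverable by reading Signer. Suggested comment: `// WithTokenPath sets the path of a file whose contents are used verbatim as the Fulcio identity token; it is mutually exclusive with WithToken.`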
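Review bot: `raw = string(f)` passes the file contents on verbatim, so a token file saved with a trailing newline (the usual editor default) carries that newline into the bearer token; whether every downstream parser tolerates it is not visible here, so normalise at the read site with `raw = strings.TrimSpace(string(f))` (adding the `strings` import if the file lacks it). The error wrapper two lines above repeats the path that the `*os.PathError` from `os.ReadFile` already carries and uses the `failed to` prefix; `return nil, fmt.Errorf("reading fulcio token file: %w", err)` conveys the same with less noise. Signer starts and ends outside this hunk.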
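Review bot: The new error string begins with a capital letter (`Failed to parse jwt token for fulcio`), which breaks Go's lowercase-error convention and reads oddly once a caller wraps it mid-sentence; `return nil, fmt.Errorf("parsing fulcio identity token: %w", err)` keeps the wrap and matches the rest of the file. getCert continues outside the hunk.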
@@ -407,17 +433,3 @@ func newClient(ctx context.Context, fulcioURL string, fulcioPort int, isInsecure
 // Create the Fulcio client
 return fulciopb.NewCAClient(conn), nil
 }
-
-// idToken tries to parse a string as a token in JWS form. If it fails,
-// it treats the string as a path and tries to open the file at that path
-func idToken(s string) (string, error) {
- // If this is a valid raw token, just return it
- // NOTE: could be replaced with https://pkg.go.dev/go.step.sm/crypto/jose in future if features helpful
- if _, err := jwt.ParseSigned(s); err == nil {
- return s, nil
- }
-
- // Otherwise, if this is a path to a token return the contents
- c, err := os.ReadFile(s)
- return string(c), err
-}
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index bbfa65c9..435ab5b7 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
@@ -78,37 +78,6 @@ func TestNewClient(t *testing.T) {
 require.NotNil(t, client)
 }
-func TestIDToken(t *testing.T) {
- // test when supplying a raw token, the same token is returned
- tok := generateTestToken("test@example.com", "testsubject")
- out, err := idToken(tok)
- require.NoError(t, err)
- require.Equal(t, tok, out)
-
- // test when supplying a path, a valid token is returned
- // NOTE: this function could be refactored to accept a fileSystem or io.Reader so reading the file can be mocked,
- // but unsure if this is the way we want to go for now
- wd, err := os.Getwd()
- if err != nil {
- t.Fatalf("failed to get working directory: %v", err)
- }
- rootDir := filepath.Dir(filepath.Dir(wd))
- tok = filepath.Join(rootDir, "hack", "test.token")
- testTok, err := os.ReadFile(tok)
- if err != nil {
- t.Fatalf("failed to read test token file: %v", err)
- }
-
- out, err = idToken(tok)
- require.NoError(t, err)
- require.Equal(t, string(testTok), out)
-
- // test that when neither valid token nor a path is supplied, an error is returned
- tok = "test"
- _, err = idToken(tok)
- require.Error(t, err)
-}
-
 type dummyCAClientService struct {
 client fulciopb.CAClient
 server *grpc.Server
@@ -231,6 +200,25 @@ func TestSigner(t *testing.T) {
 _, err = provider.Signer(ctx)
 //this should be a tranport err since we cant actually test on 443 which is the default
 require.ErrorContains(t, err, "lookup test")
+
+ // Test signer with token read from file
+ // NOTE: this function could be refactored to accept a fileSystem or io.Reader so reading the file can be mocked,
+ // but unsure if this is the way we want to go for now
+ wd, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("failed to get working directory: %v", err)
+ }
+ rootDir := filepath.Dir(filepath.Dir(wd))
+ tp := filepath.Join(rootDir, "hack", "test.token")
+
+ provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp))
+ signer, err = provider.Signer(ctx)
+ require.NoError(t, err)
+
+ // Test signer with both token read from file and raw token
+ provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp), WithToken(token))
+ signer, err = provider.Signer(ctx)
+ require.ErrorContains(t, err, "only one of --fulcio-token-path or --fulcio-raw-token can be used")
 }
 func generateCertChain(t *testing.T) []string {
From 51ac258a6aa8a7a7eec3d59d3e42c3fded972717 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Thu, 7 Dec 2023 16:59:03 +0000
Subject: [PATCH 08/10] removing ineffectual assignments
Signed-off-by: chaosinthecrd
---
 signer/fulcio/fulcio_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/signer/fulcio/fulcio_test.go b/signer/fulcio/fulcio_test.go
index 435ab5b7..8f5a3dae 100644
--- a/signer/fulcio/fulcio_test.go
+++ b/signer/fulcio/fulcio_test.go
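Review bot: `require.ErrorContains` pins the full text of the mutual-exclusion message, so any wording change in Signer (including fixing the flag names it quotes) breaks this test even though the behaviour is unchanged. Exporting a sentinel in fulcio.go, `var ErrTokenAndTokenPath = errors.New("only one of --fulcio-token-path or --fulcio-raw-token can be used")`, returning it from the switch and asserting `require.ErrorIs(t, err, ErrTokenAndTokenPath)` here decouples the test from the wording. TestSigner starts outside this hunk.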
@@ -212,12 +212,12 @@ func TestSigner(t *testing.T) {
 tp := filepath.Join(rootDir, "hack", "test.token")
 provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp))
- signer, err = provider.Signer(ctx)
+ _, err = provider.Signer(ctx)
 require.NoError(t, err)
 // Test signer with both token read from file and raw token
 provider = New(WithFulcioURL(fmt.Sprintf("http://%v:%v", hostname, port)), WithTokenPath(tp), WithToken(token))
- signer, err = provider.Signer(ctx)
+ _, err = provider.Signer(ctx)
 require.ErrorContains(t, err, "only one of --fulcio-token-path or --fulcio-raw-token can be used")
 }
From 990446e506de60d7aa2ada3abbf8271068fa4410 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Thu, 7 Dec 2023 17:01:05 +0000
Subject: [PATCH 09/10] removing whitespace
Signed-off-by: chaosinthecrd
---
 signer/fulcio/fulcio.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index 8bef1e4d..4ad8ad61 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
@@ -230,8 +230,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 if err != nil {
 return nil, err
 }
-
- // we want to fail if both flags used (they're mutually exclusive)
+ // we want to fail if both flags used (they're mutually exclusive)
 case fsp.TokenPath != "" && fsp.Token != "":
 return nil, errors.New("only one of --fulcio-token-path or --fulcio-raw-token can be used")
 case fsp.Token != "" && fsp.TokenPath == "":
From e63d8e7832c342e50de3ec9d612099abead60b4f Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Thu, 7 Dec 2023 17:23:53 +0000
Subject: [PATCH 10/10] fixing small issue and adding test to makefile to speed things up
Signed-off-by: chaosinthecrd
---
 Makefile | 6 ++++++
 signer/fulcio/fulcio.go | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index f717d8a7..2738f0f0 100644
--- a/Makefile
+++ b/Makefile
@@ -18,3 +18,9 @@ controller-gen: $(CONTROLLER_GEN) ## Download controller-gen locally if necessar
 $(CONTROLLER_GEN): $(LOCALBIN)
 test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
 GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION)
+
+test: ## Run the go unit tests
+ go test -v -coverprofile=profile.cov -covermode=atomic ./...
+
+help: ## Display this help screen
+ @grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/signer/fulcio/fulcio.go b/signer/fulcio/fulcio.go
index 4ad8ad61..449e7553 100644
--- a/signer/fulcio/fulcio.go
+++ b/signer/fulcio/fulcio.go
@@ -215,7 +215,7 @@ func (fsp FulcioSignerProvider) Signer(ctx context.Context) (cryptoutil.Signer,
 var raw string
 switch {
- case fsp.Token == "" && os.Getenv("GITHUB_ACTIONS") == "true":
+ case fsp.Token == "" && fsp.TokenPath == "" && os.Getenv("GITHUB_ACTIONS") == "true":
 tokenURL := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL")
 if tokenURL == "" {
 return nil, errors.New("ACTIONS_ID_TOKEN_REQUEST_URL is not set")
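Review bot: The new `test` and `help` targets produce no file of that name, so they should be declared phony, `.PHONY: test help`; otherwise a file or directory called `test` or `help` in the repository root makes `make test` report the target as up to date and run nothing. The existing targets above may already be covered by a `.PHONY` line outside the hunk, which I cannot see.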