Documentation
¶
Index ¶
Constants ¶
// Provider name identifiers. GitHubActions, GitLab and Buildkite are the keys
// of DefaultOIDCProviders and the entries of DefaultProviderNames; Unspecified
// has no entry in either.
const (
	Unspecified   = "unspecified"
	Buildkite     = "buildkite"
	GitHubActions = "github_actions"
	GitLab        = "gitlab"
)
Variables ¶
var (
	// ErrInvalidProvider is the sentinel error for an invalid provider.
	// NOTE(review): which calls return it is not shown on this page — confirm.
	ErrInvalidProvider = errors.New("invalid provider")

	// DefaultOIDCProviders pins, per provider name, the expected token issuer
	// and the HTTPS JWKS endpoint for that issuer.
	//
	// Each issuer below is a shared SaaS endpoint: every tenant on that
	// platform receives tokens from the same issuer. A token that passes
	// issuer and signature checks therefore only proves "some pipeline on
	// this platform"; authorization still has to match tenant claims (for
	// example repository_owner_id or organization_id) against an allow-list.
	//
	// The GitLab entry covers gitlab.com only; a self-managed instance has
	// its own issuer and JWKS URL and needs its own entry.
	//
	// The map is exported and mutable. Treat it as read-only and pass a copy
	// when a caller needs to add or change providers.
	DefaultOIDCProviders = map[string]OIDCProvider{
		GitHubActions: {
			Issuer:  "https://token.actions.githubusercontent.com",
			JWKSURL: "https://token.actions.githubusercontent.com/.well-known/jwks",
		},
		GitLab: {
			Issuer:  "https://gitlab.com",
			JWKSURL: "https://gitlab.com/oauth/discovery/keys",
		},
		Buildkite: {
			Issuer:  "https://agent.buildkite.com",
			JWKSURL: "https://agent.buildkite.com/.well-known/jwks",
		},
	}

	// DefaultProviderNames lists the provider names that have an entry in
	// DefaultOIDCProviders.
	DefaultProviderNames = []string{
		GitHubActions,
		GitLab,
		Buildkite,
	}
)
Functions ¶
func NewOIDCAuthInterceptor ¶ added in v1.8.0
// NewOIDCAuthInterceptor builds a connect.UnaryInterceptorFunc from an
// audience string and an OIDCCachingValidator.
//
// A connect.UnaryInterceptorFunc wraps unary RPCs only and has no effect on
// streaming RPCs, so streaming handlers need their own authentication.
//
// NOTE(review): the body is not shown on this page. Presumably it validates
// the request's token with validator.ValidateToken against audience and
// rejects the call on failure — confirm, including how a missing token is
// handled.
func NewOIDCAuthInterceptor(audience string, validator *OIDCCachingValidator) connect.UnaryInterceptorFunc
Types ¶
type BuildkiteClaims ¶ added in v1.8.0
// BuildkiteClaims holds the provider-specific claims decoded from a Buildkite
// OIDC token, keyed by the JSON names in the field tags.
//
// These values are only meaningful once the token itself has been validated.
// For authorization, organization_id is the tenant discriminator to prefer:
// a slug is a display name, while an ID is not expected to be reassigned.
// NOTE(review): confirm how callers map these claims to an owner.
type BuildkiteClaims struct {
	// Tenant and pipeline identity.
	OrganizationSlug string `json:"organization_slug"`
	OrganizationID   string `json:"organization_id"`
	PipelineSlug     string `json:"pipeline_slug"`
	// What was built.
	BuildBranch string `json:"build_branch"`
	BuildTag    string `json:"build_tag"`
	BuildCommit string `json:"build_commit"`
	// Where in the build the token was requested.
	StepKey           string `json:"step_key"`
	JobId             string `json:"job_id"`
	AgentId           string `json:"agent_id"`
	BuildSource       string `json:"build_source"`
	RunnerEnvironment string `json:"runner_environment"`
	// BuildNumber is the only claim here decoded as an int.
	BuildNumber int `json:"build_number"`
}
BuildkiteClaims is the struct for the claims in the Buildkite OIDC token
type GitHubActionsClaims ¶ added in v1.8.0
// GitHubActionsClaims holds the provider-specific claims decoded from a GitHub
// Actions OIDC token, keyed by the JSON names in the field tags. Every field
// is decoded as a string.
//
// For authorization, prefer the ID claims (repository_owner_id,
// repository_id) over the name claims: account and repository names can be
// changed or re-registered, IDs cannot. When a policy is meant to trust only
// specific branches or workflows, also match ref, event_name and
// job_workflow_ref rather than the repository alone.
type GitHubActionsClaims struct {
	Ref                  string `json:"ref"`
	Sha                  string `json:"sha"`
	Repository           string `json:"repository"`
	RepositoryOwner      string `json:"repository_owner"`
	RepositoryOwnerID    string `json:"repository_owner_id"`
	RunId                string `json:"run_id"`
	RunNumber            string `json:"run_number"`
	RunAttempt           string `json:"run_attempt"`
	RepositoryVisibility string `json:"repository_visibility"`
	RepositoryID         string `json:"repository_id"`
	ActorId              string `json:"actor_id"`
	Actor                string `json:"actor"`
	Workflow             string `json:"workflow"`
	// HeadRef and BaseRef carry the head_ref and base_ref claims.
	HeadRef   string `json:"head_ref"`
	BaseRef   string `json:"base_ref"`
	EventName string `json:"event_name"`
	// RefProtected is a string, not a bool: compare it with the expected
	// literal instead of testing for non-empty.
	RefProtected string `json:"ref_protected"`
	RefType      string `json:"ref_type"`
	// WorkflowRef/WorkflowSha and JobWorkflowRef/JobWorkflowSha are distinct
	// claim pairs; a policy has to choose explicitly which pair it pins.
	WorkflowRef       string `json:"workflow_ref"`
	WorkflowSha       string `json:"workflow_sha"`
	JobWorkflowRef    string `json:"job_workflow_ref"`
	JobWorkflowSha    string `json:"job_workflow_sha"`
	RunnerEnvironment string `json:"runner_environment"`
}
type OIDCCachingValidator ¶ added in v1.8.0
// OIDCCachingValidator validates OIDC tokens through its ValidateToken method
// and is constructed with NewOIDCValidator.
//
// NOTE(review): what is cached (presumably the fetched JWKS keys) and for how
// long is not visible on this page. Confirm the refresh behaviour, since it
// bounds how quickly a rotated or withdrawn signing key stops being accepted.
type OIDCCachingValidator struct {
	// contains filtered or unexported fields
}
OIDCCachingValidator manages OIDC token validation.
func NewOIDCValidator ¶ added in v1.8.0
// NewOIDCValidator returns an *OIDCCachingValidator for the given providers,
// keyed by provider name; DefaultOIDCProviders has the matching type.
//
// Only issuers in oidcProviders should be trusted, so pass the smallest set
// the deployment needs rather than the full defaults.
//
// NOTE(review): the body is not shown. Whether construction fetches JWKS over
// the network using ctx, and which conditions produce the error, need
// confirming.
func NewOIDCValidator(ctx context.Context, oidcProviders map[string]OIDCProvider) (*OIDCCachingValidator, error)
func (*OIDCCachingValidator) ValidateToken ¶ added in v1.8.0
// ValidateToken takes a raw token string and the audience the caller expects,
// and returns an OIDCIdentity or an error.
//
// expectedAudience should be this service's own configured audience, never a
// value taken from the request being authenticated. The returned identity
// must not be used when the error is non-nil.
//
// NOTE(review): the checks performed (signature, iss, aud, exp/nbf, accepted
// algorithms) are not listed on this page — confirm each one, and confirm
// that an empty expectedAudience is rejected rather than skipping the check.
func (v *OIDCCachingValidator) ValidateToken(ctx context.Context, tokenStr, expectedAudience string) (OIDCIdentity, error)
type OIDCIdentity ¶ added in v1.8.0
// OIDCIdentity is the identity returned by ValidateToken and GetOIDCIdentity.
type OIDCIdentity interface {
	// Provider returns the provider name.
	// NOTE(review): presumably one of the provider constants — confirm.
	Provider() string
	// Claims is untyped; callers have to type-assert and must handle the
	// assertion failing. NOTE(review): presumably a BuildkiteClaims or
	// GitHubActionsClaims value depending on Provider — confirm, including
	// pointer versus value.
	Claims() any
	// Owner returns the owner as a string.
	// NOTE(review): which claim it is derived from per provider is not shown;
	// confirm before using it as an authorization key.
	Owner() string
	// Subject and Issuer presumably expose the token's sub and iss claims —
	// confirm.
	Subject() string
	Issuer() string
}
func GetOIDCIdentity ¶ added in v1.8.0
// GetOIDCIdentity returns the OIDCIdentity associated with ctx.
//
// NOTE(review): the page does not say what is returned when ctx carries no
// identity (for example on a path the interceptor did not run on). Callers
// should nil-check the result and deny by default before making an
// authorization decision.
func GetOIDCIdentity(ctx context.Context) OIDCIdentity
type OIDCProvider ¶ added in v1.8.0
type ZeroLogErrorSink ¶ added in v1.8.0
// ZeroLogErrorSink is an empty struct; its methods are not listed on this
// page.
// NOTE(review): presumably it forwards errors to a zerolog logger — confirm,
// and confirm that raw token strings are never part of what it logs.
type ZeroLogErrorSink struct {
}