// SPDX-License-Identifier: Apache-2.0
package build
import (
"fmt"
"net/http"
"github.com/gin-gonic/gin"
"github.com/sirupsen/logrus"
"github.com/go-vela/server/constants"
"github.com/go-vela/server/database"
"github.com/go-vela/server/internal/token"
"github.com/go-vela/server/router/middleware/build"
"github.com/go-vela/server/router/middleware/claims"
"github.com/go-vela/server/util"
"github.com/go-vela/types/library"
)
// swagger:operation GET /api/v1/repos/{org}/{repo}/builds/{build}/id_token builds GetIDToken
//
// Get a Vela OIDC token for a build
//
// ---
// produces:
// - application/json
// parameters:
// - in: path
// name: org
// description: Name of the organization
// required: true
// type: string
// - in: path
// name: repo
// description: Name of the repository
// required: true
// type: string
// - in: path
// name: build
// description: Build number
// required: true
// type: integer
// - in: query
// name: audience
// description: Audience value(s) to include in the token's aud claim; at least one non-empty value must be supplied or the request is rejected with 400
// type: array
// items:
// type: string
// collectionFormat: multi
// security:
// - ApiKeyAuth: []
// responses:
// '200':
// description: Successfully retrieved ID token
// schema:
// "$ref": "#/definitions/Token"
// '400':
// description: Invalid request payload or path
// schema:
// "$ref": "#/definitions/Error"
// '401':
// description: Unauthorized
// schema:
// "$ref": "#/definitions/Error"
// '404':
// description: Not found
// schema:
// "$ref": "#/definitions/Error"
// '500':
// description: Unexpected server error
// schema:
// "$ref": "#/definitions/Error"
// GetIDToken represents the API handler to generate an ID token for a build, with the aud claim set from the caller-supplied audience query values.
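func GetIDToken(c *gin.Context) {
	// capture middleware values
	l := c.MustGet("logger").(*logrus.Entry)
	b := build.Retrieve(c)
	cl := claims.Retrieve(c)
	ctx := c.Request.Context()

	l.Infof("generating ID token for build %s/%d", b.GetRepo().GetFullName(), b.GetNumber())

	// retrieve token manager from context
	tm := c.MustGet("token-manager").(*token.Manager)

	// the audience is caller-supplied (query string) and ends up in the aud
	// claim of the minted token; collect the usable values first so that a
	// token is never minted with an empty aud
	var audience []string
	for _, a := range c.QueryArray("audience") {
		// test emptiness AFTER sanitizing: a value that util.Sanitize strips
		// down to nothing must not become an empty aud entry
		if s := util.Sanitize(a); len(s) > 0 {
			audience = append(audience, s)
		}
	}

	if len(audience) == 0 {
		retErr := fmt.Errorf("unable to generate ID token: no audience provided")
		util.HandleError(c, http.StatusBadRequest, retErr)
		return
	}

	// NOTE(review): neither the number of audience values nor their length is
	// bounded here; whether that matters depends on what util.Sanitize and
	// token.Manager enforce — confirm before relying on it.
	l.Debugf("ID token audience requested: %q", audience)

	// set mint token options; image/request/commands are copied from the
	// caller's claims (presumably so the ID token carries the same step
	// context — see token.Manager for how they are used)
	idmto := &token.MintTokenOpts{
		Build:         b,
		Repo:          b.GetRepo().GetFullName(),
		TokenType:     constants.IDTokenType,
		TokenDuration: tm.IDTokenDuration,
		Image:         cl.Image,
		Request:       cl.Request,
		Commands:      cl.Commands,
		Audience:      audience,
	}

	// mint token
	idt, err := tm.MintIDToken(ctx, idmto, database.FromContext(c))
	if err != nil {
		retErr := fmt.Errorf("unable to generate ID token: %w", err)
		util.HandleError(c, http.StatusInternalServerError, retErr)
		return
	}

	c.JSON(http.StatusOK, library.Token{Token: &idt})
}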