Support Gitpod workspaces #3601

Status: Open. Wants to merge 2 commits into base: main. Changes from 1 commit.
adding checks for gitpod tokens
Signed-off-by: Edward Brough <[email protected]>
ChevronTango committed Mar 15, 2024
commit f46de86ddf37fe5b701df8323f52d7eadfc99972
30 changes: 28 additions & 2 deletions pkg/providers/gitpod/gitpod.go
@@ -16,7 +16,9 @@
package gitpod

import (
"bytes"
"context"
"encoding/json"
"os/exec"

"github.com/sigstore/cosign/v2/pkg/cosign/env"
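Review bot: the new `bytes` import is only needed because `Enabled` below wraps `output` in `bytes.NewBuffer` to feed a `json.NewDecoder`; `json.Unmarshal(output, &token)` does the same thing in one call and lets this hunk drop `bytes`. If the `gp` probe is to be bounded by a deadline, as the timeout question in the review asks, `time` will also need to be imported here alongside `context` and `os/exec`.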
@@ -33,12 +35,36 @@ var _ providers.Interface = (*gitpod)(nil)

// Enabled implements providers.Interface
func (ga *gitpod) Enabled(_ context.Context) bool {
return env.Getenv(env.VariableGitpodWorkspaceId) != ""
// Check we are in a Gitpod Workspace
if env.Getenv(env.VariableGitpodWorkspaceId) != "" {

//Check we are able to generate tokens with a verified email address
Contributor (inline review comment), suggested change:
//Check we are able to generate tokens with a verified email address
// Check we are able to generate tokens with a verified email address
(golangci-lint run will catch this)

output, err := exec.Command("gp", "idp", "token", "--audience", "example.org", "--decode").Output()
Contributor (inline review comment):

How necessary is this check, if the workspace variable is known to be set? The github provider, for example, only bothers to check the variable.

Is there a timeout option for this command?

All the providers are looped through when a new signer is created, so if this command doesn't exit quickly when not enabled, it will stall keyless signing.

if err != nil {
return false
}

var token struct {
Payload *struct {
Email *string `json:"email"`
EmailVerified bool `json:"email_verified"`
} `json:"Payload"`
}
dec := json.NewDecoder(bytes.NewBuffer(output))
if err := dec.Decode(&token); err != nil {
return false
}

if token.Payload != nil {
return token.Payload.Email != nil && token.Payload.EmailVerified
}
}
return false
}

// Provide implements providers.Interface
func (ga *gitpod) Provide(ctx context.Context, audience string) (string, error) {
token, err := exec.Command("gp idp token --audience " + audience).Output()
token, err := exec.Command("gp", "idp", "token", "--audience", audience).Output()
if err != nil {
return "", err
}
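Review bot: `Enabled` discards its context (`_ context.Context`) and then runs `gp idp token` through plain `exec.Command`, so a `gp` binary that hangs or prompts blocks the provider loop with no way to cancel it, which is exactly the stall the review comment above warns about. Name the parameter, derive a short deadline from it and use `exec.CommandContext`, e.g.
`ctx, cancel := context.WithTimeout(ctx, 5*time.Second)`
`defer cancel()`
`output, err := exec.CommandContext(ctx, "gp", "idp", "token", "--audience", "example.org", "--decode").Output()`
and apply the same to `Provide`, which does receive `ctx` but also ignores it. A second point on the same probe: it mints a real token for the audience `example.org` every time a signer is constructed, purely to read the `email_verified` claim; if `gp idp token --decode` can show claims without issuing a fresh credential, or the verified-email check can move into `Provide` where a token is needed anyway, the throwaway token goes away. The `Provide` change from one concatenated string to separate arguments is correct and should stay: `exec.Command` does not go through a shell, so the old call looked for a binary literally named `gp idp token --audience <audience>`.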
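As an added example, not code from this PR or from cosign, the following shows the shape of the deadline-bounded probe the review comment above asks about: `probeCommand` runs a CLI under `exec.CommandContext` so a hung binary is killed at the deadline instead of stalling the provider loop, `hasVerifiedEmail` decodes the `Payload.email` and `email_verified` fields the PR's `Enabled` expects and reports disabled when either is missing, and `enabledWithProbe` ties the two together. The function names, the deadlines, the sample JSON, and the use of `sh` and `sleep` as offline stand-ins for `gp` are assumptions made for this example; the output format of `gp idp token --decode` is taken on trust from the struct in the PR.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"time"
)

// decodedToken mirrors the shape the PR's Enabled decodes from
// `gp idp token --decode`: a Payload object carrying the OIDC email claims.
// Field names follow the PR; the real gp output format is assumed here.
type decodedToken struct {
	Payload *struct {
		Email         *string `json:"email"`
		EmailVerified bool    `json:"email_verified"`
	} `json:"Payload"`
}

// hasVerifiedEmail reports whether the decoded token carries a non-empty
// email claim that the issuer marked as verified. A missing payload, a
// missing or empty email, or email_verified=false all mean "not usable",
// and only malformed JSON is reported as an error.
func hasVerifiedEmail(output []byte) (bool, error) {
	var tok decodedToken
	if err := json.Unmarshal(output, &tok); err != nil {
		return false, fmt.Errorf("decode token: %w", err)
	}
	if tok.Payload == nil || tok.Payload.Email == nil || *tok.Payload.Email == "" {
		return false, nil
	}
	return tok.Payload.EmailVerified, nil
}

// probeCommand runs name with args and returns its stdout, but never waits
// longer than timeout: the child is killed when the deadline passes, so a
// hung or interactive CLI cannot block the caller. Timeouts are wrapped with
// context.DeadlineExceeded so callers can tell them apart from a missing
// binary or a non-zero exit.
func probeCommand(ctx context.Context, timeout time.Duration, name string, args ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, name, args...).Output()
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		return nil, fmt.Errorf("%s timed out after %s: %w", name, timeout, context.DeadlineExceeded)
	}
	if err != nil {
		return nil, fmt.Errorf("%s failed: %w", name, err)
	}
	return out, nil
}

// enabledWithProbe is the shape of an Enabled check that honours its context:
// it reports enabled only if the probe returns a verified-email token before
// the deadline, and disabled (never an error) on timeout or any failure.
func enabledWithProbe(ctx context.Context, timeout time.Duration, name string, args ...string) bool {
	out, err := probeCommand(ctx, timeout, name, args...)
	if err != nil {
		return false
	}
	ok, err := hasVerifiedEmail(out)
	return err == nil && ok
}

func main() {
	// Constructed stand-in for `gp idp token --decode` output so this runs offline.
	verified := `{"Payload":{"email":"dev@example.com","email_verified":true}}`
	fmt.Println(enabledWithProbe(context.Background(), 2*time.Second, "sh", "-c", "echo '"+verified+"'"))
	// A probe that hangs is cut off at the deadline and reported as disabled.
	fmt.Println(enabledWithProbe(context.Background(), 200*time.Millisecond, "sleep", "5"))
}
```

On Go 1.20 and later, also set `Cmd.WaitDelay` on the command: `CommandContext` kills only the direct child, and a grandchild that inherits stdout can otherwise keep `Output()` waiting for the pipe to close after the context has already fired.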