Revert "CiProvider as a new OIDCIssuer type (#1679)" (#1727)

This reverts commit 66485b6.

pkg/certificate/extensions.go

@@ -69,69 +69,69 @@ type Extensions struct {
 	// Deprecated
 	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowTrigger string `json:"GithubWorkflowTrigger,omitempty" yaml:"github-workflow-trigger,omitempty"` // OID 1.3.6.1.4.1.57264.1.2
+	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2
 
 	// Deprecated
 	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
 	// tokens from Github Actions
-	GithubWorkflowSHA string `json:"GithubWorkflowSHA,omitempty" yaml:"github-workflow-sha,omitempty"` // OID 1.3.6.1.4.1.57264.1.3
+	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3
 
 	// Deprecated
 	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowName string `json:"GithubWorkflowName,omitempty" yaml:"github-workflow-name,omitempty"` // OID 1.3.6.1.4.1.57264.1.4
+	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4
 
 	// Deprecated
 	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
 	// tokens from Github Actions
-	GithubWorkflowRepository string `json:"GithubWorkflowRepository,omitempty" yaml:"github-workflow-repository,omitempty"` // OID 1.3.6.1.4.1.57264.1.5
+	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5
 
 	// Deprecated
 	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
 	// from Github Actions
-	GithubWorkflowRef string `json:"GithubWorkflowRef,omitempty" yaml:"github-workflow-ref,omitempty"` // 1.3.6.1.4.1.57264.1.6
+	GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
 
 	// Reference to specific build instructions that are responsible for signing.
-	BuildSignerURI string `json:"BuildSignerURI,omitempty" yaml:"build-signer-uri,omitempty"` // 1.3.6.1.4.1.57264.1.9
+	BuildSignerURI string // 1.3.6.1.4.1.57264.1.9
 
 	// Immutable reference to the specific version of the build instructions that is responsible for signing.
-	BuildSignerDigest string `json:"BuildSignerDigest,omitempty" yaml:"build-signer-digest,omitempty"` // 1.3.6.1.4.1.57264.1.10
+	BuildSignerDigest string // 1.3.6.1.4.1.57264.1.10
 
 	// Specifies whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure.
-	RunnerEnvironment string `json:"RunnerEnvironment,omitempty" yaml:"runner-environment,omitempty"` // 1.3.6.1.4.1.57264.1.11
+	RunnerEnvironment string // 1.3.6.1.4.1.57264.1.11
 
 	// Source repository URL that the build was based on.
-	SourceRepositoryURI string `json:"SourceRepositoryURI,omitempty" yaml:"source-repository-uri,omitempty"` // 1.3.6.1.4.1.57264.1.12
+	SourceRepositoryURI string // 1.3.6.1.4.1.57264.1.12
 
 	// Immutable reference to a specific version of the source code that the build was based upon.
-	SourceRepositoryDigest string `json:"SourceRepositoryDigest,omitempty" yaml:"source-repository-digest,omitempty"` // 1.3.6.1.4.1.57264.1.13
+	SourceRepositoryDigest string // 1.3.6.1.4.1.57264.1.13
 
 	// Source Repository Ref that the build run was based upon.
-	SourceRepositoryRef string `json:"SourceRepositoryRef,omitempty" yaml:"source-repository-ref,omitempty"` // 1.3.6.1.4.1.57264.1.14
+	SourceRepositoryRef string // 1.3.6.1.4.1.57264.1.14
 
 	// Immutable identifier for the source repository the workflow was based upon.
-	SourceRepositoryIdentifier string `json:"SourceRepositoryIdentifier,omitempty" yaml:"source-repository-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.15
+	SourceRepositoryIdentifier string // 1.3.6.1.4.1.57264.1.15
 
 	// Source repository owner URL of the owner of the source repository that the build was based on.
-	SourceRepositoryOwnerURI string `json:"SourceRepositoryOwnerURI,omitempty" yaml:"source-repository-owner-uri,omitempty"` // 1.3.6.1.4.1.57264.1.16
+	SourceRepositoryOwnerURI string // 1.3.6.1.4.1.57264.1.16
 
 	// Immutable identifier for the owner of the source repository that the workflow was based upon.
-	SourceRepositoryOwnerIdentifier string `json:"SourceRepositoryOwnerIdentifier,omitempty" yaml:"source-repository-owner-identifier,omitempty"` // 1.3.6.1.4.1.57264.1.17
+	SourceRepositoryOwnerIdentifier string // 1.3.6.1.4.1.57264.1.17
 
 	// Build Config URL to the top-level/initiating build instructions.
-	BuildConfigURI string `json:"BuildConfigURI,omitempty" yaml:"build-config-uri,omitempty"` // 1.3.6.1.4.1.57264.1.18
+	BuildConfigURI string // 1.3.6.1.4.1.57264.1.18
 
 	// Immutable reference to the specific version of the top-level/initiating build instructions.
-	BuildConfigDigest string `json:"BuildConfigDigest,omitempty" yaml:"build-config-digest,omitempty"` // 1.3.6.1.4.1.57264.1.19
+	BuildConfigDigest string // 1.3.6.1.4.1.57264.1.19
 
 	// Event or action that initiated the build.
-	BuildTrigger string `json:"BuildTrigger,omitempty" yaml:"build-trigger,omitempty"` // 1.3.6.1.4.1.57264.1.20
+	BuildTrigger string // 1.3.6.1.4.1.57264.1.20
 
 	// Run Invocation URL to uniquely identify the build execution.
-	RunInvocationURI string `json:"RunInvocationURI,omitempty" yaml:"run-invocation-uri,omitempty"` // 1.3.6.1.4.1.57264.1.21
+	RunInvocationURI string // 1.3.6.1.4.1.57264.1.21
 
 	// Source repository visibility at the time of signing the certificate.
-	SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22
+	SourceRepositoryVisibilityAtSigning string // 1.3.6.1.4.1.57264.1.22
 }
 
 func (e Extensions) Render() ([]pkix.Extension, error) {

pkg/challenges/challenges.go

@@ -27,7 +27,6 @@ import (
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/identity"
 	"github.com/sigstore/fulcio/pkg/identity/buildkite"
-	"github.com/sigstore/fulcio/pkg/identity/ciprovider"
 	"github.com/sigstore/fulcio/pkg/identity/email"
 	"github.com/sigstore/fulcio/pkg/identity/github"
 	"github.com/sigstore/fulcio/pkg/identity/gitlabcom"
@@ -76,8 +75,6 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 		principal, err = uri.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeUsername:
 		principal, err = username.PrincipalFromIDToken(ctx, tok)
-	case config.IssuerTypeCIProvider:
-		principal, err = ciprovider.WorkflowPrincipalFromIDToken(ctx, tok)
 	default:
 		return nil, fmt.Errorf("unsupported issuer: %s", iss.Type)
 	}

pkg/config/config.go

@@ -21,7 +21,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"html/template"
 	"net/http"
 	"net/url"
 	"os"
@@ -32,7 +31,6 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	lru "github.com/hashicorp/golang-lru"
-	"github.com/sigstore/fulcio/pkg/certificate"
 	fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -62,33 +60,12 @@ type FulcioConfig struct {
 	// * https://container.googleapis.com/v1/projects/mattmoor-credit/locations/us-west1-b/clusters/tenant-cluster
 	MetaIssuers map[string]OIDCIssuer `json:"MetaIssuers,omitempty" yaml:"meta-issuers,omitempty"`
 
-	// It defines metadata to be used for the CIProvider identity provider principal.
-	// The CI provider has a generic logic for ci providers, this metadata is used
-	// to define the right behavior for each ci provider that is defined
-	// on the configuration file
-	CIIssuerMetadata map[string]IssuerMetadata `json:"CIIssuerMetadata,omitempty" yaml:"ci-issuer-metadata,omitempty"`
-
 	// verifiers is a fixed mapping from our OIDCIssuers to their OIDC verifiers.
 	verifiers map[string][]*verifierWithConfig
 	// lru is an LRU cache of recently used verifiers for our meta issuers.
 	lru *lru.TwoQueueCache
 }
 
-type IssuerMetadata struct {
-	// Defaults contains key-value pairs that can be used for filling the templates from ExtensionTemplates
-	// If a key cannot be found on the token claims, the template will use the defaults
-	DefaultTemplateValues map[string]string `json:"DefaultTemplateValues,omitempty" yaml:"default-template-values,omitempty"`
-	// ExtensionTemplates contains a mapping between certificate extension and token claim
-	// Provide either strings following https://pkg.go.dev/text/template syntax,
-	// e.g "{{ .url }}/{{ .repository }}"
-	// or non-templated strings with token claim keys to be replaced,
-	// e.g "job_workflow_sha"
-	ExtensionTemplates certificate.Extensions `json:"ExtensionTemplates,omitempty" yaml:"extension-templates,omitempty"`
-	// Template for the Subject Alternative Name extension
-	// It's typically the same value as Build Signer URI
-	SubjectAlternativeNameTemplate string `json:"SubjectAlternativeNameTemplate,omitempty" yaml:"subject-alternative-name-template,omitempty"`
-}
-
 type OIDCIssuer struct {
 	// The expected issuer of an OIDC token
 	IssuerURL string `json:"IssuerURL,omitempty" yaml:"issuer-url,omitempty"`
@@ -97,8 +74,6 @@ type OIDCIssuer struct {
 	// Used to determine the subject of the certificate and if additional
 	// certificate values are needed
 	Type IssuerType `json:"Type" yaml:"type,omitempty"`
-	// CIProvider is an optional configuration to map token claims to extensions for CI workflows
-	CIProvider string `json:"CIProvider,omitempty" yaml:"ci-provider,omitempty"`
 	// Optional, if the issuer is in a different claim in the OIDC token
 	IssuerClaim string `json:"IssuerClaim,omitempty" yaml:"issuer-claim,omitempty"`
 	// The domain that must be present in the subject for 'uri' issuer types
@@ -309,7 +284,6 @@ const (
 	IssuerTypeSpiffe            = "spiffe"
 	IssuerTypeURI               = "uri"
 	IssuerTypeUsername          = "username"
-	IssuerTypeCIProvider        = "ci-provider"
 )
 
 func parseConfig(b []byte) (cfg *FulcioConfig, err error) {
@@ -417,7 +391,7 @@ func validateConfig(conf *FulcioConfig) error {
 		}
 	}
 
-	return validateCIIssuerMetadata(conf)
+	return nil
 }
 
 var DefaultConfig = &FulcioConfig{
@@ -458,34 +432,6 @@ func FromContext(ctx context.Context) *FulcioConfig {
 	return untyped.(*FulcioConfig)
 }
 
-// It checks that the templates defined are parseable
-// We should check it during the service bootstrap to avoid errors further
-func validateCIIssuerMetadata(fulcioConfig *FulcioConfig) error {
-
-	checkParse := func(temp string) error {
-		t := template.New("").Option("missingkey=error")
-		_, err := t.Parse(temp)
-		return err
-	}
-
-	for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata {
-		v := reflect.ValueOf(ciIssuerMetadata.ExtensionTemplates)
-		for i := 0; i < v.NumField(); i++ {
-			s := v.Field(i).String()
-			err := checkParse(s)
-			if err != nil {
-				return err
-			}
-		}
-
-		err := checkParse(ciIssuerMetadata.SubjectAlternativeNameTemplate)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // Load a config from disk, or use defaults
 func Load(configPath string) (*FulcioConfig, error) {
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
@@ -570,8 +516,6 @@ func issuerToChallengeClaim(issType IssuerType, challengeClaim string) string {
 		return "email"
 	case IssuerTypeGithubWorkflow:
 		return "sub"
-	case IssuerTypeCIProvider:
-		return "sub"
 	case IssuerTypeCodefreshWorkflow:
 		return "sub"
 	case IssuerTypeChainguard:

pkg/config/config_network_test.go

@@ -25,7 +25,6 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
-	"github.com/sigstore/fulcio/pkg/certificate"
 )
 
 func TestLoad(t *testing.T) {
@@ -69,61 +68,6 @@ func TestLoad(t *testing.T) {
 	}
 }
 
-func TestParseTemplate(t *testing.T) {
-
-	validTemplate := "{{.foobar}}"
-	invalidTemplate := "{{.foobar}"
-	ciissuerMetadata := make(map[string]IssuerMetadata)
-	ciissuerMetadata["github"] = IssuerMetadata{
-		ExtensionTemplates: certificate.Extensions{
-			BuildTrigger: invalidTemplate,
-		},
-	}
-	fulcioConfig := &FulcioConfig{
-		CIIssuerMetadata: ciissuerMetadata,
-	}
-	// BuildTrigger as a invalid template should raise an error
-	err := validateCIIssuerMetadata(fulcioConfig)
-	if err == nil {
-		t.Error("invalid template should raise an error")
-	}
-	ciissuerMetadata["github"] = IssuerMetadata{
-		ExtensionTemplates: certificate.Extensions{
-			BuildTrigger: validTemplate,
-		},
-	}
-	fulcioConfig = &FulcioConfig{
-		CIIssuerMetadata: ciissuerMetadata,
-	}
-	// BuildTrigger as a valid template shouldn't raise an error
-	err = validateCIIssuerMetadata(fulcioConfig)
-	if err != nil {
-		t.Error("valid template shouldn't raise an error, error: %w", err)
-	}
-	ciissuerMetadata["github"] = IssuerMetadata{
-		SubjectAlternativeNameTemplate: invalidTemplate,
-	}
-	fulcioConfig = &FulcioConfig{
-		CIIssuerMetadata: ciissuerMetadata,
-	}
-	// A SAN as a invalid template should raise an error
-	err = validateCIIssuerMetadata(fulcioConfig)
-	if err == nil {
-		t.Error("invalid SAN should raise an error")
-	}
-	ciissuerMetadata["github"] = IssuerMetadata{
-		SubjectAlternativeNameTemplate: invalidTemplate,
-	}
-	fulcioConfig = &FulcioConfig{
-		CIIssuerMetadata: ciissuerMetadata,
-	}
-	// A SAN as a valid template should raise an error
-	err = validateCIIssuerMetadata(fulcioConfig)
-	if err == nil {
-		t.Error("valid SAN shouldn't raise an error")
-	}
-}
-
 func TestLoadDefaults(t *testing.T) {
 	td := t.TempDir()
 

pkg/config/config_test.go

@@ -492,9 +492,6 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}
-	if claim := issuerToChallengeClaim(IssuerTypeCIProvider, ""); claim != "sub" {
-		t.Fatalf("expected sub subject claim for CI issuer, got %s", claim)
-	}
 	if claim := issuerToChallengeClaim(IssuerTypeGitLabPipeline, ""); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitLab issuer, got %s", claim)
 	}