get token

KiranSatyaRaj · Sep 14, 2024 · 107502a · 107502a
1 parent 071c7b7
commit 107502a
Show file tree

Hide file tree

Showing 4 changed files with 164 additions and 16 deletions.
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -29,8 +29,8 @@ jobs:
       - name: Install maven program
         run: mvn install
 
-      - name: Print Successfull
-        run: echo "SUCCESS"
-
       - name: Execute Main artifact
         run: mvn exec:java -Dexec.mainClass="ce.kiran.Main"
+
+      - name: Print Successful
+        run: echo "SUCCESS"
diff --git a/pom.xml b/pom.xml
@@ -14,6 +14,10 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
                 <version>3.13.0</version>
+                <configuration>
+                    <source>11</source>
+                    <target>11</target>
+                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
@@ -34,6 +38,36 @@
             <artifactId>sigstore-java</artifactId>
             <version>0.11.0</version>
         </dependency>
+        <!-- https://mvnrepository.com/artifact/com.google.http-client/google-http-client -->
+        <dependency>
+            <groupId>com.google.http-client</groupId>
+            <artifactId>google-http-client</artifactId>
+            <version>1.42.3</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.oauth-client</groupId>
+            <artifactId>google-oauth-client</artifactId>
+            <version>1.31.2</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/com.google.api-client/google-api-client-gson -->
+        <dependency>
+            <groupId>com.google.api-client</groupId>
+            <artifactId>google-api-client-gson</artifactId>
+            <version>2.6.0</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/com.google.api.client/google-api-client-json -->
+        <dependency>
+            <groupId>com.google.api.client</groupId>
+            <artifactId>google-api-client-json</artifactId>
+            <version>1.2.3-alpha</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/io.grpc/grpc-core -->
+        <dependency>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-core</artifactId>
+            <version>1.66.0</version>
+        </dependency>
+
     </dependencies>
 
 </project>
diff --git a/src/main/java/ce/kiran/CustomOidcClient.java b/src/main/java/ce/kiran/CustomOidcClient.java
@@ -0,0 +1,121 @@
+package ce.kiran;
+
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpRequest;
+import com.google.api.client.json.GenericJson;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.api.client.json.webtoken.JsonWebSignature;
+import com.google.api.client.util.Key;
+import dev.sigstore.http.HttpClients;
+import dev.sigstore.http.HttpParams;
+import dev.sigstore.http.ImmutableHttpParams;
+import dev.sigstore.oidc.client.*;
+import io.grpc.Internal;
+
+import java.io.IOException;
+import java.util.Map;
+import java.util.logging.Logger;
+
+public class CustomOidcClient implements OidcClient {
+    private static final Logger log = Logger.getLogger(GithubActionsOidcClient.class.getName());
+    static final String GITHUB_ACTIONS_KEY = "GITHUB_ACTIONS";
+    static final String REQUEST_TOKEN_KEY = "ACTIONS_ID_TOKEN_REQUEST_TOKEN";
+    static final String REQUEST_URL_KEY = "ACTIONS_ID_TOKEN_REQUEST_URL";
+    private static final String DEFAULT_AUDIENCE = "sigstore";
+    private final String audience;
+    private final HttpParams httpParams;
+    private String id_token;
+
+    public static Builder builder() {
+        return new CustomOidcClient.Builder();
+    }
+
+    private CustomOidcClient(HttpParams httpParams, String audience) {
+        this.audience = audience;
+        this.httpParams = httpParams;
+    }
+
+    public boolean isEnabled(Map<String, String> env) {
+        String githubActions = (String)env.get("GITHUB_ACTIONS");
+        if (githubActions != null && !githubActions.isEmpty()) {
+            String bearer = (String)env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
+            String urlBase = (String)env.get("ACTIONS_ID_TOKEN_REQUEST_URL");
+            if (bearer != null && !bearer.isEmpty() && urlBase != null && !urlBase.isEmpty()) {
+                return true;
+            } else {
+                log.info("Github env detected, but github idtoken not found: skipping github actions oidc");
+                return false;
+            }
+        } else {
+            log.fine("Github env not detected: skipping github actions oidc");
+            return false;
+        }
+    }
+
+    public OidcToken getIDToken(Map<String, String> env) throws OidcException {
+        String bearer = (String)env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
+        String urlBase = (String)env.get("ACTIONS_ID_TOKEN_REQUEST_URL");
+        if (bearer == null) {
+            throw new OidcException("Could not get github actions environment variable 'ACTIONS_ID_TOKEN_REQUEST_TOKEN'");
+        } else if (urlBase == null) {
+            throw new OidcException("Could not get github actions environment variable 'ACTIONS_ID_TOKEN_REQUEST_URL'");
+        } else {
+            GenericUrl url = new GenericUrl(urlBase + "&audience=" + this.audience);
+
+            try {
+                HttpRequest req = HttpClients.newRequestFactory(this.httpParams).buildGetRequest(url);
+                req.setParser((new GsonFactory()).createJsonObjectParser());
+                req.getHeaders().setAuthorization("Bearer " + bearer);
+                req.getHeaders().setAccept("application/json; api-version=2.0");
+                req.getHeaders().setContentType("application/json");
+                GithubActionsOidcClient.GithubOidcJsonResponse resp = (GithubActionsOidcClient.GithubOidcJsonResponse)req.execute().parseAs(GithubActionsOidcClient.GithubOidcJsonResponse.class);
+                String idToken = resp.toString();
+                this.id_token = idToken;
+                JsonWebSignature jws = JsonWebSignature.parse(new GsonFactory(), idToken);
+                return ImmutableOidcToken.builder().idToken(idToken).issuer(jws.getPayload().getIssuer()).subjectAlternativeName(jws.getPayload().getSubject()).build();
+            } catch (IOException var9) {
+                IOException e = var9;
+                throw new OidcException("Could not obtain github actions oidc token", e);
+            }
+        }
+    }
+
+    public String getIdToken() {
+        return this.id_token;
+    }
+
+    @Internal
+    public static class GithubOidcJsonResponse extends GenericJson {
+        @Key("value")
+        private String value;
+
+        public GithubOidcJsonResponse() {
+        }
+
+        String getValue() {
+            return this.value;
+        }
+    }
+
+    public static class Builder {
+        private HttpParams httpParams = ImmutableHttpParams.builder().build();
+        private String audience = "sigstore";
+
+        private Builder() {
+        }
+
+        public CustomOidcClient.Builder audience(String audience) {
+            this.audience = audience;
+            return this;
+        }
+
+        public CustomOidcClient.Builder httpParams(HttpParams httpParams) {
+            this.httpParams = httpParams;
+            return this;
+        }
+
+        public CustomOidcClient build() {
+            return new CustomOidcClient(this.httpParams, this.audience);
+        }
+    }
+}
diff --git a/src/main/java/ce/kiran/Main.java b/src/main/java/ce/kiran/Main.java
@@ -19,29 +19,22 @@
 import java.util.Map;
 
 public class Main {
+    private static String token;
     private static OidcClients retrieveOidcClients() {
         GithubActionsOidcClient client = GithubActionsOidcClient.builder().build();
         return OidcClients.of(client);
     }
 
     private static Bundle signPayload() throws InvalidAlgorithmParameterException, CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, KeylessSignerException {
         Path filePath = Paths.get("src/main/java/ce/kiran/hello.txt");
-        KeylessSigner signer = new SetDefaults().setOidcClients(retrieveOidcClients());
+        CustomOidcClient client = CustomOidcClient.builder().build();
+        token = client.getIdToken();
+        KeylessSigner signer = new SetDefaults().setOidcClients(OidcClients.of(client));
         return signer.signFile(filePath);
     }
     public static void main(String[] args) throws InvalidAlgorithmParameterException, CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, KeylessSignerException, OidcException {
         Bundle result = signPayload();
-        OidcClients clients = retrieveOidcClients();
-//        System.out.println("Oidc info: " + clients);
-//        System.out.println("Signature is " + result.getCertPath().getCertificates().getFirst().toString());
-        GithubActionsOidcClient client = GithubActionsOidcClient.builder().build();
-        Map<String, String> env = System.getenv();
-        OidcToken token = client.getIDToken(env);
-//        System.out.printf("Oidc token is %s\n", token.getIdToken());
-//        System.out.printf("Issuer is %s\n", token.getIssuer());
-//        System.out.printf("Subject is %s\n", token.getSubjectAlternativeName());
-        System.out.println("Github Actions : " + env.get("GITHUB_ACTIONS"));
-        System.out.println("Token : " + env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN"));
-        System.out.println("URL : " + env.get("ACTIONS_ID_TOKEN_REQUEST_URL"));
+        System.out.println(token);
+        System.out.println(result.toJson());
     }
 }