Skip to content

Commit 43ecf94

Browse files
Turbo87Turbo87
committed
trustpub/exchange: Save JWT claims subset in the trustpub_data column
1 parent be5f0a0 commit 43ecf94

File tree

2 files changed

+48
-10
lines changed
  • crates/crates_io_trustpub/src/github
  • src/controllers/trustpub/tokens/exchange

2 files changed

+48
-10
lines changed

crates/crates_io_trustpub/src/github/claims.rs

Lines changed: 40 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,8 @@ pub struct GitHubClaims {
2525
pub repository: String,
2626
pub workflow_ref: String,
2727
pub environment: Option<String>,
28+
pub run_id: String,
29+
pub sha: String,
2830
}
2931

3032
impl GitHubClaims {
@@ -116,7 +118,9 @@ mod tests {
116118
"repository_owner_id": "65",
117119
"repository": "octo-org/octo-repo",
118120
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
119-
"environment": "prod"
121+
"environment": "prod",
122+
"run_id": "example-run-id",
123+
"sha": "example-sha"
120124
}
121125
"#);
122126

@@ -132,6 +136,8 @@ mod tests {
132136
"aud": AUDIENCE,
133137
"repository": "octo-org/octo-repo",
134138
"repository_owner_id": "65",
139+
"run_id": "example-run-id",
140+
"sha": "example-sha",
135141
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
136142
"iss": "https://token.actions.githubusercontent.com",
137143
"exp": now + 30,
@@ -148,7 +154,9 @@ mod tests {
148154
"repository_owner_id": "65",
149155
"repository": "octo-org/octo-repo",
150156
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
151-
"environment": null
157+
"environment": null,
158+
"run_id": "example-run-id",
159+
"sha": "example-sha"
152160
}
153161
"#);
154162

@@ -163,14 +171,16 @@ mod tests {
163171
"aud": AUDIENCE,
164172
"repository": "octo-org/octo-repo",
165173
"repository_owner_id": "65",
174+
"run_id": "example-run-id",
175+
"sha": "example-sha",
166176
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
167177
"iss": "https://token.actions.githubusercontent.com",
168178
"exp": now + 30,
169179
"iat": now,
170180
}))?;
171181

172182
let error = GitHubClaims::decode(&jwt, AUDIENCE, &DECODING_KEY).unwrap_err();
173-
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `jti`", line: 1, column: 251)))"#);
183+
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `jti`", line: 1, column: 297)))"#);
174184

175185
Ok(())
176186
}
@@ -184,6 +194,8 @@ mod tests {
184194
"aud": "somebody-else",
185195
"repository": "octo-org/octo-repo",
186196
"repository_owner_id": "65",
197+
"run_id": "example-run-id",
198+
"sha": "example-sha",
187199
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
188200
"iss": "https://token.actions.githubusercontent.com",
189201
"exp": now + 30,
@@ -205,6 +217,8 @@ mod tests {
205217
"aud": [AUDIENCE, "somebody-else"],
206218
"repository": "octo-org/octo-repo",
207219
"repository_owner_id": "65",
220+
"run_id": "example-run-id",
221+
"sha": "example-sha",
208222
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
209223
"iss": "https://token.actions.githubusercontent.com",
210224
"exp": now + 30,
@@ -224,14 +238,16 @@ mod tests {
224238
"jti": "example-id",
225239
"aud": AUDIENCE,
226240
"repository_owner_id": "65",
241+
"run_id": "example-run-id",
242+
"sha": "example-sha",
227243
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
228244
"iss": "https://token.actions.githubusercontent.com",
229245
"exp": now + 30,
230246
"iat": now,
231247
}))?;
232248

233249
let error = GitHubClaims::decode(&jwt, AUDIENCE, &DECODING_KEY).unwrap_err();
234-
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `repository`", line: 1, column: 236)))"#);
250+
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `repository`", line: 1, column: 282)))"#);
235251

236252
Ok(())
237253
}
@@ -243,14 +259,16 @@ mod tests {
243259
"jti": "example-id",
244260
"aud": AUDIENCE,
245261
"repository": "octo-org/octo-repo",
262+
"run_id": "example-run-id",
263+
"sha": "example-sha",
246264
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
247265
"iss": "https://token.actions.githubusercontent.com",
248266
"exp": now + 30,
249267
"iat": now,
250268
}))?;
251269

252270
let error = GitHubClaims::decode(&jwt, AUDIENCE, &DECODING_KEY).unwrap_err();
253-
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `repository_owner_id`", line: 1, column: 243)))"#);
271+
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `repository_owner_id`", line: 1, column: 289)))"#);
254272

255273
Ok(())
256274
}
@@ -263,13 +281,15 @@ mod tests {
263281
"aud": AUDIENCE,
264282
"repository": "octo-org/octo-repo",
265283
"repository_owner_id": "65",
284+
"run_id": "example-run-id",
285+
"sha": "example-sha",
266286
"iss": "https://token.actions.githubusercontent.com",
267287
"exp": now + 30,
268288
"iat": now,
269289
}))?;
270290

271291
let error = GitHubClaims::decode(&jwt, AUDIENCE, &DECODING_KEY).unwrap_err();
272-
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `workflow_ref`", line: 1, column: 185)))"#);
292+
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `workflow_ref`", line: 1, column: 231)))"#);
273293

274294
Ok(())
275295
}
@@ -283,6 +303,8 @@ mod tests {
283303
"aud": AUDIENCE,
284304
"repository": "octo-org/octo-repo",
285305
"repository_owner_id": "65",
306+
"run_id": "example-run-id",
307+
"sha": "example-sha",
286308
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
287309
"exp": now + 30,
288310
"iat": now,
@@ -303,6 +325,8 @@ mod tests {
303325
"aud": AUDIENCE,
304326
"repository": "octo-org/octo-repo",
305327
"repository_owner_id": "65",
328+
"run_id": "example-run-id",
329+
"sha": "example-sha",
306330
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
307331
"iss": "https://gitlab.com",
308332
"exp": now + 30,
@@ -324,13 +348,15 @@ mod tests {
324348
"aud": AUDIENCE,
325349
"repository": "octo-org/octo-repo",
326350
"repository_owner_id": "65",
351+
"run_id": "example-run-id",
352+
"sha": "example-sha",
327353
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
328354
"iss": "https://token.actions.githubusercontent.com",
329355
"iat": now,
330356
}))?;
331357

332358
let error = GitHubClaims::decode(&jwt, AUDIENCE, &DECODING_KEY).unwrap_err();
333-
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `exp`", line: 1, column: 253)))"#);
359+
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `exp`", line: 1, column: 299)))"#);
334360

335361
Ok(())
336362
}
@@ -344,6 +370,8 @@ mod tests {
344370
"aud": AUDIENCE,
345371
"repository": "octo-org/octo-repo",
346372
"repository_owner_id": "65",
373+
"run_id": "example-run-id",
374+
"sha": "example-sha",
347375
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
348376
"iss": "https://token.actions.githubusercontent.com",
349377
"exp": now - 3000,
@@ -365,13 +393,15 @@ mod tests {
365393
"aud": AUDIENCE,
366394
"repository": "octo-org/octo-repo",
367395
"repository_owner_id": "65",
396+
"run_id": "example-run-id",
397+
"sha": "example-sha",
368398
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
369399
"iss": "https://token.actions.githubusercontent.com",
370400
"exp": now + 30,
371401
}))?;
372402

373403
let error = GitHubClaims::decode(&jwt, AUDIENCE, &DECODING_KEY).unwrap_err();
374-
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `iat`", line: 1, column: 253)))"#);
404+
assert_compact_debug_snapshot!(error, @r#"Error(Json(Error("missing field `iat`", line: 1, column: 299)))"#);
375405

376406
Ok(())
377407
}
@@ -385,6 +415,8 @@ mod tests {
385415
"aud": AUDIENCE,
386416
"repository": "octo-org/octo-repo",
387417
"repository_owner_id": "65",
418+
"run_id": "example-run-id",
419+
"sha": "example-sha",
388420
"workflow_ref": "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main",
389421
"iss": "https://token.actions.githubusercontent.com",
390422
"exp": now + 300,

src/controllers/trustpub/tokens/exchange/mod.rs

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ use super::json;
22
use crate::app::AppState;
33
use crate::util::errors::{AppResult, bad_request, server_error};
44
use axum::Json;
5-
use crates_io_database::models::trustpub::{NewToken, NewUsedJti};
5+
use crates_io_database::models::trustpub::{NewToken, NewUsedJti, TrustpubData};
66
use crates_io_database::schema::trustpub_configs_github;
77
use crates_io_diesel_helpers::lower;
88
use crates_io_trustpub::access_token::AccessToken;
@@ -130,11 +130,17 @@ pub async fn exchange_trustpub_token(
130130

131131
let new_token = AccessToken::generate();
132132

133+
let trustpub_data = TrustpubData::GitHub {
134+
repository: signed_claims.repository,
135+
run_id: signed_claims.run_id,
136+
sha: signed_claims.sha,
137+
};
138+
133139
let new_token_model = NewToken {
134140
expires_at: chrono::Utc::now() + chrono::Duration::minutes(30),
135141
hashed_token: &new_token.sha256(),
136142
crate_ids: &crate_ids,
137-
trustpub_data: None,
143+
trustpub_data: Some(&trustpub_data),
138144
};
139145

140146
new_token_model.insert(conn).await?;

0 commit comments

Comments
 (0)