
Commit 4d2c7c6

committed
Validate GCP OIDC configurations
1 parent 70b2658 commit 4d2c7c6

3 files changed

Lines changed: 63 additions & 2 deletions


lib/start-proxy-action.js

Lines changed: 17 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

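--- a/src/start-proxy/types.test.ts
+++ b/src/start-proxy/types.test.ts
@@ -126,6 +126,21 @@ test("credentialToStr - pretty-prints valid Cloudsmith OIDC configurations", (t)
 );
 });
 
+test("credentialToStr - pretty-prints valid GCP OIDC configurations", (t) => {
+const credential: types.Credential = {
+type: "maven_credential",
+url: "https://localhost",
+...(makeFromSchema(true, types.gcpConfigSchema) as types.GCPConfig),
+};
+
+const str = types.credentialToStr(credential);
+
+t.is(
+"Type: maven_credential; Url: https://localhost; GCP Workload Identity Provider: value-for-workload-identity-provider; GCP Service Account: value-for-service-account; GCP Audience: value-for-audience;",
+str,
+);
+});
+
 test("credentialToStr - hides passwords", (t) => {
 const secret = "password123";
 const credential = {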
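Review bot: The new test only exercises a credential with every GCP field populated (assuming `makeFromSchema(true, …)` fills the optional keys as the expected string suggests), so the case where `service-account` and `audience` are absent is not covered. Since the schema marks both as optional, a second test with only `workload-identity-provider` set would pin that `credentialToStr` omits the unset fields rather than printing `undefined`. The expected string below is derived from the format in the existing assertion and assumes `appendIfDefined` skips undefined values; adjust it if the helper behaves differently. The trailing "hides passwords" test continues outside the hunk.

```typescript
test("credentialToStr - omits unset optional GCP OIDC fields", (t) => {
  const credential: types.Credential = {
    type: "maven_credential",
    url: "https://localhost",
    "workload-identity-provider": "value-for-workload-identity-provider",
  };

  const str = types.credentialToStr(credential);

  t.is(
    "Type: maven_credential; Url: https://localhost; GCP Workload Identity Provider: value-for-workload-identity-provider;",
    str,
  );
});
```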

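--- a/src/start-proxy/types.ts
+++ b/src/start-proxy/types.ts
@@ -135,16 +135,39 @@ export function isCloudsmithConfig(
 return json.validateSchema(cloudsmithConfigSchema, config);
 }
 
+/** A schema for GCP OIDC configurations. */
+export const gcpConfigSchema = {
+"workload-identity-provider": json.string,
+"service-account": json.optional(json.string),
+audience: json.optional(json.string),
+} as const satisfies json.Schema;
+
+/** Configuration for GCP OIDC. */
+export type GCPConfig = json.FromSchema<typeof gcpConfigSchema>;
+
+/** Decides whether `config` is a GCP OIDC configuration. */
+export function isGCPConfig(
+config: UnvalidatedObject<AuthConfig>,
+): config is GCPConfig {
+return json.validateSchema(gcpConfigSchema, config);
+}
+
 /** An array of all OIDC configuration schemas along with output-friendly names. */
 export const oidcSchemas = [
 { schema: azureConfigSchema, name: "Azure" },
 { schema: awsConfigSchema, name: "AWS" },
 { schema: jfrogConfigSchema, name: "JFrog" },
 { schema: cloudsmithConfigSchema, name: "Cloudsmith" },
+{ schema: gcpConfigSchema, name: "GCP" },
 ];
 
 /** Represents all supported OIDC configurations. */
-export type OIDC = AzureConfig | AWSConfig | JFrogConfig | CloudsmithConfig;
+export type OIDC =
+| AzureConfig
+| AWSConfig
+| JFrogConfig
+| CloudsmithConfig
+| GCPConfig;
 
 /** All authentication-related fields. */
 export type AuthConfig = UsernamePassword | Token | OIDC;
@@ -207,6 +230,13 @@ export function credentialToStr(credential: Credential): string {
 appendIfDefined("Cloudsmith Namespace", credential.namespace);
 appendIfDefined("Cloudsmith Service Slug", credential["service-slug"]);
 appendIfDefined("Cloudsmith API Host", credential["api-host"]);
+} else if (isGCPConfig(credential)) {
+appendIfDefined(
+"GCP Workload Identity Provider",
+credential["workload-identity-provider"],
+);
+appendIfDefined("GCP Service Account", credential["service-account"]);
+appendIfDefined("GCP Audience", credential.audience);
 }
 
 return result;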
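Review bot: `gcpConfigSchema` only requires `workload-identity-provider` to be a string, so as far as this section shows `isGCPConfig` would accept an empty or malformed provider name, and the mistake would presumably surface only later, when the value is used (the behaviour of `json.string` is not visible here, so this is inferred). If format checking is deliberately out of scope, the doc comment should say so, e.g. `/** A schema for GCP OIDC configurations. Only "workload-identity-provider" is required; values are type-checked as strings, not validated as GCP resource names. */`. In the second hunk, the new `credentialToStr` branch writes all three GCP values into the output string; they are identifiers rather than secrets, and a short comment such as `// Identifiers only: never append tokens or key material here.` would keep that invariant visible to whoever extends the branch. `credentialToStr` starts and ends outside the hunk.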
