Skip to content

Commit 1ed3dad

Browse files
committed
Add SIGSTORE_JAVA_ID_TOKEN for passing id token
- has highest priority in default configuarion for grabbing id token - examples at dev version can use this Signed-off-by: Appu <appu@google.com>
1 parent 67503fc commit 1ed3dad

7 files changed

Lines changed: 111 additions & 10 deletions

File tree

.github/workflows/examples.yaml

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -56,9 +56,6 @@ jobs:
5656
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os }}-dev
5757
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
5858

59-
permissions:
60-
id-token: write
61-
6259
steps:
6360
- name: Enable long paths in Git
6461
if: runner.os == 'Windows'

examples/hello-world/test.sh

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,12 @@
11
#!/usr/bin/env bash
22
set -Eeo pipefail
3-
export MAVEN_GPG_KEY=$(cat ../pgp/private.key)
3+
MAVEN_GPG_KEY=$(cat ../pgp/private.key)
4+
export MAVEN_GPG_KEY
45
export MAVEN_GPG_PASSPHRASE=pass123
56
export ORG_GRADLE_PROJECT_signingKey=$MAVEN_GPG_KEY
67
export ORG_GRADLE_PROJECT_signingPassword=$MAVEN_GPG_PASSPHRASE
8+
SIGSTORE_JAVA_ID_TOKEN=$(curl -f https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt)
9+
export SIGSTORE_JAVA_ID_TOKEN
710
set -x
811
# gradle
912
./gradlew clean publishMavenPublicationToExamplesRepository --stacktrace $@
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
package dev.sigstore.oidc.client;
2+
3+
import java.util.Map;
4+
5+
public class EnvTokenProvider implements TokenStringOidcClient.TokenStringProvider {
6+
static final String ENV_VAR_NAME="SIGSTORE_JAVA_ID_TOKEN";
7+
8+
static EnvTokenProvider of() {
9+
return new EnvTokenProvider();
10+
}
11+
12+
private EnvTokenProvider() {}
13+
14+
@Override
15+
public boolean isEnabled(Map<String, String> env) {
16+
return env.containsKey(ENV_VAR_NAME);
17+
}
18+
19+
@Override
20+
public String getTokenString(Map<String, String> env) throws Exception {
21+
var token = env.get(ENV_VAR_NAME);
22+
if (token == null) {
23+
throw new IllegalStateException(ENV_VAR_NAME + " was not set");
24+
}
25+
return token;
26+
}
27+
}

sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcClients.java

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,7 @@ public static OidcClients of(OidcClient... clients) {
3838
*/
3939
public static OidcClients from(Service oidcService) {
4040
return of(
41+
TokenStringOidcClient.from(EnvTokenProvider.of()),
4142
GithubActionsOidcClient.builder().build(),
4243
WebOidcClient.builder().setIssuer(oidcService).build());
4344
}

sigstore-java/src/main/java/dev/sigstore/oidc/client/TokenStringOidcClient.java

Lines changed: 15 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -42,18 +42,28 @@ public static TokenStringOidcClient from(TokenStringProvider provider) {
4242
}
4343

4444
public static TokenStringOidcClient from(String token) {
45-
return new TokenStringOidcClient(() -> token);
45+
return new TokenStringOidcClient(new TokenStringProvider() {
46+
@Override
47+
public String getTokenString(Map<String, String> env) throws Exception {
48+
return token;
49+
}
50+
51+
@Override
52+
public boolean isEnabled(Map<String, String> env) {
53+
return true;
54+
}
55+
});
4656
}
4757

4858
@Override
4959
public boolean isEnabled(Map<String, String> env) {
50-
return true;
60+
return idTokenProvider.isEnabled(env);
5161
}
5262

5363
@Override
5464
public OidcToken getIDToken(Map<String, String> env) throws OidcException {
5565
try {
56-
var idToken = idTokenProvider.getTokenString();
66+
var idToken = idTokenProvider.getTokenString(env);
5767
var jws = JsonWebSignature.parse(new GsonFactory(), idToken);
5868
String email = (String) jws.getPayload().get("email");
5969
String san;
@@ -83,8 +93,8 @@ public OidcToken getIDToken(Map<String, String> env) throws OidcException {
8393
}
8494
}
8595

86-
@FunctionalInterface
8796
public interface TokenStringProvider {
88-
String getTokenString() throws Exception;
97+
String getTokenString(Map<String, String> env) throws Exception;
98+
boolean isEnabled(Map<String, String> env);
8999
}
90100
}
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
/*
2+
* Copyright 2026 The Sigstore Authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* http://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
package dev.sigstore.oidc.client;
17+
18+
import java.util.Map;
19+
import org.junit.jupiter.api.Assertions;
20+
import org.junit.jupiter.api.Test;
21+
22+
public class EnvTokenProviderTest {
23+
24+
@Test
25+
public void isEnabled_true() {
26+
var provider = EnvTokenProvider.of();
27+
var env = Map.of(EnvTokenProvider.ENV_VAR_NAME, "some-token");
28+
Assertions.assertTrue(provider.isEnabled(env));
29+
}
30+
31+
@Test
32+
public void isEnabled_false() {
33+
var provider = EnvTokenProvider.of();
34+
Assertions.assertFalse(provider.isEnabled(Map.of()));
35+
}
36+
37+
@Test
38+
public void getTokenString_present() throws Exception {
39+
var provider = EnvTokenProvider.of();
40+
var env = Map.of(EnvTokenProvider.ENV_VAR_NAME, "some-token");
41+
Assertions.assertEquals("some-token", provider.getTokenString(env));
42+
}
43+
44+
@Test
45+
public void getTokenString_missing() {
46+
var provider = EnvTokenProvider.of();
47+
var env = Map.of("OTHER_ENV_VAR", "some-token");
48+
var exception =
49+
Assertions.assertThrows(
50+
IllegalStateException.class,
51+
() -> {
52+
provider.getTokenString(env);
53+
});
54+
Assertions.assertEquals(
55+
EnvTokenProvider.ENV_VAR_NAME + " was not set", exception.getMessage());
56+
}
57+
}

sigstore-testkit/src/main/java/dev/sigstore/testkit/oidc/ConformanceTestingTokenProvider.java

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
import java.net.http.HttpRequest;
2323
import java.net.http.HttpResponse;
2424
import java.nio.charset.StandardCharsets;
25+
import java.util.Map;
2526

2627
/**
2728
* A token provider that will grab the "unsafe" token from sigstore github conformance testing. This
@@ -47,7 +48,12 @@ private ConformanceTestingTokenProvider(String tokenUrl) {
4748
}
4849

4950
@Override
50-
public String getTokenString() throws Exception {
51+
public boolean isEnabled(Map<String, String> env) {
52+
return true;
53+
}
54+
55+
@Override
56+
public String getTokenString(Map<String, String> env) throws Exception {
5157
HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build();
5258
URI fileUri = new URI(tokenUrl);
5359
HttpRequest request =

0 commit comments

Comments
 (0)