Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions .github/workflows/examples.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -56,9 +56,6 @@ jobs:
group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.os }}-dev
cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

permissions:
id-token: write

steps:
- name: Enable long paths in Git
if: runner.os == 'Windows'
Expand Down
5 changes: 4 additions & 1 deletion examples/hello-world/test.sh
Original file line number Diff line number Diff line change
@@ -1,9 +1,12 @@
#!/usr/bin/env bash
set -Eeo pipefail
export MAVEN_GPG_KEY=$(cat ../pgp/private.key)
MAVEN_GPG_KEY=$(cat ../pgp/private.key)
export MAVEN_GPG_KEY
export MAVEN_GPG_PASSPHRASE=pass123
export ORG_GRADLE_PROJECT_signingKey=$MAVEN_GPG_KEY
export ORG_GRADLE_PROJECT_signingPassword=$MAVEN_GPG_PASSPHRASE
SIGSTORE_JAVA_ID_TOKEN=$(curl -f https://storage.googleapis.com/sigstore-conformance-testing-token/untrusted-testing-token.txt)
export SIGSTORE_JAVA_ID_TOKEN
set -x
# gradle
./gradlew clean publishMavenPublicationToExamplesRepository --stacktrace $@
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
/*
* Copyright 2026 The Sigstore Authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package dev.sigstore.oidc.client;

import java.util.Map;

public class EnvTokenProvider implements TokenStringOidcClient.TokenStringProvider {
static final String ENV_VAR_NAME = "SIGSTORE_JAVA_ID_TOKEN";

static EnvTokenProvider of() {
return new EnvTokenProvider();
}

private EnvTokenProvider() {}

@Override
public boolean isEnabled(Map<String, String> env) {
return env.containsKey(ENV_VAR_NAME);
}

@Override
public String getTokenString(Map<String, String> env) throws Exception {
var token = env.get(ENV_VAR_NAME);
if (token == null) {
throw new IllegalStateException(ENV_VAR_NAME + " was not set");
}
return token;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ public static OidcClients of(OidcClient... clients) {
*/
public static OidcClients from(Service oidcService) {
return of(
TokenStringOidcClient.from(EnvTokenProvider.of()),
GithubActionsOidcClient.builder().build(),
WebOidcClient.builder().setIssuer(oidcService).build());
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,18 +42,29 @@ public static TokenStringOidcClient from(TokenStringProvider provider) {
}

public static TokenStringOidcClient from(String token) {
return new TokenStringOidcClient(() -> token);
return new TokenStringOidcClient(
new TokenStringProvider() {
@Override
public String getTokenString(Map<String, String> env) throws Exception {
return token;
}

@Override
public boolean isEnabled(Map<String, String> env) {
return true;
}
});
}

@Override
public boolean isEnabled(Map<String, String> env) {
return true;
return idTokenProvider.isEnabled(env);
}

@Override
public OidcToken getIDToken(Map<String, String> env) throws OidcException {
try {
var idToken = idTokenProvider.getTokenString();
var idToken = idTokenProvider.getTokenString(env);
var jws = JsonWebSignature.parse(new GsonFactory(), idToken);
String email = (String) jws.getPayload().get("email");
String san;
Expand Down Expand Up @@ -83,8 +94,9 @@ public OidcToken getIDToken(Map<String, String> env) throws OidcException {
}
}

@FunctionalInterface
public interface TokenStringProvider {
String getTokenString() throws Exception;
String getTokenString(Map<String, String> env) throws Exception;

boolean isEnabled(Map<String, String> env);
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
/*
* Copyright 2026 The Sigstore Authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package dev.sigstore.oidc.client;

import java.util.Map;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

public class EnvTokenProviderTest {

@Test
public void isEnabled_true() {
var provider = EnvTokenProvider.of();
var env = Map.of(EnvTokenProvider.ENV_VAR_NAME, "some-token");
Assertions.assertTrue(provider.isEnabled(env));
}

@Test
public void isEnabled_false() {
var provider = EnvTokenProvider.of();
Assertions.assertFalse(provider.isEnabled(Map.of()));
}

@Test
public void getTokenString_present() throws Exception {
var provider = EnvTokenProvider.of();
var env = Map.of(EnvTokenProvider.ENV_VAR_NAME, "some-token");
Assertions.assertEquals("some-token", provider.getTokenString(env));
}

@Test
public void getTokenString_missing() {
var provider = EnvTokenProvider.of();
var env = Map.of("OTHER_ENV_VAR", "some-token");
var exception =
Assertions.assertThrows(
IllegalStateException.class,
() -> {
provider.getTokenString(env);
});
Assertions.assertEquals(EnvTokenProvider.ENV_VAR_NAME + " was not set", exception.getMessage());
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;

/**
* A token provider that will grab the "unsafe" token from sigstore github conformance testing. This
Expand All @@ -47,7 +48,12 @@ private ConformanceTestingTokenProvider(String tokenUrl) {
}

@Override
public String getTokenString() throws Exception {
public boolean isEnabled(Map<String, String> env) {
return true;
}

@Override
public String getTokenString(Map<String, String> env) throws Exception {
HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build();
URI fileUri = new URI(tokenUrl);
HttpRequest request =
Expand Down
Loading