If custom server url exists, use that instead of the default one. (#1776)

* If custom server url exists, use that instead of the default one.

Signed-off-by: Fredrik Skogman <[email protected]>

* Name variable baseURL to avoid linter errors.

Signed-off-by: Fredrik Skogman <[email protected]>

---------

Signed-off-by: Fredrik Skogman <[email protected]>

Author: kommendorkapten

pkg/identity/github/principal.go

@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto/x509"
 	"errors"
+	"fmt"
 	"net/url"
 
 	"github.com/coreos/go-oidc/v3/oidc"
@@ -105,6 +106,7 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
 		WorkflowSha          string `json:"workflow_sha"`
 		RunID                string `json:"run_id"`
 		RunAttempt           string `json:"run_attempt"`
+		Enterprise           string `json:"enterprise"`
 	}
 	if err := token.Claims(&claims); err != nil {
 		return nil, err
@@ -159,10 +161,16 @@ func WorkflowPrincipalFromIDToken(_ context.Context, token *oidc.IDToken) (ident
 		return nil, errors.New("missing run_attempt claim in ID token")
 	}
 
+	baseURL := `https://github.com/`
+
+	if claims.Enterprise != "" {
+		baseURL = fmt.Sprintf("https://%s.ghe.com/", claims.Enterprise)
+	}
+
 	return &workflowPrincipal{
 		subject:              token.Subject,
 		issuer:               token.Issuer,
-		url:                  `https://github.com/`,
+		url:                  baseURL,
 		sha:                  claims.Sha,
 		eventName:            claims.EventName,
 		repository:           claims.Repository,

pkg/identity/github/principal_test.go

@@ -84,6 +84,53 @@ func TestWorkflowPrincipalFromIDToken(t *testing.T) {
 			},
 			WantErr: false,
 		},
+		`Valid token, custom base url authenticates with correct claims`: {
+			Claims: map[string]interface{}{
+				"aud":                   "sigstore",
+				"event_name":            "push",
+				"exp":                   0,
+				"iss":                   "https://token.actions.githubusercontent.com",
+				"job_workflow_ref":      "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
+				"job_workflow_sha":      "example-sha",
+				"ref":                   "refs/heads/main",
+				"repository":            "sigstore/fulcio",
+				"repository_id":         "12345",
+				"repository_owner":      "username",
+				"repository_owner_id":   "345",
+				"repository_visibility": "public",
+				"run_attempt":           "1",
+				"run_id":                "42",
+				"runner_environment":    "cloud-hosted",
+				"sha":                   "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+				"sub":                   "repo:sigstore/fulcio:ref:refs/heads/main",
+				"workflow":              "foo",
+				"workflow_ref":          "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
+				"workflow_sha":          "example-sha-other",
+				"enterprise":            "test",
+			},
+			ExpectPrincipal: workflowPrincipal{
+				issuer:               "https://token.actions.githubusercontent.com",
+				subject:              "repo:sigstore/fulcio:ref:refs/heads/main",
+				url:                  "https://test.ghe.com/",
+				jobWorkflowRef:       "sigstore/fulcio/.github/workflows/foo.yaml@refs/heads/main",
+				sha:                  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+				eventName:            "push",
+				repository:           "sigstore/fulcio",
+				workflow:             "foo",
+				ref:                  "refs/heads/main",
+				jobWorkflowSha:       "example-sha",
+				runnerEnvironment:    "cloud-hosted",
+				repositoryID:         "12345",
+				repositoryOwner:      "username",
+				repositoryOwnerID:    "345",
+				repositoryVisibility: "public",
+				workflowRef:          "sigstore/other/.github/workflows/foo.yaml@refs/heads/main",
+				workflowSha:          "example-sha-other",
+				runID:                "42",
+				runAttempt:           "1",
+			},
+			WantErr: false,
+		},
 		`Token missing job_workflow_ref claim should be rejected`: {
 			Claims: map[string]interface{}{
 				"aud":                   "sigstore",