feat: Add organization-wide trusted token issuers functionality #901
salekseev wants to merge 9 commits into octo-sts:main from salekseev:feature/org_trusted_issuers
…nd implement related functionality

- Updated README.md to include a new section on Organization Trusted Token Issuers, detailing how to configure trusted OIDC issuers for enhanced security.
- Introduced org_trusted_token_issuers.go and org_trusted_token_issuers_test.go files to implement and test the new feature, allowing organizations to validate OIDC issuers against a trusted list before trust policy evaluation.
- Added example configuration for trusted issuers in YAML format to the documentation.
- Removed the regex pattern for GitHub Actions from the issuer_patterns section in README.md, streamlining the documentation for trusted OIDC issuers.
- Added a new LRU cache for trusted token issuers in `octosts.go` to improve management of trusted OIDC issuers.
- Updated tests in `org_trusted_token_issuers_test.go` to validate the new configuration parsing and issuer validation logic.
- Refactored the cache handling in `org_trusted_token_issuers.go` to utilize the shared cache for improved performance and consistency.
- Removed unused code and tests related to previous cache implementation, streamlining the codebase.
…suers

- Added tests for cache eviction behavior in `org_trusted_token_issuers_test.go`, ensuring that the cache correctly evicts entries when full and maintains consistency across validations.
- Enhanced logging in `org_trusted_token_issuers.go` to track cache hits and evictions, improving observability of cache operations.
- Verified that the cache size remains within limits and that the least recently used (LRU) entries are evicted as expected.
- Updated the go-github dependency from v71 to v72 in org_trusted_token_issuers.go and org_trusted_token_issuers_test.go.
- Enhanced error handling by changing error formatting from `%v` to `%w` for better error wrapping in multiple locations within org_trusted_token_issuers.go.
- Updated the struct tags in OrgTrustedTokenIssuersConfig from YAML to JSON format for better compatibility with JSON serialization.
- Enhanced the parsing method to use `yaml.UnmarshalStrict` for stricter validation of the configuration input.
- Renamed test functions for consistency by removing underscores.
- Introduced helper functions `assertParseConfigResult` and `assertValidationResult` to reduce cognitive complexity in tests.
- Updated test cases to utilize the new helper functions for improved readability and maintainability.
…_token_issuers_test.go

- Introduced constants for error messages and configuration file names to improve clarity and reduce duplication.
- Updated test cases to utilize these constants, enhancing consistency across tests.
- Refactored issuer validation tests to use defined constants for expected values, improving maintainability and readability.
…hanced DoS protection

- Integrate organization trusted issuer validation into main Exchange flow with proper GitHub client setup
- Fix test initialization to use NewSecurityTokenServiceServer constructor preventing nil pointer dereference
- Align cache and DoS protections: increase cache size to 100 orgs, reduce per-org limits to 25 issuers/5 patterns
- Add memory-based validation: 512 char URL limit, 256 char pattern limit, 5KB total config limit
- Modernize code with Go 1.24.2 features: slices.Contains, range-over-integers, error constants
- Optimize memory allocation with pre-allocated slice capacity and improved regex compilation
- Enhance cache performance with better hit rates and predictable memory footprint (~950KB max)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
This pull request introduces a new feature for organization-wide trusted token issuer validation in Octo-STS, enhancing security by allowing organizations to centrally manage and validate OIDC issuers. The changes include updates to the documentation, implementation of the validation logic, and caching mechanisms for efficiency.

Documentation Updates

- README.md: detailing the organization-wide trusted token issuers feature, including configuration examples and its purpose for defense-in-depth security.
- README.md: to recommend using the trusted token issuers feature for an additional security layer.

Feature Implementation

- OrgTrustedTokenIssuersValidator in pkg/octosts/org_trusted_token_issuers.go, including methods for loading configurations, validating issuers, and managing a cache for efficiency. This includes support for exact issuer URLs and regex patterns for flexible matching.
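As an added illustration of the validation step described above (example code written for this page, not code from the octo-sts project or from this PR), the following Go program parses a per-organization trusted-issuer configuration, enforces the limits the commit messages mention (25 issuers, 5 patterns, 512-character URLs, 256-character patterns, 5 KB total config), and then accepts an incoming OIDC issuer only on an exact URL match or a full regex match. The type, field, constant and function names, the use of encoding/json with DisallowUnknownFields in place of the PR's yaml.UnmarshalStrict, the anchoring of patterns with `^(?:...)$`, and the omission of the per-org LRU cache are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"slices"
)

// Per-organization limits matching the values in the PR's commit messages;
// the constant names are assumptions for this example.
const (
	maxIssuers      = 25
	maxPatterns     = 5
	maxIssuerURLLen = 512
	maxPatternLen   = 256
	maxConfigBytes  = 5 * 1024
)

// Sentinel errors so callers can classify failures with errors.Is.
var (
	ErrConfigTooLarge  = errors.New("trusted issuers config exceeds 5KB limit")
	ErrTooManyIssuers  = errors.New("too many trusted issuers")
	ErrTooManyPatterns = errors.New("too many issuer patterns")
	ErrIssuerTooLong   = errors.New("issuer URL exceeds length limit")
	ErrPatternTooLong  = errors.New("issuer pattern exceeds length limit")
	ErrNotTrusted      = errors.New("issuer is not trusted by this organization")
)

// OrgTrustedTokenIssuersConfig is the assumed on-disk shape of the config.
type OrgTrustedTokenIssuersConfig struct {
	Issuers  []string `json:"issuers"`
	Patterns []string `json:"issuer_patterns"`
}

// OrgTrustedIssuers is a parsed, limit-checked, ready-to-match configuration.
type OrgTrustedIssuers struct {
	issuers  []string
	patterns []*regexp.Regexp
}

// ParseOrgTrustedIssuers checks the raw size before decoding, rejects unknown
// fields (strict parsing, as yaml.UnmarshalStrict does in the PR), applies the
// count and length limits, and compiles each pattern exactly once.
func ParseOrgTrustedIssuers(raw []byte) (*OrgTrustedIssuers, error) {
	if len(raw) > maxConfigBytes {
		return nil, ErrConfigTooLarge
	}
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var cfg OrgTrustedTokenIssuersConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("parsing trusted issuers config: %w", err)
	}
	if len(cfg.Issuers) > maxIssuers {
		return nil, ErrTooManyIssuers
	}
	if len(cfg.Patterns) > maxPatterns {
		return nil, ErrTooManyPatterns
	}
	t := &OrgTrustedIssuers{
		issuers:  make([]string, 0, len(cfg.Issuers)),
		patterns: make([]*regexp.Regexp, 0, len(cfg.Patterns)),
	}
	for _, u := range cfg.Issuers {
		if len(u) > maxIssuerURLLen {
			return nil, fmt.Errorf("%w: %q", ErrIssuerTooLong, u)
		}
		t.issuers = append(t.issuers, u)
	}
	for _, p := range cfg.Patterns {
		if len(p) > maxPatternLen {
			return nil, fmt.Errorf("%w: %q", ErrPatternTooLong, p)
		}
		// Anchoring is this example's choice: an unanchored MatchString would
		// accept "https://attacker.test/?u=https://gitlab.example.com/x" for the
		// pattern "https://gitlab\.example\.com/.*" because of the substring hit.
		re, err := regexp.Compile("^(?:" + p + ")$")
		if err != nil {
			return nil, fmt.Errorf("compiling issuer pattern %q: %w", p, err)
		}
		t.patterns = append(t.patterns, re)
	}
	return t, nil
}

// Validate passes on an exact URL match or a full pattern match and otherwise
// returns ErrNotTrusted, which the caller should treat as a denial before any
// trust-policy evaluation takes place.
func (t *OrgTrustedIssuers) Validate(issuer string) error {
	if slices.Contains(t.issuers, issuer) {
		return nil
	}
	for _, re := range t.patterns {
		if re.MatchString(issuer) {
			return nil
		}
	}
	return fmt.Errorf("%w: %q", ErrNotTrusted, issuer)
}

func main() {
	// Constructed sample configuration for this example, not from the project.
	cfg := []byte(`{"issuers":["https://token.actions.githubusercontent.com"],
	  "issuer_patterns":["https://gitlab\\.example\\.com/.*"]}`)
	t, err := ParseOrgTrustedIssuers(cfg)
	if err != nil {
		panic(err)
	}
	for _, iss := range []string{
		"https://token.actions.githubusercontent.com",
		"https://gitlab.example.com/group",
		"https://attacker.test/?u=https://gitlab.example.com/x",
	} {
		fmt.Printf("%s -> %v\n", iss, t.Validate(iss))
	}
}
```

The size check runs on the raw bytes before decoding so an oversized document is rejected without allocating for it, and every limit failure wraps a sentinel error with `%w`, matching the PR's move from `%v` to `%w` so that the Exchange flow can distinguish a configuration problem from an untrusted issuer.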