Merged
105 changes: 92 additions & 13 deletions README.md
Expand Up @@ -17,7 +17,7 @@ See [action.yml](action.yml)
```yaml
steps:
- uses: actions/checkout@v4
- uses: vchrisb/setup-cf@v1
- uses: vchrisb/setup-cf@v2
with:
api: ${{ secrets.CF_API }}
username: ${{ secrets.CF_USERNAME }}
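Review bot: the quick-start bump to `vchrisb/setup-cf@v2` is fine on its own, but this PR also removes the `private_key_jwt` grant type and drops the `uaa` default for `audience`, so a one-line migration note next to this snippet (what changed from v1 and which inputs now need to be set explicitly) would save users a surprise on upgrade.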
Expand All @@ -33,9 +33,7 @@ steps:
* Url of the cloud controller api
* required
* `audience`
* audience for requesting the Github `id_token` used for JWT Bearer Token Grant
* required
* default: `uaa`
* audience for requesting the GitHub `id_token`
* `client_id`
* client id for `client_credentals` or `jwt-bearer`
* `client_secret`
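Review bot: `audience` goes from required with default `uaa` to optional with no documented default, but the new description "audience for requesting the GitHub `id_token`" does not say what the action requests when the input is omitted; the value has to match whatever UAA is configured to accept, so state the fallback here. Also, the context line `client id for \`client_credentals\` or \`jwt-bearer\`` still carries the `client_credentals` typo; since this hunk touches the surrounding text, correct it to `client_credentials` so it matches the real grant type name.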
Expand All @@ -47,40 +45,121 @@ steps:
* valid values:
* `password`
* `client_credentals`
* `private_key_jwt`
* `jwt-bearer`
* `jwt`
* jwt for usage with `private_key_jwt` or `jwt-bearer`. If none is specified for `jwt-bearer`, a Github `id_token` will be requested
* jwt for usage with `client_credentals` or `jwt-bearer`. If omitted, a GitHub `id_token` will be requested
* `username`
* username for `password` grant
* `password`
* password for `password` grant
* `org`
* Cloud Foundry organization name
* `skip_ssl_validation`
* Skip verification of the API endpoint
* default: `false`
* `space`
* Cloud Foundry space name
* `version`
* cf cli version
* required
* default: `8.8.3`
* default: `8.12.0`

## Advanced

### setup UAA for JWT Bearer Token Grant
Requires at least UAA `77.20.4`.

### GitHub id_token

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect

To allow a workflow to request an `id_token`, the workflow needs to have the correct permissions:

```
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
```

> The `sub` may not be used for the `user_name` attribute mapping, as it can include unsupported characters like `/` and `:`.

The sub can be customized https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-subject-claims-for-an-organization-or-repository

### setup UAA for JWT Bearer Token Grant with GitHub

Add the GitHub OIDC provider and use e.g. the `repository_owner` claim as the `user_name`:

```
uaac curl /identity-providers -X POST -H "Content-Type: application/json" -d '{"type": "oidc1.0", "name": "GitHub", "originKey": "github", "config": {"discoveryUrl": "https://token.actions.githubusercontent.com/.well-known/openid-configuration", "scopes": ["read:user", "user:email"], "linkText": "Login with GitHub", "showLinkText": false, "addShadowUserOnLogin": true, "clientAuthInBody": true, "relyingPartyId": "uaa", "addShadowUserOnLogin": true, "attributeMappings" : {"given_name": "repository_owner", "family_name": "repository_owner_id", "user_name": "repository_owner"}}}'
```

Add the Github OIDC provider using non existing credentials and use e.g. the `repository_owner` claimm as the `user_name`:
The UAA client used does need to include `urn:ietf:params:oauth:grant-type:jwt-bearer` in the `authorized_grant_types`.
This can be the default `cf` client, but also a dedicated one:

```
uaa curl /identity-providers -X POST -H "Content-Type: application/json" -d '{"type": "oidc1.0", "name": "Github", "originKey": "github", "config": {"discoveryUrl": "https://token.actions.githubusercontent.com/.well-known/openid-configuration", "scopes": ["read:user", "user:email"], "linkText": "Login with Github", "showLinkText": false, "addShadowUserOnLogin": true, "clientAuthInBody": true, "relyingPartyId": "uaa", "relyingPartySecret": "uaa", "addShadowUserOnLogin": true, "attributeMappings" : {"given_name": "repository_owner", "family_name": "repository_owner_id", "user_name": "repository_owner"}}}'
uaac curl /oauth/clients -X POST -H "Content-Type: application/json" -d '{"client_id" : "jwt-bearer-client", "access_token_validity": 1800, "authorities" : [ "uaa.resource" ], "authorized_grant_types" : [ "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "scope": ["openid", "cloud_controller.read"], "allowedproviders" : [ "github" ], "name" : "JWT Bearer Client"}'
```

```yaml
name: Jwt Bearer Flow using GitHub id_token
on: [push]
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: vchrisb/setup-cf@v2
with:
api: ${{ secrets.CF_API }}
grant_type: jwt-bearer
org: test
space: dev
- name: run cf command
run: cf apps
```

> The `sub` can't be used for the `user_name`, as it includes unsupported characters like `/` and `:`.
The cf cli will be authenticated as an user, which username is defined by the `attributeMappings`.

### setup UAA for JWT client credentials

The UAA client used does need to include `client_credentials` in the `authorized_grant_types`.

UAA client required for authentication:
```
uaa curl /oauth/clients -X POST -H "Content-Type: application/json" -d '{"client_id" : "jwt-bearer-client", "client_secret" : "secret", "access_token_validity": 1800, "authorities" : [ "uaa.resource" ], "authorized_grant_types" : [ "urn:ietf:params:oauth:grant-type:jwt-bearer" ], "scope": ["openid", "cloud_controller.read"], "allowedproviders" : [ "github" ], "name" : "JWT Bearer Client"}'
uaac client add setup-cf --scope uaa.none --authorities cloud_controller.read --authorized_grant_type "client_credentials"
```

Add the jwt configuration to the client.
The following example is for GitHub. You can also pass a different token using `jwt` parameter, but will need to adapt the configuration to your idp.
```
uaac client jwt add setup-cf --issuer https://token.actions.githubusercontent.com --subject repo:vchrisb/setup-cf:environment:Production --aud https://github.com/vchrisb
```

```yaml
name: Client Credentials using GitHub id_token
on: [push]
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: vchrisb/setup-cf@v2
with:
api: ${{ secrets.CF_API }}
client_id: setup-cf
grant_type: client_credentials
org: test
space: dev
- name: run cf command
run: cf apps
```

The cf cli will be authenticated as the client `setup-cf`.

## Developmet

### update action
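Review bot: the `uaac client jwt add setup-cf ... --aud https://github.com/vchrisb` line pins the accepted audience, but the client-credentials workflow example below it never passes `audience` and this PR removes the `uaa` default, so a reader cannot see how the requested id_token ends up with that `aud`; state which audience the action requests when the input is empty (GitHub's own default is the repository-owner URL) and that it must equal the `--aud` value. The identity-provider JSON repeats the `"addShadowUserOnLogin": true` key; drop the duplicate. Because `user_name` is mapped from `repository_owner`, every workflow in every repository of that owner authenticates as the same CF user; a sentence pointing this out lets readers pick a narrower claim or rely on a `--subject repo:...:environment:...` restriction like the one shown for the client-credentials case. Minor: `as an user, which username is defined` should read `as a user whose username is defined`, and the context heading `## Developmet` is missing an `n`.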
9 changes: 6 additions & 3 deletions action.yaml
Expand Up @@ -11,7 +11,6 @@ inputs:
audience:
description: "github id_token audience"
required: false
default: "uaa"
client_id:
description: "client id"
required: false
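Review bot: removing `default: "uaa"` silently changes behaviour for every v1 user who relied on the `uaa` audience without setting the input; the description `github id_token audience` should say what value is used when the input is empty, and the v2 release notes should flag the change.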
Expand All @@ -23,7 +22,7 @@ inputs:
required: true
default: "password"
jwt:
description: "jwt for usage with `private_key_jwt` or `jwt-bearer`."
description: "jwt for usage with `client_credentials` or `jwt-bearer`."
required: false
username:
description: "username"
Expand All @@ -34,13 +33,17 @@ inputs:
org:
description: "org"
required: false
skip_ssl_validation:
description: "skip_ssl_validation"
required: false
default: "false"
space:
description: "space"
required: false
version:
description: "cf cli version"
required: true
default: "8.11.0"
default: "8.12.0"
runs:
using: "node20"
main: "dist/index.js"