Unify safe dialer use#128
Open
joniumGit wants to merge 3 commits into
Open
Conversation
Signed-off-by: joniumGit <52005121+joniumGit@users.noreply.github.com>
Signed-off-by: joniumGit <52005121+joniumGit@users.noreply.github.com>
Signed-off-by: joniumGit <52005121+joniumGit@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR threads a shared http.RoundTripper/http.Client through OIDC token acquisition and multiple registry handlers so outbound OIDC exchanges can use the proxy’s configured transport.
Changes:
- Add
transport http.RoundTripperto many handler constructors and pass it fromproxy.go. - Extend
OIDCRegistryandCreateOIDCCredentialto carry/create an HTTP client using the provided transport. - Update Actions OIDC token-exchange helpers to accept an injected
*http.Client, and adjust tests accordingly.
Reviewed changes
Copilot reviewed 33 out of 33 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| proxy.go | Passes the shared transport into more registry handlers. |
| internal/oidc/oidc_registry.go | Stores transport in the registry and uses it when creating OIDC credentials. |
| internal/oidc/oidc_registry_test.go | Updates registry construction for new transport parameter. |
| internal/oidc/oidc_credential.go | Adds an HTTP client to OIDC credentials and routes token fetches through it. |
| internal/oidc/oidc_credential_test.go | Updates credential creation calls for new transport parameter. |
| internal/oidc/actions_oidc.go | Injects *http.Client into token-exchange functions instead of creating local clients. |
| internal/oidc/actions_oidc_test.go | Passes http.DefaultClient to updated token-exchange signatures. |
| internal/handlers/terraform_registry.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/terraform_registry_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/rubygems_server.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/rubygems_server_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/python_index.go | Adds transport param and uses it for OIDC credential creation/registration. |
| internal/handlers/python_index_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/pub_repository.go | Adds transport param and uses it for OIDC credential creation/registration. |
| internal/handlers/pub_repository_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/oidc_handling_test.go | Updates many handler factories to pass the new transport argument. |
| internal/handlers/nuget_feed.go | Adds transport param, uses it in HTTP client and OIDC registry. |
| internal/handlers/nuget_feed_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/npm_registry.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/npm_registry_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/maven_repository.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/maven_repository_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/hex_repository.go | Adds transport param and uses it for OIDC credential creation/registration. |
| internal/handlers/hex_repository_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/helm_registry.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/helm_registry_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/goproxy_server_handler.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/goproxy_server_handler_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/docker_registry.go | Constructs OIDC registry with the provided transport. |
| internal/handlers/composer.go | Adds transport param and passes it into OIDC registry. |
| internal/handlers/composer_test.go | Updates handler construction for new transport parameter. |
| internal/handlers/cargo_registry.go | Adds transport param and uses it for OIDC credential creation/registration. |
| internal/handlers/cargo_registry_test.go | Updates handler construction for new transport parameter. |
| // | ||
| // Returns an Azure AD access token scoped for Azure DevOps (499b84ac-1321-427f-aa17-267ca6975798/.default) | ||
| func GetAzureAccessToken(ctx context.Context, params AzureOIDCParameters, githubToken string) (*OIDCAccessToken, error) { | ||
| func GetAzureAccessToken(ctx context.Context, params AzureOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { |
Contributor
Author
There was a problem hiding this comment.
These are now unified in the call before this where the actual client is created. This alert is only half-correct in my opinion, there could be a nil check for the value.
| // GetAzureAccessTokenForDevOps is a convenience function that combines fetching the GitHub OIDC token | ||
| // and exchanging it for an Azure AD access token in a single call. | ||
| func GetAzureAccessTokenForDevOps(ctx context.Context, params AzureOIDCParameters) (*OIDCAccessToken, error) { | ||
| func GetAzureAccessTokenForDevOps(ctx context.Context, params AzureOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { |
| // | ||
| // Returns a JFrog access token | ||
| func GetJFrogAccessToken(ctx context.Context, params JFrogOIDCParameters, githubToken string) (*OIDCAccessToken, error) { | ||
| func GetJFrogAccessToken(ctx context.Context, params JFrogOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { |
| } | ||
|
|
||
| func GetJFrogAccessTokenForDevOps(ctx context.Context, params JFrogOIDCParameters) (*OIDCAccessToken, error) { | ||
| func GetJFrogAccessTokenForDevOps(ctx context.Context, params JFrogOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { |
| // | ||
| // Returns temporary AWS credentials | ||
| func GetAWSAccessToken(ctx context.Context, params AWSOIDCParameters, githubToken string) (*OIDCAccessToken, error) { | ||
| func GetAWSAccessToken(ctx context.Context, params AWSOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { |
| } | ||
|
|
||
| func GetAWSAccessTokenForDevOps(ctx context.Context, params AWSOIDCParameters) (*OIDCAccessToken, error) { | ||
| func GetAWSAccessTokenForDevOps(ctx context.Context, params AWSOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { |
| } | ||
|
|
||
| func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParameters, githubToken string) (*OIDCAccessToken, error) { | ||
| func GetCloudsmithAccessToken(ctx context.Context, params CloudsmithOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { |
| } | ||
|
|
||
| func GetCloudsmithAccessTokenForDevOps(ctx context.Context, params CloudsmithOIDCParameters) (*OIDCAccessToken, error) { | ||
| func GetCloudsmithAccessTokenForDevOps(ctx context.Context, params CloudsmithOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { |
| } | ||
|
|
||
| func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToken string) (*OIDCAccessToken, error) { | ||
| func GetGCPAccessToken(ctx context.Context, params GCPOIDCParameters, githubToken string, client *http.Client) (*OIDCAccessToken, error) { |
| } | ||
|
|
||
| func GetGCPAccessTokenForDevOps(ctx context.Context, params GCPOIDCParameters) (*OIDCAccessToken, error) { | ||
| func GetGCPAccessTokenForDevOps(ctx context.Context, params GCPOIDCParameters, client *http.Client) (*OIDCAccessToken, error) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR is co-authored by Copilot
What are you trying to accomplish?
I am trying to unify the safeDialer use in the codebase. I noticed that there were plenty of user input going into Http Clients in some parameters and them not using the safe dialer that the proxy explicitly creates in the beginning. This will prevent any config parameters from being used to reach unintended destinations. The way I did it is a bit ugly and ends up with the transport being added to all of the registry handler constructors.
Anything you want to highlight for special attention from reviewers?
Please check if this change is needed. I am not sure if the initial state of not using safe dialer in some of the registry handlers was intended.
How will you know you've accomplished your goal?
No user input should reach a raw HTTP Client.
Checklist