This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch sbp
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/sbp by this push:
new e693c2da Keep a strict subset of GitHub OIDC payloads
e693c2da is described below
commit e693c2da8b9b4e1b1a77817f85d0a7fb9e56b341
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Feb 20 19:57:54 2026 +0000
Keep a strict subset of GitHub OIDC payloads
---
atr/jwtoken.py | 42 +++++++++++++++++++++++++++++++++++++-----
atr/models/schema.py | 4 ++++
2 files changed, 41 insertions(+), 5 deletions(-)
diff --git a/atr/jwtoken.py b/atr/jwtoken.py
index 3f1c8dee..ec613903 100644
--- a/atr/jwtoken.py
+++ b/atr/jwtoken.py
@@ -30,6 +30,7 @@ import quart
import atr.config as config
import atr.ldap as ldap
import atr.log as log
+import atr.models.schema as schema
import atr.util as util
_ALGORITHM: Final[str] = "HS256"
@@ -50,6 +51,41 @@ if TYPE_CHECKING:
from collections.abc import Awaitable, Callable, Coroutine
+class GitHubOIDCPayload(schema.Subset):
+ # Not in atr.models because this is not used outside of this file
+
+ actor: str
+ actor_id: str
+ aud: str
+ base_ref: str
+ check_run_id: str
+ enterprise: str
+ enterprise_id: str
+ event_name: str
+ exp: int
+ head_ref: str
+ iat: int
+ iss: str
+ job_workflow_ref: str
+ job_workflow_sha: str
+ jti: str
+ nbf: int | None = None
+ ref: str
+ ref_protected: str
+ ref_type: str
+ repository: str
+ repository_owner: str
+ repository_visibility: str
+ run_attempt: str
+ run_number: str
+ runner_environment: str
+ sha: str
+ sub: str
+ workflow: str
+ workflow_ref: str
+ workflow_sha: str
+
+
def issue(uid: str, *, ttl: int = _ATR_JWT_TTL) -> str:
now = datetime.datetime.now(tz=datetime.UTC)
payload = {
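Review bot: GitHubOIDCPayload has no docstring saying what it is for: the inline comment on its second line only explains why the class lives in this file, not that it is the allowlist of claims verify_github_oidc returns and that `schema.Subset` silently drops every claim not declared here. I would replace that comment with a docstring along the lines of `"""Allowlisted subset of a verified GitHub OIDC token's claims; claims not declared here are dropped by schema.Subset (extra="ignore")."""`. Every field except `nbf` is required, so a signed token lacking any one of them is rejected outright rather than passed through with that claim missing; if some of these claims can be absent for certain event types (I cannot tell from the hunk which are always present), the docstring should state that the rejection is intended, or those fields should be typed `str | None = None` like `nbf`. The mismatch check that precedes the new `model_validate` call is in a later hunk.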
@@ -151,11 +187,7 @@ async def verify_github_oidc(token: str) -> dict[str, Any]:
f"GitHub OIDC payload mismatch: {key} = {payload[key]} !=
{value}",
errorcode=401,
)
- # del payload["actor_id"]
- del payload["repository_id"]
- del payload["repository_owner_id"]
- del payload["run_id"]
- return payload
+ return GitHubOIDCPayload.model_validate(payload).model_dump()
def _extract_bearer_token(request: quart.Request) -> str:
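Review bot: `GitHubOIDCPayload.model_validate(payload)` on the new return line raises a pydantic `ValidationError` when a claim is missing or has the wrong type, and nothing in this hunk maps that to the `errorcode=401` rejection used for the claim-mismatch case immediately above it, so a well-signed but malformed payload would presumably surface as an unhandled exception instead of a 401 unless a caller outside this hunk catches it. Wrap the call in a `try`/`except pydantic.ValidationError as e:` and re-raise with the same error type and `errorcode=401` as the mismatch branch, chaining with `from e`; the module does not appear to import pydantic in the hunks shown, so that import would need adding. Note also that `model_dump()` now always emits an `nbf` key (None when the claim is absent), where the old code returned the token's dict as-is; any consumer that tests `"nbf" in payload` changes behaviour. verify_github_oidc starts outside this hunk.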
diff --git a/atr/models/schema.py b/atr/models/schema.py
index f7ac4837..6868de57 100644
--- a/atr/models/schema.py
+++ b/atr/models/schema.py
@@ -32,6 +32,10 @@ class Strict(pydantic.BaseModel):
model_config = pydantic.ConfigDict(extra="forbid", strict=True,
validate_assignment=True)
+class Subset(pydantic.BaseModel):
+ model_config = pydantic.ConfigDict(extra="ignore", strict=False,
validate_assignment=True, validate_by_name=True)
+
+
class Form(pydantic.BaseModel):
model_config = pydantic.ConfigDict(
extra="forbid",
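Review bot: `Subset` has no docstring, and its configuration is the inverse of `Strict` on the lines just above it (`extra="ignore"`, `strict=False`), so a reader needs to be told this is deliberate: it exists to retain an allowlisted subset of an externally supplied payload and discard the rest, with lax type coercion. Suggest `"""Base model that keeps only the declared fields of an external payload; unknown keys are dropped and values are coerced leniently."""`. Because `extra="ignore"` discards data silently, the subclass's field list is the only place the retained set can be reviewed, which is worth one sentence in that docstring. `validate_by_name=True` only exists in recent pydantic 2.x releases — presumably the project already requires one, but worth confirming against the pinned version.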