diff --git a/go.mod b/go.mod
index bf517cd26..8caa0c7bf 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,6 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0
 	github.com/hashicorp/golang-lru v1.0.2
 	github.com/magiconair/properties v1.8.7
-	github.com/mitchellh/mapstructure v1.5.0
 	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.6.1
 	github.com/prometheus/common v0.54.0
@@ -111,6 +110,7 @@ require (
 	github.com/letsencrypt/boulder v0.0.0-20230907030200-6d76a0f91e1e // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
diff --git a/pkg/config/config.go b/pkg/config/config.go
index c2d2c36cd..58a898fc3 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -32,7 +32,6 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	lru "github.com/hashicorp/golang-lru"
-	"github.com/mitchellh/mapstructure"
 	"github.com/sigstore/fulcio/pkg/certificate"
 	fulciogrpc "github.com/sigstore/fulcio/pkg/generated/protobuf"
 	"github.com/sigstore/fulcio/pkg/log"
@@ -470,18 +469,16 @@ func validateCIIssuerMetadata(fulcioConfig *FulcioConfig) error {
 	}
 	for _, ciIssuerMetadata := range fulcioConfig.CIIssuerMetadata {
-		claimsTemplates := make(map[string]interface{})
-		err := mapstructure.Decode(ciIssuerMetadata.ExtensionTemplates, &claimsTemplates)
-		if err != nil {
-			return err
-		}
-		for _, temp := range claimsTemplates {
-			err := checkParse(temp)
+		v := reflect.Indirect(reflect.ValueOf(&ciIssuerMetadata.ExtensionTemplates))
+		for i := 0; i < v.NumField(); i++ {
+			s := v.Field(i).String()
+			err := checkParse(s)
 			if err != nil {
 				return err
 			}
 		}
-		err = checkParse(ciIssuerMetadata.SubjectAlternativeNameTemplate)
+
+		err := checkParse(ciIssuerMetadata.SubjectAlternativeNameTemplate)
 		if err != nil {
 			return err
 		}
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
index f45068e42..00a963bb9 100644
--- a/pkg/identity/ciprovider/principal.go
+++ b/pkg/identity/ciprovider/principal.go
@@ -21,11 +21,10 @@ import (
 	"fmt"
 	"html/template"
 	"net/url"
+	"reflect"
 	"strings"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/mitchellh/mapstructure"
-	"github.com/sigstore/fulcio/pkg/certificate"
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/identity"
 )
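Review bot: The new loop at `s := v.Field(i).String()` assumes every field of ExtensionTemplates has string kind; reflect.Value.String() on any other kind returns a placeholder such as "<int Value>" instead of failing, so a field of another type added later would be "validated" against a bogus template and pass config validation, while the matching loop in principal.go's Embed would then panic on SetString at request time. Consider rejecting the field before parsing, e.g. `if f := v.Field(i); f.Kind() != reflect.String { return fmt.Errorf("extension template %s must be a string", v.Type().Field(i).Name) }` (assuming fmt is in scope in config.go, which the hunk does not show). The diff also adds no `"reflect"` import to config.go, which is fine only if it is already imported above the visible import hunk. validateCIIssuerMetadata starts and ends outside the hunk.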
@@ -127,33 +126,24 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
 	}
 	uris := []*url.URL{sanURL}
 	cert.URIs = uris
-	mapExtensionsForTemplate := make(map[string]interface{})
-	err = mapstructure.Decode(claimsTemplates, &mapExtensionsForTemplate)
-	if err != nil {
-		return err
-	}
-
-	for k, v := range mapValuesToString(mapExtensionsForTemplate) {
-		// It avoids to try applying template or replace for a empty string.
-		if v != "" {
-			mapExtensionsForTemplate[k], err = applyTemplateOrReplace(v, claims, defaults)
-			if err != nil {
-				return err
-			}
+	v := reflect.Indirect(reflect.ValueOf(&claimsTemplates))
+	for i := 0; i < v.NumField(); i++ {
+		s := v.Field(i).String() // value of each field, e.g the template string
+		if s == "" {
+			continue
 		}
+		extValue, err := applyTemplateOrReplace(s, claims, defaults)
+		if err != nil {
+			return err
+		}
+		v.Field(i).SetString(extValue)
 	}
-	ext := &certificate.Extensions{
-		Issuer: principal.Token.Issuer,
-	}
-	err = mapstructure.Decode(mapExtensionsForTemplate, &ext)
-	if err != nil {
-		return err
-	}
+
 	// Guarantees to set the extension issuer as the token issuer
 	// regardless of whether this field has been set before
-	ext.Issuer = principal.Token.Issuer
+	claimsTemplates.Issuer = principal.Token.Issuer
 	// Embed additional information into custom extensions
-	cert.ExtraExtensions, err = ext.Render()
+	cert.ExtraExtensions, err = claimsTemplates.Render()
 	if err != nil {
 		return err
 	}
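Review bot: `v.Field(i).SetString(extValue)` writes the rendered claim value back into claimsTemplates, so the loop now mutates the struct it reads the templates from; the `&claimsTemplates` suggests a local value, but its origin is outside the hunk, and if it aliases the shared issuer config rather than a copy, concurrent Embed calls would race and one token's claim values could end up in another certificate's extensions, so the copy is worth confirming. SetString also panics on a non-string or unexported field and reflect.Value.String() silently returns a placeholder for non-string kinds, so an explicit kind/CanSet guard that returns an error is safer than relying on the current shape of the extensions struct in a request path. The loop below adds that guard; the comment on the `s :=` line should also read `e.g.`. Embed starts and ends outside the hunk.
```go
	for i := 0; i < v.NumField(); i++ {
		f := v.Field(i)
		if f.Kind() != reflect.String || !f.CanSet() {
			return fmt.Errorf("extension template field %s is not a settable string", v.Type().Field(i).Name)
		}
		s := f.String() // value of each field, e.g. the template string
		if s == "" {
			continue
		}
		extValue, err := applyTemplateOrReplace(s, claims, defaults)
		if err != nil {
			return err
		}
		f.SetString(extValue)
	}
	// … unchanged: issuer override and Render call …
```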