fix: Use gitlab's CI_SERVER_URL to build jwks url

Previously the gitlab attestor had the JWKS url hard-coded to the public instance's jwks url. This uses the provided CI_SERVER_URL to build up the jwks url instead. Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
in-toto · Jun 1, 2022 · a2ea846 · a2ea846
1 parent c59280e
commit a2ea846
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/attestation/gitlab/gitlab.go b/attestation/gitlab/gitlab.go
@@ -27,8 +27,6 @@ const (
 	Name    = "gitlab"
 	Type    = "https://witness.dev/attestations/gitlab/v0.1"
 	RunType = attestation.PreRunType
-
-	jwksUrl = "https://gitlab.com/-/jwks"
 )
 
 func init() {
@@ -57,6 +55,7 @@ type Attestor struct {
 	ProjectUrl   string        `json:"projecturl"`
 	RunnerID     string        `json:"runnerid"`
 	CIHost       string        `json:"cihost"`
+	CIServerUrl  string        `json:"ciserverurl"`
 
 	subjects map[string]cryptoutil.DigestSet
 }
@@ -84,6 +83,8 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		return ErrNotGitlab{}
 	}
 
+	a.CIServerUrl = os.Getenv("CI_SERVER_URL")
+	jwksUrl := fmt.Sprintf("%s/-/jwks", a.CIServerUrl)
 	jwtString := os.Getenv("CI_JOB_JWT")
 	if jwtString != "" {
 		a.JWT = jwt.New(jwt.WithToken(jwtString), jwt.WithJWKSUrl(jwksUrl))