Merge pull request #32 from gdbranco/feat/ocm-5798

OCM-5798 | add thumbprint fetcher
openshift-online · Jan 29, 2024 · ff8c6c1 · ff8c6c1
2 parents c9bd03c + 43bfb0d
commit ff8c6c1
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/pkg/rosa/oidcconfigs/oidcconfigs.go b/pkg/rosa/oidcconfigs/oidcconfigs.go
@@ -4,11 +4,15 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha1"
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"net/http"
+	"net/url"
 	"regexp"
 	"strings"
 
@@ -215,3 +219,29 @@ func keyIDFromPublicKey(publicKey interface{}) (string, error) {
 
 	return keyID, nil
 }
+
+func FetchThumbprint(oidcEndpointURL string) (string, error) {
+	connect, err := url.ParseRequestURI(oidcEndpointURL)
+	if err != nil {
+		return "", err
+	}
+	response, err := http.Get(fmt.Sprintf("https://%s:443", connect.Host))
+	if err != nil {
+		return "", err
+	}
+	certChain := response.TLS.PeerCertificates
+	// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+	// If you see more than one certificate, find the last certificate displayed (at the end of the command output).
+	// This contains the certificate of the top intermediate CA in the certificate authority chain.
+	cert := certChain[len(certChain)-1]
+	return sha1Hash(cert.Raw), nil
+}
+
+// sha1Hash computes the SHA1 of the byte array and returns the hex encoding as a string.
+func sha1Hash(data []byte) string {
+	// nolint:gosec
+	hasher := sha1.New()
+	hasher.Write(data)
+	hashed := hasher.Sum(nil)
+	return hex.EncodeToString(hashed)
+}