feat: add Connect/Workbench PPM authenticated repos via Identity Federation

api/core/v1beta1/connect_types.go

@@ -147,6 +147,22 @@ type ConnectSpec struct {
 	// ChronicleSidecarProductApiKeyEnabled assumes the api key for this product has been added to a secret and
 	// injects the secret as an environment variable to the sidecar. **EXPERIMENTAL**
 	ChronicleSidecarProductApiKeyEnabled bool `json:"chronicleSidecarProductApiKeyEnabled,omitempty"`
+
+	// AuthenticatedRepos enables PPM authenticated repository access for Connect
+	// +optional
+	AuthenticatedRepos bool `json:"authenticatedRepos,omitempty"`
+
+	// PPMAuthImage specifies the container image for PPM auth init/sidecar containers
+	// +optional
+	PPMAuthImage string `json:"ppmAuthImage,omitempty"`
+
+	// PPMUrl specifies the PPM URL for authenticated repository access
+	// +optional
+	PPMUrl string `json:"ppmUrl,omitempty"`
+
+	// PPMAuthAudience is the audience claim for the projected SA token used in PPM Identity Federation
+	// +optional
+	PPMAuthAudience string `json:"ppmAuthAudience,omitempty"`
 }
 
 // TODO: Validation should require Volume definition for off-host-execution...

api/core/v1beta1/package_manager_config.go

@@ -20,8 +20,12 @@ type PackageManagerConfig struct {
 	Debug          *PackageManagerDebugConfig          `json:"Debug,omitempty"`
 	Authentication *PackageManagerAuthenticationConfig `json:"Authentication,omitempty"`
 	OpenIDConnect  *PackageManagerOIDCConfig           `json:"OpenIDConnect,omitempty"`
+	// IdentityFederation was added after v1.20.0 and has never been released with a camelCase
+	// JSON tag, so the PascalCase key here is safe (no existing CRs to migrate).
+	IdentityFederation []PackageManagerIdentityFederationConfig `json:"IdentityFederation,omitempty"`
 
 	// AdditionalConfig allows appending arbitrary gcfg config content not covered by typed fields.
+	// Note: the JSON key is "additionalConfig" (camelCase) for backward compatibility with v1.20.0.
 	// The value is appended verbatim after the generated config. gcfg parsing naturally handles
 	// conflicts: list values are combined, scalar values use the last occurrence.
 	// +optional
@@ -55,6 +59,11 @@ func (configStruct *PackageManagerConfig) GenerateGcfg() (string, error) {
 			continue
 		}
 
+		// Skip IdentityFederation - handled specially after the main loop
+		if fieldName == "IdentityFederation" {
+			continue
+		}
+
 		if fieldValue.IsNil() {
 			continue
 		}
@@ -109,6 +118,79 @@ func (configStruct *PackageManagerConfig) GenerateGcfg() (string, error) {
 		}
 	}
 
+	// Render named IdentityFederation sections (these use the gcfg named subsection syntax)
+	for _, idf := range configStruct.IdentityFederation {
+		if strings.ContainsAny(idf.Name, "\"]\n\r") {
+			return "", fmt.Errorf("invalid IdentityFederation name %q: must not contain '\"', ']', or newlines", idf.Name)
+		}
+		// Validate all string field values reject newlines to prevent gcfg injection
+		for _, kv := range []struct{ key, val string }{
+			{"Issuer", idf.Issuer},
+			{"Audience", idf.Audience},
+			{"Subject", idf.Subject},
+			{"AuthorizedParty", idf.AuthorizedParty},
+			{"Scope", idf.Scope},
+			{"CustomScope", idf.CustomScope},
+			{"GroupsClaim", idf.GroupsClaim},
+			{"GroupsSeparator", idf.GroupsSeparator},
+			{"RoleClaim", idf.RoleClaim},
+			{"RolesSeparator", idf.RolesSeparator},
+			{"UniqueIdClaim", idf.UniqueIdClaim},
+			{"UsernameClaim", idf.UsernameClaim},
+			{"TokenLifetime", idf.TokenLifetime},
+		} {
+			if strings.ContainsAny(kv.val, "\n\r") {
+				return "", fmt.Errorf("invalid IdentityFederation %q field %s: must not contain newlines", idf.Name, kv.key)
+			}
+		}
+		builder.WriteString(fmt.Sprintf("\n[IdentityFederation \"%s\"]\n", idf.Name))
+		if idf.Issuer != "" {
+			builder.WriteString("Issuer = " + idf.Issuer + "\n")
+		}
+		if idf.Logging {
+			builder.WriteString("Logging = true\n")
+		}
+		if idf.Audience != "" {
+			builder.WriteString("Audience = " + idf.Audience + "\n")
+		}
+		if idf.Subject != "" {
+			builder.WriteString("Subject = " + idf.Subject + "\n")
+		}
+		if idf.AuthorizedParty != "" {
+			builder.WriteString("AuthorizedParty = " + idf.AuthorizedParty + "\n")
+		}
+		if idf.Scope != "" {
+			builder.WriteString("Scope = " + idf.Scope + "\n")
+		}
+		if idf.CustomScope != "" {
+			builder.WriteString("CustomScope = " + idf.CustomScope + "\n")
+		}
+		if idf.NoAutoGroupsScope {
+			builder.WriteString("NoAutoGroupsScope = true\n")
+		}
+		if idf.GroupsClaim != "" {
+			builder.WriteString("GroupsClaim = " + idf.GroupsClaim + "\n")
+		}
+		if idf.GroupsSeparator != "" {
+			builder.WriteString("GroupsSeparator = " + idf.GroupsSeparator + "\n")
+		}
+		if idf.RoleClaim != "" {
+			builder.WriteString("RoleClaim = " + idf.RoleClaim + "\n")
+		}
+		if idf.RolesSeparator != "" {
+			builder.WriteString("RolesSeparator = " + idf.RolesSeparator + "\n")
+		}
+		if idf.UniqueIdClaim != "" {
+			builder.WriteString("UniqueIdClaim = " + idf.UniqueIdClaim + "\n")
+		}
+		if idf.UsernameClaim != "" {
+			builder.WriteString("UsernameClaim = " + idf.UsernameClaim + "\n")
+		}
+		if idf.TokenLifetime != "" {
+			builder.WriteString("TokenLifetime = " + idf.TokenLifetime + "\n")
+		}
+	}
+
 	if configStruct.AdditionalConfig != "" {
 		builder.WriteString(configStruct.AdditionalConfig)
 	}
@@ -209,6 +291,25 @@ type PackageManagerOIDCConfig struct {
 	EnableDevicePKCE     bool   `json:"EnableDevicePKCE,omitempty"`
 }
 
+type PackageManagerIdentityFederationConfig struct {
+	Name              string `json:"Name"`
+	Issuer            string `json:"Issuer,omitempty"`
+	Logging           bool   `json:"Logging,omitempty"`
+	Audience          string `json:"Audience,omitempty"`
+	Subject           string `json:"Subject,omitempty"`
+	AuthorizedParty   string `json:"AuthorizedParty,omitempty"`
+	Scope             string `json:"Scope,omitempty"`
+	CustomScope       string `json:"CustomScope,omitempty"`
+	NoAutoGroupsScope bool   `json:"NoAutoGroupsScope,omitempty"`
+	GroupsClaim       string `json:"GroupsClaim,omitempty"`
+	GroupsSeparator   string `json:"GroupsSeparator,omitempty"`
+	RoleClaim         string `json:"RoleClaim,omitempty"`
+	RolesSeparator    string `json:"RolesSeparator,omitempty"`
+	UniqueIdClaim     string `json:"UniqueIdClaim,omitempty"`
+	UsernameClaim     string `json:"UsernameClaim,omitempty"`
+	TokenLifetime     string `json:"TokenLifetime,omitempty"`
+}
+
 // SSHKeyConfig defines SSH key configuration for Git authentication
 type SSHKeyConfig struct {
 	// Name is a unique identifier for this SSH key configuration

api/core/v1beta1/package_manager_config_test.go

@@ -1,6 +1,7 @@
 package v1beta1
 
 import (
+	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -81,6 +82,65 @@ func TestPackageManagerConfig_OpenIDConnect(t *testing.T) {
 	require.Contains(t, str, "RequireLogin = true")
 }
 
+func TestPackageManagerConfig_IdentityFederation(t *testing.T) {
+	cfg := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:     "connect",
+				Issuer:   "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",
+				Audience: "sts.amazonaws.com",
+				Subject:  "system:serviceaccount:posit-team:mysite-connect",
+				Scope:    "repos:read:*",
+			},
+			{
+				Name:     "workbench",
+				Issuer:   "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",
+				Audience: "sts.amazonaws.com",
+				Subject:  "system:serviceaccount:posit-team:mysite-workbench",
+				Scope:    "repos:read:*",
+			},
+		},
+	}
+	str, err := cfg.GenerateGcfg()
+	require.Nil(t, err)
+	require.Contains(t, str, `[IdentityFederation "connect"]`)
+	require.Contains(t, str, `[IdentityFederation "workbench"]`)
+	require.Contains(t, str, "Issuer = https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE")
+	require.Contains(t, str, "Audience = sts.amazonaws.com")
+	require.Contains(t, str, "Subject = system:serviceaccount:posit-team:mysite-connect")
+	require.Contains(t, str, "Scope = repos:read:*")
+}
+
+func TestPackageManagerConfig_OpenIDConnectAndIdentityFederation(t *testing.T) {
+	cfg := PackageManagerConfig{
+		Server: &PackageManagerServerConfig{
+			Address: "https://packagemanager.example.com",
+		},
+		OpenIDConnect: &PackageManagerOIDCConfig{
+			ClientId:     "ppm-client",
+			ClientSecret: "/etc/rstudio-pm/oidc-client-secret",
+			Issuer:       "https://login.example.com",
+			RequireLogin: true,
+		},
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:          "connect",
+				Issuer:        "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE",
+				Audience:      "sts.amazonaws.com",
+				Subject:       "system:serviceaccount:posit-team:.*-connect",
+				Scope:         "repos:read:*",
+				TokenLifetime: "1h",
+			},
+		},
+	}
+	str, err := cfg.GenerateGcfg()
+	require.Nil(t, err)
+	require.Contains(t, str, "[Server]")
+	require.Contains(t, str, "[OpenIDConnect]")
+	require.Contains(t, str, `[IdentityFederation "connect"]`)
+	require.Contains(t, str, "TokenLifetime = 1h")
+}
+
 func TestPackageManagerConfig_Authentication(t *testing.T) {
 	cfg := PackageManagerConfig{
 		Authentication: &PackageManagerAuthenticationConfig{
@@ -140,3 +200,125 @@ func TestPackageManagerConfig_OIDCNewFields(t *testing.T) {
 	require.Contains(t, str, "NoAutoGroupsScope = true")
 	require.Contains(t, str, "EnableDevicePKCE = true")
 }
+
+func TestPackageManagerConfig_IdentityFederationJSONRoundTrip(t *testing.T) {
+	original := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:     "connect",
+				Issuer:   "https://issuer.example.com",
+				Audience: "my-audience",
+				Subject:  "system:serviceaccount:posit-team:mysite-connect",
+				Scope:    "repos:read:*",
+			},
+		},
+	}
+
+	data, err := json.Marshal(original)
+	require.NoError(t, err)
+
+	var roundTripped PackageManagerConfig
+	err = json.Unmarshal(data, &roundTripped)
+	require.NoError(t, err)
+
+	require.Len(t, roundTripped.IdentityFederation, 1)
+	require.Equal(t, "connect", roundTripped.IdentityFederation[0].Name)
+	require.Equal(t, "https://issuer.example.com", roundTripped.IdentityFederation[0].Issuer)
+	require.Equal(t, "my-audience", roundTripped.IdentityFederation[0].Audience)
+	require.Equal(t, "system:serviceaccount:posit-team:mysite-connect", roundTripped.IdentityFederation[0].Subject)
+	require.Equal(t, "repos:read:*", roundTripped.IdentityFederation[0].Scope)
+}
+
+func TestPackageManagerConfig_IdentityFederationNewFields(t *testing.T) {
+	cfg := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:              "my-idp",
+				Issuer:            "https://issuer.example.com",
+				Logging:           true,
+				Audience:          "my-audience",
+				CustomScope:       "read write",
+				NoAutoGroupsScope: true,
+				GroupsClaim:       "groups",
+				GroupsSeparator:   ",",
+				RoleClaim:         "roles",
+				RolesSeparator:    ";",
+				UniqueIdClaim:     "sub",
+				UsernameClaim:     "preferred_username",
+				TokenLifetime:     "2h",
+			},
+		},
+	}
+	str, err := cfg.GenerateGcfg()
+	require.Nil(t, err)
+	require.Contains(t, str, `[IdentityFederation "my-idp"]`)
+	require.Contains(t, str, "Issuer = https://issuer.example.com")
+	require.Contains(t, str, "Logging = true")
+	require.Contains(t, str, "Audience = my-audience")
+	require.Contains(t, str, "CustomScope = read write")
+	require.Contains(t, str, "NoAutoGroupsScope = true")
+	require.Contains(t, str, "GroupsClaim = groups")
+	require.Contains(t, str, "GroupsSeparator = ,")
+	require.Contains(t, str, "RoleClaim = roles")
+	require.Contains(t, str, "RolesSeparator = ;")
+	require.Contains(t, str, "UniqueIdClaim = sub")
+	require.Contains(t, str, "UsernameClaim = preferred_username")
+	require.Contains(t, str, "TokenLifetime = 2h")
+}
+
+func TestPackageManagerConfig_IdentityFederationRejectsQuoteInName(t *testing.T) {
+	cfg := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:   `bad"name`,
+				Issuer: "https://issuer.example.com",
+			},
+		},
+	}
+	_, err := cfg.GenerateGcfg()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must not contain")
+}
+
+func TestPackageManagerConfig_IdentityFederationRejectsBracketInName(t *testing.T) {
+	cfg := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:   `name"]`,
+				Issuer: "https://issuer.example.com",
+			},
+		},
+	}
+	_, err := cfg.GenerateGcfg()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must not contain")
+}
+
+func TestPackageManagerConfig_IdentityFederationRejectsCarriageReturn(t *testing.T) {
+	cfg := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:   "bad\rname",
+				Issuer: "https://issuer.example.com",
+			},
+		},
+	}
+	_, err := cfg.GenerateGcfg()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must not contain")
+}
+
+func TestPackageManagerConfig_IdentityFederationRejectsNewlineInValues(t *testing.T) {
+	cfg := PackageManagerConfig{
+		IdentityFederation: []PackageManagerIdentityFederationConfig{
+			{
+				Name:   "valid-name",
+				Issuer: "https://evil.com\nBadKey = badvalue",
+			},
+		},
+	}
+	_, err := cfg.GenerateGcfg()
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "must not contain newlines")
+	require.Contains(t, err.Error(), "Issuer")
+}