fix codeql security error

iam404 · iam404 · commit 588bfc1eab9b · 2026-05-29T00:10:19.000+05:30
diff --git a/examples/oidc_aws_e2e.py b/examples/oidc_aws_e2e.py
@@ -65,12 +65,9 @@
 
 from __future__ import annotations
 
-import hashlib
 import io
 import json
 import os
-import socket
-import ssl
 import sys
 import tarfile
 import time
@@ -105,6 +102,12 @@
 OIDC_PROVIDER_URL = "app.terraform.io"
 OIDC_AUDIENCE = "aws.workload.identity"
 
+# Placeholder thumbprint for IAM's CreateOpenIDConnectProvider. AWS no
+# longer validates this field for providers backed by Amazon Trust Services
+# CAs (app.terraform.io is one) — any 40-char hex string is accepted.
+# See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+OIDC_PROVIDER_THUMBPRINT_PLACEHOLDER = "0" * 40
+
 # Tag applied to the test instance so we can find/verify it later.
 INSTANCE_NAME_TAG = WORKSPACE_NAME
 
@@ -176,20 +179,6 @@ def banner(s: str) -> None:
     print("=" * 72)
 
 
-def get_app_terraform_thumbprint() -> str:
-    """Fetch the leaf cert SHA1 thumbprint for app.terraform.io.
-
-    AWS no longer strictly enforces this thumbprint for IdPs backed by
-    Amazon Trust Services CAs (since July 2023), but the API still
-    requires the field. We pass the real leaf thumbprint for correctness.
-    """
-    ctx = ssl.create_default_context()
-    with socket.create_connection((OIDC_PROVIDER_URL, 443), timeout=10) as sock:
-        with ctx.wrap_socket(sock, server_hostname=OIDC_PROVIDER_URL) as ssock:
-            cert = ssock.getpeercert(binary_form=True)
-    return hashlib.sha1(cert).hexdigest()  # noqa: S324 (intentional: AWS API expects SHA1)
-
-
 def ensure_oidc_provider(iam) -> str:
     """Create or reuse the app.terraform.io OIDC provider. Returns ARN."""
     expected_url = f"https://{OIDC_PROVIDER_URL}"
@@ -199,11 +188,10 @@ def ensure_oidc_provider(iam) -> str:
             print(f"  reusing OIDC provider: {p['Arn']}")
             return p["Arn"]
 
-    thumbprint = get_app_terraform_thumbprint()
     resp = iam.create_open_id_connect_provider(
         Url=expected_url,
         ClientIDList=[OIDC_AUDIENCE],
-        ThumbprintList=[thumbprint],
+        ThumbprintList=[OIDC_PROVIDER_THUMBPRINT_PLACEHOLDER],
     )
     arn = resp["OpenIDConnectProviderArn"]
     print(f"  created OIDC provider: {arn}")
diff --git a/examples/oidc_setup.py b/examples/oidc_setup.py
@@ -59,11 +59,8 @@
 from __future__ import annotations
 
 import argparse
-import hashlib
 import json
 import os
-import socket
-import ssl
 import sys
 from dataclasses import dataclass, field
 from pathlib import Path
@@ -84,6 +81,21 @@
 OIDC_AUDIENCE = "aws.workload.identity"
 STATIC_AWS_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")
 
+# Placeholder thumbprint sent to AWS when creating the OIDC provider. AWS's
+# `CreateOpenIDConnectProvider` accepts a `ThumbprintList` parameter that
+# was historically expected to be the SHA1 hash of the provider's TLS
+# certificate. Since July 2023 AWS no longer validates this value for
+# providers backed by Amazon Trust Services CAs (which app.terraform.io
+# is) — the cert chain is validated at runtime against the ATS root CAs.
+# Any 40-char hex string is accepted in the field.
+# See: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html
+#
+# Sending a placeholder removes the need for this script to make a TLS
+# connection to app.terraform.io and SHA1-hash the leaf cert — both of
+# which trip CodeQL's py/insecure-protocol and py/weak-sensitive-data-hashing
+# rules even though neither is a security concern in this context.
+OIDC_PROVIDER_THUMBPRINT_PLACEHOLDER = "0" * 40
+
 
 # ---------------------------------------------------------------------------
 # CLI
@@ -258,16 +270,6 @@ def parse_args(argv: list[str] | None = None) -> Args:
 # ---------------------------------------------------------------------------
 
 
-def _terraform_thumbprint() -> str:
-    ctx = ssl.create_default_context()
-    with socket.create_connection((OIDC_PROVIDER_URL, 443), timeout=10) as sock:
-        with ctx.wrap_socket(sock, server_hostname=OIDC_PROVIDER_URL) as ssock:
-            cert = ssock.getpeercert(binary_form=True)
-    # AWS API expects SHA1; this is not used as a security primitive (since
-    # July 2023 AWS validates the certificate chain, not the thumbprint).
-    return hashlib.sha1(cert).hexdigest()  # noqa: S324
-
-
 def ensure_identity_provider(iam) -> tuple[str, bool]:
     """Return (OIDC provider ARN, was_created). Idempotent: reuses any
     existing provider for the same URL rather than recreating it.
@@ -285,7 +287,7 @@ def ensure_identity_provider(iam) -> tuple[str, bool]:
     resp = iam.create_open_id_connect_provider(
         Url=expected_url,
         ClientIDList=[OIDC_AUDIENCE],
-        ThumbprintList=[_terraform_thumbprint()],
+        ThumbprintList=[OIDC_PROVIDER_THUMBPRINT_PLACEHOLDER],
     )
     return resp["OpenIDConnectProviderArn"], True
 
