abcxyz · raserva · Jun 27, 2022 · Jun 27, 2022 · Jun 27, 2022 · Jun 28, 2022
@@ -16,8 +16,8 @@ concurrency:
 jobs:
   integration:
     env:
-      # project: jvs-ci
-      PROJECT_NUMBER: '1039479707997'
+      # project: jvs-ci-test
+      PROJECT_NUMBER: '1096923323432'
 
     permissions:
       contents: 'read'
@@ -49,19 +49,11 @@ jobs:
         uses: 'google-github-actions/auth@ceee102ec2387dd9e844e01b530ccd4ec87ce955' # ratchet:google-github-actions/auth@v0
         with:
           workload_identity_provider: 'projects/${{ env.PROJECT_NUMBER }}/locations/global/workloadIdentityPools/github-pool/providers/github-provider'
-          service_account: 'gh-access-sa@jvs-ci.iam.gserviceaccount.com'
-          token_format: 'access_token' # Needed for Terraform workaround
-
-      # TODO: Workload Identity doesn't work with GCS Provider.
-      # https://github.com/google-github-actions/auth/issues/89
-      - name: 'Workaround Terraform issue'
-        shell: 'bash'
-        run: |-
-          echo "GOOGLE_OAUTH_ACCESS_TOKEN=${{ steps.auth.outputs.access_token }}" >> $GITHUB_ENV
+          service_account: 'gh-access-sa@jvs-ci-test.iam.gserviceaccount.com'
 
       - name: 'Install and configure gcloud'
         uses: 'google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb' # ratchet:google-github-actions/setup-gcloud@v0
 
       - name: 'Run integration tests'
         run: |-
-          ./scripts/integration_build.sh
+          ./scripts/integration_build.sh -p "jvs-ci-test" -k "ci-keyring"
@@ -15,22 +15,30 @@
 
 ROOT="$(cd "$(dirname "$0")/.." &>/dev/null; pwd -P)"
 
-JVS_SERVICE_ACCOUNT="jvs-service-sa@jvs-ci.iam.gserviceaccount.com"
-ROTATOR_SERVICE_ACCOUNT="rotator-sa@jvs-ci.iam.gserviceaccount.com"
-PUB_KEY_SERVICE_ACCOUNT="pubkey-sa@jvs-ci.iam.gserviceaccount.com"
-PROJECT_ID="jvs-ci"
+# TODO: change it to jvs-test later
+while getopts ":p:k:" opt; do
+  case $opt in
+    p) project_id="$OPTARG"
+    ;;
+    k) keyring_id="$OPTARG"
+    ;;
+    \?) echo "Invalid option -$OPTARG" >&2
+    exit 1
+    ;;
+  esac
 
-CI_DIR=${ROOT}/terraform/modules/ci-run
+  case $OPTARG in
+    -*) echo "Option $opt needs a valid argument"
+    exit 1
+    ;;
+  esac
+done
 
-cd $CI_DIR
-terraform init
-terraform apply -auto-approve \
-  -var="project_id=${PROJECT_ID}" \
-  -var="jvs_service_account=${JVS_SERVICE_ACCOUNT}" \
-  -var="rotator_service_account=${ROTATOR_SERVICE_ACCOUNT}" \
-  -var="public_key_service_account=${PUB_KEY_SERVICE_ACCOUNT}"
-
-export TEST_JVS_KMS_KEY_RING=$(terraform output key_ring)
+[  -z "$project_id" ] &&  { echo "Error: project_id is empty"; exit 1; }
+[  -z "$keyring_id" ] &&  { echo "Error: keyring_id is empty"; exit 1; }
+printf "Argument project_id is %s\n" "$project_id"
+printf "Argument keyring_id is %s\n" "$keyring_id"
+export TEST_JVS_KMS_KEY_RING="projects/${project_id}/locations/global/keyRings/${keyring_id}"
 export TEST_JVS_INTEGRATION=true
 
 cd ${ROOT}

@@ -17,6 +17,9 @@ package integ
 
 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
@@ -43,6 +46,7 @@ import (
 	"github.com/sethvargo/go-retry"
 	"google.golang.org/api/iterator"
 	kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/fieldmaskpb"
 )
@@ -88,6 +92,26 @@ func TestJVS(t *testing.T) {
 		t.Fatalf("failed to setup grpc auth handler: %v", err)
 	}
 
+	authKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	ecdsaKey, err := jwk.FromRaw(authKey.PublicKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	key := "projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[CRYPTO_KEY]"
+	keyID := key + "/cryptoKeyVersions/[VERSION]-0"
+	if err := ecdsaKey.Set(jwk.KeyIDKey, keyID); err != nil {
+		t.Fatal(err)
+	}
+
+	tok := testutil.CreateJWT(t, "test_id", "user@example.com")
+	validJWT := testutil.SignToken(t, tok, authKey, keyID)
+	ctx = metadata.NewIncomingContext(ctx, metadata.New(map[string]string{
+		"authorization": "Bearer " + validJWT,
+	}))
+
 	p := justification.NewProcessor(kmsClient, cfg, authHandler)
 	jvsAgent := justification.NewJVSAgent(p)
 
@@ -116,7 +140,7 @@ func TestJVS(t *testing.T) {
 				"justs": []any{
 					map[string]any{"category": "explanation", "value": "This is a test."},
 				},
-				"sub": "TODO #22",
+				"sub": "user@example.com",
 			},
 		},
 		{