address suggestions

Signed-off-by: Javan lacerda <javanlacerda@google.com>
sigstore · Jul 12, 2024 · 0c20cf0 · 0c20cf0
1 parent e75c86a
commit 0c20cf0
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 20 deletions.
diff --git a/docs/oidc.md b/docs/oidc.md
@@ -10,9 +10,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the
 
 To add a new OIDC issuer:
 
-* Add a file under the [`federation` folder](https://github.com/sigstore/fulcio/tree/main/federation) with the URL, new issuer type name, and contact ([example](https://github.com/sigstore/fulcio/blob/8975dfd/federation/agent.buildkite.com/config.yaml))
-* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml) by running `go run federation/main.go`
-* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
+* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
 * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
 * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
 * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)

diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go
@@ -28,10 +28,51 @@ import (
 	"github.com/sigstore/fulcio/pkg/certificate"
 )
 
-func TestLoad(t *testing.T) {
+func TestLoadYamlConfig(t *testing.T) {
 	td := t.TempDir()
 	cfgPath := filepath.Join(td, "config.yaml")
-	if err := os.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil {
+	if err := os.WriteFile(cfgPath, []byte(validYamlCfg), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	cfg, err := Load(cfgPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	got, ok := cfg.GetIssuer("https://accounts.google.com")
+	if !ok {
+		t.Error("expected true, got false")
+	}
+	if got.ClientID != "foo" {
+		t.Errorf("expected foo, got %s", got.ClientID)
+	}
+	if got.IssuerURL != "https://accounts.google.com" {
+		t.Errorf("expected https://accounts.google.com, got %s", got.IssuerURL)
+	}
+	if got := len(cfg.OIDCIssuers); got != 1 {
+		t.Errorf("expected 1 issuer, got %d", got)
+	}
+
+	got, ok = cfg.GetIssuer("https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER")
+	if !ok {
+		t.Error("expected true, got false")
+	}
+	if got.ClientID != "bar" {
+		t.Errorf("expected bar, got %s", got.ClientID)
+	}
+	if got.IssuerURL != "https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER" {
+		t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
+	}
+
+	if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
+		t.Error("no error returned from an unconfigured issuer")
+	}
+}
+
+func TestLoadJsonConfig(t *testing.T) {
+	td := t.TempDir()
+	cfgPath := filepath.Join(td, "config.json")
+	if err := os.WriteFile(cfgPath, []byte(validJSONCfg), 0644); err != nil {
 		t.Fatal(err)
 	}
 

diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -27,7 +27,7 @@ import (
 	"github.com/sigstore/fulcio/pkg/generated/protobuf"
 )
 
-var validCfg = `
+var validYamlCfg = `
 oidc-issuers:
   https://accounts.google.com:
     issuer-url: https://accounts.google.com
@@ -40,6 +40,25 @@ meta-issuers:
     type: kubernetes
 `
 
+var validJSONCfg = `
+{
+	"OIDCIssuers": {
+		"https://accounts.google.com": {
+			"IssuerURL": "https://accounts.google.com",
+			"ClientID": "foo",
+			"Type": "email",
+			"ChallengeClaim": "email"
+		}
+	},
+	"MetaIssuers": {
+		"https://oidc.eks.*.amazonaws.com/id/*": {
+			"ClientID": "bar",
+			"Type": "kubernetes"
+		}
+	}
+}
+`
+
 func TestMetaURLs(t *testing.T) {
 	tests := []struct {
 		name    string

diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
@@ -22,15 +22,12 @@ import (
 	"path/filepath"
 	"runtime"
 	"testing"
-
-	"gopkg.in/yaml.v3"
 )
 
-type FulcioConfigMap struct {
-	Data map[string]string `yaml:"data,omitempty"`
-}
-
-// It tests that the config/fulcio-config.yaml is properly parsable
+// The config/identity/config.yaml is a config file that is reflected directly
+// to the public good instance.
+// This test checks that the config.yaml is valid and can be properly used
+// on the public good instance.
 func TestLoadFulcioConfig(t *testing.T) {
 	_, path, _, _ := runtime.Caller(0)
 	basepath := filepath.Dir(path)
@@ -39,12 +36,7 @@ func TestLoadFulcioConfig(t *testing.T) {
 		t.Errorf("read file: %v", err)
 	}
 
-	cfg := FulcioConfigMap{}
-	if err := yaml.Unmarshal(b, &cfg); err != nil {
-		t.Errorf("Unmarshal: %v", err)
-	}
-
-	fulcioConfig, err := Read([]byte(cfg.Data["config.yaml"]))
+	fulcioConfig, err := Read(b)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -63,6 +55,11 @@ func TestLoadFulcioConfig(t *testing.T) {
 		if string(got.Type) == "" {
 			t.Errorf("Issuer Type should not be empty")
 		}
+		if got.Type == IssuerTypeCIProvider {
+			if got.CIProvider == "" {
+				t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider")
+			}
+		}
 		if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
 			t.Error("no error returned from an unconfigured issuer")
 		}

diff --git a/tools/loadtest/README.md b/tools/loadtest/README.md
@@ -24,7 +24,7 @@ Confirm a successful install with `locust -V`, which should print the version. Y
 
 ### Fetching identity token
 
-To fetch a certificate, you will need an OIDC token from one of the [OIDC issuers](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml). One way is to fetch a token from Google. Note that you will need to install [`gcloud`](https://cloud.google.com/sdk/gcloud) and create a service account. A service account is necessary for the `--include-email` flag, which is needed to get an OIDC token with the correct format for Fulcio.
+To fetch a certificate, you will need an OIDC token from one of the [OIDC issuers](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). One way is to fetch a token from Google. Note that you will need to install [`gcloud`](https://cloud.google.com/sdk/gcloud) and create a service account. A service account is necessary for the `--include-email` flag, which is needed to get an OIDC token with the correct format for Fulcio.
 
 Run the following command, and record the output: