diff --git a/docs/oidc.md b/docs/oidc.md
index d0907bfc9..a58bc4aad 100644
--- a/docs/oidc.md
+++ b/docs/oidc.md
@@ -10,9 +10,7 @@ Sigstore runs a federated OIDC identity provider, Dex. Users authenticate to the
 To add a new OIDC issuer:
-* Add a file under the [`federation` folder](https://github.com/sigstore/fulcio/tree/main/federation) with the URL, new issuer type name, and contact ([example](https://github.com/sigstore/fulcio/blob/8975dfd/federation/agent.buildkite.com/config.yaml))
-* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml) by running `go run federation/main.go`
-* Add the new issuer to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
+* Add the new issuer to the [configuration](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml) and to the [`identity` folder](https://github.com/sigstore/fulcio/tree/main/pkg/identity) ([example](https://github.com/sigstore/fulcio/tree/main/pkg/identity/buildkite)). You will define an `Issuer` type and a way to map the token to the certificate extensions.
 * Define a constant with the issuer type name in the [configuration](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L213-L221), add update the [tests](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config_test.go#L473-L503)
 * Map the issuer type to the token claim that will be signed over when requesting a token [here](https://github.com/sigstore/fulcio/blob/afeadb3b7d11f704489637cabc4e150dea3e00ed/pkg/config/config.go#L464-L486). You can likely just use `sub`.
 * Add a case statement to map the issuer constant to the issuer type you created [here](https://github.com/sigstore/fulcio/blob/4d9d96a/pkg/server/issuer_pool.go#L40-L62)
diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go
index 22c7406dc..00f139824 100644
--- a/pkg/config/config_network_test.go
+++ b/pkg/config/config_network_test.go
@@ -28,10 +28,51 @@ import (
 "github.com/sigstore/fulcio/pkg/certificate"
 )
-func TestLoad(t *testing.T) {
+func TestLoadYamlConfig(t *testing.T) {
 td := t.TempDir()
 cfgPath := filepath.Join(td, "config.yaml")
- if err := os.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil {
+ if err := os.WriteFile(cfgPath, []byte(validYamlCfg), 0644); err != nil {
+ t.Fatal(err)
+ }
+
+ cfg, err := Load(cfgPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ got, ok := cfg.GetIssuer("https://accounts.google.com")
+ if !ok {
+ t.Error("expected true, got false")
+ }
+ if got.ClientID != "foo" {
+ t.Errorf("expected foo, got %s", got.ClientID)
+ }
+ if got.IssuerURL != "https://accounts.google.com" {
+ t.Errorf("expected https://accounts.google.com, got %s", got.IssuerURL)
+ }
+ if got := len(cfg.OIDCIssuers); got != 1 {
+ t.Errorf("expected 1 issuer, got %d", got)
+ }
+
+ got, ok = cfg.GetIssuer("https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER")
+ if !ok {
+ t.Error("expected true, got false")
+ }
+ if got.ClientID != "bar" {
+ t.Errorf("expected bar, got %s", got.ClientID)
+ }
+ if got.IssuerURL != "https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER" {
+ t.Errorf("expected https://oidc.eks.fantasy-land.amazonaws.com/id/CLUSTERIDENTIFIER, got %s", got.IssuerURL)
+ }
+
+ if _, ok := cfg.GetIssuer("not_an_issuer"); ok {
+ t.Error("no error returned from an unconfigured issuer")
+ }
+}
+
+func TestLoadJsonConfig(t *testing.T) {
+ td := t.TempDir()
+ cfgPath := filepath.Join(td, "config.json")
+ if err := os.WriteFile(cfgPath, []byte(validJSONCfg), 0644); err != nil {
 t.Fatal(err)
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index fb57eb8f3..042fe9b8f 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
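Review bot: The assertions in TestLoadYamlConfig check only ClientID and IssuerURL; `Type` (and ChallengeClaim, which the JSON fixture sets) — the fields that decide which token claim gets bound into the certificate — are never asserted, so a loader that silently dropped them under a mismatched key name would still pass. After the IssuerURL check for the Google issuer add `if string(got.Type) != "email" { t.Errorf("expected email, got %s", got.Type) }`, and the equivalent `kubernetes` check for the EKS meta-issuer. The `got := len(cfg.OIDCIssuers)` initializer shadows the outer `got` that is reused a few lines later; a distinct name such as `n` avoids the double meaning. TestLoadJsonConfig's body continues outside the hunk, and since it appears to repeat the YAML test over a second fixture, a table-driven loop over {filename, fixture} would keep the two sets of assertions from drifting apart.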
@@ -27,7 +27,7 @@ import (
 "github.com/sigstore/fulcio/pkg/generated/protobuf"
 )
-var validCfg = `
+var validYamlCfg = `
 oidc-issuers:
 https://accounts.google.com:
 issuer-url: https://accounts.google.com
@@ -40,6 +40,25 @@ meta-issuers:
 type: kubernetes
 `
+var validJSONCfg = `
+{
+ "OIDCIssuers": {
+ "https://accounts.google.com": {
+ "IssuerURL": "https://accounts.google.com",
+ "ClientID": "foo",
+ "Type": "email",
+ "ChallengeClaim": "email"
+ }
+ },
+ "MetaIssuers": {
+ "https://oidc.eks.*.amazonaws.com/id/*": {
+ "ClientID": "bar",
+ "Type": "kubernetes"
+ }
+ }
+}
+`
+
 func TestMetaURLs(t *testing.T) {
 tests := []struct {
 name string
diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
index f829a65c9..c0c464523 100644
--- a/pkg/config/fulcio_config_test.go
+++ b/pkg/config/fulcio_config_test.go
@@ -22,15 +22,12 @@ import (
 "path/filepath"
 "runtime"
 "testing"
-
- "gopkg.in/yaml.v3"
 )
-type FulcioConfigMap struct {
- Data map[string]string `yaml:"data,omitempty"`
-}
-
-// It tests that the config/fulcio-config.yaml is properly parsable
+// The config/identity/config.yaml is a config file that is reflected directly
+// to the public good instance.
+// This test checks that the config.yaml is valid and can be properly used
+// on the public good instance.
 func TestLoadFulcioConfig(t *testing.T) {
 _, path, _, _ := runtime.Caller(0)
 basepath := filepath.Dir(path)
@@ -39,12 +36,7 @@ func TestLoadFulcioConfig(t *testing.T) {
 t.Errorf("read file: %v", err)
 }
- cfg := FulcioConfigMap{}
- if err := yaml.Unmarshal(b, &cfg); err != nil {
- t.Errorf("Unmarshal: %v", err)
- }
-
- fulcioConfig, err := Read([]byte(cfg.Data["config.yaml"]))
+ fulcioConfig, err := Read(b)
 if err != nil {
 t.Fatal(err)
 }
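Review bot: The JSON fixture in the second hunk keys its objects by Go field names (`OIDCIssuers`, `IssuerURL`, `ChallengeClaim`) while the YAML fixture uses kebab-case (`oidc-issuers`, `issuer-url`), which suggests the JSON path relies on encoding/json's default field matching; if so, that matching is case-insensitive and unknown keys are silently dropped, so a misspelled `ChallengeClaim` or `Type` in an operator-supplied JSON config would decode to an empty value instead of failing to load. Because this config is the list of issuers Fulcio will trust, a negative fixture is worth adding, e.g. the same document with `"ChallengeClaim"` renamed to `"ChallengeClaims"`, asserting that `Read` returns an error, or, if the loader is intentionally lenient, a comment on `validJSONCfg` saying that unknown keys are ignored. Whether `Read` uses `DisallowUnknownFields` is not visible in this diff.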
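Review bot: In the last hunk a failed `os.ReadFile` is reported with `t.Errorf` and the test then proceeds into `Read(b)` with a nil slice, so the failure a maintainer sees is whatever `Read` reports about empty input rather than the missing or unreadable config file; change it to `t.Fatalf("read file: %v", err)`. The new doc comment says the file is reflected directly to the public good instance, which is exactly why it would help to also state what this test guarantees (for example that every issuer has a non-empty Type) so a contributor extends the checks when the schema grows. The `os.ReadFile` call and the remainder of TestLoadFulcioConfig are outside the hunk.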
@@ -63,6 +55,11 @@ func TestLoadFulcioConfig(t *testing.T) {
 if string(got.Type) == "" {
 t.Errorf("Issuer Type should not be empty")
 }
+ if got.Type == IssuerTypeCIProvider {
+ if got.CIProvider == "" {
+ t.Errorf("Issuer CIProvider should not be empty when Type is ci-provider")
+ }
+ }
 if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
 t.Error("no error returned from an unconfigured issuer")
 }
diff --git a/tools/loadtest/README.md b/tools/loadtest/README.md
index 0e2af9930..1a5d7f014 100644
--- a/tools/loadtest/README.md
+++ b/tools/loadtest/README.md
@@ -24,7 +24,7 @@ Confirm a successful install with `locust -V`, which should print the version. Y
 ### Fetching identity token
-To fetch a certificate, you will need an OIDC token from one of the [OIDC issuers](https://github.com/sigstore/fulcio/blob/main/config/fulcio-config.yaml). One way is to fetch a token from Google. Note that you will need to install [`gcloud`](https://cloud.google.com/sdk/gcloud) and create a service account. A service account is necessary for the `--include-email` flag, which is needed to get an OIDC token with the correct format for Fulcio.
+To fetch a certificate, you will need an OIDC token from one of the [OIDC issuers](https://github.com/sigstore/fulcio/blob/main/config/identity/config.yaml). One way is to fetch a token from Google. Note that you will need to install [`gcloud`](https://cloud.google.com/sdk/gcloud) and create a service account. A service account is necessary for the `--include-email` flag, which is needed to get an OIDC token with the correct format for Fulcio.
 Run the following command, and record the output:
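Review bot: The new check only proves `CIProvider` is non-empty for `ci-provider` issuers; given the file is deployed directly to the public good instance, a mistyped provider name would pass this test and only surface when the issuer is first exercised. If the server keeps a set of known CI provider names (the diff does not show one), assert membership in it here rather than non-emptiness alone. The nested ifs can be flattened to `if got.Type == IssuerTypeCIProvider && got.CIProvider == "" {` with the same `t.Errorf`. The enclosing loop over issuers starts outside the hunk.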