adding test for fulcio config parsing

Signed-off-by: Javan lacerda <javanlacerda@google.com>
sigstore · Jul 3, 2024 · 64c5ce0 · 64c5ce0
1 parent dd1edb0
commit 64c5ce0
Show file tree

Hide file tree

Showing 6 changed files with 95 additions and 4 deletions.
diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml
@@ -124,7 +124,7 @@ jobs:
             name: fulcio-config
             namespace: fulcio-system
           data:
-            config.json: |-
+            config.yaml: |-
               {
                 ${{ matrix.issuer-config }}
               }

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -87,3 +87,8 @@ jobs:
         with:
           go-version: '1.22'
           check-latest: true
+
+      - name: check-config
+        run: |
+          set -e
+          go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
@@ -87,7 +87,7 @@ func newServeCmd() *cobra.Command {
 	cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
 	cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log")
 	cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs")
-	cmd.Flags().String("config-path", "/etc/fulcio-config/config.json", "path to fulcio config json")
+	cmd.Flags().String("config-path", "/etc/fulcio-config/config.yaml", "path to fulcio config yaml")
 	cmd.Flags().String("pkcs11-config-path", "config/crypto11.conf", "path to fulcio pkcs11 config file")
 	cmd.Flags().String("fileca-cert", "", "Path to CA certificate")
 	cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")

diff --git a/config/fulcio-config.yaml b/config/fulcio-config.yaml
@@ -14,7 +14,7 @@
 # limitations under the License.
 apiVersion: v1
 data:
-    config.yaml: |-
+    config.yaml:
         oidc-issuers:
             https://accounts.google.com:
                 issuer-url: https://accounts.google.com
@@ -112,7 +112,7 @@ data:
             https://token.actions.githubusercontent.com/*:
                 client-id: sigstore
                 type: github-workflow
-    server.yaml: |-
+    server.yaml:
         host: 0.0.0.0
         port: 5555
         grpc-port: 5554

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -86,6 +86,10 @@ type OIDCIssuer struct {
 	// Optional, the challenge claim expected for the issuer
 	// Set if using a custom issuer
 	ChallengeClaim string `json:"ChallengeClaim,omitempty" yaml:"challenge-claim,omitempty"`
+	// Optional, the description for the issuer
+	Description string `json:"Description,omitempty" yaml:"description,omitempty"`
+	// Optional, the description for the issuer
+	Contact string `json:"Contact,omitempty" yaml:"contact,omitempty"`
 }
 
 func metaRegex(issuer string) (*regexp.Regexp, error) {

diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
@@ -0,0 +1,82 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//go:build !hermetic
+
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"gopkg.in/yaml.v3"
+)
+
+type FulcioConfigMap struct {
+	Data map[string]FulcioConfig `yaml:"data,omitempty"`
+}
+
+// It tests that the config/fulcio-config.yaml is properly parsable
+func TestLoadFulcioConfig(t *testing.T) {
+	_, path, _, _ := runtime.Caller(0)
+	basepath := filepath.Dir(path)
+	b, err := os.ReadFile(basepath + "/../../config/fulcio-config.yaml")
+	if err != nil {
+		t.Errorf("read file: %v", err)
+	}
+
+	cfg := FulcioConfigMap{}
+	if err := yaml.Unmarshal(b, &cfg); err != nil {
+		panic(err)
+	}
+
+	fCfg := cfg.Data["config.yaml"]
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for issuerURL := range fCfg.OIDCIssuers {
+		got, ok := fCfg.GetIssuer(issuerURL)
+		if !ok {
+			t.Error("expected true, got false")
+		}
+		if got.ClientID != "sigstore" {
+			t.Errorf("expected sigstore, got %s", got.ClientID)
+		}
+		if got.IssuerURL != issuerURL {
+			t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
+		}
+		if string(got.Type) == "" {
+			t.Errorf("Issuer Type should not be empty")
+		}
+		if got.Description == "" {
+			t.Errorf("Issuer Description should not be empty")
+		}
+		if got.Contact == "" {
+			t.Errorf("Issuer Email should not be empty")
+		}
+		if _, ok := fCfg.GetIssuer("not_an_issuer"); ok {
+			t.Error("no error returned from an unconfigured issuer")
+		}
+	}
+
+	for _, metaIssuer := range fCfg.MetaIssuers {
+		if metaIssuer.ClientID != "sigstore" {
+			t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
+		}
+	}
+}