diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index ec2722d9b..7ed180cb0 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -91,5 +91,4 @@ jobs:
- name: check-config
run: |
set -e
- go run federation/main.go
- git diff --exit-code
+ go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config
diff --git a/config/config.yaml b/config/config.yaml
index 9226a85ba..67549fc0a 100644
--- a/config/config.yaml
+++ b/config/config.yaml
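Review bot: The new `go test -run ^TestLoadFulcioConfig$` step only proves that config/config.yaml parses, while the removed `go run federation/main.go` + `git diff --exit-code` pair also proved the committed config was reproducible from its source of truth, and nothing in the new step replaces that drift guard. If the federation/ generator is being deleted in this same change (not visible in this diff) that is expected; if a generator still exists, a hand edit to config/config.yaml that it would not produce now passes CI. In that case keep a regenerate-then-`git diff --exit-code` step next to the new test rather than instead of it. Either way the step's `name: check-config` now undersells what is checked; a short `# parse-only check of config/config.yaml` comment above the `run:` would keep the next maintainer from assuming the config is still validated against a generator.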
@@ -3,82 +3,56 @@ oidc-issuers:
issuer-url: https://accounts.google.com
client-id: sigstore
type: email
- contact: tac@sigstore.dev
- description: "Google OIDC auth"
https://agent.buildkite.com:
issuer-url: https://agent.buildkite.com
client-id: sigstore
type: buildkite-job
- contact: support@buildkite.com
- description: "Buildkite Agent OIDC tokens for job identity"
https://allow.pub:
issuer-url: https://allow.pub
client-id: sigstore
type: spiffe
spiffe-trust-domain: allow.pub
- contact: evan@phx.io
- description: "Server side signing support for the OCI registry vcr.pub"
https://auth-staging.eclipse.org/realms/sigstore:
issuer-url: https://auth-staging.eclipse.org/realms/sigstore
client-id: sigstore
type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Staging OIDC provider"
https://auth.eclipse.org/auth/realms/sigstore:
issuer-url: https://auth.eclipse.org/auth/realms/sigstore
client-id: sigstore
type: email
- contact: security@eclipse-foundation.org
- description: "Eclipse Foundation Production OIDC provider"
https://dev.gitlab.org:
issuer-url: https://dev.gitlab.org
client-id: sigstore
type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
https://gitlab.archlinux.org:
issuer-url: https://gitlab.archlinux.org
client-id: sigstore
type: gitlab-pipeline
- contact: sigstore@archlinux.org
- description: "GitLab OIDC tokens for job identity"
https://gitlab.com:
issuer-url: https://gitlab.com
client-id: sigstore
type: gitlab-pipeline
- contact: support@gitlab.com
- description: "GitLab OIDC tokens for job identity"
https://issuer.enforce.dev:
issuer-url: https://issuer.enforce.dev
client-id: sigstore
type: chainguard-identity
- contact: mattmoor@chainguard.dev
- description: "Chainguard identity tokens"
https://oauth2.sigstore.dev/auth:
issuer-url: https://oauth2.sigstore.dev/auth
client-id: sigstore
type: email
issuer-claim: $.federated_claims.connector_id
- contact: tac@sigstore.dev
- description: "dex address for fulcio"
https://oidc.codefresh.io:
issuer-url: https://oidc.codefresh.io
client-id: sigstore
type: codefresh-workflow
- contact: support@codefresh.io
- description: "Codefresh OIDC tokens for job identity"
https://ops.gitlab.net:
issuer-url: https://ops.gitlab.net
client-id: sigstore
type: gitlab-pipeline
- contact: distribution-be@gitlab.com
- description: "GitLab OIDC tokens for job identity"
https://token.actions.githubusercontent.com:
issuer-url: https://token.actions.githubusercontent.com
client-id: sigstore
type: github-workflow
- contact: tac@sigstore.dev
- description: "GitHub Actions OIDC auth"
meta-issuers:
https://*.oic.prod-aks.azure.com/*:
client-id: sigstore
diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
new file mode 100644
index 000000000..34744b62d
--- /dev/null
+++ b/pkg/config/fulcio_config_test.go
@@ -0,0 +1,76 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//go:build !hermetic
+
+package config
+
+import (
+ "os"
+ "path/filepath"
+ "runtime"
+ "testing"
+
+ "gopkg.in/yaml.v3"
+)
+
+type FulcioConfigMap struct {
+ Data map[string]string `yaml:"data,omitempty"`
+}
+
+// It tests that the config/fulcio-config.yaml is properly parsable
+func TestLoadFulcioConfig(t *testing.T) {
+ _, path, _, _ := runtime.Caller(0)
+ basepath := filepath.Dir(path)
+ b, err := os.ReadFile(basepath + "/../../config/config.yaml")
+ if err != nil {
+ t.Errorf("read file: %v", err)
+ }
+
+ cfg := FulcioConfigMap{}
+ if err := yaml.Unmarshal(b, &cfg); err != nil {
+ t.Errorf("Unmarshal: %v", err)
+ }
+
+ fulcioConfig, err := Read([]byte(cfg.Data["config.yaml"]))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ for issuerURL := range fulcioConfig.OIDCIssuers {
+ got, ok := fulcioConfig.GetIssuer(issuerURL)
+ if !ok {
+ t.Error("expected true, got false")
+ }
+ if got.ClientID != "sigstore" {
+ t.Errorf("expected sigstore, got %s", got.ClientID)
+ }
+ if got.IssuerURL != issuerURL {
+ t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
+ }
+ if string(got.Type) == "" {
+ t.Errorf("Issuer Type should not be empty")
+ }
+ if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
+ t.Error("no error returned from an unconfigured issuer")
+ }
+ }
+
+ for _, metaIssuer := range fulcioConfig.MetaIssuers {
+ if metaIssuer.ClientID != "sigstore" {
+ t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
+ }
+ }
+}