updating test for check-config workflow

Signed-off-by: Javan lacerda <javanlacerda@google.com>
sigstore · Jul 8, 2024 · d84c0d1 · d84c0d1
1 parent 5a97d56
commit d84c0d1
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 28 deletions.
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -91,5 +91,4 @@ jobs:
       - name: check-config
         run: |
           set -e
-          go run federation/main.go
-          git diff --exit-code
+          go test -timeout 30s -run ^TestLoadFulcioConfig$ github.com/sigstore/fulcio/pkg/config
diff --git a/config/config.yaml b/config/config.yaml
@@ -1,84 +1,72 @@
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 oidc-issuers:
     https://accounts.google.com:
         issuer-url: https://accounts.google.com
         client-id: sigstore
         type: email
-        contact: tac@sigstore.dev 
-        description: "Google OIDC auth"
     https://agent.buildkite.com:
         issuer-url: https://agent.buildkite.com
         client-id: sigstore
         type: buildkite-job
-        contact: support@buildkite.com
-        description: "Buildkite Agent OIDC tokens for job identity"
     https://allow.pub:
         issuer-url: https://allow.pub
         client-id: sigstore
         type: spiffe
         spiffe-trust-domain: allow.pub
-        contact: evan@phx.io
-        description: "Server side signing support for the OCI registry vcr.pub"
     https://auth-staging.eclipse.org/realms/sigstore:
         issuer-url: https://auth-staging.eclipse.org/realms/sigstore
         client-id: sigstore
         type: email
-        contact: security@eclipse-foundation.org
-        description: "Eclipse Foundation Staging OIDC provider"
     https://auth.eclipse.org/auth/realms/sigstore:
         issuer-url: https://auth.eclipse.org/auth/realms/sigstore
         client-id: sigstore
         type: email
-        contact: security@eclipse-foundation.org
-        description: "Eclipse Foundation Production OIDC provider"
     https://dev.gitlab.org:
         issuer-url: https://dev.gitlab.org
         client-id: sigstore
         type: gitlab-pipeline
-        contact: distribution-be@gitlab.com
-        description: "GitLab OIDC tokens for job identity"
     https://gitlab.archlinux.org:
         issuer-url: https://gitlab.archlinux.org
         client-id: sigstore
         type: gitlab-pipeline
-        contact: sigstore@archlinux.org
-        description: "GitLab OIDC tokens for job identity"
     https://gitlab.com:
         issuer-url: https://gitlab.com
         client-id: sigstore
         type: gitlab-pipeline
-        contact: support@gitlab.com
-        description: "GitLab OIDC tokens for job identity"
     https://issuer.enforce.dev:
         issuer-url: https://issuer.enforce.dev
         client-id: sigstore
         type: chainguard-identity
-        contact: mattmoor@chainguard.dev
-        description: "Chainguard identity tokens"
     https://oauth2.sigstore.dev/auth:
         issuer-url: https://oauth2.sigstore.dev/auth
         client-id: sigstore
         type: email
         issuer-claim: $.federated_claims.connector_id
-        contact: tac@sigstore.dev
-        description: "dex address for fulcio"
     https://oidc.codefresh.io:
         issuer-url: https://oidc.codefresh.io
         client-id: sigstore
         type: codefresh-workflow
-        contact: support@codefresh.io
-        description: "Codefresh OIDC tokens for job identity"
     https://ops.gitlab.net:
         issuer-url: https://ops.gitlab.net
         client-id: sigstore
         type: gitlab-pipeline
-        contact: distribution-be@gitlab.com
-        description: "GitLab OIDC tokens for job identity"
     https://token.actions.githubusercontent.com:
         issuer-url: https://token.actions.githubusercontent.com
         client-id: sigstore
         type: github-workflow
-        contact: tac@sigstore.dev
-        description: "GitHub Actions OIDC auth"
 meta-issuers:
     https://*.oic.prod-aks.azure.com/*:
         client-id: sigstore

diff --git a/pkg/config/fulcio_config_test.go b/pkg/config/fulcio_config_test.go
@@ -0,0 +1,76 @@
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+//go:build !hermetic
+
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"gopkg.in/yaml.v3"
+)
+
+type FulcioConfigMap struct {
+	Data map[string]string `yaml:"data,omitempty"`
+}
+
+// It tests that the config/fulcio-config.yaml is properly parsable
+func TestLoadFulcioConfig(t *testing.T) {
+	_, path, _, _ := runtime.Caller(0)
+	basepath := filepath.Dir(path)
+	b, err := os.ReadFile(basepath + "/../../config/config.yaml")
+	if err != nil {
+		t.Errorf("read file: %v", err)
+	}
+
+	cfg := FulcioConfigMap{}
+	if err := yaml.Unmarshal(b, &cfg); err != nil {
+		t.Errorf("Unmarshal: %v", err)
+	}
+
+	fulcioConfig, err := Read([]byte(cfg.Data["config.yaml"]))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for issuerURL := range fulcioConfig.OIDCIssuers {
+		got, ok := fulcioConfig.GetIssuer(issuerURL)
+		if !ok {
+			t.Error("expected true, got false")
+		}
+		if got.ClientID != "sigstore" {
+			t.Errorf("expected sigstore, got %s", got.ClientID)
+		}
+		if got.IssuerURL != issuerURL {
+			t.Errorf("expected %s, got %s", issuerURL, got.IssuerURL)
+		}
+		if string(got.Type) == "" {
+			t.Errorf("Issuer Type should not be empty")
+		}
+		if _, ok := fulcioConfig.GetIssuer("not_an_issuer"); ok {
+			t.Error("no error returned from an unconfigured issuer")
+		}
+	}
+
+	for _, metaIssuer := range fulcioConfig.MetaIssuers {
+		if metaIssuer.ClientID != "sigstore" {
+			t.Errorf("expected sigstore, got %s", metaIssuer.ClientID)
+		}
+	}
+}