Include IDP type and subject domain in configuration API response (sigstore#1824)

Signed-off-by: Aditya Sirish A Yelgundhalli <[email protected]>

Author: adityasaky

fulcio.proto

@@ -237,4 +237,8 @@ message OIDCIssuer {
     string challenge_claim = 4;
     // The expected SPIFFE trust domain. Only present when the OIDC issuer issues tokens for SPIFFE identities.
     string spiffe_trust_domain = 5;
+    // The type of the IDP (e.g. "email", "username", etc.).
+    string issuer_type = 6;
+    // The expected subject domain. Only present when the OIDC issuer issues tokens for URI or username identities.
+    string subject_domain = 7;
 }

fulcio.swagger.json

@@ -237,6 +237,14 @@
         "spiffeTrustDomain": {
           "type": "string",
           "description": "The expected SPIFFE trust domain. Only present when the OIDC issuer issues tokens for SPIFFE identities."
+        },
+        "issuerType": {
+          "type": "string",
+          "description": "The type of the IDP (e.g. \"email\", \"username\", etc.)."
+        },
+        "subjectDomain": {
+          "type": "string",
+          "description": "The expected subject domain. Only present when the OIDC issuer issues tokens for URI or username identities."
         }
       },
       "description": "Metadata about an OIDC issuer."

pkg/config/config.go

@@ -237,6 +237,8 @@ func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer {
 			Audience:          cfgIss.ClientID,
 			SpiffeTrustDomain: cfgIss.SPIFFETrustDomain,
 			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
+			IssuerType:        cfgIss.Type.String(),
+			SubjectDomain:     cfgIss.SubjectDomain,
 		}
 		issuers = append(issuers, issuer)
 	}
@@ -247,6 +249,8 @@ func (fc *FulcioConfig) ToIssuers() []*fulciogrpc.OIDCIssuer {
 			Audience:          cfgIss.ClientID,
 			SpiffeTrustDomain: cfgIss.SPIFFETrustDomain,
 			ChallengeClaim:    issuerToChallengeClaim(cfgIss.Type, cfgIss.ChallengeClaim),
+			IssuerType:        cfgIss.Type.String(),
+			SubjectDomain:     cfgIss.SubjectDomain,
 		}
 		issuers = append(issuers, issuer)
 	}
@@ -304,6 +308,10 @@ func (fc *FulcioConfig) prepare() error {
 
 type IssuerType string
 
+func (it IssuerType) String() string {
+	return string(it)
+}
+
 const (
 	IssuerTypeBuildkiteJob      = "buildkite-job"
 	IssuerTypeEmail             = "email"

pkg/config/config_test.go

@@ -540,46 +540,98 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 }
 
 func TestToIssuers(t *testing.T) {
-	config := &FulcioConfig{
-		OIDCIssuers: map[string]OIDCIssuer{
-			"example.com": {
-				IssuerURL: "example.com",
-				ClientID:  "sigstore",
-				Type:      IssuerTypeEmail,
+	tests := []struct {
+		config *FulcioConfig
+		want   []*protobuf.OIDCIssuer
+	}{
+		{
+			config: &FulcioConfig{
+				OIDCIssuers: map[string]OIDCIssuer{
+					"example.com": {
+						IssuerURL: "example.com",
+						ClientID:  "sigstore",
+						Type:      IssuerTypeEmail,
+					},
+				},
+				MetaIssuers: map[string]OIDCIssuer{
+					"wildcard.*.example.com": {
+						ClientID: "sigstore",
+						Type:     IssuerTypeKubernetes,
+					},
+				},
 			},
-		},
-		MetaIssuers: map[string]OIDCIssuer{
-			"wildcard.*.example.com": {
-				ClientID: "sigstore",
-				Type:     IssuerTypeKubernetes,
+			want: []*protobuf.OIDCIssuer{
+				{
+					Audience:       "sigstore",
+					ChallengeClaim: "email",
+					Issuer: &protobuf.OIDCIssuer_IssuerUrl{
+						IssuerUrl: "example.com",
+					},
+					IssuerType: IssuerTypeEmail,
+				},
+				{
+					Audience:       "sigstore",
+					ChallengeClaim: "sub",
+					Issuer: &protobuf.OIDCIssuer_WildcardIssuerUrl{
+						WildcardIssuerUrl: "wildcard.*.example.com",
+					},
+					IssuerType: IssuerTypeKubernetes,
+				},
 			},
 		},
-	}
-
-	issuers := config.ToIssuers()
-	if len(issuers) != 2 {
-		t.Fatalf("unexpected number of issues, expected 2, got %v", len(issuers))
-	}
-
-	iss := &protobuf.OIDCIssuer{
-		Audience:       "sigstore",
-		ChallengeClaim: "email",
-		Issuer: &protobuf.OIDCIssuer_IssuerUrl{
-			IssuerUrl: "example.com",
+		{
+			config: &FulcioConfig{
+				OIDCIssuers: map[string]OIDCIssuer{
+					"username.example.com": {
+						IssuerURL:     "username.example.com",
+						ClientID:      "sigstore",
+						Type:          IssuerTypeUsername,
+						SubjectDomain: "username.example.com",
+					},
+				},
+			},
+			want: []*protobuf.OIDCIssuer{
+				{
+					Audience:       "sigstore",
+					ChallengeClaim: "sub",
+					Issuer: &protobuf.OIDCIssuer_IssuerUrl{
+						IssuerUrl: "username.example.com",
+					},
+					IssuerType:    IssuerTypeUsername,
+					SubjectDomain: "username.example.com",
+				},
+			},
 		},
-	}
-	if !reflect.DeepEqual(issuers[0], iss) {
-		t.Fatalf("expected issuer %v, got %v", iss, issuers[0])
-	}
-	iss = &protobuf.OIDCIssuer{
-		Audience:       "sigstore",
-		ChallengeClaim: "sub",
-		Issuer: &protobuf.OIDCIssuer_WildcardIssuerUrl{
-			WildcardIssuerUrl: "wildcard.*.example.com",
+		{
+			config: &FulcioConfig{
+				OIDCIssuers: map[string]OIDCIssuer{
+					"uriissuer.example.com": {
+						IssuerURL:     "uriissuer.example.com",
+						ClientID:      "sigstore",
+						Type:          IssuerTypeURI,
+						SubjectDomain: "uriissuer.example.com",
+					},
+				},
+			},
+			want: []*protobuf.OIDCIssuer{
+				{
+					Audience:       "sigstore",
+					ChallengeClaim: "sub",
+					Issuer: &protobuf.OIDCIssuer_IssuerUrl{
+						IssuerUrl: "uriissuer.example.com",
+					},
+					IssuerType:    IssuerTypeURI,
+					SubjectDomain: "uriissuer.example.com",
+				},
+			},
 		},
 	}
-	if !reflect.DeepEqual(issuers[1], iss) {
-		t.Fatalf("expected issuer %v, got %v", iss, issuers[1])
+
+	for _, test := range tests {
+		issuers := test.config.ToIssuers()
+		if !reflect.DeepEqual(issuers, test.want) {
+			t.Fatalf("expected issuers %v, got %v", test.want, issuers)
+		}
 	}
 }