Allow usage of predefined tokens

pkg/api/values.go

@@ -8,6 +8,10 @@ const (
 	RekorUIURL       = "SIGSTORE_REKOR_UI_URL"
 	TufURL           = "TUF_URL"
 	OidcIssuerURL    = "SIGSTORE_OIDC_ISSUER"
+	OidcToken        = "OIDC_TOKEN"
+	OidcUser         = "OIDC_USER"
+	OidcPassword     = "OIDC_PASSWORD"
+	OidcUserDomain   = "OIDC_USER_DOMAIN"
 	OidcRealm        = "KEYCLOAK_REALM"
 	GithubToken      = "TEST_GITHUB_TOKEN" // #nosec G101: Potential hardcoded credentials (gosec)
 	GithubUsername   = "TEST_GITHUB_USER"
@@ -33,6 +37,9 @@ func init() {
 	Values = viper.New()
 
 	Values.SetDefault(OidcRealm, "trusted-artifact-signer")
+	Values.SetDefault(OidcUser, "jdoe")
+	Values.SetDefault(OidcPassword, "secure")
+	Values.SetDefault(OidcUserDomain, "redhat.com")
 	Values.SetDefault(GithubUsername, "ignore")
 	Values.SetDefault(GithubOwner, "securesign")
 	Values.SetDefault(GithubRepo, "e2e-gitsign-test")

tas-env-variables.sh

@@ -28,18 +28,22 @@ if [ -z "$TSA_URL" ]; then
   export TSA_URL=$(oc get timestampauthorities -o jsonpath='{.items[0].status.url}')/api/v1/timestamp
 fi
 
+if [ -z "$OIDC_CLIENT_ID" ]; then
+  OIDC_CLIENT_ID="trusted-artifact-signer"
+fi
+
 # Export the environment variables for the current session
 export COSIGN_MIRROR=$TUF_URL
 export COSIGN_ROOT=$TUF_URL/root.json
-export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer"
+export COSIGN_OIDC_CLIENT_ID=$OIDC_CLIENT_ID
 export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL
 export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL
 export COSIGN_YES="true"
 export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL
 export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER
 export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL
 export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL
-export SIGSTORE_OIDC_CLIENT_ID=trusted-artifact-signer
+export SIGSTORE_OIDC_CLIENT_ID=$OIDC_CLIENT_ID
 export SIGSTORE_REKOR_UI_URL=$REKOR_UI_URL
 
 # Print the environment variables to verify they are set

test/benchmark/token_manager.go

@@ -5,7 +5,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/securesign/sigstore-e2e/pkg/api"
 	"github.com/securesign/sigstore-e2e/test/testsupport"
 	"github.com/sirupsen/logrus"
 )
@@ -38,7 +37,7 @@ func (tm *TokenManager) RefreshToken(ctx context.Context) {
 	defer tm.mu.Unlock()
 
 	var err error
-	tm.token, err = testsupport.GetOIDCToken(ctx, api.GetValueFor(api.OidcIssuerURL), "jdoe", "secure", api.GetValueFor(api.OidcRealm))
+	tm.token, err = testsupport.GetOIDCToken(ctx)
 	if err != nil {
 		logrus.Errorf("failed to get OIDC token %v", err)
 	}

test/cosign/cosign_sign_verify_test.go

@@ -47,7 +47,7 @@ var _ = Describe("Cosign test", Ordered, func() {
 		logrus.Infof("Starting cosign test")
 		err = testsupport.CheckMandatoryAPIConfigValues(api.OidcRealm)
 		if err != nil {
-			Skip("Skip this test - " + err.Error())
+			Fail(err.Error())
 		}
 
 		cosign = clients.NewCosign()
@@ -102,15 +102,15 @@ var _ = Describe("Cosign test", Ordered, func() {
 
 	Describe("cosign sign", func() {
 		It("should sign the container", func() {
-			token, err := testsupport.GetOIDCToken(testsupport.TestContext, api.GetValueFor(api.OidcIssuerURL), "jdoe", "secure", api.GetValueFor(api.OidcRealm))
+			token, err := testsupport.GetOIDCToken(testsupport.TestContext)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(cosign.Command(testsupport.TestContext, "sign", "-y", "--identity-token="+token, targetImageName).Run()).To(Succeed())
 		})
 	})
 
 	Describe("cosign verify", func() {
 		It("should verify the signature and extract logIndex", func() {
-			output, err := cosign.CommandOutput(testsupport.TestContext, "verify", "--certificate-identity-regexp", ".*@redhat", "--certificate-oidc-issuer-regexp", ".*keycloak.*", targetImageName)
+			output, err := cosign.CommandOutput(testsupport.TestContext, "verify", "--certificate-identity-regexp", ".*"+regexp.QuoteMeta(api.GetValueFor(api.OidcUserDomain)), "--certificate-oidc-issuer-regexp", regexp.QuoteMeta(api.GetValueFor(api.OidcIssuerURL)), targetImageName)
 			Expect(err).ToNot(HaveOccurred())
 
 			startIndex := strings.Index(string(output), "[")
@@ -199,7 +199,7 @@ var _ = Describe("Cosign test", Ordered, func() {
 		})
 
 		It("should sign and attach the predicate as an attestation to the image", func() {
-			token, err := testsupport.GetOIDCToken(testsupport.TestContext, api.GetValueFor(api.OidcIssuerURL), "jdoe", "secure", api.GetValueFor(api.OidcRealm))
+			token, err := testsupport.GetOIDCToken(testsupport.TestContext)
 			Expect(err).ToNot(HaveOccurred())
 
 			Expect(cosign.Command(testsupport.TestContext, "attest", "-y", "--identity-token="+token, "--fulcio-url="+api.GetValueFor(api.FulcioURL), "--rekor-url="+api.GetValueFor(api.RekorURL), "--oidc-issuer="+api.GetValueFor(api.OidcIssuerURL), "--predicate", predicatePath, "--type", "slsaprovenance", targetImageName).Run()).To(Succeed())
@@ -245,7 +245,7 @@ var _ = Describe("Cosign test", Ordered, func() {
 
 	Describe("ec validate", func() {
 		It("should verify signature and attestation of the image", func() {
-			output, err := ec.CommandOutput(testsupport.TestContext, "validate", "image", "--image", targetImageName, "--certificate-identity-regexp", ".*@redhat", "--certificate-oidc-issuer-regexp", ".*keycloak.*", "--output", "yaml", "--show-successes")
+			output, err := ec.CommandOutput(testsupport.TestContext, "validate", "image", "--image", targetImageName, "--certificate-identity-regexp", ".*"+regexp.QuoteMeta(api.GetValueFor(api.OidcUserDomain)), "--certificate-oidc-issuer-regexp", ".*"+regexp.QuoteMeta(api.GetValueFor(api.OidcIssuerURL)), "--output", "yaml", "--show-successes")
 			Expect(err).ToNot(HaveOccurred())
 
 			successPatterns := []*regexp.Regexp{

test/cosign/cosign_sign_verify_tsa_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 
 	"github.com/docker/docker/api/types/image"
 
@@ -37,7 +38,7 @@ var _ = Describe("TSA test", Ordered, func() {
 		logrus.Infof("Starting TSA cosign test")
 		err = testsupport.CheckMandatoryAPIConfigValues(api.OidcRealm)
 		if err != nil {
-			Skip("Skip this test - " + err.Error())
+			Fail(err.Error())
 		}
 
 		cosign = clients.NewCosign()
@@ -87,7 +88,7 @@ var _ = Describe("TSA test", Ordered, func() {
 
 	Describe("cosign sign tsa", func() {
 		It("should sign the container using TSA", func() {
-			token, err := testsupport.GetOIDCToken(testsupport.TestContext, api.GetValueFor(api.OidcIssuerURL), "jdoe", "secure", api.GetValueFor(api.OidcRealm))
+			token, err := testsupport.GetOIDCToken(testsupport.TestContext)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(cosign.Command(testsupport.TestContext, "sign", "-y", "--timestamp-server-url", api.GetValueFor(api.TsaURL), "--identity-token="+token, tsaTargetImageName).Run()).To(Succeed())
 		})
@@ -114,7 +115,7 @@ var _ = Describe("TSA test", Ordered, func() {
 
 	Describe("cosign verify tsa", func() {
 		It("should verify the signature using TSA", func() {
-			Expect(cosign.Command(testsupport.TestContext, "verify", "--timestamp-certificate-chain", tsaChainPath, "--certificate-identity-regexp", ".*@redhat", "--certificate-oidc-issuer-regexp", ".*keycloak.*", tsaTargetImageName).Run()).To(Succeed())
+			Expect(cosign.Command(testsupport.TestContext, "verify", "--timestamp-certificate-chain", tsaChainPath, "--certificate-identity-regexp", ".*"+regexp.QuoteMeta(api.GetValueFor(api.OidcUserDomain)), "--certificate-oidc-issuer-regexp", regexp.QuoteMeta(api.GetValueFor(api.OidcIssuerURL)), tsaTargetImageName).Run()).To(Succeed())
 		})
 	})
 })

test/gitsign/gitsign_sign_verify_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -44,7 +45,7 @@ var _ = Describe("Signing and verifying commits by using Gitsign from the comman
 	BeforeAll(func() {
 		err = testsupport.CheckAnyTestMandatoryAPIConfigValues()
 		if err != nil {
-			Skip("Skip this test - " + err.Error())
+			Fail(err.Error())
 		}
 
 		Expect(testsupport.InstallPrerequisites(
@@ -73,9 +74,9 @@ var _ = Describe("Signing and verifying commits by using Gitsign from the comman
 	})
 
 	Context("With configured git", func() {
-		It("sets the local repository to use 'jdoe@redhat.com' user", func() {
+		It("sets the local repository to use OIDC user", func() {
 			config.User.Name = "John Doe"
-			config.User.Email = "jdoe@redhat.com"
+			config.User.Email = fmt.Sprintf("%s@%s", api.GetValueFor(api.OidcUser), api.GetValueFor(api.OidcUserDomain))
 
 			Expect(repo.SetConfig(config)).To(Succeed())
 		})
@@ -104,10 +105,7 @@ var _ = Describe("Signing and verifying commits by using Gitsign from the comman
 		})
 
 		It("gets ID token and makes commit", func() {
-			token, err := testsupport.GetOIDCToken(testsupport.TestContext, api.GetValueFor(api.OidcIssuerURL),
-				"jdoe@redhat.com",
-				"secure",
-				api.GetValueFor(api.OidcRealm))
+			token, err := testsupport.GetOIDCToken(testsupport.TestContext)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(token).To(Not(BeEmpty()))
 			Expect(gitsign.GitWithGitSign(testsupport.TestContext, dir, token, "commit", "-S", "-m", "CI commit "+time.Now().String())).To(Succeed())
@@ -136,7 +134,7 @@ var _ = Describe("Signing and verifying commits by using Gitsign from the comman
 		When("commiter is authorized", func() {
 			It("should verify HEAD signature by gitsign", func() {
 				cmd := gitsign.Command(testsupport.TestContext, "verify",
-					"--certificate-identity", "jdoe@redhat.com",
+					"--certificate-identity", fmt.Sprintf("%s@%s", api.GetValueFor(api.OidcUser), api.GetValueFor(api.OidcUserDomain)),
 					"--certificate-oidc-issuer", api.GetValueFor(api.OidcIssuerURL),
 					"HEAD")
 

test/rekorcli/rekorcli_sign_verify_test.go

@@ -35,7 +35,7 @@ var _ = Describe("Verify entries, query the transparency log for inclusion proof
 	BeforeAll(func() {
 		err = testsupport.CheckMandatoryAPIConfigValues(api.OidcRealm)
 		if err != nil {
-			Skip("Skip this test - " + err.Error())
+			Fail(err.Error())
 		}
 
 		rekorCli = clients.NewRekorCli()

test/rekorsearchui/rekor_search_sign_verify_test.go

@@ -85,7 +85,7 @@ var _ = Describe("Test the Rekor Search UI", Ordered, func() {
 	BeforeAll(func() {
 		err = testsupport.CheckMandatoryAPIConfigValues(api.OidcRealm, api.RekorUIURL)
 		if err != nil {
-			Skip("Skip this test - " + err.Error())
+			Fail(err.Error())
 		}
 
 		rekorCli = clients.NewRekorCli()
@@ -119,7 +119,7 @@ var _ = Describe("Test the Rekor Search UI", Ordered, func() {
 
 		// configure git user
 		config.User.Name = "John Doe"
-		config.User.Email = "jdoe@redhat.com"
+		config.User.Email = fmt.Sprintf("%s@%s", api.GetValueFor(api.OidcUser), api.GetValueFor(api.OidcUserDomain))
 
 		// configure gitsign
 		config.Raw.AddOption("commit", "", "gpgsign", "true")
@@ -143,8 +143,7 @@ var _ = Describe("Test the Rekor Search UI", Ordered, func() {
 		Expect(err).ToNot(HaveOccurred())
 
 		// sign commit with gitsign
-		token, err := testsupport.GetOIDCToken(testsupport.TestContext,
-			api.GetValueFor(api.OidcIssuerURL), "jdoe@redhat.com", "secure", api.GetValueFor(api.OidcRealm))
+		token, err := testsupport.GetOIDCToken(testsupport.TestContext)
 		Expect(err).ToNot(HaveOccurred())
 		Expect(token).To(Not(BeEmpty()))
 

test/testsupport/test_support.go

@@ -83,15 +83,19 @@ func DestroyPrerequisites() error {
 	return nil
 }
 
-func GetOIDCToken(ctx context.Context, issuerURL string, userName string, password string, realm string) (string, error) {
-	urlString := issuerURL + "/protocol/openid-connect/token"
+func GetOIDCToken(ctx context.Context) (string, error) {
+	if token := api.GetValueFor(api.OidcToken); token != "" {
+		logrus.Info("Using OIDC token from ENV var")
+		return token, nil
+	}
+	urlString := api.GetValueFor(api.OidcIssuerURL) + "/protocol/openid-connect/token"
 
 	client := &http.Client{}
 	data := url.Values{}
-	data.Set("username", userName)
-	data.Set("password", password)
+	data.Set("username", api.GetValueFor(api.OidcUser))
+	data.Set("password", api.GetValueFor(api.OidcPassword))
 	data.Set("scope", "openid")
-	data.Set("client_id", realm)
+	data.Set("client_id", api.GetValueFor(api.OidcRealm))
 	data.Set("grant_type", "password")
 
 	r, _ := http.NewRequestWithContext(ctx, http.MethodPost, urlString, strings.NewReader(data.Encode())) // URL-encoded payload