Enable GCP integration test (#82)

.github/workflows/test.yml

@@ -36,6 +36,14 @@ jobs:
         with:
           aws-region: "us-east-1"
           role-to-assume: arn:aws:iam::175142243308:role/doi-github-actions-signing
+      - name: auth-with-gcp
+        if: matrix.os == 'ubuntu-latest' && github.actor != 'dependabot[bot]'
+        uses: google-github-actions/auth@v2
+        with:
+          project_id: 'attest-kms-test'
+          export_environment_variables: true
+          workload_identity_provider: 'projects/385966116051/locations/global/workloadIdentityPools/attest-kms-test/providers/attest-kms-test'
+          service_account: 'attest-kms-test@attest-kms-test.iam.gserviceaccount.com'
       - name: Setup Testcontainers Cloud Client
         uses: atomicjar/testcontainers-cloud-setup-action@v1
         with:

pkg/signerverifier/gcp_test.go

@@ -1,5 +1,17 @@
+//go:build e2e
+
 package signerverifier
 
+import (
+	"context"
+	"crypto/ecdsa"
+	"testing"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
 const publicKeyPEM = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMswW3iu7PR/rWTQjlhVmUsPK7rF
 k2s4SO3XbQ2GG2alm289SUUpmBAuVxvT8muYQ8HC/QzixzyTACTXsBDjQg==
@@ -8,26 +20,26 @@ k2s4SO3XbQ2GG2alm289SUUpmBAuVxvT8muYQ8HC/QzixzyTACTXsBDjQg==
 // to run locally, we need to impersonate the GCP service account
 // gcloud auth application-default login --impersonate-service-account attest-kms-test@attest-kms-test.iam.gserviceaccount.com
 
-// func TestGCPKMS_Signer(t *testing.T) {
-// 	// create a new signer
-// 	ctx := context.Background()
-// 	ref := "projects/attest-kms-test/locations/us-west1/keyRings/attest-kms-test/cryptoKeys/test-signing-key/cryptoKeyVersions/1"
-// 	signer, err := GetGCPSigner(ctx, ref)
-// 	require.NoError(t, err)
-// 	msg := []byte("hello world")
-// 	hash := util.SHA256(msg)
+func TestGCPKMS_Signer(t *testing.T) {
+	// create a new signer
+	ctx := context.Background()
+	ref := "projects/attest-kms-test/locations/us-west1/keyRings/attest-kms-test/cryptoKeys/test-signing-key/cryptoKeyVersions/1"
+	signer, err := GetGCPSigner(ctx, ref)
+	require.NoError(t, err)
+	msg := []byte("hello world")
+	hash := util.SHA256(msg)
 
-// 	// sign message digest
-// 	sig, err := signer.Sign(ctx, hash)
-// 	require.NoError(t, err)
-// 	assert.NotEmpty(t, sig)
-// 	// get Key ID from signer
-// 	keyId, err := signer.KeyID()
-// 	require.NoError(t, err)
-// 	assert.NotEmpty(t, keyId)
-// 	publicKey, err := Parse([]byte(publicKeyPEM))
-// 	require.NoError(t, err)
-// 	// verify payload ecdsa signature
-// 	ok := ecdsa.VerifyASN1(publicKey, hash, sig)
-// 	assert.True(t, ok)
-// }
+	// sign message digest
+	sig, err := signer.Sign(ctx, hash)
+	require.NoError(t, err)
+	assert.NotEmpty(t, sig)
+	// get Key ID from signer
+	keyId, err := signer.KeyID()
+	require.NoError(t, err)
+	assert.NotEmpty(t, keyId)
+	publicKey, err := Parse([]byte(publicKeyPEM))
+	require.NoError(t, err)
+	// verify payload ecdsa signature
+	ok := ecdsa.VerifyASN1(publicKey, hash, sig)
+	assert.True(t, ok)
+}