rust-lang
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 3 additions & 1 deletion b/‎Cargo.toml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎crates/crates_io_trustpub/Cargo.toml‎
Lines changed: 2 additions & 1 deletion b/‎crates/crates_io_trustpub/Cargo.toml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎crates/crates_io_trustpub/src/keystore/mod.rs‎
Lines changed: 18 additions & 0 deletions b/‎crates/crates_io_trustpub/src/keystore/mod.rs‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎crates/crates_io_trustpub/src/keystore/snapshots/crates_io_oidc__keystore__load_jwks__tests__load_jwks.snap‎
Lines changed: 126 additions & 0 deletions b/‎crates/crates_io_trustpub/src/keystore/snapshots/crates_io_oidc__keystore__load_jwks__tests__load_jwks.snap‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎crates/crates_io_trustpub/src/lib.rs‎
Lines changed: 1 addition & 1 deletion b/‎crates/crates_io_trustpub/src/lib.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/bin/server.rs‎
Lines changed: 10 additions & 3 deletions b/‎src/bin/server.rs‎
Lines changed: 10 additions & 3 deletions
@@ -110,6 +110,7 @@ paste = "=1.0.15"
 postgres-native-tls = "=0.5.1"
 prometheus = { version = "=0.14.0", default-features = false }
 rand = "=0.9.1"
+regex = "=1.11.1"
 reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
 rss = { version = "=2.0.12", default-features = false, features = ["atom"] }
 secrecy = "=0.10.3"
@@ -143,11 +144,12 @@ crates_io_index = { path = "crates/crates_io_index", features = ["testing"] }
 crates_io_tarball = { path = "crates/crates_io_tarball", features = ["builder"] }
 crates_io_team_repo = { path = "crates/crates_io_team_repo", features = ["mock"] }
 crates_io_test_db = { path = "crates/crates_io_test_db" }
+crates_io_trustpub = { path = "crates/crates_io_trustpub", features = ["mock"] }
 claims = "=0.8.0"
 diesel = { version = "=2.2.10", features = ["r2d2"] }
 googletest = "=0.14.0"
 insta = { version = "=1.43.1", features = ["glob", "json", "redactions"] }
-regex = "=1.11.1"
+jsonwebtoken = "=9.3.1"
 sentry = { version = "=0.37.0", features = ["test"] }
 tokio = "=1.45.0"
 zip = { version = "=2.6.1", default-features = false, features = ["deflate"] }
@@ -8,7 +8,7 @@ edition = "2024"
 workspace = true
 
 [features]
-mock = ["dep:mockall"]
+mock = ["dep:mockall", "dep:serde_json"]
 
 [dependencies]
 anyhow = "=1.0.98"
@@ -19,6 +19,7 @@ mockall = { version = "=0.13.1", optional = true }
 reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
 regex = "=1.11.1"
 serde = { version = "=1.0.219", features = ["derive"] }
+serde_json = { version = "=1.0.140", optional = true }
 thiserror = "=2.0.12"
 tokio = { version = "=1.45.0", features = ["sync"] }
 
 
@@ -18,3 +18,21 @@ pub trait OidcKeyStore: Send + Sync {
     /// is an error while fetching the key, it will return an error.
     async fn get_oidc_key(&self, key_id: &str) -> anyhow::Result<Option<DecodingKey>>;
 }
+
+#[cfg(feature = "mock")]
+impl MockOidcKeyStore {
+    /// Creates a new instance of [`MockOidcKeyStore`] based on the RSA keys
+    /// provided in the [`crate::test_keys`] module.
+    pub fn with_test_key() -> Self {
+        use crate::test_keys::{DECODING_KEY, KEY_ID};
+        use mockall::predicate::*;
+
+        let mut mock = Self::new();
+
+        mock.expect_get_oidc_key()
+            .with(eq(KEY_ID))
+            .returning(|_| Ok(Some(DECODING_KEY.clone())));
+
+        mock
+    }
+}
@@ -0,0 +1,126 @@
+---
+source: crates/crates_io_trustpub/src/keystore/load_jwks.rs
+expression: jwks
+---
+JwkSet {
+    keys: [
+        Jwk {
+            common: CommonParameters {
+                public_key_use: Some(
+                    Signature,
+                ),
+                key_operations: None,
+                key_algorithm: Some(
+                    RS256,
+                ),
+                key_id: Some(
+                    "cc413527-173f-5a05-976e-9c52b1d7b431",
+                ),
+                x509_url: None,
+                x509_chain: None,
+                x509_sha1_fingerprint: None,
+                x509_sha256_fingerprint: None,
+            },
+            algorithm: RSA(
+                RSAKeyParameters {
+                    key_type: RSA,
+                    n: "w4M936N3ZxNaEblcUoBm-xu0-V9JxNx5S7TmF0M3SBK-2bmDyAeDdeIOTcIVZHG-ZX9N9W0u1yWafgWewHrsz66BkxXq3bscvQUTAw7W3s6TEeYY7o9shPkFfOiU3x_KYgOo06SpiFdymwJflRs9cnbaU88i5fZJmUepUHVllP2tpPWTi-7UA3AdP3cdcCs5bnFfTRKzH2W0xqKsY_jIG95aQJRBDpbiesefjuyxcQnOv88j9tCKWzHpJzRKYjAUM6OPgN4HYnaSWrPJj1v41eEkFM1kORuj-GSH2qMVD02VklcqaerhQHIqM-RjeHsN7G05YtwYzomE5G-fZuwgvQ",
+                    e: "AQAB",
+                },
+            ),
+        },
+        Jwk {
+            common: CommonParameters {
+                public_key_use: Some(
+                    Signature,
+                ),
+                key_operations: None,
+                key_algorithm: Some(
+                    RS256,
+                ),
+                key_id: Some(
+                    "38826b17-6a30-5f9b-b169-8beb8202f723",
+                ),
+                x509_url: None,
+                x509_chain: Some(
+                    [
+                        "MIIDKzCCAhOgAwIBAgIUDnwm6eRIqGFA3o/P1oBrChvx/nowDQYJKoZIhvcNAQELBQAwJTEjMCEGA1UEAwwaYWN0aW9ucy5zZWxmLXNpZ25lZC5naXRodWIwHhcNMjQwMTIzMTUyNTM2WhcNMzQwMTIwMTUyNTM2WjAlMSMwIQYDVQQDDBphY3Rpb25zLnNlbGYtc2lnbmVkLmdpdGh1YjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOTGp5svs8LJN8BH7VzXShWXnOK0lhDVuI0xnr5bwHFPc924CwaIEFb6mC7bvW2lZtgd633uaJ2naG6vKaOVGpCdGLE4ohH11nUk+2CNknZL7/oTmDHGSmGeHRb7kjtb0Ng4BJMPzmTYmCNUudfDFhHDcZz1Obuu85GsABrC5ZlzWzspYFXwUSaxvII+rHK/rAbOC2gmt5IOSLmgh3taQfp0mB6Lxlf89HoBPNwtPfBX8DtXTWQVnqODm4W+WfmWBSyXGX54DGNMyZwlTZqR0FjoMXxopId3MIuDGKxa2weDU5cW60N2y/qxikeV99fL3sg5aPA8s9iljKG0+MAfVNUCAwEAAaNTMFEwHQYDVR0OBBYEFIPALo5VanJ6E1B9eLQgGO+uGV65MB8GA1UdIwQYMBaAFIPALo5VanJ6E1B9eLQgGO+uGV65MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGS0hZE+DqKIRi49Z2KDOMOaSZnAYgqq6ws9HJHT09MXWlMHB8E/apvy2ZuFrcSu14ZLweJid+PrrooXEXEO6azEakzCjeUb9G1QwlzP4CkTcMGCw1Snh3jWZIuKaw21f7mp2rQ+YNltgHVDKY2s8AD273E8musEsWxJl80/MNvMie8Hfh4n4/Xl2r6t1YPmUJMoXAXdTBb0hkPy1fUu3r2T+1oi7Rw6kuVDfAZjaHupNHzJeDOg2KxUoK/GF2/M2qpVrd19Pv/JXNkQXRE4DFbErMmA7tXpp1tkXJRPhFui/Pv5H9cPgObEf9x6W4KnCXzT3ReeeRDKF8SqGTPELsc=",
+                    ],
+                ),
+                x509_sha1_fingerprint: Some(
+                    "ykNaY4qM_ta4k2TgZOCEYLkcYlA",
+                ),
+                x509_sha256_fingerprint: None,
+            },
+            algorithm: RSA(
+                RSAKeyParameters {
+                    key_type: RSA,
+                    n: "5Manmy-zwsk3wEftXNdKFZec4rSWENW4jTGevlvAcU9z3bgLBogQVvqYLtu9baVm2B3rfe5onadobq8po5UakJ0YsTiiEfXWdST7YI2Sdkvv-hOYMcZKYZ4dFvuSO1vQ2DgEkw_OZNiYI1S518MWEcNxnPU5u67zkawAGsLlmXNbOylgVfBRJrG8gj6scr-sBs4LaCa3kg5IuaCHe1pB-nSYHovGV_z0egE83C098FfwO1dNZBWeo4Obhb5Z-ZYFLJcZfngMY0zJnCVNmpHQWOgxfGikh3cwi4MYrFrbB4NTlxbrQ3bL-rGKR5X318veyDlo8Dyz2KWMobT4wB9U1Q",
+                    e: "AQAB",
+                },
+            ),
+        },
+        Jwk {
+            common: CommonParameters {
+                public_key_use: Some(
+                    Signature,
+                ),
+                key_operations: None,
+                key_algorithm: Some(
+                    RS256,
+                ),
+                key_id: Some(
+                    "1F2AB83404C08EC9EA0BB99DAED02186B091DBF4",
+                ),
+                x509_url: None,
+                x509_chain: Some(
+                    [
+                        "MIIDrDCCApSgAwIBAgIQAP4blP36Q3WmMOhWf0RBMzANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDEyt2c3RzLXZzdHNnaHJ0LWdoLXZzby1vYXV0aC52aXN1YWxzdHVkaW8uY29tMB4XDTIzMTAyNDE0NTI1NVoXDTI1MTAyNDE1MDI1NVowNjE0MDIGA1UEAxMrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvM0mJ+SUfzucssEnjoZllnezjKC25YeIhk3iIUzlaJ/uXueESt9GEA3lAo6W/bt73R0zu10u4uhM5MC27FDoq9u7oaqBRhll0gGaz6HDqG0haCwuZdDb0ikalbaaAAzh3AIefby26/Hc98bRBBsf6pS083xX1ogiGFosteQtqKNXjT8c0Hzr3bu2Hrejn+JrrFdBLOf5jRE6XhzlRK4vD1n8c8OPOVByI97KHJeC5PyN4g8h34KU+PbSCWIRxOTSJizXcDIWtXAQiGyTMtXSQn3aCvNux4vaisgZn7TUD4XsxlUbDo7H9gX1Bsxj+aQhqxQYxDnC4Y/94/kyXm4L0CAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNgYDVR0RBC8wLYIrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTAfBgNVHSMEGDAWgBSmWMP5CXuaSzoLKwcLXYZnoeCJmDAdBgNVHQ4EFgQUpljD+Ql7mks6CysHC12GZ6HgiZgwDQYJKoZIhvcNAQELBQADggEBAINwybFwYpXJkvauL5QbtrykIDYeP8oFdVIeVY8YI9MGfx7OwWDsNBVXv2B62zAZ49hK5G87++NmFI/FHnGOCISDYoJkRSCy2Nbeyr7Nx2VykWzUQqHLZfvr5KqW4Gj1OFHUqTl8lP3FWDd/P+lil3JobaSiICQshgF0GnX2a8ji8mfXpJSP20gzrLw84brmtmheAvJ9X/sLbM/RBkkT6g4NV2QbTMqo6k601qBNQBsH+lTDDWPCkRoAlW6a0z9bWIhGHWJ2lcR70zagcxIVl5/Fq35770/aMGroSrIx3JayOEqsvgIthYBKHzpT2VFwUz1VpBpNVJg9/u6jCwLY7QA=",
+                    ],
+                ),
+                x509_sha1_fingerprint: Some(
+                    "Hyq4NATAjsnqC7mdrtAhhrCR2_Q",
+                ),
+                x509_sha256_fingerprint: None,
+            },
+            algorithm: RSA(
+                RSAKeyParameters {
+                    key_type: RSA,
+                    n: "u8zSYn5JR_O5yywSeOhmWWd7OMoLblh4iGTeIhTOVon-5e54RK30YQDeUCjpb9u3vdHTO7XS7i6EzkwLbsUOir27uhqoFGGWXSAZrPocOobSFoLC5l0NvSKRqVtpoADOHcAh59vLbr8dz3xtEEGx_qlLTzfFfWiCIYWiy15C2oo1eNPxzQfOvdu7Yet6Of4musV0Es5_mNETpeHOVEri8PWfxzw485UHIj3socl4Lk_I3iDyHfgpT49tIJYhHE5NImLNdwMha1cBCIbJMy1dJCfdoK827Hi9qKyBmftNQPhezGVRsOjsf2BfUGzGP5pCGrFBjEOcLhj_3j-TJebgvQ",
+                    e: "AQAB",
+                },
+            ),
+        },
+        Jwk {
+            common: CommonParameters {
+                public_key_use: Some(
+                    Signature,
+                ),
+                key_operations: None,
+                key_algorithm: Some(
+                    RS256,
+                ),
+                key_id: Some(
+                    "001DDCD014A848E8824577B3E4F3AEDB3BCF5FFD",
+                ),
+                x509_url: None,
+                x509_chain: Some(
+                    [
+                        "MIIDrDCCApSgAwIBAgIQKiyRrA01T5qtxdzvZ/ErzjANBgkqhkiG9w0BAQsFADA2MTQwMgYDVQQDEyt2c3RzLXZzdHNnaHJ0LWdoLXZzby1vYXV0aC52aXN1YWxzdHVkaW8uY29tMB4XDTIzMTAxODE1MDExOFoXDTI1MTAxODE1MTExOFowNjE0MDIGA1UEAxMrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALCP6+IjsL0cZLEqL8mTfHWubvnYdO33XKoexY8iimQjla+3WvPfMZNExvXme5XwNQpgUx+LF+Xr4OGINsXRQ8WCuMZi2XMDMkGSA4mXHSLo57bWqqZazL/7/mMgGqRxZrnWwTvDVbjh94JhmidNhvLtVXX/Atz3TStd3IeMKTb8qMcKmiFhj0s7nQOphjxqL0S4buXRDjiUibbC8xMTbzZh54TyWZNOq+xXj5AVkkNQgh1wM6QfmlFhGQtRSjEoqtnb3zgsoibbRHco/Dv+cqm9MCwD2/vDXc5KaW0WpdlhqMKFPgHo6qFiJoXw85TgUErZ4bgJbiqQOrB9InypULECAwEAAaOBtTCBsjAOBgNVHQ8BAf8EBAMCBaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwNgYDVR0RBC8wLYIrdnN0cy12c3RzZ2hydC1naC12c28tb2F1dGgudmlzdWFsc3R1ZGlvLmNvbTAfBgNVHSMEGDAWgBQ45rBfvl4JJ7vg3WgLjQTfhDihvzAdBgNVHQ4EFgQUOOawX75eCSe74N1oC40E34Q4ob8wDQYJKoZIhvcNAQELBQADggEBABdN6HPheRdzwvJgi4xGHnf9pvlUC8981kAtgHnPT0VEYXh/dCMnKJSvCDJADpdmkuKxLxAfACeZR2CUHkQ0eO1ek/ihLvPqywDhLENq6Lvzu3qlhvUPBkGYjydpLtXQ1bBXUQ1FzT5/L1U19P2rJso9mC4ltu2OHJ9NLCKG0zffBItAJqhAiXtKbCUg4c9RbQxi9T2/xr9R72di4Qygfnmr3QleAqmjRG918cm5/uJ0s5EaK3QI7GQy7+tc44o3H3AI5eFtrHwIV0zoY4A9YIsaRmMHq9soHFBEO1HDKKRUOl/4tjpx8zHpp5Clz0wiZMgvSIdBa3/fTeUJ3flUYMo=",
+                    ],
+                ),
+                x509_sha1_fingerprint: Some(
+                    "AB3c0BSoSOiCRXez5POu2zvPX_0",
+                ),
+                x509_sha256_fingerprint: None,
+            },
+            algorithm: RSA(
+                RSAKeyParameters {
+                    key_type: RSA,
+                    n: "sI_r4iOwvRxksSovyZN8da5u-dh07fdcqh7FjyKKZCOVr7da898xk0TG9eZ7lfA1CmBTH4sX5evg4Yg2xdFDxYK4xmLZcwMyQZIDiZcdIujnttaqplrMv_v-YyAapHFmudbBO8NVuOH3gmGaJ02G8u1Vdf8C3PdNK13ch4wpNvyoxwqaIWGPSzudA6mGPGovRLhu5dEOOJSJtsLzExNvNmHnhPJZk06r7FePkBWSQ1CCHXAzpB-aUWEZC1FKMSiq2dvfOCyiJttEdyj8O_5yqb0wLAPb-8NdzkppbRal2WGowoU-AejqoWImhfDzlOBQStnhuAluKpA6sH0ifKlQsQ",
+                    e: "AQAB",
+                },
+            ),
+        },
+    ],
+}
@@ -2,7 +2,7 @@
 
 pub mod github;
 pub mod keystore;
-#[cfg(test)]
+#[cfg(any(test, feature = "mock"))]
 pub mod test_keys;
 pub mod unverified;
 
 
@@ -1,16 +1,18 @@
 #[macro_use]
 extern crate tracing;
 
+use axum::ServiceExt;
 use crates_io::middleware::normalize_path::normalize_path;
 use crates_io::{App, Emails, metrics::LogEncoder};
-use std::{sync::Arc, time::Duration};
-
-use axum::ServiceExt;
 use crates_io_github::RealGitHubClient;
+use crates_io_trustpub::github::GITHUB_ISSUER_URL;
+use crates_io_trustpub::keystore::{OidcKeyStore, RealOidcKeyStore};
 use prometheus::Encoder;
 use reqwest::Client;
+use std::collections::HashMap;
 use std::io::Write;
 use std::net::SocketAddr;
+use std::{sync::Arc, time::Duration};
 use tokio::net::TcpListener;
 use tokio::signal::unix::{SignalKind, signal};
 use tower::Layer;
@@ -33,10 +35,15 @@ fn main() -> anyhow::Result<()> {
     let github = RealGitHubClient::new(client);
     let github = Box::new(github);
 
+    let github_key_store: Box<dyn OidcKeyStore> = Box::new(RealOidcKeyStore::github());
+    let oidc_key_stores: HashMap<String, Box<dyn OidcKeyStore>> =
+        HashMap::from([(GITHUB_ISSUER_URL.into(), github_key_store)]);
+
     let app = App::builder()
         .databases_from_config(&config.db)
         .github(github)
         .github_oauth_from_config(&config)
+        .oidc_key_stores(oidc_key_stores)
         .emails(emails)
         .storage_from_config(&config.storage)
         .rate_limiter_from_config(config.rate_limiter.clone())