Fix integration tests

integration-tests/src/containers.rs

@@ -420,8 +420,16 @@ impl<'a> SignerNode<'a> {
                 hex::encode(cipher_key),
                 "--web-port".to_string(),
                 Self::CONTAINER_PORT.to_string(),
-                "--pagoda-firebase-audience-id".to_string(),
-                firebase_audience_id.to_string(),
+                "--pagoda-allowlist".to_string(),
+                serde_json::json!({
+                    "entries": [
+                        {
+                            "issuer": format!("https://securetoken.google.com/{firebase_audience_id}"),
+                            "audience": firebase_audience_id,
+                        }
+                    ]
+                })
+                .to_string(),
                 "--gcp-project-id".to_string(),
                 gcp_project_id.to_string(),
                 "--gcp-datastore-url".to_string(),
@@ -557,8 +565,16 @@ impl<'a> LeaderNode<'a> {
             account_creator_id.to_string(),
             "--account-creator-sk".to_string(),
             account_creator_sk.to_string(),
-            "--pagoda-firebase-audience-id".to_string(),
-            firebase_audience_id.to_string(),
+            "--pagoda-allowlist".to_string(),
+            serde_json::json!({
+                "entries": [
+                    {
+                        "issuer": format!("https://securetoken.google.com/{firebase_audience_id}"),
+                        "audience": firebase_audience_id,
+                    }
+                ]
+            })
+            .to_string(),
             "--gcp-project-id".to_string(),
             gcp_project_id.to_string(),
             "--gcp-datastore-url".to_string(),

mpc-recovery/src/main.rs

@@ -57,7 +57,10 @@ enum Cli {
         /// TEMPORARY - Account creator ed25519 secret key
         #[arg(long, env("MPC_RECOVERY_ACCOUNT_CREATOR_SK"))]
         account_creator_sk: Option<String>,
-        /// Filepath to a list of related items to be used to verify OIDC tokens.
+        /// JSON list of related items to be used to verify OIDC tokens.
+        #[arg(long, env("PAGODA_ALLOWLIST"))]
+        pagoda_allowlist: Option<String>,
+        /// Filepath to a JSON list of related items to be used to verify OIDC tokens.
         #[arg(long, value_parser, env("PAGODA_ALLOWLIST_FILEPATH"))]
         pagoda_allowlist_filepath: Option<PathBuf>,
         /// GCP project ID
@@ -86,8 +89,11 @@ enum Cli {
         /// The web port for this server
         #[arg(long, env("MPC_RECOVERY_WEB_PORT"))]
         web_port: u16,
-        /// Filepath to a list of related items to be used to verify OIDC tokens.
-        #[arg(long, value_parser)]
+        /// JSON list of related items to be used to verify OIDC tokens.
+        #[arg(long, env("PAGODA_ALLOWLIST"))]
+        pagoda_allowlist: Option<String>,
+        /// Filepath to a JSON list of related items to be used to verify OIDC tokens.
+        #[arg(long, value_parser, env("PAGODA_ALLOWLIST_FILEPATH"))]
         pagoda_allowlist_filepath: Option<PathBuf>,
         /// GCP project ID
         #[arg(long, env("MPC_RECOVERY_GCP_PROJECT_ID"))]
@@ -171,16 +177,21 @@ async fn load_account_creator_sk(
 async fn load_allowlist(
     gcp_service: &GcpService,
     env: &str,
+    allowlist: Option<String>,
     allowlist_path: Option<PathBuf>,
 ) -> anyhow::Result<AllowList> {
+    if let Some(allowlist) = allowlist {
+        return Ok(serde_json::from_str(&allowlist)?);
+    }
+
     match allowlist_path {
         Some(path) => {
             let file = std::fs::File::open(path)?;
             let reader = std::io::BufReader::new(file);
             Ok(serde_json::from_reader(reader)?)
         }
         None => {
-            let name = format!("mpc-recovery-account-allowlist-{env}/versions/latest");
+            let name = format!("mpc-recovery-allowlist-{env}/versions/latest");
             Ok(serde_json::from_slice(
                 &gcp_service.load_secret(name).await?,
             )?)
@@ -225,6 +236,7 @@ async fn main() -> anyhow::Result<()> {
             near_root_account,
             account_creator_id,
             account_creator_sk,
+            pagoda_allowlist,
             pagoda_allowlist_filepath,
             gcp_project_id,
             gcp_datastore_url,
@@ -234,7 +246,13 @@ async fn main() -> anyhow::Result<()> {
                 GcpService::new(env.clone(), gcp_project_id, gcp_datastore_url).await?;
             let account_creator_sk =
                 load_account_creator_sk(&gcp_service, &env, account_creator_sk).await?;
-            let allowlist = load_allowlist(&gcp_service, &env, pagoda_allowlist_filepath).await?;
+            let allowlist = load_allowlist(
+                &gcp_service,
+                &env,
+                pagoda_allowlist,
+                pagoda_allowlist_filepath,
+            )
+            .await?;
 
             let account_creator_sk = account_creator_sk.parse()?;
 
@@ -264,14 +282,21 @@ async fn main() -> anyhow::Result<()> {
             sk_share,
             cipher_key,
             web_port,
+            pagoda_allowlist,
             pagoda_allowlist_filepath,
             gcp_project_id,
             gcp_datastore_url,
             test,
         } => {
             let gcp_service =
                 GcpService::new(env.clone(), gcp_project_id, gcp_datastore_url).await?;
-            let allowlist = load_allowlist(&gcp_service, &env, pagoda_allowlist_filepath).await?;
+            let allowlist = load_allowlist(
+                &gcp_service,
+                &env,
+                pagoda_allowlist,
+                pagoda_allowlist_filepath,
+            )
+            .await?;
             let cipher_key = load_cipher_key(&gcp_service, &env, node_id, cipher_key).await?;
             let cipher_key = hex::decode(cipher_key)?;
             let cipher_key = GenericArray::<u8, U32>::clone_from_slice(&cipher_key);