Merge pull request #9 from jamestelfer/improve-local-testing

test: improve local testing key creation and scripting

.development/.envrc

@@ -1,13 +1,35 @@
-#!/bin/sh
+#!/bin/bash
+
+# This configuration allows for local testing of the bridge. It uses Git config
+# environment variables to override local configuration without making changes
+# to it. See https://git-scm.com/docs/git-config#ENVIRONMENT
+
+git_config_add() {
+    local key="$1"
+    local value="$2"
+
+    index=$(( "${GIT_CONFIG_COUNT:-0}" - 1 ))
+
+    # index is incremented each time a setting is added
+    index=$(( index + 1 ))
+    export GIT_CONFIG_COUNT=$(( index + 1 ))
+    export "GIT_CONFIG_KEY_${index}=${key}"
+    export "GIT_CONFIG_VALUE_${index}=${value}"
+}
 
-# default values
-export GIT_CONFIG_COUNT=2
-export GIT_CONFIG_KEY_0="credential.https://github.com.usehttppath"
-export GIT_CONFIG_VALUE_0="true"
 helper_path="$(expand_path ../helper)"
-export GIT_CONFIG_KEY_1="credential.https://github.com.helper"
-export GIT_CONFIG_VALUE_1="${helper_path}/buildkite-connector-credential-helper http://localhost:${SERVER_PORT:-8080}/credential-helper"
 
+# Use the empty string to override helpers from other configuration
+# See https://git-scm.com/docs/gitcredentials/2.29.0#Documentation/gitcredentials.txt-helper
+git_config_add "credential.helper" ""
+git_config_add "credential.https://github.com.helper" ""
+
+# Now configure the testing helper from the this repo. This uses the local JWT
+# keys to create an OIDC token that mimics Buildkite's, but doesn't require a
+# Buildkite agent. It only works if the server is run with the corresponding
+# test keys; see the root .envrc for that information.
+git_config_add "credential.https://github.com.helper" "${helper_path}/buildkite-connector-credential-helper http://localhost:${SERVER_PORT:-8080}/git-credentials"
+git_config_add "credential.https://github.com.usehttppath" "true"
 
 source_up
 
@@ -21,9 +43,15 @@ source_env_if_exists ".envrc.private"
 #
 # Git diagnostics
 #
+# Useful git variables for understanding if the credential helper is working.
+#
 
-# useful git variables for understanding if the credential helper is working
+# trace will show the credential commands that are executed
 # export GIT_TRACE=2
+
+# like curl -v, but for git
 # export GIT_CURL_VERBOSE=1
+
+# unsure about the value of this one
 # export GIT_TRACE_PACKET=1
 

.envrc

@@ -25,7 +25,9 @@ source_env_if_exists .envrc.private
 # required
 # export JWT_BUILDKITE_ORGANIZATION_SLUG="<your test organization slug>"
 
-# export JWT_JWKS_STATIC="$(cat .development/keys/jwks.json)"
+# use "make keygen" to generate a new key pair for testing
+# jwks="$(cat .development/keys/jwk-sig-testing-pub.json)"
+# export JWT_JWKS_STATIC="${jwks}"
 # export JWT_ISSUER_URL="https://local.testing"
 # export JWT_AUDIENCE="test-audience"
 

Makefile

@@ -37,3 +37,14 @@ docker-down:
 ensure-deps: mod
 	@go mod tidy
 	@git diff --exit-code
+
+# use generation tool to create a JWKS key pair that can be used for local
+# testing.
+keygen:
+	go install github.com/go-jose/go-jose/v4/jose-util@latest
+	cd .development/keys \
+		&& rm -f *.json \
+		&& jose-util generate-key --use sig --alg RS256 --kid testing \
+		&& chmod +w *.json \
+		&& jq '. | { keys: [ . ] }' < jwk-sig-testing-pub.json > tmp.json \
+		&& mv tmp.json jwk-sig-testing-pub.json

README.md

@@ -179,6 +179,11 @@ variables, and can be deployed to a server or as a container.
 
 ## Contributing
 
-### Generating test keys
-
-Use [https://mkjwk.org], save private and public to `.development/keys`. Good enough for test credentials.
+Contributions are welcome.
+
+- `direnv` is the tool for setting up the test environment
+- some variant of docker compose makes it easier to run locally
+- Run `make keygen` to create test keys
+- Execute `git` commands in the `.development/keys` directory. This has git
+  configuration set up so it uses a local credential helper that will use the
+  keys in the `.development/keys` directory.

cmd/create/main.go

@@ -1,3 +1,6 @@
+// This command is only used for local testing: it is executed by the local
+// credential helper used to run commands with a locally-signed JWT against a
+// local server.
 package main
 
 import (
@@ -29,24 +32,22 @@ func main() {
 		os.Exit(1)
 	}
 
-	jwksPath := ".development/keys/jwks.private.json"
+	jwksPath := ".development/keys/jwk-sig-testing-priv.json"
 
 	jwksBytes, err := os.ReadFile(jwksPath)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error reading jwks: %v\n", err)
 		os.Exit(1)
 	}
 
-	jwks := jose.JSONWebKeySet{}
-	err = json.Unmarshal(jwksBytes, &jwks)
+	jwksKey := jose.JSONWebKey{}
+	err = json.Unmarshal(jwksBytes, &jwksKey)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error loading jwks: %v\n", err)
 		os.Exit(1)
 	}
 
-	key := jwks.Key("test-key")[0]
-
-	jwt, err := createJWT(&key, validity(jwt.Claims{
+	jwt, err := createJWT(&jwksKey, validity(jwt.Claims{
 		Audience: []string{cfg.Audience},
 		Subject:  cfg.Subject,
 		Issuer:   cfg.Issuer,