diff --git a/.development/.envrc b/.development/.envrc
index 276ea37..d266fea 100644
--- a/.development/.envrc
+++ b/.development/.envrc
@@ -1,13 +1,35 @@
-#!/bin/sh
+#!/bin/bash
+
+# This configuration allows for local testing of the bridge. It uses Git config
+# environment variables to override local configuration without making changes
+# to it. See https://git-scm.com/docs/git-config#ENVIRONMENT
+
+git_config_add() {
+ local key="$1"
+ local value="$2"
+
+ index=$(( "${GIT_CONFIG_COUNT:-0}" - 1 ))
+
+ # index is incremented each time a setting is added
+ index=$(( index + 1 ))
+ export GIT_CONFIG_COUNT=$(( index + 1 ))
+ export "GIT_CONFIG_KEY_${index}=${key}"
+ export "GIT_CONFIG_VALUE_${index}=${value}"
+}
-# default values
-export GIT_CONFIG_COUNT=2
-export GIT_CONFIG_KEY_0="credential.https://github.com.usehttppath"
-export GIT_CONFIG_VALUE_0="true"
 helper_path="$(expand_path ../helper)"
-export GIT_CONFIG_KEY_1="credential.https://github.com.helper"
-export GIT_CONFIG_VALUE_1="${helper_path}/buildkite-connector-credential-helper http://localhost:${SERVER_PORT:-8080}/credential-helper"
+# Use the empty string to override helpers from other configuration
+# See https://git-scm.com/docs/gitcredentials/2.29.0#Documentation/gitcredentials.txt-helper
+git_config_add "credential.helper" ""
+git_config_add "credential.https://github.com.helper" ""
+
+# Now configure the testing helper from the this repo. This uses the local JWT
+# keys to create an OIDC token that mimics Buildkite's, but doesn't require a
+# Buildkite agent. It only works if the server is run with the corresponding
+# test keys; see the root .envrc for that information.
+git_config_add "credential.https://github.com.helper" "${helper_path}/buildkite-connector-credential-helper http://localhost:${SERVER_PORT:-8080}/git-credentials"
+git_config_add "credential.https://github.com.usehttppath" "true"
 source_up
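Review bot: `index` inside `git_config_add` is not declared `local`, so every call leaves a stray `index` variable behind in the sourced environment, and the `COUNT - 1` followed by `index + 1` arithmetic hides that the new slot is simply the current count; `local index="${GIT_CONFIG_COUNT:-0}"` followed by `export GIT_CONFIG_COUNT=$(( index + 1 ))` gives the same result with the variable scoped. The empty-string entries for `credential.helper` and `credential.https://github.com.helper` rely on `GIT_CONFIG_*` being applied after all config files, which is what makes the reset effective; a one-line comment saying so would save the next reader a trip to the docs. The helper URL is plain `http://localhost:…`, so the locally signed JWT is sent in cleartext; that is acceptable for a loopback test server, but the comment block should state it explicitly, e.g. `# loopback only: the token is sent over plain HTTP`. Minor: "from the this repo" in the added comment.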
@@ -21,9 +43,15 @@ source_env_if_exists ".envrc.private"
 #
 # Git diagnostics
 #
+# Useful git variables for understanding if the credential helper is working.
+#
-# useful git variables for understanding if the credential helper is working
+# trace will show the credential commands that are executed
 # export GIT_TRACE=2
+
+# like curl -v, but for git
 # export GIT_CURL_VERBOSE=1
+
+# unsure about the value of this one
 # export GIT_TRACE_PACKET=1
diff --git a/.envrc b/.envrc
index b8ee2a7..5353aca 100644
--- a/.envrc
+++ b/.envrc
@@ -25,7 +25,9 @@ source_env_if_exists .envrc.private
 # required
 # export JWT_BUILDKITE_ORGANIZATION_SLUG=""
-# export JWT_JWKS_STATIC="$(cat .development/keys/jwks.json)"
+# use "make keygen" to generate a new key pair for testing
+# jwks="$(cat .development/keys/jwk-sig-testing-pub.json)"
+# export JWT_JWKS_STATIC="${jwks}"
 # export JWT_ISSUER_URL="https://local.testing"
 # export JWT_AUDIENCE="test-audience"
diff --git a/Makefile b/Makefile
index 6ebec7e..dcc206c 100644
--- a/Makefile
+++ b/Makefile
@@ -37,3 +37,14 @@ docker-down:
 ensure-deps: mod
 @go mod tidy
 @git diff --exit-code
+
+# use generation tool to create a JWKS key pair that can be used for local
+# testing.
+keygen:
+ go install github.com/go-jose/go-jose/v4/jose-util@latest
+ cd .development/keys \
+ && rm -f *.json \
+ && jose-util generate-key --use sig --alg RS256 --kid testing \
+ && chmod +w *.json \
+ && jq '. | { keys: [ . ] }' < jwk-sig-testing-pub.json > tmp.json \
+ && mv tmp.json jwk-sig-testing-pub.json
diff --git a/README.md b/README.md
index 14e87e8..f28c0d8 100644
--- a/README.md
+++ b/README.md
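Review bot: The comment `# unsure about the value of this one` above `GIT_TRACE_PACKET` documents nothing for the next person; replace it with `# dumps the pack-protocol packets; rarely useful for credential problems`. These traces go to stderr and therefore into CI logs while a credential helper is handing tokens to git; as far as I recall git redacts `Authorization` headers in its traces unless `GIT_TRACE_REDACT=0` is set, so a line such as `# keep GIT_TRACE_REDACT unset so tokens are not written to the trace` above the list would make the safe combination explicit.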
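Review bot: The example inlines the whole file via `jwks="$(cat .development/keys/jwk-sig-testing-pub.json)"`, which is fine because `JWT_JWKS_STATIC` only needs the public half, but the `-priv` file that `make keygen` writes next to it has the same shape and is an easy mistake; a comment such as `# the -pub file only: the -priv key is consumed by cmd/create and must never be exported here` would close that gap. The path is relative to the `.envrc` directory, which direnv guarantees, so no change is needed there.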
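Review bot: `go install github.com/go-jose/go-jose/v4/jose-util@latest` resolves a different tool version on every machine that runs `make keygen`, which is the classic unpinned-build-tool supply-chain gap; pin it to a specific release tag (ideally the `go-jose/v4` version `go.mod` already resolves, if that module is a dependency) instead of `@latest`. `rm -f *.json` deletes every JSON file in `.development/keys`, not only the pair this target produces; `rm -f jwks*.json jwk-sig-testing-*.json` covers both the old and the new layout without collateral. The private key `jwk-sig-testing-priv.json` lands in a tracked directory, so please confirm it is covered by `.gitignore` (not visible in this change) and keep the jq wrapping for the public half only, as `cmd/create/main.go` now reads the private file as a single JWK rather than a key set.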
@@ -179,6 +179,11 @@ variables, and can be deployed to a server or as a container.
 ## Contributing
-### Generating test keys
-
-Use [https://mkjwk.org], save private and public to `.development/keys`. Good enough for test credentials.
+Contributions are welcome.
+
+- `direnv` is the tool for setting up the test environment
+- some variant of docker compose makes it easier to run locally
+- Run `make keygen` to create test keys
+- Execute `git` commands in the `.development/keys` directory. This has git
+ configuration set up so it uses a local credential helper that will use the
+ keys in the `.development/keys` directory.
diff --git a/cmd/create/main.go b/cmd/create/main.go
index af52ad8..0a8fd9e 100644
--- a/cmd/create/main.go
+++ b/cmd/create/main.go
@@ -1,3 +1,6 @@
+// This command is only used for local testing: it is executed by the local
+// credential helper used to run commands with a locally-signed JWT against a
+// local server.
 package main
 import (
@@ -29,7 +32,7 @@ func main() {
 os.Exit(1)
 }
- jwksPath := ".development/keys/jwks.private.json"
+ jwksPath := ".development/keys/jwk-sig-testing-priv.json"
 jwksBytes, err := os.ReadFile(jwksPath)
 if err != nil {
@@ -37,16 +40,14 @@ func main() {
 os.Exit(1)
 }
- jwks := jose.JSONWebKeySet{}
- err = json.Unmarshal(jwksBytes, &jwks)
+ jwksKey := jose.JSONWebKey{}
+ err = json.Unmarshal(jwksBytes, &jwksKey)
 if err != nil {
 fmt.Fprintf(os.Stderr, "error loading jwks: %v\n", err)
 os.Exit(1)
 }
- key := jwks.Key("test-key")[0]
-
- jwt, err := createJWT(&key, validity(jwt.Claims{
+ jwt, err := createJWT(&jwksKey, validity(jwt.Claims{
 Audience: []string{cfg.Audience},
 Subject: cfg.Subject,
 Issuer: cfg.Issuer,
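Review bot: `jwksPath` is still a path relative to the process working directory, so this command only finds the key when it is started from the repository root; the README in the same change tells developers to run `git` from `.development/keys`, and it is not visible here which cwd the credential helper passes on. Either document the expected cwd in a comment on this line, or read the location from the environment with this literal as the fallback, e.g. `jwksPath := cmp.Or(os.Getenv("JWT_TEST_KEY_PATH"), ".development/keys/jwk-sig-testing-priv.json")`. `main` starts and ends outside the hunk.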
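Review bot: After `json.Unmarshal` into `jwksKey` nothing checks that the file actually holds a usable private key, so pointing it at a public JWK (the `-pub` file the Makefile writes next to it has the same shape) or at a malformed key only fails deep inside `createJWT` with a less obvious error; validate before the call. The message `error loading jwks` is also stale now that a single JWK, not a key set, is read. `main` starts and ends outside the hunk.

```go
	// … unchanged: ReadFile and Unmarshal error handling …
	if !jwksKey.Valid() || jwksKey.IsPublic() {
		fmt.Fprintf(os.Stderr, "error: %s does not contain a valid private JWK\n", jwksPath)
		os.Exit(1)
	}
	jwt, err := createJWT(&jwksKey, validity(jwt.Claims{
```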