Obfuscate test keys (#113)

* obfuscate private keys for tests

* update readme

* fix test

README.dev.md

@@ -21,7 +21,7 @@ This builds test virtual machines, attaches to the running Hocus agent, and star
 You may also attach to the agent container manually. The following runs a single E2E test of the prebuild workflow:
 
 ```bash
-TEST_STORAGE_DIR=/srv/jailer/tests yarn jest 'app/agent/workflows.test.ts' -t 'runBuildfsAndPrebuilds' --testTimeout 600000
+OCI_PROXY=host.docker.internal:9999 yarn jest 'app/agent/workflows.test.ts' -t 'runBuildfsAndPrebuilds' --testTimeout 600000
 ```
 
 ## Add another BuildKite runner

app/init/init.service.test.ts

@@ -7,7 +7,11 @@ import { v4 as uuidv4 } from "uuid";
 import { createActivities } from "~/agent/activities/list";
 import { createAgentInjector } from "~/agent/agent-injector";
 import { createAppInjector } from "~/app-injector.server";
-import { TESTS_PRIVATE_SSH_KEY, TESTS_REPO_URL } from "~/test-utils/constants";
+import {
+  TESTS_PRIVATE_SSH_KEY,
+  TESTS_PUBLIC_SSH_KEY,
+  TESTS_REPO_URL,
+} from "~/test-utils/constants";
 import { TestEnvironmentBuilder } from "~/test-utils/test-environment-builder";
 import { Token } from "~/token";
 import { waitForPromises } from "~/utils.shared";
@@ -18,59 +22,64 @@ jest.setTimeout(30 * 1000);
 const USER1_ID = "b7b83d63-a9b0-4871-92d0-07779f28cfa8";
 const USER2_ID = "166908ef-15d0-498f-88e3-bfd97cf5d21b";
 
-const EXPECTED_CONFIG = `projects:
-  - config:
-      maxPrebuildRamMib: 1
-      maxPrebuildVCPUCount: 2
-      maxWorkspaceRamMib: 3
-      maxWorkspaceVCPUCount: 4
-    env:
-      project:
-        a: "3"
-        b: "2"
-        c: "1"
-      user:
-        166908ef-15d0-498f-88e3-bfd97cf5d21b:
-          a1: "1"
-          b1: "2"
-          c1: "3"
-        b7b83d63-a9b0-4871-92d0-07779f28cfa8:
-          a0: "1"
-          b0: "2"
-          c0: "3"
-    externalId: 6f5157ef-a51e-489e-890f-6637983a4b3c
-    name: test
-    repoUrl: [email protected]:hocus-dev/tests.git
-    rootDirectoryPath: /
-repos:
-  - privateKey: |
-      -----BEGIN OPENSSH PRIVATE KEY-----
-      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-      QyNTUxOQAAACD2OtjiG6gnlEUI7VN5v5p2JVu9U7Aymv6LwBup16ZonQAAAKAebpvbHm6b
-      2wAAAAtzc2gtZWQyNTUxOQAAACD2OtjiG6gnlEUI7VN5v5p2JVu9U7Aymv6LwBup16ZonQ
-      AAAEDQ8cjnVXbbBq8YoS9i8yty9NgOgKM1Y/Nj3x7vWgloHvY62OIbqCeURQjtU3m/mnYl
-      W71TsDKa/ovAG6nXpmidAAAAF2hvY3VzLXRlc3RzQGV4YW1wbGUuY29tAQIDBAUG
-      -----END OPENSSH PRIVATE KEY-----
-    publicKey: ssh-ed25519
-      AAAAC3NzaC1lZDI1NTE5AAAAIPY62OIbqCeURQjtU3m/mnYlW71TsDKa/ovAG6nXpmid
-      [email protected]
-    url: [email protected]:hocus-dev/tests.git
-users:
-  - externalId: 166908ef-15d0-498f-88e3-bfd97cf5d21b
-    git:
-      email: email_166908ef-15d0-498f-88e3-bfd97cf5d21b
-      username: username_166908ef-15d0-498f-88e3-bfd97cf5d21b
-    publicKeys:
-      - name: name_166908ef-15d0-498f-88e3-bfd97cf5d21b
-        publicKey: pk_166908ef-15d0-498f-88e3-bfd97cf5d21b
-  - externalId: b7b83d63-a9b0-4871-92d0-07779f28cfa8
-    git:
-      email: email_b7b83d63-a9b0-4871-92d0-07779f28cfa8
-      username: username_b7b83d63-a9b0-4871-92d0-07779f28cfa8
-    publicKeys:
-      - name: name_b7b83d63-a9b0-4871-92d0-07779f28cfa8
-        publicKey: pk_b7b83d63-a9b0-4871-92d0-07779f28cfa8
-`;
+const EXPECTED_CONFIG = {
+  repos: [
+    {
+      url: "[email protected]:hocus-dev/tests.git",
+      publicKey: TESTS_PUBLIC_SSH_KEY,
+      privateKey: TESTS_PRIVATE_SSH_KEY,
+    },
+  ],
+  users: [
+    {
+      externalId: "166908ef-15d0-498f-88e3-bfd97cf5d21b",
+      git: {
+        username: "username_166908ef-15d0-498f-88e3-bfd97cf5d21b",
+        email: "email_166908ef-15d0-498f-88e3-bfd97cf5d21b",
+      },
+      publicKeys: [
+        {
+          publicKey: "pk_166908ef-15d0-498f-88e3-bfd97cf5d21b",
+          name: "name_166908ef-15d0-498f-88e3-bfd97cf5d21b",
+        },
+      ],
+    },
+    {
+      externalId: "b7b83d63-a9b0-4871-92d0-07779f28cfa8",
+      git: {
+        username: "username_b7b83d63-a9b0-4871-92d0-07779f28cfa8",
+        email: "email_b7b83d63-a9b0-4871-92d0-07779f28cfa8",
+      },
+      publicKeys: [
+        {
+          publicKey: "pk_b7b83d63-a9b0-4871-92d0-07779f28cfa8",
+          name: "name_b7b83d63-a9b0-4871-92d0-07779f28cfa8",
+        },
+      ],
+    },
+  ],
+  projects: [
+    {
+      name: "test",
+      externalId: "6f5157ef-a51e-489e-890f-6637983a4b3c",
+      repoUrl: "[email protected]:hocus-dev/tests.git",
+      rootDirectoryPath: "/",
+      env: {
+        project: { a: "3", b: "2", c: "1" },
+        user: {
+          "166908ef-15d0-498f-88e3-bfd97cf5d21b": { a1: "1", b1: "2", c1: "3" },
+          "b7b83d63-a9b0-4871-92d0-07779f28cfa8": { a0: "1", b0: "2", c0: "3" },
+        },
+      },
+      config: {
+        maxPrebuildRamMib: 1,
+        maxPrebuildVCPUCount: 2,
+        maxWorkspaceRamMib: 3,
+        maxWorkspaceVCPUCount: 4,
+      },
+    },
+  ],
+};
 
 test.concurrent(
   "getInitConfig",
@@ -157,21 +166,20 @@ test.concurrent(
         },
       });
       const initConfig = await initService["getInitConfig"](db);
-      const initConfigStr = initService["stringifyInitConfig"](initConfig);
-      expect(initConfigStr).toEqual(EXPECTED_CONFIG);
+      expect(initConfig).toEqual(EXPECTED_CONFIG);
     }),
 );
 
 test.concurrent(
   "dump and load",
   new TestEnvironmentBuilder(createAppInjector).withTestLogging().run(async ({ injector }) => {
     const initService = injector.resolve(Token.InitService);
-    const initConfig = initService["parseInitConfig"](EXPECTED_CONFIG);
     const filePath = `/tmp/init-config-test-${uuidv4()}`;
-    await initService["dumpInitConfigToFile"](filePath, initConfig);
+    await initService["dumpInitConfigToFile"](filePath, EXPECTED_CONFIG);
     const loadedConfig = await initService["loadInitConfigFromFile"](filePath);
     const stringifiedConfig = initService["stringifyInitConfig"](loadedConfig);
-    expect(stringifiedConfig).toEqual(EXPECTED_CONFIG);
+    const expectedStringifiedConfig = initService["stringifyInitConfig"](EXPECTED_CONFIG);
+    expect(stringifiedConfig).toEqual(expectedStringifiedConfig);
     await fs.rm(filePath);
   }),
 );
@@ -186,7 +194,7 @@ test.concurrent(
       const taskQueue = `test-${uuidv4()}`;
       const initService = injector.resolve(Token.InitService);
       initService["temporalQueue"] = taskQueue;
-      const initConfig = initService["parseInitConfig"](EXPECTED_CONFIG);
+      const initConfig = EXPECTED_CONFIG;
 
       const agentInjector = createAgentInjector();
       const activities = await createActivities(agentInjector, db);

app/test-utils/constants.ts

@@ -1,11 +1,15 @@
-export const TESTS_PUBLIC_SSH_KEY = `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPY62OIbqCeURQjtU3m/mnYlW71TsDKa/ovAG6nXpmid [email protected]`;
-export const TESTS_PRIVATE_SSH_KEY = `-----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACD2OtjiG6gnlEUI7VN5v5p2JVu9U7Aymv6LwBup16ZonQAAAKAebpvbHm6b
-2wAAAAtzc2gtZWQyNTUxOQAAACD2OtjiG6gnlEUI7VN5v5p2JVu9U7Aymv6LwBup16ZonQ
-AAAEDQ8cjnVXbbBq8YoS9i8yty9NgOgKM1Y/Nj3x7vWgloHvY62OIbqCeURQjtU3m/mnYl
-W71TsDKa/ovAG6nXpmidAAAAF2hvY3VzLXRlc3RzQGV4YW1wbGUuY29tAQIDBAUG
------END OPENSSH PRIVATE KEY-----
-`;
+import { decryptText } from "./encryption";
+
+// We store these keys obfuscated because GitHub will automatically revoke them if they are
+// stored in plain text and committed to a public repo. These keys are supposed to be publicly available.
+const encryptionKey = "not-a-secret";
+export const TESTS_PUBLIC_SSH_KEY = decryptText(
+  "HRwcAARJQVBWQ1xULy41bCIePR8CMVQYNCs9HC95NlAiMyQ1JyYtFVkZNSMgCzYkHzdEXSp3BDZbABxEIAVMBhB+K1AMCgYWJRcCHQRUAx1DGgoXGxw0SBlMHhUPF0sXAQI=",
+  encryptionKey,
+);
+export const TESTS_PRIVATE_SSH_KEY = decryptText(
+  "Q0JZAExvNiIqPEU7Pio6fjJlUzUxOzM1OipUZiR0XkhOX0h+DFw2QQNDPR8CMVQGNDcfWQVHNiQiMyQ1LChBWwNAJiQiMyQxDAJNWDt8MiQiMyQ1Ly41byBsMiQuBSQ1Ly4AVwIfFBE5JW8lFyEgeBliIiQiMyY3KT8kYiN/IhYIGFMYVyQnQAJoBS5bBiEtQT8FRg0GEig7NRwHDFY8XhBOIiQiMy8TOlpbRFdoWANXeBATLy41bBVXEFcEBj8jPxY6eTRVPDQiMyQ3LSgkfS5vITQQGQ9CAlY/fgxONhMoShEwN0AkXApBWAQuKiINHQ1NZRJcEDRpMyQ1Ky0cGiZfKT0ZAyE1GFkjTClMIC0GACI5IgAwezRABygKFlMyIC01Gk5mQjxXK11MWikybhh+IxQ7QhU/NBgnFRNUQ28tGF1fHzwsGA5VEAcoChNECxYEVSBsMiQmJQ0CN1wiVzBqJVE6JVQDDCghWDgfShEiIywwLC5JEGsAXkhOXyA6Kk87fSRjIDYrUjUmJzk1eSQNOCA6X0hZQ0J+",
+  encryptionKey,
+);
 export const TESTS_REPO_URL = "[email protected]:hocus-dev/tests.git";
 export const HOCUS_REPO_URL = "[email protected]:hocus-dev/hocus.git";

app/test-utils/encryption.test.ts

@@ -0,0 +1,9 @@
+import { encryptText, decryptText } from "./encryption";
+
+test.concurrent("encrypts and decrypts a string", async () => {
+  const text = "test";
+  const key = "not-a-secret";
+  const encrypted = await encryptText(text, key);
+  const decrypted = await decryptText(encrypted, key);
+  expect(decrypted).toBe(text);
+});

app/test-utils/encryption.ts

@@ -0,0 +1,17 @@
+export const encryptText = (text: string, key: string): string => {
+  // xor the text with the key
+  const xor = Buffer.from(text, "utf8").map(
+    (byte, index) => byte ^ key.charCodeAt(index % key.length),
+  );
+  // return the encrypted text as base64
+  return Buffer.from(xor).toString("base64");
+};
+
+export const decryptText = (text: string, key: string): string => {
+  // xor the text with the key
+  const xor = Buffer.from(text, "base64").map(
+    (byte, index) => byte ^ key.charCodeAt(index % key.length),
+  );
+  // return the decrypted text as utf8
+  return Buffer.from(xor).toString("utf8");
+};