@flink-app/github-app-plugin 0.12.1-alpha.38

package/spec/core-utilities.spec.ts

@@ -0,0 +1,243 @@
+/**
+ * Core Utilities Test Suite
+ *
+ * Tests for JWT utilities, token cache, webhook signature validation,
+ * state utilities, and error utilities.
+ */
+
+import crypto from "crypto";
+import { generateJWT, detectPEMFormat } from "../src/utils/jwt-utils";
+import { validateWebhookSignature } from "../src/utils/webhook-signature-utils";
+import { TokenCache } from "../src/utils/token-cache-utils";
+import { generateState, generateSessionId, validateState } from "../src/utils/state-utils";
+import { GitHubAppErrorCodes, createGitHubAppError } from "../src/utils/error-utils";
+
+describe("Core Utilities", () => {
+    // Test private keys (PKCS#1 and PKCS#8 formats)
+    // These are real test keys generated for testing purposes only
+    const pkcs1PrivateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAq6ubHwwPDOQM2+GhrYRSw8K6S+Jqp3znXDaHMMIg89Y6u1G2
+VbnoS608F606uRXkuYLv1HzhtKs2Z9OLhhtamZWNaeUDVVOchsCmLl5Mh+z11Kwh
+Ho0qMM9LqLsN/tXd2Y014NEaChDf7D251/1DXXxZCILi64tNbm7IxwSrwl9sxPID
+OC6keNtPA2la2tAf6W49Bv1Yqp0KbxNnpdxotJFl0FAF4XyBRyaz2/UY3tKPrn72
+qzN/P03xG8d2VOSxigx+9btrwEk8QHNjPlbGK5w275Oo0qv4XcU2/S3l1/I/5qxo
+AmahBI7FhY8qAdVwHaxcw4ddGUG38fIytFXJFQIDAQABAoIBAAkBx3FBEjcUbgJJ
+W9C9TRRdTqX1mq/v8zmY2M37mXwBpPI4Ds9/ogr6a1k4qwiT9/ytvISTCsqOYxve
+cwcVv1KokJNaQysCaId/axiqtOw6yAkhANnYATsvXSJcshbJRMsJyCZkAjA+A2mj
+MXF+Jb8ta4RxTZObKvRc1qbufU6E2iAv5h3Gphc/dkI2aFBrCoovwan23RZ4iunB
+JdjqAvZxQkzik7/NxFTf2LaI8/ejhhF6U8ipnaO8UCaKal0u0HoHVguxTzQ4EJ8f
+htAGJb/0G+0glM+vGkxqtxCQsa2pJviGi209aRKsHbyYTm9jagFORGhHdDscNCYJ
+0WP+m+8CgYEA4wUSGGcFierhdGSMZ/LQz99AYjZIW3GOXEJDpmobhO36WTIn3XDK
+OT7itpVBZmIlGAtNu2yrVDxTj3pkAPHX4arL/QLucxCrFetTN88nlBy7iHRHuR04
+JkSDB/A0UoRMyNS8jLoInQ+Q/UeEpcY8z3zqGEiXW1BKfUEF5WfeDmcCgYEAwZW7
+yTB5tPlLFGGwbNU1jasVQoJYXj60twM54JKcdIMVaXKTK9+zpg2v79i5sLsH8ntL
+WCHNH9rjwbhtG2fNOApykgcZcLx6UDwGTX3tu4/M2WwbqM/G+90//SXI+mC5oa4Y
+zucSYxlrylk2Zzg4S7M9W0JA3C61PxDRisWjByMCgYAlyQZGAX+ugOWdlc64znVq
+4+G3dwl8Dt5/BJh17ls+OM3eYra36Ln/5TOe6CDGhbde1SLO+ztY/eF6lAhpD9e6
+u87QAdjmVfPj5hMnytbvlAiyoYf+i5p45BZbD+PliBevpZjsY1pjqd+cCHdPkDs2
+3beo6wwmKqr7RgNRN4SCKQKBgB8i40JX3quCEVZk5AiNPoDbzJ6W8nmuIkjxZuS9
+EBcZYl9Eg3FiGLYTq4GrXSqU2pFgzVyOizyda1akQEBRMMvbulPMeoYMeqvfC7B5
+Gby6Q1uRLN25Fas7CejApBPJbPIZW3oj5mw0EYdJVBvECiH64VqFTINdq99J6Dom
+0bL7AoGAEoaROmQZU0rzQHW5I1ZtH3HJd95a0OHSeMWMbYZxOROVL5gPrHPHTsSf
+m3iZcKhX/utexGcZms7C8Ss95jxO4bWzAp61UMZSwUa+X54T4y05LVEtT8nSuTrK
+qWWL8eC5rF2KHb2wPUwVmfPG8IiLKQdPtvoVsDc6uOy5DRvJsWI=
+-----END RSA PRIVATE KEY-----`;
+
+    const pkcs8PrivateKey = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9BfzBJ094CsjQ
+P9Qo/yNKgS7QjzFyk9jXm/VUVoELcsLfCg4dwbxOd3ljpVqWknIpgnBgqH0RiPWB
+tC5C1tpPHy24YEXUY0pBrDXUZUsuLzAh1y96RblqrgQxD3QkHmH3mtFYdTPzYwR4
+akiH7loaA2DMN+2iC5BOFARQTM+V8VrcPN9rd1+Mtrou6ExvK9T36VK8uEJJb4WV
+VWuSyc+4immPID15Ou0QhZr6clVur9qg0pyrukbJxcXsIe1TqDYTVOunLxbVOiEs
+kUIh2Lq5RKaCFoxgIBbizSK5PEGLMcMI0PwVAlWsxchpna0LY5f2GvHGvnKX8SHl
+JeN58cTFAgMBAAECggEAJYeOy3rWmGrrvA0wPoOJqj1D4jzMAIfCQezBJOGX9YHv
+lwEUFGxmyt2FyHcIKWUiLYOsdER/sH+U3w+7L6Ig7hyuozDaLHUaRTe/6E/EQYM0
+90MWNhyp17h9NJBw6srtgI/IiNucWPKL7KyNgg+c7BVHnsRr9gR9vkLTKG5XuNk/
+DL1mxG9lenlrynhkohUg7aQS2PcEGsHAKXFkMvL8Vxgi1PwY8ySE1HFxnohKvIbZ
+xTa1JIqrj8Cx2PjmIGz+MoVbKE1A0hA7rcLmPXhQdEAgyjSF/5t52clX/Qro91IE
+qRLoTrPZo4a55syODEQEJAji9Xn7Wai1pSmxhGKnAQKBgQDxHh9EUW4rajfyCGl6
+GA625OGRzDzqg+527b8VDX1ysc1XLJdrkUY2/dyGijMLm7bp1Kb/przN7zEURHYJ
+iMdah7d+Dg49HHn08e3Go7ibBAXPpbO8iAC6W+yZxOaad2MUgkJVoOUDREnRLTPM
+yT2tW1q331omQmPmJRoo/7azFQKBgQDIsLp1NmchNfR3pVnF76v4o5OCWuvvx0cU
+QgnA6WqYy3h9O5nHxOgy8gkMkbv/XGyUU+meh40rhq9rWJslKc3C7ENdv13lnkmz
+O7CLxo4Gb24dkC6NqGdC7PZgsYr4K2+yAZGI6SIdnXCa+TywAFExCXTu8C/y3PzC
+mWs2nqn28QKBgCMwz0VsURT7CrFDcwmDy1n8K8PYuCdOHBa1ekb7UgzUUHDhrDPh
+3wqVoILuVqbiEh8sjzcOwc2YlGQt3cBkexwGZMx8Bq36ov4R9S8hpAbT3nlA6Oui
+OeD5G54Rs8pllEtg+4d91Q7V/6QM4duIn3zWsXXWnlSpKeVkEt5a+/JFAoGAVvxy
+9RcNgFGYkrtyu950VaLg7uFl3lorrtYo0Brb/zpCEVXiA7qPQnWyAmawa7Ctx2TP
+n8z1HWaVZhvTszn5W4F4eYvWsQ34t90pWoxHRvbJbbru0quphlKbP7H0oDiDg042
+vHcAOIHjKujYqxiYGH8W1fH5dnTegaJp3BTNaqECgYEA4zGjcKVTVAkmnIXb0VZk
+SOmv9R3tKh+wUwYDKfw+kdUM6b+Tr7E589FgzIQuld68+FwNVupw7Eas56BTIVzW
+y8Ym74NTGSMnlTW8R/X2p5y5O1KrYjAAF621eRBJZ1nUBQLvL5XKNPt4ZmwURh6g
+tr8aCB8V88C1ffc7AfMLzzE=
+-----END PRIVATE KEY-----`;
+
+    describe("JWT Utilities", () => {
+        it("should detect PKCS#1 format correctly", () => {
+            const format = detectPEMFormat(pkcs1PrivateKey);
+            expect(format).toBe("pkcs1");
+        });
+
+        it("should detect PKCS#8 format correctly", () => {
+            const format = detectPEMFormat(pkcs8PrivateKey);
+            expect(format).toBe("pkcs8");
+        });
+
+        it("should generate valid JWT with PKCS#1 key", () => {
+            const appId = "123456";
+            const jwt = generateJWT(appId, pkcs1PrivateKey);
+            expect(jwt).toBeTruthy();
+            expect(typeof jwt).toBe("string");
+            expect(jwt.split(".").length).toBe(3); // JWT has 3 parts
+        });
+
+        it("should generate valid JWT with PKCS#8 key", () => {
+            const appId = "123456";
+            const jwt = generateJWT(appId, pkcs8PrivateKey);
+            expect(jwt).toBeTruthy();
+            expect(typeof jwt).toBe("string");
+            expect(jwt.split(".").length).toBe(3);
+        });
+
+        it("should throw error for invalid private key format", () => {
+            const invalidKey = "not a valid key";
+            expect(() => detectPEMFormat(invalidKey)).toThrow();
+        });
+    });
+
+    describe("Webhook Signature Utilities", () => {
+        const secret = "test-webhook-secret";
+        const payload = JSON.stringify({ test: "data" });
+
+        it("should validate correct webhook signature", () => {
+            // Generate valid signature
+            const signature = "sha256=" + crypto.createHmac("sha256", secret).update(payload).digest("hex");
+
+            const isValid = validateWebhookSignature(payload, signature, secret);
+            expect(isValid).toBe(true);
+        });
+
+        it("should reject invalid webhook signature", () => {
+            const invalidSignature = "sha256=invalid_signature";
+
+            const isValid = validateWebhookSignature(payload, invalidSignature, secret);
+            expect(isValid).toBe(false);
+        });
+
+        it("should reject signature with wrong secret", () => {
+            const wrongSecret = "wrong-secret";
+            const signature = "sha256=" + crypto.createHmac("sha256", wrongSecret).update(payload).digest("hex");
+
+            const isValid = validateWebhookSignature(payload, signature, secret);
+            expect(isValid).toBe(false);
+        });
+    });
+
+    describe("Token Cache Utilities", () => {
+        let cache: TokenCache;
+
+        beforeEach(() => {
+            cache = new TokenCache();
+        });
+
+        it("should store and retrieve token", () => {
+            const installationId = 12345;
+            const token = "test-token";
+            const ttl = 3600;
+
+            cache.setToken(installationId, token, ttl);
+            const retrieved = cache.getToken(installationId);
+
+            expect(retrieved).toBe(token);
+        });
+
+        it("should return null for expired token", (done) => {
+            const installationId = 12345;
+            const token = "test-token";
+            const ttl = 1; // 1 second
+
+            cache.setToken(installationId, token, ttl);
+
+            setTimeout(() => {
+                const retrieved = cache.getToken(installationId);
+                expect(retrieved).toBeNull();
+                done();
+            }, 1100); // Wait for expiration
+        });
+
+        it("should clear cache", () => {
+            cache.setToken(12345, "token1", 3600);
+            cache.setToken(67890, "token2", 3600);
+
+            cache.clearCache();
+
+            expect(cache.getToken(12345)).toBeNull();
+            expect(cache.getToken(67890)).toBeNull();
+        });
+    });
+
+    describe("State Utilities", () => {
+        it("should generate unique state parameter", () => {
+            const state1 = generateState();
+            const state2 = generateState();
+
+            expect(state1).toBeTruthy();
+            expect(state2).toBeTruthy();
+            expect(state1).not.toBe(state2);
+            expect(state1.length).toBe(64); // 32 bytes as hex = 64 chars
+        });
+
+        it("should generate unique session ID", () => {
+            const sessionId1 = generateSessionId();
+            const sessionId2 = generateSessionId();
+
+            expect(sessionId1).toBeTruthy();
+            expect(sessionId2).toBeTruthy();
+            expect(sessionId1).not.toBe(sessionId2);
+            expect(sessionId1.length).toBe(32); // 16 bytes as hex = 32 chars
+        });
+
+        it("should validate matching state using constant-time comparison", () => {
+            const state = generateState();
+            const isValid = validateState(state, state);
+
+            expect(isValid).toBe(true);
+        });
+
+        it("should reject non-matching state", () => {
+            const state1 = generateState();
+            const state2 = generateState();
+
+            const isValid = validateState(state1, state2);
+            expect(isValid).toBe(false);
+        });
+    });
+
+    describe("Error Utilities", () => {
+        it("should have kebab-case error codes", () => {
+            expect(GitHubAppErrorCodes.INVALID_STATE).toBe("invalid-state");
+            expect(GitHubAppErrorCodes.SESSION_EXPIRED).toBe("session-expired");
+            expect(GitHubAppErrorCodes.INSTALLATION_NOT_FOUND).toBe("installation-not-found");
+            expect(GitHubAppErrorCodes.INVALID_PRIVATE_KEY).toBe("invalid-private-key");
+            expect(GitHubAppErrorCodes.JWT_SIGNING_FAILED).toBe("jwt-signing-failed");
+            expect(GitHubAppErrorCodes.TOKEN_EXCHANGE_FAILED).toBe("token-exchange-failed");
+            expect(GitHubAppErrorCodes.WEBHOOK_SIGNATURE_INVALID).toBe("webhook-signature-invalid");
+            expect(GitHubAppErrorCodes.WEBHOOK_PAYLOAD_INVALID).toBe("webhook-payload-invalid");
+        });
+
+        it("should create GitHub App error with code and message", () => {
+            const error = createGitHubAppError("invalid-state", "State parameter is invalid");
+
+            expect(error.code).toBe("invalid-state");
+            expect(error.message).toBe("State parameter is invalid");
+        });
+
+        it("should create error with optional details", () => {
+            const error = createGitHubAppError("network-error", "Network failure", { statusCode: 500 });
+
+            expect(error.code).toBe("network-error");
+            expect(error.message).toBe("Network failure");
+            expect(error.details).toEqual({ statusCode: 500 });
+        });
+    });
+});

package/spec/handlers.spec.ts

@@ -0,0 +1,216 @@
+/**
+ * Handler Tests for GitHub App Plugin
+ *
+ * Tests for installation callback and webhook handlers.
+ * Focused tests covering critical paths only.
+ */
+
+import InstallationCallback from "../src/handlers/InstallationCallback";
+import WebhookHandler from "../src/handlers/WebhookHandler";
+import { generateSessionId, generateState } from "../src/utils/state-utils";
+
+describe("GitHub App Handlers", () => {
+    describe("InstallationCallback", () => {
+        it("should validate state and store installation", async () => {
+            const state = generateState();
+            const mockSession = {
+                sessionId: generateSessionId(),
+                state,
+                userId: "user123",
+                createdAt: new Date(),
+            };
+
+            const mockInstallation = {
+                id: 12345,
+                account: {
+                    id: 67890,
+                    login: "testuser",
+                    type: "User" as const,
+                    avatar_url: "https://example.com/avatar.png",
+                },
+                repository_selection: "selected",
+                permissions: {
+                    contents: "read",
+                    issues: "write",
+                },
+                events: ["push", "pull_request"],
+            };
+
+            const mockRepositories = [
+                {
+                    id: 1,
+                    name: "repo1",
+                    full_name: "testuser/repo1",
+                    private: false,
+                },
+            ];
+
+            const mockCtx: any = {
+                repos: {
+                    githubAppSessionRepo: {
+                        getOne: jasmine.createSpy("getOne").and.returnValue(Promise.resolve(mockSession)),
+                        deleteBySessionId: jasmine.createSpy("deleteBySessionId").and.returnValue(Promise.resolve(1)),
+                    },
+                    githubInstallationRepo: {
+                        create: jasmine.createSpy("create").and.returnValue(Promise.resolve({})),
+                    },
+                },
+                plugins: {
+                    githubApp: {
+                        authService: {
+                            generateAppJWT: jasmine.createSpy("generateAppJWT").and.returnValue("mock-jwt"),
+                        },
+                        options: {
+                            baseUrl: "https://api.github.com",
+                            onInstallationSuccess: jasmine.createSpy("onInstallationSuccess").and.returnValue(
+                                Promise.resolve({
+                                    userId: "user123",
+                                    redirectUrl: "/dashboard",
+                                })
+                            ),
+                        },
+                    },
+                },
+            };
+
+            // Mock fetch for installation details and repositories
+            global.fetch = jasmine.createSpy("fetch").and.returnValues(
+                // First call: get installation details
+                Promise.resolve({
+                    ok: true,
+                    json: () => Promise.resolve(mockInstallation),
+                } as any),
+                // Second call: get installation token
+                Promise.resolve({
+                    ok: true,
+                    json: () => Promise.resolve({ token: "mock-token" }),
+                } as any),
+                // Third call: get repositories
+                Promise.resolve({
+                    ok: true,
+                    json: () => Promise.resolve({ repositories: mockRepositories }),
+                } as any)
+            );
+
+            const mockReq: any = {
+                query: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state,
+                },
+            };
+
+            const result = await InstallationCallback({ ctx: mockCtx, req: mockReq } as any);
+
+            expect(result.status).toBe(302);
+            expect(mockCtx.repos.githubAppSessionRepo.getOne).toHaveBeenCalledWith({ state });
+            expect(mockCtx.repos.githubAppSessionRepo.deleteBySessionId).toHaveBeenCalledWith(mockSession.sessionId);
+            expect(mockCtx.plugins.githubApp.options.onInstallationSuccess).toHaveBeenCalled();
+            expect(mockCtx.repos.githubInstallationRepo.create).toHaveBeenCalled();
+        });
+
+        it("should reject invalid state", async () => {
+            const mockCtx: any = {
+                repos: {
+                    githubAppSessionRepo: {
+                        getOne: jasmine.createSpy("getOne").and.returnValue(Promise.resolve(null)),
+                    },
+                },
+                plugins: {
+                    githubApp: {
+                        options: {},
+                    },
+                },
+            };
+
+            const mockReq: any = {
+                query: {
+                    installation_id: "12345",
+                    setup_action: "install",
+                    state: "invalid-state",
+                },
+            };
+
+            const result = await InstallationCallback({ ctx: mockCtx, req: mockReq } as any);
+
+            expect(result.status).toBe(400);
+        });
+    });
+
+    describe("WebhookHandler", () => {
+        it("should validate signature and call webhook callback", async () => {
+            const secret = "test-secret";
+            const payload = JSON.stringify({
+                action: "created",
+                installation: {
+                    id: 12345,
+                },
+            });
+
+            const mockCtx: any = {
+                repos: {
+                    githubWebhookEventRepo: {
+                        create: jasmine.createSpy("create").and.returnValue(Promise.resolve({})),
+                    },
+                },
+                plugins: {
+                    githubApp: {
+                        webhookValidator: {
+                            validateSignature: jasmine.createSpy("validateSignature").and.returnValue(true),
+                            parsePayload: jasmine.createSpy("parsePayload").and.returnValue({
+                                action: "created",
+                                installation: { id: 12345 },
+                            }),
+                            extractInstallationId: jasmine.createSpy("extractInstallationId").and.returnValue(12345),
+                        },
+                        options: {
+                            logWebhookEvents: true,
+                            onWebhookEvent: jasmine.createSpy("onWebhookEvent").and.returnValue(Promise.resolve()),
+                        },
+                    },
+                },
+            };
+
+            const mockReq: any = {
+                headers: {
+                    "x-github-event": "installation",
+                    "x-github-delivery": "delivery-123",
+                    "x-hub-signature-256": "sha256=fake-signature",
+                },
+                body: payload,
+            };
+
+            const result = await WebhookHandler({ ctx: mockCtx, req: mockReq } as any);
+
+            expect(result.status).toBe(200);
+            expect(mockCtx.plugins.githubApp.webhookValidator.validateSignature).toHaveBeenCalled();
+            expect(mockCtx.plugins.githubApp.options.onWebhookEvent).toHaveBeenCalled();
+        });
+
+        it("should reject invalid signature", async () => {
+            const mockCtx: any = {
+                plugins: {
+                    githubApp: {
+                        webhookValidator: {
+                            validateSignature: jasmine.createSpy("validateSignature").and.returnValue(false),
+                        },
+                        options: {},
+                    },
+                },
+            };
+
+            const mockReq: any = {
+                headers: {
+                    "x-github-event": "installation",
+                    "x-github-delivery": "delivery-123",
+                    "x-hub-signature-256": "invalid-signature",
+                },
+                body: "{}",
+            };
+
+            const result = await WebhookHandler({ ctx: mockCtx, req: mockReq } as any);
+
+            expect(result.status).toBe(401);
+        });
+    });
+});

package/spec/helpers/reporter.ts

@@ -0,0 +1,41 @@
+/**
+ * Jasmine Spec Reporter Configuration
+ * Provides cleaner, more readable test output
+ */
+
+import { SpecReporter, StacktraceOption } from 'jasmine-spec-reporter';
+
+// Remove default reporter
+jasmine.getEnv().clearReporters();
+
+// Add spec reporter with custom configuration
+jasmine.getEnv().addReporter(new SpecReporter({
+  spec: {
+    displayPending: true,
+    displayDuration: true,
+    displayErrorMessages: true,
+    displayStacktrace: StacktraceOption.PRETTY,
+    displaySuccessful: true,
+    displayFailed: true,
+  },
+  summary: {
+    displayPending: true,
+    displayDuration: true,
+    displayErrorMessages: true,
+    displayStacktrace: StacktraceOption.PRETTY,
+    displaySuccessful: false,
+    displayFailed: true,
+  },
+  colors: {
+    enabled: true,
+    successful: 'green',
+    failed: 'red',
+    pending: 'yellow',
+  },
+  prefixes: {
+    successful: '✓ ',
+    failed: '✗ ',
+    pending: '○ ',
+  },
+  customProcessors: [],
+}));