trustpub: Implement FullGitHubClaims struct for testing purposes

Author: Turbo87

Cargo.lock

@@ -8,11 +8,12 @@ edition = "2024"
 workspace = true
 
 [features]
-test-helpers = ["dep:mockall", "dep:serde_json"]
+test-helpers = ["dep:bon", "dep:mockall", "dep:serde_json"]
 
 [dependencies]
 anyhow = "=1.0.98"
 async-trait = "=0.1.88"
+bon = { version = "=3.6.3", optional = true }
 chrono = { version = "=0.4.41", features = ["serde"] }
 jsonwebtoken = "=9.3.1"
 mockall = { version = "=0.13.1", optional = true }
@@ -24,6 +25,7 @@ thiserror = "=2.0.12"
 tokio = { version = "=1.45.0", features = ["sync"] }
 
 [dev-dependencies]
+bon = "=3.6.3"
 claims = "=0.8.0"
 insta = { version = "=1.43.1", features = ["json", "redactions"] }
 mockito = "=1.7.0"

crates/crates_io_trustpub/Cargo.toml

@@ -1,4 +1,6 @@
 mod claims;
+#[cfg(any(test, feature = "test-helpers"))]
+pub mod test_helpers;
 pub mod validation;
 mod workflows;
 

crates/crates_io_trustpub/src/github/mod.rs

@@ -0,0 +1,32 @@
+---
+source: crates/crates_io_trustpub/src/github/test_helpers.rs
+expression: claims
+---
+{
+  "iss": "https://token.actions.githubusercontent.com",
+  "nbf": "[timestamp]",
+  "exp": "[timestamp]",
+  "iat": "[timestamp]",
+  "jti": "example-id",
+  "sub": "repo:octocat/hello-world",
+  "aud": "crates.io",
+  "ref": "refs/heads/main",
+  "sha": "example-sha",
+  "repository": "octocat/hello-world",
+  "repository_owner": "octocat",
+  "actor_id": "12",
+  "repository_visibility": "private",
+  "repository_id": "74",
+  "repository_owner_id": "123",
+  "run_id": "example-run-id",
+  "run_number": "10",
+  "run_attempt": "2",
+  "runner_environment": "github-hosted",
+  "actor": "octocat",
+  "workflow": "example-workflow",
+  "head_ref": "",
+  "base_ref": "",
+  "event_name": "workflow_dispatch",
+  "ref_type": "branch",
+  "workflow_ref": "octocat/hello-world/.github/workflows/ci.yml@refs/heads/main"
+}

crates/crates_io_trustpub/src/github/snapshots/crates_io_trustpub__github__test_helpers__tests__github_claims.snap

@@ -0,0 +1,128 @@
+use crate::github::GITHUB_ISSUER_URL;
+use crate::test_keys::encode_for_testing;
+use bon::bon;
+use serde_json::json;
+
+pub const AUDIENCE: &str = "crates.io";
+
+/// A struct representing all the claims in a GitHub Actions OIDC token.
+///
+/// This struct is used to create a JWT for testing purposes.
+#[derive(Debug, serde::Serialize)]
+pub struct FullGitHubClaims {
+    pub iss: String,
+    pub nbf: i64,
+    pub exp: i64,
+    pub iat: i64,
+    pub jti: String,
+    pub sub: String,
+    pub aud: String,
+
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub environment: Option<String>,
+    #[serde(rename = "ref")]
+    pub r#ref: String,
+    pub sha: String,
+    pub repository: String,
+    pub repository_owner: String,
+    pub actor_id: String,
+    pub repository_visibility: String,
+    pub repository_id: String,
+    pub repository_owner_id: String,
+    pub run_id: String,
+    pub run_number: String,
+    pub run_attempt: String,
+    pub runner_environment: String,
+    pub actor: String,
+    pub workflow: String,
+    pub head_ref: String,
+    pub base_ref: String,
+    pub event_name: String,
+    pub ref_type: String,
+    pub workflow_ref: String,
+}
+
+#[bon]
+impl FullGitHubClaims {
+    #[builder]
+    pub fn new(
+        owner_id: i32,
+        owner_name: &str,
+        repository_name: &str,
+        workflow_filename: &str,
+        environment: Option<&str>,
+    ) -> Self {
+        let now = chrono::Utc::now().timestamp();
+
+        Self {
+            iss: GITHUB_ISSUER_URL.into(),
+            nbf: now,
+            iat: now,
+            exp: now + 30 * 60,
+            jti: "example-id".into(),
+            sub: format!("repo:{owner_name}/{repository_name}"),
+            aud: AUDIENCE.into(),
+
+            environment: environment.map(|s| s.into()),
+            r#ref: "refs/heads/main".into(),
+            sha: "example-sha".into(),
+            repository: format!("{owner_name}/{repository_name}"),
+            repository_owner: owner_name.into(),
+            actor_id: "12".into(),
+            repository_visibility: "private".into(),
+            repository_id: "74".into(),
+            repository_owner_id: owner_id.to_string(),
+            run_id: "example-run-id".into(),
+            run_number: "10".into(),
+            run_attempt: "2".into(),
+            runner_environment: "github-hosted".into(),
+            actor: "octocat".into(),
+            workflow: "example-workflow".into(),
+            head_ref: "".into(),
+            base_ref: "".into(),
+            event_name: "workflow_dispatch".into(),
+            ref_type: "branch".into(),
+            workflow_ref: format!(
+                "{owner_name}/{repository_name}/.github/workflows/{workflow_filename}@refs/heads/main"
+            ),
+        }
+    }
+
+    pub fn encoded(&self) -> anyhow::Result<String> {
+        Ok(encode_for_testing(self)?)
+    }
+
+    pub fn as_exchange_body(&self) -> anyhow::Result<String> {
+        let jwt = self.encoded()?;
+        Ok(serde_json::to_string(&json!({ "jwt": jwt }))?)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use claims::assert_ok;
+    use insta::assert_json_snapshot;
+
+    #[test]
+    fn test_github_claims() {
+        let claims = FullGitHubClaims::builder()
+            .owner_id(123)
+            .owner_name("octocat")
+            .repository_name("hello-world")
+            .workflow_filename("ci.yml")
+            .build();
+
+        assert_json_snapshot!(claims, {
+            ".nbf" => "[timestamp]",
+            ".iat" => "[timestamp]",
+            ".exp" => "[timestamp]",
+        });
+
+        let encoded = assert_ok!(claims.encoded());
+        assert!(!encoded.is_empty());
+
+        let exchange_body = assert_ok!(claims.as_exchange_body());
+        assert!(exchange_body.contains(&encoded));
+    }
+}