Verify service discovery in integration test, add tool README

Author: smilindave26

.github/workflows/CI.yml

@@ -154,9 +154,13 @@ jobs:
           sleep 1
         done
 
-        # Login and create an OTT identity
+        # Login, create an OTT identity, and preseed a service + dial policy so the
+        # test verifies service discovery after auth (not just auth).
         ziti edge login localhost:1280 -u admin -p admin -y
-        ziti edge create identity ztr-integ -o /tmp/ztr.jwt
+        ziti edge create identity ztr-integ -a ztr-integ -o /tmp/ztr.jwt
+        ziti edge create service ztr-svc -a ztr-svc
+        ziti edge create service-policy ztr-svc-dial Dial \
+          --identity-roles '#ztr-integ' --service-roles '#ztr-svc'
 
         TOOL=./DerivedData/CZiti/Build/Products/Debug/ziti-test-runner
 

ziti-test-runner/README.md

@@ -0,0 +1,109 @@
+# ziti-test-runner
+
+End-to-end integration test tool for the CZiti Swift SDK. Drives real enrollment
+and context bring-up against a live Ziti controller, returning a pass/fail exit
+code suitable for CI.
+
+Used by the CI workflow (`.github/workflows/CI.yml`) against a
+`ziti edge quickstart` controller.
+
+## What it does
+
+**Default mode** - enroll, save, load, run, verify:
+
+1. Enrolls a Ziti identity from a one-time JWT file (OTT by default)
+2. Saves the resulting identity to a `.zid` file
+3. Loads the identity back from the `.zid` file via `Ziti(fromFile:)`
+4. Runs the Ziti context
+5. Waits for a `ContextEvent` with status OK (auth success)
+6. Waits for a `ServiceEvent` with at least one service (service channel works)
+7. Exits 0
+
+**`--only-run` mode** - load an existing `.zid` file and verify auth+services,
+no enrollment. Useful for verifying persistence across process boundaries.
+
+## Usage
+
+```
+ziti-test-runner [options] <jwt-file>             # enroll, save, load, run, verify
+ziti-test-runner --only-run [options] <zid-file>  # load an existing zid and run
+```
+
+Options:
+- `--mode <ott|cert-jwt|token-jwt>` - enrollment mode (default: `ott`)
+- `--timeout <seconds>` - total test timeout (default: 60)
+- `--keep-zid <path>` - keep the enrolled `.zid` at this path
+- `--log-level <level>` - `WTF|ERROR|WARN|INFO|DEBUG|VERBOSE|TRACE` (default: `INFO`)
+- `--only-run` - input is a `.zid` file; skip enrollment
+
+Exit codes:
+- `0` - success
+- `1` - enrollment failed
+- `2` - identity load / run failed
+- `3` - context status != OK, service timeout, or overall timeout
+- `64` - usage error
+
+## Building with the insecure-keys test flag
+
+macOS enrollment in this SDK uses the data protection keychain
+(`kSecUseDataProtectionKeychain = true` in `ZitiKeychain.createPrivateKey()`),
+which requires a provisioning-profile-backed `application-identifier`
+entitlement. Ad-hoc signed CLI tools don't have that, so enrollment fails with
+`errSecMissingEntitlement` (-34018) - both in CI and on dev machines using
+"Sign to Run Locally".
+
+To work around this **in test builds only**, the SDK supports the compile-time
+condition `CZITI_TEST_INSECURE_KEYS`. When set:
+
+- `ZitiKeychain.createPrivateKey()` generates an ephemeral RSA key with no
+  keychain interaction.
+- `Ziti.enroll()` skips `storeCertificate()` in the keychain and writes the
+  ephemeral private key PEM into `ZitiIdentity.key` instead.
+- `Ziti.run()` prefers `id.key` if present, over calling
+  `ZitiKeychain.getPrivateKey()`.
+- A one-shot `⚠️ CZITI_TEST_INSECURE_KEYS build` warning prints to stderr the
+  first time a key is minted in the process.
+
+**This flag must never be used in a release build.** Keys end up in plaintext
+in the `.zid` file on disk, with none of the OS-level isolation the keychain
+provides.
+
+### Command-line usage
+
+```bash
+xcodebuild build -scheme ziti-test-runner \
+  SWIFT_ACTIVE_COMPILATION_CONDITIONS='$(inherited) CZITI_TEST_INSECURE_KEYS'
+```
+
+The flag propagates to the `CZiti-macOS` dependency automatically (xcodebuild
+applies command-line build settings across the whole build graph).
+
+### Running locally
+
+```bash
+# 1. Start a quickstart
+ziti edge quickstart --home /tmp/qs &
+
+# 2. Log in and create an identity + service + dial policy
+ziti edge login localhost:1280 -u admin -p admin -y
+ziti edge create identity ztr -a ztr -o /tmp/ztr.jwt
+ziti edge create service ztr-svc -a ztr-svc
+ziti edge create service-policy ztr-dial Dial \
+  --identity-roles '#ztr' --service-roles '#ztr-svc'
+
+# 3. Run the tool (built with the flag)
+./DerivedData/CZiti/Build/Products/Debug/ziti-test-runner /tmp/ztr.jwt
+```
+
+## Scope
+
+Only OTT enrollment is exercised end-to-end. The `cert-jwt` and `token-jwt`
+modes compile under the flag but aren't wired through CI because:
+
+- `Ziti.enrollToCert(jwtFile:)` / `enrollToToken(jwtFile:)` use the OIDC flow,
+  which can't be driven non-interactively in CI without a mock JWT signer.
+- The `runEnrollTo(mode:)` path in `lib/Ziti.swift` has a keychain retag step
+  (`retagPrivateKey(to:)`) that isn't bracketed by `CZITI_TEST_INSECURE_KEYS`
+  and would likely fail under the flag.
+
+Fixing either is a legitimate follow-up.

ziti-test-runner/main.swift

@@ -158,25 +158,48 @@ func finish(_ code: Int32, _ msg: String) {
     exit(code)
 }
 
-/// Load a saved identity, run Ziti, and succeed on the first OK context event.
+/// Load a saved identity, run Ziti, and succeed once we've seen:
+///   1. A ContextEvent with status OK (authenticated with the controller)
+///   2. A ServiceEvent with at least one service in `added`
+/// The second check verifies the service channel works end-to-end, not just auth.
+/// CI must configure at least one service + service-policy for the test identity,
+/// otherwise this will time out.
 func runFromZidFile(_ zidPath: String) {
     guard let ziti = Ziti(fromFile: zidPath) else {
         finish(2, "failed to load Ziti identity from \(zidPath)")
         return
     }
 
+    var contextOK = false
+    var servicesSeen = false
+
     ziti.registerEventCallback({ event in
-        guard !done else { return }
-        guard let event = event, event.type == .Context, let ctx = event.contextEvent else { return }
-        if ctx.status == 0 {
-            finish(0, "context authenticated (id=\(ziti.id.id) ztAPI=\(ziti.id.ztAPI))")
-            ziti.shutdown()
-        } else {
-            let msg = ctx.err ?? "context error status=\(ctx.status)"
-            finish(3, msg)
+        guard !done, let event = event else { return }
+        switch event.type {
+        case .Context:
+            guard let ctx = event.contextEvent else { return }
+            if ctx.status == 0 {
+                print("context authenticated")
+                contextOK = true
+            } else {
+                let msg = ctx.err ?? "context error status=\(ctx.status)"
+                finish(3, msg)
+                ziti.shutdown()
+                return
+            }
+        case .Service:
+            guard let svc = event.serviceEvent, !svc.added.isEmpty else { return }
+            let names = svc.added.compactMap { $0.name }.joined(separator: ", ")
+            print("services received: [\(names)]")
+            servicesSeen = true
+        default:
+            return
+        }
+        if contextOK && servicesSeen {
+            finish(0, "context+service OK (id=\(ziti.id.id) ztAPI=\(ziti.id.ztAPI))")
             ziti.shutdown()
         }
-    }, ZitiEvent.EventType.Context.rawValue)
+    }, ZitiEvent.EventType.Context.rawValue | ZitiEvent.EventType.Service.rawValue)
 
     ziti.run { zErr in
         if let zErr = zErr {
@@ -186,7 +209,11 @@ func runFromZidFile(_ zidPath: String) {
         ziti.startTimer(UInt64(timeoutSeconds) * 1000, 0) { timer in
             ziti.endTimer(timer)
             if !done {
-                finish(3, "timeout after \(timeoutSeconds)s waiting for context event")
+                let missing = [
+                    contextOK ? nil : "context",
+                    servicesSeen ? nil : "service"
+                ].compactMap { $0 }.joined(separator: "+")
+                finish(3, "timeout after \(timeoutSeconds)s waiting for: \(missing)")
                 ziti.shutdown()
             }
         }