Add CZITI_TEST_INSECURE_KEYS compile flag for CI integration tests

Author: smilindave26

.github/workflows/CI.yml

@@ -114,17 +114,53 @@ jobs:
         xcodebuild test -scheme CZitiTests -derivedDataPath ./DerivedData/CZiti \
           -sdk macosx -destination 'platform=macOS' ONLY_ACTIVE_ARCH=YES | xcpretty
 
-    # Builds the integration test tool to catch compile regressions. End-to-end
-    # execution against `ziti edge quickstart` is deferred until the macOS data
-    # protection keychain / entitlement issue is resolved (see ziti-test-runner/main.swift).
-    - name: Build ziti-test-runner
+    # Build ziti-test-runner with the insecure-keys test flag so enrollment can generate
+    # ephemeral keys and store them in the .zid file instead of the macOS data protection
+    # keychain (which requires provisioning-profile-backed entitlements CI doesn't have).
+    # NEVER use this flag in a release build.
+    - name: Build ziti-test-runner (insecure test keys)
       run: |
         set -o pipefail
         xcodebuild build -configuration Debug -scheme ziti-test-runner \
           -derivedDataPath ./DerivedData/CZiti -sdk macosx \
           -destination 'platform=macOS' ONLY_ACTIVE_ARCH=YES \
+          SWIFT_ACTIVE_COMPILATION_CONDITIONS='$(inherited) CZITI_TEST_INSECURE_KEYS' \
           CODE_SIGNING_ALLOWED=NO | xcpretty
 
+    - name: Install ziti CLI
+      run: |
+        set -euo pipefail
+        ZITI_URL=$(curl -s https://api.github.com/repos/openziti/ziti/releases/latest \
+          | grep browser_download_url | grep darwin-arm64 | head -1 | cut -d\" -f4)
+        echo "Downloading $ZITI_URL"
+        curl -sL "$ZITI_URL" -o /tmp/ziti.tgz
+        sudo tar -xzf /tmp/ziti.tgz -C /usr/local/bin --strip-components=1 ziti/ziti
+        ziti version
+
+    - name: Integration test (OTT enrollment against quickstart)
+      run: |
+        set -euo pipefail
+        rm -rf /tmp/qs && mkdir /tmp/qs
+        nohup ziti edge quickstart --home /tmp/qs > /tmp/qs.log 2>&1 &
+        QS_PID=$!
+        trap "kill $QS_PID 2>/dev/null || true; cat /tmp/qs.log | tail -60" EXIT
+
+        # Wait for controller
+        for i in $(seq 1 60); do
+          if curl -sk https://localhost:1280/edge/client/v1/version >/dev/null 2>&1; then
+            echo "controller ready after ${i}s"; break
+          fi
+          sleep 1
+        done
+
+        # Login and create an OTT identity
+        ziti edge login localhost:1280 -u admin -p admin -y
+        ziti edge create identity ztr-integ -o /tmp/ztr.jwt
+
+        # Run the integration test tool
+        ./DerivedData/CZiti/Build/Products/Debug/ziti-test-runner \
+          --timeout 60 /tmp/ztr.jwt
+
     - name: Create Frameworks
       run: |
         ./make_dist.sh

CZitiTests/ZitiIdentityTests.swift

@@ -85,4 +85,33 @@ class ZitiIdentityTests: XCTestCase {
         let decoded = try JSONDecoder().decode(ZitiIdentity.self, from: data)
         XCTAssertEqual(decoded.startDisabled, true)
     }
+
+    func testKeyDefaultsToNil() throws {
+        let id = ZitiIdentity(id: "x", ztAPIs: ["https://ctrl:1280"])
+        XCTAssertNil(id.key)
+
+        let data = try JSONEncoder().encode(id)
+        let decoded = try JSONDecoder().decode(ZitiIdentity.self, from: data)
+        XCTAssertNil(decoded.key)
+    }
+
+    func testKeyRoundTrip() throws {
+        let pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJB...\n-----END RSA PRIVATE KEY-----\n"
+        let id = ZitiIdentity(id: "x", ztAPIs: ["https://ctrl:1280"])
+        id.key = pem
+
+        let data = try JSONEncoder().encode(id)
+        let decoded = try JSONDecoder().decode(ZitiIdentity.self, from: data)
+        XCTAssertEqual(decoded.key, pem)
+    }
+
+    func testDecodeOldZidWithoutKeyField() throws {
+        // Existing .zid files in the wild never have a key field. Must still decode.
+        let json = """
+        {"id":"legacy","ztAPI":"https://ctrl:1280","certs":"CERT","ca":"CA"}
+        """
+        let decoded = try JSONDecoder().decode(ZitiIdentity.self, from: json.data(using: .utf8)!)
+        XCTAssertEqual(decoded.id, "legacy")
+        XCTAssertNil(decoded.key)
+    }
 }

lib/Ziti.swift

@@ -368,20 +368,28 @@ import CZitiPrivate
             }
 
             let certs = dropFirst("pem:", respCert)
+#if !CZITI_TEST_INSECURE_KEYS
+            // Release build: persist the signed cert in the keychain alongside the private key.
             _ = zkc.deleteCertificate(silent: true)
             guard zkc.storeCertificate(fromPem: certs) == nil else {
                 let errStr = "Unable to store certificate\n"
                 log.error(errStr, function:"enroll()")
                 enrollCallback(nil, ZitiError(errStr))
                 return
             }
+#endif
 
             var ca = resp.id.ca
             if let idCa = resp.id.ca {
                 ca = dropFirst("pem:", idCa)
             }
 
             let zid = ZitiIdentity(id: subj, ztAPIs: resp.ztAPIs, certs: certs, ca: ca)
+#if CZITI_TEST_INSECURE_KEYS
+            // Insecure test build: stash the ephemeral PEM in the identity so run() can use
+            // it without a keychain lookup.
+            zid.key = pem
+#endif
             log.info("Enrolled id:\(subj) with controller: \(zid.ztAPI)", function:"enroll()")
 
             enrollCallback(zid, nil)
@@ -955,10 +963,20 @@ import CZitiPrivate
             log.debug("identity \(id.id) does not have certificates. this is ok if using external authentication")
         }
 
-        // Get private key
+        // Get private key. Under CZITI_TEST_INSECURE_KEYS, prefer a PEM stored in the
+        // identity file so ad-hoc-signed CLI tools can use enrolled identities without
+        // touching the data protection keychain.
         var privKeyPEMPtr: UnsafeMutablePointer<Int8>? = nil
-        if let privKey = zkc.getPrivateKey() {
-            let privKeyPEM = zkc.getKeyPEM(privKey)
+        let privKeyPEM: String? = {
+#if CZITI_TEST_INSECURE_KEYS
+            if let idKey = id.key, !idKey.isEmpty { return idKey }
+#endif
+            if let privKey = zkc.getPrivateKey() {
+                return zkc.getKeyPEM(privKey)
+            }
+            return nil
+        }()
+        if let privKeyPEM = privKeyPEM {
             privKeyPEMPtr = UnsafeMutablePointer<Int8>.allocate(capacity: privKeyPEM.count + 1)
             privKeyPEMPtr!.initialize(from: privKeyPEM, count: privKeyPEM.count + 1)
         } else {

lib/ZitiIdentity.swift

@@ -54,18 +54,27 @@ import Foundation
     /// Certificates (PEM)
     @objc public var certs:String?
 
+    /// Private key (PEM).
+    ///
+    /// Only populated by builds compiled with `CZITI_TEST_INSECURE_KEYS`. Release builds
+    /// keep the private key in the keychain and leave this field nil. If this field is
+    /// populated in a loaded identity, `Ziti.run()` (in an insecure-keys build) will use
+    /// it directly instead of reading from the keychain. This field is never populated
+    /// or read by release builds.
+    @objc public var key:String?
+
     /// CA pool verified as part of enrollment that can be used to establish trust with of the  Ziti controller
     @objc public var ca:String?
-    
+
     /// Request `Ziti` to start this identity in disabled state
     public var startDisabled:Bool? = false
-    
+
     /// Initialize a `ZitiIdentity` given the provided identity infomation
     ///
     /// - Parameters:
     ///     - id: unique identifier of this identity
     ///     - ztAPIs: URLs for accessing Ziti controller API
-    ///     - certCNs: common names of certififcates 
+    ///     - certCNs: common names of certififcates
     ///     - name: name currently configured for this identity
     ///     - ca: CA pool that can be used to verify trust of the Ziti controller
     @objc public init(id:String, ztAPIs:[String], name:String?=nil, certs:String?=nil, ca:String?=nil) {

lib/ZitiKeychain.swift

@@ -16,6 +16,15 @@ limitations under the License.
 
 import Foundation
 
+#if CZITI_TEST_INSECURE_KEYS
+// Lazy-initialized so the warning prints at most once per process, the first time
+// anything in this module actually generates an ephemeral key.
+internal let _cztiInsecureBuildWarningPrinted: Void = {
+    let msg = "⚠️  CZITI_TEST_INSECURE_KEYS build: private keys are generated ephemerally and written into .zid files in plaintext. NEVER SHIP THIS BUILD.\n"
+    FileHandle.standardError.write(Data(msg.utf8))
+}()
+#endif
+
 /// This class manages access to the Keychain, creating and storing keys and certificates needed to access a Ziti network.
 ///
 /// This is primarily an internally used class, though certain methods are marked public in order to support senarios where the enrollment is
@@ -41,11 +50,27 @@ public class ZitiKeychain : NSObject {
 
     private let keySize = 3072
     func createPrivateKey() -> SecKey? {
+#if CZITI_TEST_INSECURE_KEYS
+        // Insecure test build: generate an ephemeral key with no keychain interaction.
+        // Caller is expected to stash the extracted PEM in the ZitiIdentity for persistence.
+        _ = _cztiInsecureBuildWarningPrinted   // fire once, first time anyone mints a key
+        let parameters: [CFString: Any] = [
+            kSecAttrKeyType: kSecAttrKeyTypeRSA,
+            kSecAttrKeySizeInBits: keySize,
+            kSecAttrIsPermanent: false,
+        ]
+        var error: Unmanaged<CFError>?
+        guard let privateKey = SecKeyCreateRandomKey(parameters as CFDictionary, &error) else {
+            log.error("Unable to create ephemeral private key for \(tag): \(error!.takeRetainedValue() as Error)")
+            return nil
+        }
+        return privateKey
+#else
         let privateKeyParams: [CFString: Any] = [ // iOS
             kSecAttrIsPermanent: true,
             kSecAttrLabel: tag,
             kSecAttrApplicationTag: atag]
-        
+
         var parameters: [CFString: Any] = [
             kSecAttrKeyType: kSecAttrKeyTypeRSA,
             kSecAttrKeySizeInBits: keySize,
@@ -57,13 +82,14 @@ public class ZitiKeychain : NSObject {
         if #available(iOS 13.0, OSX 10.15, *) {
             parameters[kSecUseDataProtectionKeychain] = true
         }
-        
+
         var error: Unmanaged<CFError>?
         guard let privateKey = SecKeyCreateRandomKey(parameters as CFDictionary, &error) else {
             log.error("Unable to create private key for \(tag): \(error!.takeRetainedValue() as Error)")
             return nil
         }
         return privateKey
+#endif
     }
 
     func getPrivateKey() -> SecKey? {