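on: [push]

env:
  JWT_CLI_VERSION: 6.2.0 # renovate: datasource=github-releases depName=jwt-cli packageName=mike-engel/jwt-cli

jobs:
  # Positive case: with enable-openid-connect the runner exposes
  # ACTIONS_ID_TOKEN_REQUEST_TOKEN / ACTIONS_ID_TOKEN_REQUEST_URL, and the
  # token obtained through them must verify against the issuer's JWKS and
  # carry the expected claims.
  generation-allowed:
    enable-openid-connect: true
    runs-on: docker
    container:
      image: data.forgejo.org/oci/ci:1
    steps:
      - name: install jwt-cli
        # NOTE(review): the release archive is downloaded without a checksum or
        # signature check; pinning an expected digest (e.g. a <JWT_CLI_SHA256>
        # value maintained next to JWT_CLI_VERSION) would make this step
        # verifiable. The version is read from the exported env var rather than
        # interpolated with ${{ }} so the script text is fixed.
        run: |
          set -euo pipefail
          curl -fsSL -o jwt-linux.tar.gz \
            "https://github.com/mike-engel/jwt-cli/releases/download/${JWT_CLI_VERSION}/jwt-linux-musl.tar.gz"
          tar -xvzf ./jwt-linux.tar.gz
          chmod a+x ./jwt
      - name: validate token generation works
        run: |
          set -euo pipefail

          # Request a token for a fixed audience. curl -f turns HTTP errors into
          # a non-zero status (pipefail propagates it) and jq -e fails on a
          # missing/null .value instead of emitting the literal string "null",
          # which the emptiness check below would otherwise accept.
          RAW_JWT=$(curl -fsS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=exampleAudience" | jq -er '.value')
          # Check the variable's value, not the literal string "RAW_JWT".
          if [[ -z "$RAW_JWT" ]]; then
            echo "Error: RAW_JWT should be set"
            exit 1
          fi

          # The JWT payload segment is base64url; map it to the standard
          # alphabet before @base64d so tokens containing '-' or '_' decode.
          DECODED_JWT_BODY=$(echo "$RAW_JWT" | jq -R 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson')
          if [[ -z "$DECODED_JWT_BODY" ]]; then
            echo "Error: DECODED_JWT_BODY should be set"
            exit 1
          fi

          ISS=$(echo "$DECODED_JWT_BODY" | jq -er '.iss')
          if [[ -z "$ISS" ]]; then
            echo "Error: ISS should be set"
            exit 1
          fi

          # NOTE(review): ISS is read from the not-yet-verified token body, so
          # the JWKS is fetched from wherever the token claims to come from.
          # Asserting ISS against the expected issuer URL (not given here) would
          # tighten the check.
          curl -fsS "$ISS/.well-known/keys" > jwks.json
          JWKS=$(cat ./jwks.json)
          if [[ -z "$JWKS" ]]; then
            echo "Error: JWKS should be set"
            exit 1
          fi

          # Verify that the JWT decodes with the JWKS data. A brace group is used
          # instead of a subshell so the exit actually terminates the script.
          ./jwt decode -S @./jwks.json -A RS256 "$RAW_JWT" || { echo "Error: failed signature validation"; exit 1; }

          WORKFLOW=$(echo "$DECODED_JWT_BODY" | jq -r '.workflow')
          AUD=$(echo "$DECODED_JWT_BODY" | jq -r '.aud')
          EVENT_NAME=$(echo "$DECODED_JWT_BODY" | jq -r '.event_name')
          SUB=$(echo "$DECODED_JWT_BODY" | jq -r '.sub')

          if [[ "$WORKFLOW" != "test.yml" ]]; then
            echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
            exit 1
          fi
          if [[ "$AUD" != "exampleAudience" ]]; then
            echo "Error: AUD should be exampleAudience but is $AUD"
            exit 1
          fi
          if [[ "$EVENT_NAME" != "push" ]]; then
            echo "Error: EVENT_NAME should be push but is $EVENT_NAME"
            exit 1
          fi
          if [[ "$SUB" != "repo:root/example-id-tokens:ref:refs/heads/main" ]]; then
            echo "Error: SUB should be repo:root/example-id-tokens:ref:refs/heads/main but is $SUB"
            exit 1
          fi

  # Negative case: without enable-openid-connect the token request
  # credentials must not be present in the job environment at all.
  generation-not-allowed:
    enable-openid-connect: false
    runs-on: docker
    steps:
      - name: check variables are unset
        run: |
          set -euo pipefail
          # ${VAR:-} keeps the check valid under set -u when the variable is
          # (correctly) absent.
          if [[ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
            echo "Error: ACTIONS_ID_TOKEN_REQUEST_TOKEN should be unset"
            exit 1
          fi
          if [[ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]]; then
            echo "Error: ACTIONS_ID_TOKEN_REQUEST_URL should be unset"
            exit 1
          fi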