🚀 [Feature]: Adding functionality to sign JWTs via Key Vault Keys #481
Conversation
…WTSignature` functions; update `Update-GitHubAppJWT` to use local signing method
…r JWT signing functions and update authentication methods in `Connect-GitHubAccount`
…t for enhanced security
Pull Request Overview
This pull request introduces Azure Key Vault integration for GitHub App JWT signing, enabling secure storage and usage of private keys through Azure Key Vault as an alternative to local private key files. The changes enhance security by eliminating the need to store sensitive private keys locally while maintaining backward compatibility with existing private key authentication.
- Adds support for Azure Key Vault key references in GitHub App authentication flows
- Refactors JWT signing functionality to support both local private keys and Key Vault-based signing
- Introduces new utility functions to validate Azure CLI and Azure PowerShell authentication states
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| Connect-GitHubAccount.ps1 | Enhanced to support Key Vault key references with new parameter sets and validation |
| Test-GitHubAzureCLI.ps1 | New utility function to verify Azure CLI installation and authentication status |
| Test-GitHubAzPowerShell.ps1 | New utility function to verify Azure PowerShell module availability and authentication |
| Update-GitHubAppJWT.ps1 | Modified to conditionally use either local or Key Vault JWT signing based on context |
| New-GitHubUnsignedJWT.ps1 | Refactored to use new GitHubJWTComponent class for base64 URL encoding |
| Add-GitHubLocalJWTSignature.ps1 | Renamed from Add-GitHubJWTSignature and updated to return secure string |
| Add-GitHubKeyVaultJWTSignature.ps1 | New function implementing Key Vault-based JWT signing with Azure authentication |
| GitHubJWTComponent.ps1 | New utility class centralizing base64 URL encoding logic for JWT operations |
| GitHubAppContext.ps1 | Extended to include KeyVaultKeyReference property for Key Vault authentication |
| README.md | Updated documentation with Key Vault authentication examples and prerequisites |
Review comment threads (resolved):
- src/functions/private/Apps/GitHub Apps/New-GitHubUnsignedJWT.ps1 (4 threads, outdated)
- src/functions/private/Apps/GitHub Apps/Add-GitHubKeyVaultJWTSignature.ps1 (2 threads)
…ing GitHub App keys and signing JWTs
…remove mandatory requirement for GitHub App installation loading
… in `Update-GitHubAppJWT` and adding `Test-GitHubJWTRefreshRequired` function for refresh validation
…T` and `Update-GitHubUserAccessToken` to use hyphens instead of slashes for improved compatibility
…ired` to use `JwtTimeTolerance` instead of `JwtRefreshThreshold` for improved accuracy
- Created TEMPLATE.ps1 for Pester tests with default configurations.
- Added Teams.Tests.ps1 to test GitHub Teams API functionalities including team creation, retrieval, updating, and deletion.
- Introduced Users.Tests.ps1 to validate user-related API calls such as user retrieval and updates.
- Implemented Variables.Tests.ps1 to cover GitHub variable management including setting, updating, and removing variables for users, organizations, and repositories.
…matting context display for better readability
…ed` and improve error handling in `Test-GitHubAccessTokenRefreshRequired`
- Created TEMPLATE.ps1 for structuring Pester tests with authentication cases.
- Added Teams.Tests.ps1 to test GitHub Teams API functionalities, including team creation, retrieval, updating, and deletion.
- Introduced Users.Tests.ps1 to validate user-related API calls, including user retrieval and updates.
- Implemented Variables.Tests.ps1 to test GitHub variable management, covering organization and repository scopes, variable creation, updates, and deletions.
…r JWT and access token refresh processes
Description
This pull request introduces support for signing GitHub App JSON Web Tokens (JWTs) using Azure Key Vault in addition to local RSA private keys. It also refactors and enhances existing JWT-related functionality to improve maintainability and clarity. The most significant changes include the addition of Azure Key Vault integration, refactoring of JWT signing methods, and updates to related utility functions.
Improvements to Authentication Logic
- Updated `Connect-GitHubAccount` to support both private key and Azure Key Vault-based authentication for GitHub Apps, introducing new parameter sets and validation for `KeyVaultKeyReference`.

Azure Key Vault Integration
- Added a `KeyVaultKeyReference` property to the `GitHubAppContext` class for specifying Azure Key Vault keys as an alternative to local private keys.
- Added the `Add-GitHubKeyVaultJWTSignature` function to sign JWTs using Azure Key Vault keys, supporting both Azure CLI and Az PowerShell authentication.
- Added `Test-GitHubAzureCLI` and `Test-GitHubAzPowerShell` to check for Azure CLI and Az PowerShell module installation and authentication.

Refactoring of JWT Signing
- Renamed `Add-GitHubJWTSignature` to `Add-GitHubLocalJWTSignature` for clarity and updated it to use the new `GitHubJWTComponent` helper for base64 URL encoding.
- Updated `Update-GitHubAppJWT` to conditionally use either `Add-GitHubLocalJWTSignature` or `Add-GitHubKeyVaultJWTSignature` based on the presence of `PrivateKey` or `KeyVaultKeyReference` in the context.

Enhancements to JWT Utility Functions
- Added a `GitHubJWTComponent` class to centralize base64 URL encoding logic and simplify JWT creation.
- Updated `New-GitHubUnsignedJWT` to use `GitHubJWTComponent` for encoding JWT headers and payloads.

Type of change

Checklist
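The description above splits JWT creation into an unsigned `header.payload` step, a base64url helper, and two interchangeable signers (local private key or Key Vault). The script below is an added illustration of that shape and is not code from this PR or from the GitHub PowerShell module: `New-UnsignedJwt`, `Add-JwtSignature`, `Test-JwtSignature` and the two `*-Base64Url` helpers are names chosen here, not the module's. It assumes PowerShell 7+ (for `RSA.Create`, `SignHash`/`VerifyHash` with `RSASignaturePadding`); the Key Vault signer assumes a logged-in Azure CLI and that `az keyvault key sign` accepts a base64 digest and returns JSON with a `signature` field, and uses placeholder vault and key names. The RSA key in the demo is generated in memory for the run; a real local signer would import the PEM downloaded from GitHub instead.

```powershell
# Added example (not the PR's or the module's code). Assumes PowerShell 7+.
using namespace System.Security.Cryptography
using namespace System.Text

function ConvertTo-Base64Url {
    # JWT segments are base64url without '=' padding (RFC 7515, section 2).
    param([Parameter(Mandatory)][byte[]] $Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    # Accepts padded or unpadded, base64 or base64url input.
    param([Parameter(Mandatory)][string] $Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Convert]::FromBase64String($s)
}

function New-UnsignedJwt {
    # header.payload for a GitHub App JWT: iss = app id, exp at most 10 minutes out,
    # iat backdated 60 s so small clock skew between client and GitHub is tolerated.
    param(
        [Parameter(Mandatory)][string] $AppId,
        [int] $LifetimeMinutes = 10
    )
    $now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $header  = [ordered]@{ alg = 'RS256'; typ = 'JWT' } | ConvertTo-Json -Compress
    $payload = [ordered]@{ iat = $now - 60; exp = $now + ($LifetimeMinutes * 60); iss = $AppId } |
        ConvertTo-Json -Compress
    '{0}.{1}' -f (ConvertTo-Base64Url ([Encoding]::UTF8.GetBytes($header))),
                 (ConvertTo-Base64Url ([Encoding]::UTF8.GetBytes($payload)))
}

function Add-JwtSignature {
    # RS256 = SHA-256 digest signed with PKCS#1 v1.5. Both signers receive only the
    # 32-byte digest, which is exactly what a Key Vault sign operation takes, so the
    # private key never has to be present in this process for the Key Vault path.
    param(
        [Parameter(Mandatory)][string] $UnsignedJwt,
        [Parameter(Mandatory)][scriptblock] $DigestSigner   # [byte[]] digest -> [byte[]] signature
    )
    $digest    = [SHA256]::Create().ComputeHash([Encoding]::ASCII.GetBytes($UnsignedJwt))
    $signature = [byte[]](& $DigestSigner $digest)
    '{0}.{1}' -f $UnsignedJwt, (ConvertTo-Base64Url $signature)
}

function Test-JwtSignature {
    # Verifies header.payload against the RSA public key; $true when the signature matches.
    param(
        [Parameter(Mandatory)][string] $Jwt,
        [Parameter(Mandatory)][RSA] $PublicKey
    )
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { return $false }
    $digest = [SHA256]::Create().ComputeHash([Encoding]::ASCII.GetBytes(($parts[0..1] -join '.')))
    $PublicKey.VerifyHash($digest, [byte[]](ConvertFrom-Base64Url $parts[2]),
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# Local signer over a constructed in-memory key (demo only). A real local signer would
# call $rsa.ImportFromPem() on the PEM downloaded from GitHub instead of generating one.
$demoKey = [RSA]::Create(2048)
$localSigner = {
    param([byte[]] $Digest)
    $demoKey.SignHash($Digest, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
}

# Key Vault signer: only the digest leaves the machine. The az call shape is an
# assumption; '<vault-name>' and '<key-name>' are placeholders.
$keyVaultSigner = {
    param([byte[]] $Digest)
    $result = az keyvault key sign --vault-name '<vault-name>' --name '<key-name>' `
        --algorithm RS256 --digest ([Convert]::ToBase64String($Digest)) --output json | ConvertFrom-Json
    if ($LASTEXITCODE -ne 0) { throw 'az keyvault key sign failed' }
    [byte[]](ConvertFrom-Base64Url $result.signature)
}

# Run the local path end to end and check it verifies; swap in $keyVaultSigner
# (with the key's public part as $PublicKey) to exercise the Key Vault path.
$jwt = Add-JwtSignature -UnsignedJwt (New-UnsignedJwt -AppId '123456') -DigestSigner $localSigner
Test-JwtSignature -Jwt $jwt -PublicKey $demoKey
```

The signer is deliberately a function of the digest rather than of the message: Key Vault signs a client-computed hash, so the local path uses `SignHash` with explicit SHA-256 and PKCS#1 padding to guarantee both paths emit byte-identical RS256 signatures, and `Test-JwtSignature` is the check a Pester test can run against either signer before a token is ever sent to GitHub. The Key Vault path should also be tolerant of the signature coming back base64 or base64url encoded, which is why `ConvertFrom-Base64Url` accepts both.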