Fix multiline key parameter handling

PRX · Apr 9, 2024 · 7cb87e6 · 7cb87e6
1 parent 0f1c50e
commit 7cb87e6
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/samconfig.toml b/samconfig.toml
@@ -9,8 +9,22 @@ s3_prefix = "github-toolkit"
 confirm_changeset = false
 capabilities = "CAPABILITY_IAM"
 region = "us-east-2"
+
 # Parameter overrides only need to be included when a parameter is changing
+#
+# To create or manage private keys for this app, see
+# https://github.com/organizations/PRX/settings/apps/prx-internal#private-key
+#
+# In order to be handled correctly, the multiline key blob needs to be wrapped
+# in a multiline TOML string and a pair of double quotes. Follow the example
+# below.
+#
 # parameter_overrides = [
-#   "GitHubAppPrivateKey=",
-#   "GitHubWebhookSecret="
+# """GitHubAppPrivateKey="-----BEGIN RSA PRIVATE KEY-----
+# line1
+# line2
+# line3
+# -----END RSA PRIVATE KEY-----
+# """",
+# "GitHubWebhookSecret="
 # ]
diff --git a/src/webhook-endpoint/index.mjs b/src/webhook-endpoint/index.mjs
@@ -8,11 +8,13 @@ async function handleIssue(payload) {
   if (payload.action === "opened" && payload.issue.state === "open") {
     const app = new App({
       appId: 311508,
-      // GITHUB_APP_PRIVATE_KEY is the GitHub app private key
-      // The envar should look like:
+      // If the envar is added directly to the Lambda function it will
+      // probably look like:
       // -----BEGIN RSA PRIVATE KEY-----\nMIIEo…
-      // with the newlines replaced with "\n".
+      // with the newlines replaced with literal "\n".
       // Those will be replaced with real newlines below.
+      // If the envar is added via CloudFormation or AWS SAM, it will
+      // maintain actual newlines and the `replace` will be a no-op.
       // When generating a private key for a GitHub app, it will download a
       // .pem file. The contents of that file is the private key.
       privateKey: process.env.GITHUB_APP_PRIVATE_KEY.replace(/\\n/g, "\n"),

diff --git a/template.yml b/template.yml
@@ -34,7 +34,7 @@ Resources:
       Environment:
         Variables:
           GITHUB_WEBHOOK_SECRET: !Ref GitHubWebhookSecret
-          GITHUB_APP_PRIVATE_KEY: !Ref GitHubAppPrivateKey
+          GITHUB_APP_PRIVATE_KEY: !Sub ${GitHubAppPrivateKey}
       FunctionUrlConfig:
         AuthType: NONE
         InvokeMode: BUFFERED
@@ -49,7 +49,7 @@ Resources:
         prx:cloudformation:stack-id: !Ref AWS::StackId
         prx:ops:environment: Production
         prx:dev:application: GitHub Toolkit
-      Timeout: 3
+      Timeout: 10
   WebhookEndpointLogGroup:
     Type: AWS::Logs::LogGroup
     DeletionPolicy: Delete