Updated InstanceJenkinsProvider (#3)

* Updated InstanceJenkinsProvider * Fixed InstanceJenkinsProvider
ctyano · Sep 18, 2024 · 04d6d67 · 04d6d67
1 parent 002b589
commit 04d6d67
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 37 deletions.
diff --git a/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java b/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
@@ -1,18 +1,3 @@
-/*
- * Copyright The Athenz Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.yahoo.athenz.instance.provider.impl;
 
 import com.yahoo.athenz.auth.Authorizer;
@@ -66,6 +51,7 @@ public class InstanceJenkinsProvider implements InstanceProvider {
     String provider = null;
     String audience = null;
     JwtsSigningKeyResolver signingKeyResolver = null;
+    JwtsSigningKeyResolver keyStoreSigningKeyResolver = null;
     Authorizer authorizer = null;
     DynamicConfigLong bootTimeOffsetSeconds;
     long certExpiryTime;
@@ -107,6 +93,7 @@ public void initialize(String provider, String providerEndpoint, SSLContext sslC
 
         jenkinsIssuer = System.getProperty(JENKINS_PROP_ISSUER, JENKINS_ISSUER);
         signingKeyResolver = new JwtsSigningKeyResolver(extractJenkinsIssuerJwksUri(jenkinsIssuer), null);
+        keyStoreSigningKeyResolver = new JwtsSigningKeyResolver(null, null);
     }
 
     HttpDriver getHttpDriver(String url) {
@@ -262,9 +249,18 @@ boolean validateOIDCToken(final String jwToken, final String domainName, final S
                     .setAllowedClockSkewSeconds(60)
                     .build()
                     .parseClaimsJws(jwToken);
-        } catch (Exception ex) {
-            errMsg.append("Unable to parse and validate token: ").append(ex.getMessage());
-            return false;
+        } catch (Exception e) {
+            errMsg.append("Unable to parse and validate token with JWKs: ").append(e.getMessage());
+            try {
+                 claims = Jwts.parserBuilder()
+                        .setSigningKeyResolver(keyStoreSigningKeyResolver)
+                        .setAllowedClockSkewSeconds(60)
+                        .build()
+                        .parseClaimsJws(jwToken);
+            } catch (Exception ex) {
+                errMsg.append("Unable to parse and validate token with Key Store: ").append(ex.getMessage());
+            	return false;
+            }
         }
 
         // verify the issuer in set to GitHub Actions

diff --git a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
@@ -1,18 +1,3 @@
-/*
- * Copyright The Athenz Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.yahoo.athenz.instance.provider.impl;
 
 import com.yahoo.athenz.auth.Authorizer;
@@ -31,7 +16,6 @@
 import org.testng.annotations.Test;
 
 import java.io.File;
-import java.io.IOException;
 import java.security.PrivateKey;
 import java.time.Instant;
 import java.util.Date;
@@ -200,7 +184,7 @@ public void testConfirmInstanceFailures() {
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), 403);
-            assertTrue(ex.getMessage().contains("Unable to validate Certificate Request: Unable to parse and validate token: A signing key must be specified if the specified JWT is digitally signed."));
+            assertTrue(ex.getMessage().contains("Unable to validate Certificate Request: Unable to parse and validate token with JWKs: A signing key must be specified if the specified JWT is digitally signed."));
         }
 
         // once we add the expected public key we should get a failure due to invalid san dns entry
@@ -219,7 +203,7 @@ public void testConfirmInstanceFailures() {
     public void testConfirmInstanceWithoutAuthorizer() {
         System.setProperty(InstanceJenkinsProvider.JENKINS_PROP_JWKS_URI, "https://config.athenz.io");
         InstanceJenkinsProvider provider = new InstanceJenkinsProvider();
-        provider.initialize("sys.auth.github_actions",
+        provider.initialize("sys.auth.jenkins",
                 "class://com.yahoo.athenz.instance.provider.impl.InstanceJenkinsProvider", null, null);
         provider.setAuthorizer(null);
         try {
@@ -473,7 +457,7 @@ public void testValidateOIDCTokenAuthorizationFailure() {
         assertFalse(result);
         assertTrue(errMsg.toString().contains("authorization check failed for action"));
     }
-
+ 
     private String generateIdToken(final String issuer, long currentTimeSecs, boolean skipSubject,
             boolean skipEventName, boolean skipIssuedAt, boolean skipRunId, boolean skipRepository) {