From 04d6d677fe520fa8bcff9f3e43634c4d2359405d Mon Sep 17 00:00:00 2001
From: Tatsuya Yano
Date: Wed, 18 Sep 2024 20:17:57 +0900
Subject: [PATCH] Updated InstanceJenkinsProvider (#3)

* Updated InstanceJenkinsProvider
* Fixed InstanceJenkinsProvider
---
 .../impl/InstanceJenkinsProvider.java | 32 ++++++++-----------
 .../impl/InstanceJenkinsProviderTest.java | 22 ++-----------
 2 files changed, 17 insertions(+), 37 deletions(-)

diff --git a/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java b/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
index c03b10e..745f0fc 100644
--- a/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
+++ b/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
@@ -1,18 +1,3 @@
-/*
- * Copyright The Athenz Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.yahoo.athenz.instance.provider.impl;
 
 import com.yahoo.athenz.auth.Authorizer;
@@ -66,6 +51,7 @@ public class InstanceJenkinsProvider implements InstanceProvider {
     String provider = null;
     String audience = null;
     JwtsSigningKeyResolver signingKeyResolver = null;
+    JwtsSigningKeyResolver keyStoreSigningKeyResolver = null;
     Authorizer authorizer = null;
     DynamicConfigLong bootTimeOffsetSeconds;
     long certExpiryTime;
@@ -107,6 +93,7 @@ public void initialize(String provider, String providerEndpoint, SSLContext sslC jenkinsIssuer = System.getProperty(JENKINS_PROP_ISSUER, JENKINS_ISSUER); signingKeyResolver = new JwtsSigningKeyResolver(extractJenkinsIssuerJwksUri(jenkinsIssuer), null); + keyStoreSigningKeyResolver = new JwtsSigningKeyResolver(null, null); } HttpDriver getHttpDriver(String url) {
@@ -262,9 +249,18 @@ boolean validateOIDCToken(final String jwToken, final String domainName, final S
                     .setAllowedClockSkewSeconds(60)
                     .build()
                     .parseClaimsJws(jwToken);
-        } catch (Exception ex) {
-            errMsg.append("Unable to parse and validate token: ").append(ex.getMessage());
-            return false;
+        } catch (Exception e) {
+            errMsg.append("Unable to parse and validate token with JWKs: ").append(e.getMessage());
+            try {
+                claims = Jwts.parserBuilder()
+                        .setSigningKeyResolver(keyStoreSigningKeyResolver)
+                        .setAllowedClockSkewSeconds(60)
+                        .build()
+                        .parseClaimsJws(jwToken);
+            } catch (Exception ex) {
+                errMsg.append("Unable to parse and validate token with Key Store: ").append(ex.getMessage());
+                return false;
+            }
         }
 
         // verify the issuer in set to GitHub Actions
diff --git a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
index dea2b84..6993bb2 100644
--- a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
+++ b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
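Review bot: The fallback in the new `catch (Exception e)` block of validateOIDCToken retries the token against `keyStoreSigningKeyResolver` on every failure of the JWKS parse, not only when the JWKS resolver has no key for the token's kid, so a token that is expired or whose signature does not verify against the issuer's published key is parsed a second time against a different key set, widening what the provider trusts to the union of both resolvers. The missing-key case is the one the test file's assertion describes ("A signing key must be specified ..."), whereas jjwt reports expiry as ExpiredJwtException and a bad signature as io.jsonwebtoken.security.SignatureException, so catching those two first and returning false keeps the retry limited to key lookup (sketch below, both types need an import; if the Athenz resolver signals a missing key differently, adjust the first clause). Separately, errMsg still holds the "Unable to parse and validate token with JWKs" text when the key-store parse succeeds, so any caller that reads errMsg after a successful validation would see a failure that did not happen; `errMsg.setLength(0);` once the inner parse returns, or appending the JWKs message only inside the inner catch, avoids that. In the initialize() hunk on this same line, `keyStoreSigningKeyResolver = new JwtsSigningKeyResolver(null, null);` does not say which keys the fallback resolver trusts or whether it can be disabled; a comment such as `// fallback resolver backed by the local key store, consulted only when the issuer JWKS cannot supply a key for the token` would record the intent. The enclosing validateOIDCToken method starts and ends outside the hunk.
```java
        } catch (ExpiredJwtException | SignatureException e) {
            // expired or wrongly signed under the issuer JWKS: do not retry against another key set
            errMsg.append("Unable to parse and validate token with JWKs: ").append(e.getMessage());
            return false;
        } catch (Exception e) {
            // … unchanged: key-store fallback parse and its inner catch …
        }
```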
@@ -1,18 +1,3 @@
-/*
- * Copyright The Athenz Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.yahoo.athenz.instance.provider.impl;
 
 import com.yahoo.athenz.auth.Authorizer;
@@ -31,7 +16,6 @@
 import org.testng.annotations.Test;
 
 import java.io.File;
-import java.io.IOException;
 import java.security.PrivateKey;
 import java.time.Instant;
 import java.util.Date;
@@ -200,7 +184,7 @@ public void testConfirmInstanceFailures() {
             fail();
         } catch (ResourceException ex) {
             assertEquals(ex.getCode(), 403);
-            assertTrue(ex.getMessage().contains("Unable to validate Certificate Request: Unable to parse and validate token: A signing key must be specified if the specified JWT is digitally signed."));
+            assertTrue(ex.getMessage().contains("Unable to validate Certificate Request: Unable to parse and validate token with JWKs: A signing key must be specified if the specified JWT is digitally signed."));
         }
 
         // once we add the expected public key we should get a failure due to invalid san dns entry
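Review bot: The updated assertion in testConfirmInstanceFailures only follows the renamed JWKs message, and nothing in this patch exercises the new key-store fallback: the three insertions in the test file (this assertion, the provider name in testConfirmInstanceWithoutAuthorizer and a blank line) are all visible here, and the "Unable to parse and validate token with Key Store" text never appears. Both new branches of validateOIDCToken are therefore untested: a token the key-store resolver can verify after the JWKS parse fails, and a token neither resolver accepts, for which errMsg should now contain both the "with JWKs" and the "with Key Store" messages. Adding a case for each, for example asserting `assertTrue(errMsg.toString().contains("Unable to parse and validate token with Key Store: "))` on the double-failure path, would pin the fallback's behaviour before it ships. The enclosing testConfirmInstanceFailures method starts and ends outside the hunk.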
@@ -219,7 +203,7 @@ public void testConfirmInstanceFailures() {
     public void testConfirmInstanceWithoutAuthorizer() {
         System.setProperty(InstanceJenkinsProvider.JENKINS_PROP_JWKS_URI, "https://config.athenz.io");
         InstanceJenkinsProvider provider = new InstanceJenkinsProvider();
-        provider.initialize("sys.auth.github_actions",
+        provider.initialize("sys.auth.jenkins",
                 "class://com.yahoo.athenz.instance.provider.impl.InstanceJenkinsProvider", null, null);
         provider.setAuthorizer(null);
         try {
@@ -473,7 +457,7 @@ public void testValidateOIDCTokenAuthorizationFailure() { assertFalse(result); assertTrue(errMsg.toString().contains("authorization check failed for action")); } - + private String generateIdToken(final String issuer, long currentTimeSecs, boolean skipSubject, boolean skipEventName, boolean skipIssuedAt, boolean skipRunId, boolean skipRepository) {