From 395eb4a57abf65adee72ccbfa125025979fd1dcd Mon Sep 17 00:00:00 2001
From: dekiel
Date: Thu, 16 Jan 2025 17:05:49 +0100
Subject: [PATCH] Add sre oidc provider to the trusted issuers. Disable job workflow ref claim verification is it's not defined in trusted issuer.
---
 pkg/oidc/oidc.go | 12 +++++--
 pkg/oidc/oidc_test.go | 80 +++++++++++++++++++++++++++++++------------
 2 files changed, 69 insertions(+), 23 deletions(-)
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
index 44d8a3735e17..5d1207dc035b 100644
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
@@ -37,9 +37,17 @@ var (
 GithubURL: "https://github.tools.sap",
 ClientID: "image-builder",
 }
+ SREJenkinsOIDCIssuer = Issuer{
+ Name: "sre-jenkins",
+ IssuerURL: "https://storage.googleapis.com/kyma-mps-prod-artifacts/jaas/oidc",
+ JWKSURL: "https://storage.googleapis.com/kyma-mps-prod-artifacts/jaas/oidc/jwks",
+ GithubURL: "https://github.tools.sap",
+ ClientID: "sre-jenkins-image-builder",
+ }
 TrustedOIDCIssuers = map[string]Issuer{
 GithubOIDCIssuer.IssuerURL: GithubOIDCIssuer,
 GithubToolsSAPOIDCIssuer.IssuerURL: GithubToolsSAPOIDCIssuer,
+ SREJenkinsOIDCIssuer.IssuerURL: SREJenkinsOIDCIssuer,
 }
 )
@@ -325,7 +333,7 @@ func NewClaims(logger LoggerInterface) Claims {
 func (claims *Claims) validateExpectations(issuer Issuer) error {
 logger := claims.LoggerInterface
 logger.Debugw("Validating job_workflow_ref claim against expected value", "job_workflow_ref", claims.JobWorkflowRef, "expected", issuer.ExpectedJobWorkflowRef)
- if claims.JobWorkflowRef != issuer.ExpectedJobWorkflowRef {
+ if issuer.ExpectedJobWorkflowRef != "" && claims.JobWorkflowRef != issuer.ExpectedJobWorkflowRef {
 return fmt.Errorf("job_workflow_ref claim expected value validation failed, expected: %s, provided: %s", claims.JobWorkflowRef, issuer.ExpectedJobWorkflowRef)
 }
 logger.Debugw("Claims validated successfully")
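Review bot: The new SREJenkinsOIDCIssuer leaves ExpectedJobWorkflowRef unset and nothing on the declaration says that this is deliberate rather than an omission; because validateExpectations further down in this file now skips the job_workflow_ref check whenever that field is empty, a token from this issuer is accepted for any job, and presumably the audience check on ClientID becomes the only per-service restriction. I would add a doc comment above the var, along the lines of `// SREJenkinsOIDCIssuer is the SRE Jenkins instance. ExpectedJobWorkflowRef is intentionally empty: tokens from this issuer are not bound to a particular job, so only the audience restricts their use.` The same comment should record that both IssuerURL and JWKSURL are objects in a GCS bucket, so write access to that bucket is the trust anchor for this issuer and needs to be as tightly controlled as a signing key. The enclosing var block starts before the hunk.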
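Review bot: The new condition turns an empty ExpectedJobWorkflowRef into a silent fail-open: the Debugw on the line before still announces that job_workflow_ref is being validated, but when the field is empty no comparison runs and nothing records that it was skipped, so an audit of the logs cannot distinguish a job-bound token from an unbound one. The empty string is also the zero value an issuer gets when the field is simply forgotten, so the skip should be an explicit branch with its own log line, and if LoggerInterface offers a warn level that is the appropriate level for it. The fmt.Errorf on the line after the change also has its arguments reversed — expected: is filled from claims.JobWorkflowRef and provided: from issuer.ExpectedJobWorkflowRef — which the commit did not fix. The rewritten lines are below; the rest of validateExpectations is unchanged.
```go
	// … unchanged: "Validating job_workflow_ref claim against expected value" debug log …
	if issuer.ExpectedJobWorkflowRef == "" {
		// Fail-open by design: this trusted issuer declares no job binding, so any
		// job_workflow_ref is accepted. Record the skip so it is visible in audits.
		logger.Debugw("Skipping job_workflow_ref validation, trusted issuer has no ExpectedJobWorkflowRef", "issuer", issuer.Name, "job_workflow_ref", claims.JobWorkflowRef)
	} else if claims.JobWorkflowRef != issuer.ExpectedJobWorkflowRef {
		return fmt.Errorf("job_workflow_ref claim expected value validation failed, expected: %s, provided: %s", issuer.ExpectedJobWorkflowRef, claims.JobWorkflowRef)
	}
	// … unchanged: "Claims validated successfully" debug log …
```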
@@ -570,4 +578,4 @@ func (tokenProcessor *TokenProcessor) ValidateClaims(claims ClaimsInterface, tok
 return fmt.Errorf("expecations validation failed: %w", err)
 }
 return nil
-}
\ No newline at end of file
+}
diff --git a/pkg/oidc/oidc_test.go b/pkg/oidc/oidc_test.go
index 621c749f23ca..092ed5b3ca6c 100644
--- a/pkg/oidc/oidc_test.go
+++ b/pkg/oidc/oidc_test.go
@@ -203,27 +203,65 @@ var _ = Describe("OIDC", func() {
 BeforeEach(func() {
 claims = tioidc.NewClaims(logger)
 })
- It("should return no error when the token is valid", func() {
- mockToken.On(
- "Claims", &claims).Run(
- func(args mock.Arguments) {
- arg := args.Get(0).(*tioidc.Claims)
- arg.Issuer = "https://fakedings.dev-gcp.nais.io/fake"
- arg.Subject = "mysub"
- arg.Audience = jwt.Audience{"myaudience"}
- arg.JobWorkflowRef = "kyma-project/test-infra/.github/workflows/verify-oidc-token.yml@refs/heads/main"
- },
- ).Return(nil)
- token.Token = &mockToken
-
- // Run
- err = tokenProcessor.ValidateClaims(&claims, &token)
-
- // Verify
- Expect(err).NotTo(HaveOccurred())
- Expect(claims.Issuer).To(Equal("https://fakedings.dev-gcp.nais.io/fake"))
- Expect(claims.Subject).To(Equal("mysub"))
- Expect(claims.Audience).To(Equal(jwt.Audience{"myaudience"}))
+ When("token is valid", func() {
+ It("should return no error", func() {
+ mockToken.On(
+ "Claims", &claims).Run(
+ func(args mock.Arguments) {
+ arg := args.Get(0).(*tioidc.Claims)
+ arg.Issuer = "https://fakedings.dev-gcp.nais.io/fake"
+ arg.Subject = "mysub"
+ arg.Audience = jwt.Audience{"myaudience"}
+ arg.JobWorkflowRef = "kyma-project/test-infra/.github/workflows/verify-oidc-token.yml@refs/heads/main"
+ },
+ ).Return(nil)
+ token.Token = &mockToken
+
+ // Run
+ err = tokenProcessor.ValidateClaims(&claims, &token)
+
+ // Verify
+ Expect(err).NotTo(HaveOccurred())
+ Expect(claims.Issuer).To(Equal("https://fakedings.dev-gcp.nais.io/fake"))
+ Expect(claims.Subject).To(Equal("mysub"))
+ Expect(claims.Audience).To(Equal(jwt.Audience{"myaudience"}))
+ })
+
+ When("trusted issuer ExpectedJobWorkflowRef is not set", func() {
+ It("should return no error", func() {
+ trustedIssuers = map[string]tioidc.Issuer{
+ "https://fakedings.dev-gcp.nais.io/fake": {
+ Name: "github",
+ IssuerURL: "https://fakedings.dev-gcp.nais.io/fake",
+ JWKSURL: "https://fakedings.dev-gcp.nais.io/fake/jwks",
+ ClientID: "testClientID",
+ },
+ }
+ tokenProcessor, err = tioidc.NewTokenProcessor(logger, trustedIssuers, string(rawToken))
+ Expect(err).NotTo(HaveOccurred())
+ Expect(tokenProcessor).NotTo(BeNil())
+
+ mockToken.On(
+ "Claims", &claims).Run(
+ func(args mock.Arguments) {
+ arg := args.Get(0).(*tioidc.Claims)
+ arg.Issuer = "https://fakedings.dev-gcp.nais.io/fake"
+ arg.Subject = "mysub"
+ arg.Audience = jwt.Audience{"myaudience"}
+ },
+ ).Return(nil)
+ token.Token = &mockToken
+
+ // Run
+ err = tokenProcessor.ValidateClaims(&claims, &token)
+
+ // Verify
+ Expect(err).NotTo(HaveOccurred())
+ Expect(claims.Issuer).To(Equal("https://fakedings.dev-gcp.nais.io/fake"))
+ Expect(claims.Subject).To(Equal("mysub"))
+ Expect(claims.Audience).To(Equal(jwt.Audience{"myaudience"}))
+ })
+ })
 })
 It("should return an error when unexpected job workflow reference is provided", func() {
 mockToken.On(
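Review bot: The new "trusted issuer ExpectedJobWorkflowRef is not set" case only shows that a token carrying no job_workflow_ref passes; it never exercises the behaviour the commit introduces, which is that a job_workflow_ref different from any expected value is now tolerated. Setting `arg.JobWorkflowRef = "kyma-project/test-infra/.github/workflows/other-workflow.yml@refs/heads/main"` (constructed value, anything other than the reference used in the sibling case) inside the mock's Run callback would pin that down and make the fail-open explicit to future readers. The spec also reassigns trustedIssuers and tokenProcessor, which appear to be variables shared with the surrounding specs; unless an outer BeforeEach outside the hunk resets them, the "unexpected job workflow reference" case that follows may run against this issuer set rather than the original one. The enclosing Describe starts and ends outside the hunk.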