
Verify oidc token against extended expiration time #12218

Merged
merged 8 commits into from
Oct 25, 2024

Conversation

dekiel
Contributor

@dekiel dekiel commented Oct 25, 2024

Description

Due to the long queue time of ADO pipelines, GitHub OIDC tokens passed from the Image Builder GitHub Action are expiring. This causes failed image builds. To prevent failed builds when high load on ADO is observed, the OIDC token verifier will verify OIDC tokens with an extended expiration time.

Example error in failed ADO run: https://dev.azure.com/hyperspace-pipelines/kyma/_build/results?buildId=7329713&view=logs&j=3eaab1e8-b99d-54c2-e3b9-c8d721213979&t=94b89c64-0a6c-5eb1-9ee6-a00128da7d80&l=33

Changes proposed in this pull request:

  • Verify the OIDC token against an extended expiration time. Added a function for this verification.
  • Split OIDC token standard verification and claims verification. These are two separate functions.
  • Added a flag for the extended expiration time value to make it configurable. The default value is 10 minutes.
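The grace-period flow the description proposes, as an added Go example that is not the test-infra code: the standard expiration check, the extended-expiration fallback and the claims validation are three separate functions, and the grace period is configurable with the 10-minute default the PR states. The type and method names (`Claims`, the methods on `ClaimsReader`, the `TokenProcessor` fields, `VerifyExpiration`, `VerifyToken`), the single-string audience and the sample audience value are assumptions made for this example; the token's signature is assumed to have been verified by the OIDC library before these claims are examined.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrTokenExpired is returned when exp plus the grace period has also passed.
var ErrTokenExpired = errors.New("oidc token expired")

// Claims is the subset of OIDC claims checked here. The field set and the
// single-string audience are assumptions made for this example.
type Claims struct {
	Issuer   string    // "iss"
	Audience string    // "aud"
	Expiry   time.Time // "exp"; the zero value means the claim is absent
}

// ClaimsReader borrows the interface name from the PR's commit messages; its
// method set is assumed. ValidateClaims accepts it instead of a concrete type.
type ClaimsReader interface {
	GetIssuer() string
	GetAudience() string
	GetExpiry() time.Time
}

func (c Claims) GetIssuer() string    { return c.Issuer }
func (c Claims) GetAudience() string  { return c.Audience }
func (c Claims) GetExpiry() time.Time { return c.Expiry }

// TokenProcessor holds the trust anchors and the configurable grace period
// (the PR's flag value; 10 minutes is the default the PR describes).
type TokenProcessor struct {
	ExpectedIssuer     string
	ExpectedAudience   string
	ExtendedExpiration time.Duration
	Now                func() time.Time // injectable clock so tests are deterministic
}

// NewTokenProcessor applies the 10-minute default when no grace period is set.
func NewTokenProcessor(issuer, audience string, grace time.Duration) *TokenProcessor {
	if grace <= 0 {
		grace = 10 * time.Minute
	}
	return &TokenProcessor{ExpectedIssuer: issuer, ExpectedAudience: audience,
		ExtendedExpiration: grace, Now: time.Now}
}

// VerifyExtendedExpiration accepts a token whose exp has already passed, as
// long as exp + ExtendedExpiration is still strictly in the future. A token
// without an exp claim is rejected rather than treated as never expiring.
func (p *TokenProcessor) VerifyExtendedExpiration(c ClaimsReader) error {
	exp := c.GetExpiry()
	if exp.IsZero() {
		return errors.New("token has no exp claim")
	}
	now := p.Now()
	if extended := exp.Add(p.ExtendedExpiration); !now.Before(extended) {
		return fmt.Errorf("%w: exp %s plus grace %s is not after %s", ErrTokenExpired,
			exp.UTC().Format(time.RFC3339), p.ExtendedExpiration, now.UTC().Format(time.RFC3339))
	}
	return nil
}

// VerifyExpiration runs the standard exp check first and falls back to the
// extended window only when that fails. usedGrace reports which path accepted
// the token so the fallback can be logged and monitored.
func (p *TokenProcessor) VerifyExpiration(c ClaimsReader) (usedGrace bool, err error) {
	exp := c.GetExpiry()
	if exp.IsZero() {
		return false, errors.New("token has no exp claim")
	}
	if p.Now().Before(exp) {
		return false, nil // standard expiration check passed
	}
	if e := p.VerifyExtendedExpiration(c); e != nil {
		return false, e
	}
	return true, nil
}

// ValidateClaims checks issuer and audience. These are never relaxed: the
// grace period widens the time window, not who may present the token.
func (p *TokenProcessor) ValidateClaims(c ClaimsReader) error {
	if c.GetIssuer() != p.ExpectedIssuer {
		return fmt.Errorf("unexpected issuer %q", c.GetIssuer())
	}
	if c.GetAudience() != p.ExpectedAudience {
		return fmt.Errorf("unexpected audience %q", c.GetAudience())
	}
	return nil
}

// VerifyToken is the combined flow over signature-verified claims (assumed):
// strict claims first, then the expiration check with its bounded fallback.
func (p *TokenProcessor) VerifyToken(c ClaimsReader) (usedGrace bool, err error) {
	if e := p.ValidateClaims(c); e != nil {
		return false, e
	}
	return p.VerifyExpiration(c)
}

func main() {
	// Constructed sample: a GitHub Actions token that expired five minutes ago.
	iss := "https://token.actions.githubusercontent.com"
	p := NewTokenProcessor(iss, "image-builder", 0)
	stale := Claims{Issuer: iss, Audience: "image-builder", Expiry: time.Now().Add(-5 * time.Minute)}
	usedGrace, err := p.VerifyToken(stale)
	fmt.Printf("usedGrace=%v err=%v\n", usedGrace, err)
}
```

Keeping the fallback in its own function, and returning `usedGrace` from the combined flow, lets the verifier count how often builds are rescued by the grace period; a rising count is the signal that ADO queue times, not the tokens, need attention. The window also bounds the exposure: a token that leaks is accepted for at most `exp + ExtendedExpiration`, and only by the configured issuer and audience.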

@kyma-bot kyma-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 25, 2024
@kyma-bot
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kyma-bot kyma-bot added cla: yes Indicates the PR's author has signed the CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 25, 2024
Configure extended expiration time through flag
@kyma-bot kyma-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 25, 2024
@akiioto akiioto force-pushed the extended-expiration branch from de2d75f to ccdef29 on October 25, 2024 11:51
revert to Token

align with Token
@akiioto akiioto force-pushed the extended-expiration branch from ccdef29 to 556739f on October 25, 2024 12:09
Check if expiration timestamp is in the future
Test VerifyExtendedExpiration method
@dekiel dekiel changed the title Extended expiration Verify oidc token against extended expiration time Oct 25, 2024
@dekiel dekiel marked this pull request as ready for review October 25, 2024 13:24
@dekiel dekiel requested review from neighbors-dev-bot and a team as code owners October 25, 2024 13:24
@dekiel dekiel requested review from akiioto and Sawthis October 25, 2024 13:24
@kyma-bot kyma-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 25, 2024
@kyma-bot kyma-bot added the lgtm Looks good to me! label Oct 25, 2024
@akiioto
Contributor

akiioto commented Oct 25, 2024

/cla

@kyma-bot
Contributor

Successfully reached out to cla-assistant.io to initialize recheck of PR #12218

@kyma-bot kyma-bot merged commit 15339bf into kyma-project:main Oct 25, 2024
92 checks passed
KacperMalachowski pushed a commit to KacperMalachowski/test-infra that referenced this pull request Nov 6, 2024
* Allow 10 minutes of grace period before the token expires

* test

* Split token and claims verification
Added function for checking extended expiration time

* Use extended expiration when standard expiration was too short

* Mask raw token in debug logs
Configure extended expiration time through flag

* Align with the code structure and test update

revert to Token

align with Token

* Accept ClaimsReader interface in ValidateClaims instead of a concrete type
Check if expiration timestamp is in the future
Test VerifyExtendedExpiration method

* cleanup TokenProcessor tests

---------

Co-authored-by: Patryk Dobrowolski <[email protected]>