

Add sre oidc provider to the trusted issuers. (kyma-project#12562)
Disable job workflow ref claim verification if it's not defined in trusted issuer.
dekiel authored Jan 17, 2025
1 parent 29127db commit 6d8c276
Showing 2 changed files with 69 additions and 23 deletions.
12 changes: 10 additions & 2 deletions pkg/oidc/oidc.go
Expand Up @@ -37,9 +37,17 @@ var (
GithubURL: "https://github.tools.sap",
ClientID: "image-builder",
}
SREJenkinsOIDCIssuer = Issuer{
Name: "sre-jenkins",
IssuerURL: "https://storage.googleapis.com/kyma-mps-prod-artifacts/jaas/oidc",
JWKSURL: "https://storage.googleapis.com/kyma-mps-prod-artifacts/jaas/oidc/jwks",
GithubURL: "https://github.tools.sap",
ClientID: "sre-jenkins-image-builder",
}
TrustedOIDCIssuers = map[string]Issuer{
GithubOIDCIssuer.IssuerURL: GithubOIDCIssuer,
GithubToolsSAPOIDCIssuer.IssuerURL: GithubToolsSAPOIDCIssuer,
SREJenkinsOIDCIssuer.IssuerURL: SREJenkinsOIDCIssuer,
}
)

Expand Down Expand Up @@ -325,7 +333,7 @@ func NewClaims(logger LoggerInterface) Claims {
func (claims *Claims) validateExpectations(issuer Issuer) error {
logger := claims.LoggerInterface
logger.Debugw("Validating job_workflow_ref claim against expected value", "job_workflow_ref", claims.JobWorkflowRef, "expected", issuer.ExpectedJobWorkflowRef)
if claims.JobWorkflowRef != issuer.ExpectedJobWorkflowRef {
if issuer.ExpectedJobWorkflowRef != "" && claims.JobWorkflowRef != issuer.ExpectedJobWorkflowRef {
return fmt.Errorf("job_workflow_ref claim expected value validation failed, expected: %s, provided: %s", claims.JobWorkflowRef, issuer.ExpectedJobWorkflowRef)
}
logger.Debugw("Claims validated successfully")
Expand Down Expand Up @@ -570,4 +578,4 @@ func (tokenProcessor *TokenProcessor) ValidateClaims(claims ClaimsInterface, tok
return fmt.Errorf("expecations validation failed: %w", err)
}
return nil
}
}
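Review bot: The error message on the line after the new guard still prints its arguments in the wrong order — the `expected:` placeholder receives `claims.JobWorkflowRef` and `provided:` receives `issuer.ExpectedJobWorkflowRef` — so the one line that reports a failed job_workflow_ref check misreports it; it should read `return fmt.Errorf("job_workflow_ref claim expected value validation failed, expected: %s, provided: %s", issuer.ExpectedJobWorkflowRef, claims.JobWorkflowRef)`. The new guard also skips the check silently: the Debugw immediately above still says the claim is being validated, so for an issuer configured without ExpectedJobWorkflowRef (the new sre-jenkins entry) nothing in the logs records that validateExpectations returned nil without comparing the workflow reference. A comment above the guard such as `// An empty ExpectedJobWorkflowRef disables the job_workflow_ref check for this issuer; validateExpectations then accepts any job_workflow_ref value from it.` plus a Debugw in the skipped branch naming issuer.Name would make that decision auditable. validateExpectations is fully inside the hunk; the NewClaims function named in the hunk header is outside it.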
80 changes: 59 additions & 21 deletions pkg/oidc/oidc_test.go
Expand Up @@ -203,27 +203,65 @@ var _ = Describe("OIDC", func() {
BeforeEach(func() {
claims = tioidc.NewClaims(logger)
})
It("should return no error when the token is valid", func() {
mockToken.On(
"Claims", &claims).Run(
func(args mock.Arguments) {
arg := args.Get(0).(*tioidc.Claims)
arg.Issuer = "https://fakedings.dev-gcp.nais.io/fake"
arg.Subject = "mysub"
arg.Audience = jwt.Audience{"myaudience"}
arg.JobWorkflowRef = "kyma-project/test-infra/.github/workflows/verify-oidc-token.yml@refs/heads/main"
},
).Return(nil)
token.Token = &mockToken

// Run
err = tokenProcessor.ValidateClaims(&claims, &token)

// Verify
Expect(err).NotTo(HaveOccurred())
Expect(claims.Issuer).To(Equal("https://fakedings.dev-gcp.nais.io/fake"))
Expect(claims.Subject).To(Equal("mysub"))
Expect(claims.Audience).To(Equal(jwt.Audience{"myaudience"}))
When("token is valid", func() {
It("should return no error", func() {
mockToken.On(
"Claims", &claims).Run(
func(args mock.Arguments) {
arg := args.Get(0).(*tioidc.Claims)
arg.Issuer = "https://fakedings.dev-gcp.nais.io/fake"
arg.Subject = "mysub"
arg.Audience = jwt.Audience{"myaudience"}
arg.JobWorkflowRef = "kyma-project/test-infra/.github/workflows/verify-oidc-token.yml@refs/heads/main"
},
).Return(nil)
token.Token = &mockToken

// Run
err = tokenProcessor.ValidateClaims(&claims, &token)

// Verify
Expect(err).NotTo(HaveOccurred())
Expect(claims.Issuer).To(Equal("https://fakedings.dev-gcp.nais.io/fake"))
Expect(claims.Subject).To(Equal("mysub"))
Expect(claims.Audience).To(Equal(jwt.Audience{"myaudience"}))
})

When("trusted issuer ExpectedJobWorkflowRef is not set", func() {
It("should return no error", func() {
trustedIssuers = map[string]tioidc.Issuer{
"https://fakedings.dev-gcp.nais.io/fake": {
Name: "github",
IssuerURL: "https://fakedings.dev-gcp.nais.io/fake",
JWKSURL: "https://fakedings.dev-gcp.nais.io/fake/jwks",
ClientID: "testClientID",
},
}
tokenProcessor, err = tioidc.NewTokenProcessor(logger, trustedIssuers, string(rawToken))
Expect(err).NotTo(HaveOccurred())
Expect(tokenProcessor).NotTo(BeNil())

mockToken.On(
"Claims", &claims).Run(
func(args mock.Arguments) {
arg := args.Get(0).(*tioidc.Claims)
arg.Issuer = "https://fakedings.dev-gcp.nais.io/fake"
arg.Subject = "mysub"
arg.Audience = jwt.Audience{"myaudience"}
},
).Return(nil)
token.Token = &mockToken

// Run
err = tokenProcessor.ValidateClaims(&claims, &token)

// Verify
Expect(err).NotTo(HaveOccurred())
Expect(claims.Issuer).To(Equal("https://fakedings.dev-gcp.nais.io/fake"))
Expect(claims.Subject).To(Equal("mysub"))
Expect(claims.Audience).To(Equal(jwt.Audience{"myaudience"}))
})
})
})
It("should return an error when unexpected job workflow reference is provided", func() {
mockToken.On(
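Review bot: The new "trusted issuer ExpectedJobWorkflowRef is not set" spec never sets `arg.JobWorkflowRef` in the mocked claims (the Run callback of its mockToken.On call), so both the claim and the expectation are empty strings and the comparison passes under the old unguarded code as well — this spec cannot fail if the guard is reverted. Setting a deliberately non-matching value, e.g. `arg.JobWorkflowRef = "kyma-project/test-infra/.github/workflows/other-workflow.yml@refs/heads/main"` (constructed sample), is what proves the check is actually skipped for such an issuer. The spec also reassigns trustedIssuers and tokenProcessor inside the It; if those are re-initialised by a BeforeEach outside this hunk that is fine, otherwise the override leaks into the "unexpected job workflow reference" spec that starts at the bottom of the hunk and continues outside it.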
