log authz failure for github action provider (#2530)

Signed-off-by: Henry Avetisyan <hga@yahooinc.com> Co-authored-by: Henry Avetisyan <hga@yahooinc.com>
AthenZ · Feb 27, 2024 · 1697d5c · 1697d5c
1 parent aebd6fd
commit 1697d5c
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/.../src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProvider.java b/.../src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProvider.java
@@ -339,11 +339,16 @@ boolean validateTenantDomainToken(final Claims claims, final String domainName,
             errMsg.append("token does not contain required subject claim");
             return false;
         }
-        final String resource = domainName + ":" + subject;
 
         // generate our principal object and carry out authorization check
 
+        final String resource = domainName + ":" + subject;
         Principal principal = SimplePrincipal.create(domainName, serviceName, (String) null);
-        return authorizer.access(action, resource, principal, null);
+        boolean accessCheck = authorizer.access(action, resource, principal, null);
+        if (!accessCheck) {
+            errMsg.append("authorization check failed for action: ").append(action)
+                    .append(" resource: ").append(resource);
+        }
+        return accessCheck;
     }
 }
diff --git a/.../test/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProviderTest.java b/.../test/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProviderTest.java
@@ -516,6 +516,36 @@ public void testValidateOIDCTokenMissingSubject() {
         assertTrue(errMsg.toString().contains("token does not contain required subject claim"));
     }
 
+    @Test
+    public void testValidateOIDCTokenAuthorizationFailure() {
+
+        System.setProperty(InstanceGithubActionsProvider.GITHUB_ACTIONS_PROP_JWKS_URI, "https://config.athenz.io");
+        System.setProperty(InstanceGithubActionsProvider.GITHUB_ACTIONS_PROP_AUDIENCE, "https://athenz.io");
+        System.setProperty(InstanceGithubActionsProvider.GITHUB_ACTIONS_PROP_ENTERPRISE, "athenz");
+
+        InstanceGithubActionsProvider provider = new InstanceGithubActionsProvider();
+        provider.initialize("sys.auth.github_actions",
+                "class://com.yahoo.athenz.instance.provider.impl.InstanceGithubActionsProvider", null, null);
+
+        provider.signingKeyResolver.addPublicKey("0", Crypto.loadPublicKey(ecPublicKey));
+
+        Authorizer authorizer = Mockito.mock(Authorizer.class);
+        Principal principal = SimplePrincipal.create("sports", "api", (String) null);
+        Mockito.when(authorizer.access("github.push", "sports:repo:athenz/sia:ref:refs/heads/main", principal, null))
+                .thenReturn(false);
+        provider.setAuthorizer(authorizer);
+
+        // create an id token
+
+        String idToken = generateIdToken("https://token.actions.githubusercontent.com",
+                System.currentTimeMillis() / 1000, false, false, false);
+
+        StringBuilder errMsg = new StringBuilder(256);
+        boolean result = provider.validateOIDCToken(idToken, "sports", "api", "0001", errMsg);
+        assertFalse(result);
+        assertTrue(errMsg.toString().contains("authorization check failed for action"));
+    }
+
     private String generateIdToken(final String issuer, long currentTimeSecs, boolean skipSubject,
             boolean skipEventName, boolean skipIssuedAt) {