From 1697d5cd3ddddc646a43a5d1a341b32dce92c5e8 Mon Sep 17 00:00:00 2001
From: Henry Avetisyan
Date: Tue, 27 Feb 2024 13:36:51 -0800
Subject: [PATCH] log authz failure for github action provider (#2530)

Signed-off-by: Henry Avetisyan
Co-authored-by: Henry Avetisyan
---
 .../impl/InstanceGithubActionsProvider.java | 9 ++++--
 .../InstanceGithubActionsProviderTest.java | 30 +++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProvider.java b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProvider.java
index 5f60941dc04..63a4ac089e5 100644
--- a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProvider.java
+++ b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProvider.java
@@ -339,11 +339,16 @@ boolean validateTenantDomainToken(final Claims claims, final String domainName,
             errMsg.append("token does not contain required subject claim");
             return false;
         }
-        final String resource = domainName + ":" + subject;
         // generate our principal object and carry out authorization check
+        final String resource = domainName + ":" + subject;
         Principal principal = SimplePrincipal.create(domainName, serviceName, (String) null);
-        return authorizer.access(action, resource, principal, null);
+        boolean accessCheck = authorizer.access(action, resource, principal, null);
+        if (!accessCheck) {
+            errMsg.append("authorization check failed for action: ").append(action)
+                    .append(" resource: ").append(resource);
+        }
+        return accessCheck;
     }
 }
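Review bot: The failure text appended at `.append(" resource: ").append(resource)` copies the token's subject claim through verbatim, because `resource` is built from `domainName + ":" + subject` a few lines up and, judging by the preceding "token does not contain required subject claim" check, `subject` appears to come from the token rather than from a fixed value. Where `errMsg` ends up is not visible in this hunk, but if it is written to a log or returned to the caller, a subject containing newlines or control characters would be passed on unchanged, so consider length-capping and stripping non-printable characters from it before appending, or appending only the fixed `domainName` prefix. Naming the principal in the message, e.g. `.append(" principal: ").append(domainName).append('.').append(serviceName)`, would also make a denied request easier to triage without a second lookup. `validateTenantDomainToken` starts outside the hunk, so the origin of `action` cannot be confirmed here.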
diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProviderTest.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProviderTest.java
index 98e7a15b48d..6e22e69cff2 100644
--- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProviderTest.java
+++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceGithubActionsProviderTest.java
@@ -516,6 +516,36 @@ public void testValidateOIDCTokenMissingSubject() {
         assertTrue(errMsg.toString().contains("token does not contain required subject claim"));
     }
 
+    @Test
+    public void testValidateOIDCTokenAuthorizationFailure() {
+
+        System.setProperty(InstanceGithubActionsProvider.GITHUB_ACTIONS_PROP_JWKS_URI, "https://config.athenz.io");
+        System.setProperty(InstanceGithubActionsProvider.GITHUB_ACTIONS_PROP_AUDIENCE, "https://athenz.io");
+        System.setProperty(InstanceGithubActionsProvider.GITHUB_ACTIONS_PROP_ENTERPRISE, "athenz");
+
+        InstanceGithubActionsProvider provider = new InstanceGithubActionsProvider();
+        provider.initialize("sys.auth.github_actions",
+                "class://com.yahoo.athenz.instance.provider.impl.InstanceGithubActionsProvider", null, null);
+
+        provider.signingKeyResolver.addPublicKey("0", Crypto.loadPublicKey(ecPublicKey));
+
+        Authorizer authorizer = Mockito.mock(Authorizer.class);
+        Principal principal = SimplePrincipal.create("sports", "api", (String) null);
+        Mockito.when(authorizer.access("github.push", "sports:repo:athenz/sia:ref:refs/heads/main", principal, null))
+                .thenReturn(false);
+        provider.setAuthorizer(authorizer);
+
+        // create an id token
+
+        String idToken = generateIdToken("https://token.actions.githubusercontent.com",
+                System.currentTimeMillis() / 1000, false, false, false);
+
+        StringBuilder errMsg = new StringBuilder(256);
+        boolean result = provider.validateOIDCToken(idToken, "sports", "api", "0001", errMsg);
+        assertFalse(result);
+        assertTrue(errMsg.toString().contains("authorization check failed for action"));
+    }
+
     private String generateIdToken(final String issuer, long currentTimeSecs, boolean skipSubject,
             boolean skipEventName, boolean skipIssuedAt) {
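Review bot: The stub `Mockito.when(authorizer.access("github.push", "sports:repo:athenz/sia:ref:refs/heads/main", principal, null)).thenReturn(false)` does not actually constrain the new test, because an unstubbed Mockito mock already returns `false` for a boolean method, so `assertFalse(result)` and the `contains("authorization check failed for action")` check both pass even if the provider derived a different action or resource from the token. A denied-authorization test should pin what reached the authorizer, e.g. `Mockito.verify(authorizer).access(Mockito.eq("github.push"), Mockito.eq("sports:repo:athenz/sia:ref:refs/heads/main"), Mockito.any(), Mockito.isNull());` after the call, or at minimum `assertTrue(errMsg.toString().contains("resource: sports:repo:athenz/sia:ref:refs/heads/main"));`. Whether the stub's `principal` argument would ever match depends on `SimplePrincipal` implementing `equals`, which is not visible here, which is why the suggested verify uses a matcher for that argument. The three `System.setProperty` calls at the top of the method are not cleared afterwards; if the sibling tests do not reset them, state may leak between tests depending on execution order.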