From 9e6fbf785a91b44904a72bfe4922085394ba7cc5 Mon Sep 17 00:00:00 2001
From: Tatsuya Yano
Date: Wed, 18 Sep 2024 20:06:26 +0900
Subject: [PATCH 1/2] Updated InstanceJenkinsProvider
---
 .../impl/InstanceJenkinsProvider.java | 32 ++++++++-----------
 .../impl/InstanceJenkinsProviderTest.java | 20 ++---------
 2 files changed, 16 insertions(+), 36 deletions(-)
diff --git a/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java b/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
index c03b10e..745f0fc 100644
--- a/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
+++ b/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProvider.java
@@ -1,18 +1,3 @@
-/*
- * Copyright The Athenz Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.yahoo.athenz.instance.provider.impl;
 import com.yahoo.athenz.auth.Authorizer;
@@ -66,6 +51,7 @@ public class InstanceJenkinsProvider implements InstanceProvider {
 String provider = null;
 String audience = null;
 JwtsSigningKeyResolver signingKeyResolver = null;
+ JwtsSigningKeyResolver keyStoreSigningKeyResolver = null;
 Authorizer authorizer = null;
 DynamicConfigLong bootTimeOffsetSeconds;
 long certExpiryTime;
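Review bot: The Apache 2.0 license header is deleted from InstanceJenkinsProvider.java in the `@@ -1,18 +1,3 @@` hunk, and the first hunk of InstanceJenkinsProviderTest.java deletes the same fifteen lines, with nothing in the subject line suggesting this was intended. Stripping the copyright and license notice changes the file's licensing metadata and will trip any header check the project runs, so those lines should be restored unchanged in both files unless the maintainers asked for the removal.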
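Review bot: The new field `keyStoreSigningKeyResolver` in the `@@ -66,6 +51,7 @@` hunk carries no comment, and its name is the only hint at how it differs from `signingKeyResolver`; the initialization in the `@@ -107,6 +93,7 @@` hunk, `new JwtsSigningKeyResolver(null, null)`, does not show where its keys come from either. A field comment stating the intent would help the next reader, e.g. `// fallback resolver used when JWKS validation fails; with no JWKS URI it resolves signing keys via the key store configured on JwtsSigningKeyResolver`, with the wording adjusted to how a null jwksUri is actually handled, which the diff does not show. The enclosing class body starts outside the hunk.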
@@ -107,6 +93,7 @@ public void initialize(String provider, String providerEndpoint, SSLContext sslC
 jenkinsIssuer = System.getProperty(JENKINS_PROP_ISSUER, JENKINS_ISSUER);
 signingKeyResolver = new JwtsSigningKeyResolver(extractJenkinsIssuerJwksUri(jenkinsIssuer), null);
+ keyStoreSigningKeyResolver = new JwtsSigningKeyResolver(null, null);
 }
 HttpDriver getHttpDriver(String url) {
@@ -262,9 +249,18 @@ boolean validateOIDCToken(final String jwToken, final String domainName, final S
 .setAllowedClockSkewSeconds(60)
 .build()
 .parseClaimsJws(jwToken);
- } catch (Exception ex) {
- errMsg.append("Unable to parse and validate token: ").append(ex.getMessage());
- return false;
+ } catch (Exception e) {
+ errMsg.append("Unable to parse and validate token with JWKs: ").append(e.getMessage());
+ try {
+ claims = Jwts.parserBuilder()
+ .setSigningKeyResolver(keyStoreSigningKeyResolver)
+ .setAllowedClockSkewSeconds(60)
+ .build()
+ .parseClaimsJws(jwToken);
+ } catch (Exception ex) {
+ errMsg.append("Unable to parse and validate token with Key Store: ").append(ex.getMessage());
+ return false;
+ }
 }
 // verify the issuer in set to GitHub Actions
diff --git a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
index dea2b84..5c86ca0 100644
--- a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
+++ b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
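Review bot: In the `@@ -262,9 +249,18 @@` hunk the outer catch appends `Unable to parse and validate token with JWKs: ...` to errMsg before the key-store retry is attempted, so a token the fallback accepts returns with a failure message already sitting in errMsg, and when both resolvers fail the two messages are concatenated with no separator. Holding on to the first exception and recording both failures only in the inner catch keeps errMsg empty on success and readable on failure, and the `contains(...)` assertion updated in patch 2 still passes; the rewritten catch is below. A fallback that succeeds also deserves a log line, since a token rejected by the issuer's JWKS but accepted via the key store is exactly what an operator wants to notice during a key rotation — the hunk does not show which logger the class uses, so I have not added one. The two parser chains are now identical except for the resolver, so a private helper taking the resolver would remove the duplication; validateOIDCToken starts and ends outside the hunk, and the context comment `// verify the issuer in set to GitHub Actions` still names GitHub Actions in a Jenkins provider.
```java
        } catch (Exception e) {
            // JWKS validation failed: retry against the key-store resolver and record
            // both failures only if that also fails, so a token accepted via the key
            // store does not leave a failure message in errMsg.
            try {
                claims = Jwts.parserBuilder()
                        .setSigningKeyResolver(keyStoreSigningKeyResolver)
                        .setAllowedClockSkewSeconds(60)
                        .build()
                        .parseClaimsJws(jwToken);
            } catch (Exception ex) {
                errMsg.append("Unable to parse and validate token with JWKs: ").append(e.getMessage())
                        .append("; Unable to parse and validate token with Key Store: ").append(ex.getMessage());
                return false;
            }
        }
        // … unchanged: issuer and remaining claim checks …
```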
@@ -1,18 +1,3 @@
-/*
- * Copyright The Athenz Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.yahoo.athenz.instance.provider.impl;
 import com.yahoo.athenz.auth.Authorizer;
@@ -31,7 +16,6 @@ import org.testng.annotations.Test;
 import java.io.File;
-import java.io.IOException;
 import java.security.PrivateKey;
 import java.time.Instant;
 import java.util.Date;
@@ -219,7 +203,7 @@ public void testConfirmInstanceFailures() {
 public void testConfirmInstanceWithoutAuthorizer() {
 System.setProperty(InstanceJenkinsProvider.JENKINS_PROP_JWKS_URI, "https://config.athenz.io");
 InstanceJenkinsProvider provider = new InstanceJenkinsProvider();
- provider.initialize("sys.auth.github_actions",
+ provider.initialize("sys.auth.jenkins",
 "class://com.yahoo.athenz.instance.provider.impl.InstanceJenkinsProvider", null, null);
 provider.setAuthorizer(null);
 try {
@@ -473,7 +457,7 @@ public void testValidateOIDCTokenAuthorizationFailure() {
 assertFalse(result);
 assertTrue(errMsg.toString().contains("authorization check failed for action"));
 }
-
+
 private String generateIdToken(final String issuer, long currentTimeSecs, boolean skipSubject, boolean skipEventName, boolean skipIssuedAt, boolean skipRunId, boolean skipRepository) {
From ca4f6064c42b762bdcb812471efd61a024367b4c Mon Sep 17 00:00:00 2001
From: Tatsuya Yano
Date: Wed, 18 Sep 2024 20:12:15 +0900
Subject: [PATCH 2/2] Fixed InstanceJenkinsProvider
---
 .../instance/provider/impl/InstanceJenkinsProviderTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
index 5c86ca0..6993bb2 100644
--- a/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
+++ b/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceJenkinsProviderTest.java
@@ -184,7 +184,7 @@ public void testConfirmInstanceFailures() {
 fail();
 } catch (ResourceException ex) {
 assertEquals(ex.getCode(), 403);
- assertTrue(ex.getMessage().contains("Unable to validate Certificate Request: Unable to parse and validate token: A signing key must be specified if the specified JWT is digitally signed."));
+ assertTrue(ex.getMessage().contains("Unable to validate Certificate Request: Unable to parse and validate token with JWKs: A signing key must be specified if the specified JWT is digitally signed."));
 }
 // once we add the expected public key we should get a failure due to invalid san dns entry
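Review bot: The updated assertion in the `@@ -184,7 +184,7 @@` hunk checks only the JWKs part of the message, while the code it exercises now appends a second message when the key-store fallback also fails; adding `assertTrue(ex.getMessage().contains("Unable to parse and validate token with Key Store: "));` would pin that the fallback actually ran rather than the first failure returning early. Neither patch adds a test in which the JWKS resolver rejects a token and the key-store resolver accepts it, which is the new behavior that matters most and the one most likely to regress silently. testConfirmInstanceFailures starts outside the hunk.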