fixup

libops · Jan 7, 2025 · 7428b67 · 7428b67
1 parent 242f3a7
commit 7428b67
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 14 deletions.
diff --git a/.github/workflows/lint-test-build-push.yml b/.github/workflows/lint-test-build-push.yml
@@ -53,10 +53,13 @@ jobs:
 
       - name: Wait for container to be ready
         run: |
-          for i in {1..10}; do
-            if curl -s \
-              -H "Authorization: Bearer $ACTIONS_ID_TOKEN" \
-              http://localhost:8080/test | grep "ok"; then
+          TOKEN=$(curl -s \
+            -H "Accept: application/json; api-version=2.0" \
+            -H "Content-Type: application/json" -d "{}"  \
+            -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=ghat" | jq -r '.value')
+          for i in {1..5}; do
+            if curl -s -H "Authorization: Bearer $TOKEN" http://localhost:8080/test | grep "ok"; then
               echo "Auth passed!"
               exit 0
             fi

diff --git a/lib/handler/middleware.go b/lib/handler/middleware.go
@@ -17,7 +17,7 @@ type contextKey string
 
 const claimsKey contextKey = "claims"
 
-const githubKeysURL = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+const githubKeysURL = "https://token.actions.githubusercontent.com/.well-known/jwks"
 
 func LoggingMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -76,25 +76,30 @@ func JWTAuthMiddleware(next http.Handler) http.Handler {
 func verifyJWT(tokenString string) (*GitHubClaims, error) {
 	keySet, err := fetchJWKS()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Unable to fetch JWKS: %v", err)
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	token, err := jwt.Parse([]byte(tokenString), jwt.WithKeySet(keySet), jwt.WithContext(ctx))
+	token, err := jwt.Parse(
+		[]byte(tokenString),
+		jwt.WithKeySet(keySet),
+		jwt.WithContext(ctx),
+		jwt.WithVerify(true))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Unable to parse token: %v", err)
 	}
 
-	var claims GitHubClaims
 	if err := validateClaims(token); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Unable to validate claims: %v", err)
 	}
 	rawClaims, err := json.Marshal(token)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal claims: %v", err)
 	}
+
+	var claims GitHubClaims
 	if err := json.Unmarshal(rawClaims, &claims); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal claims: %v", err)
 	}
@@ -115,8 +120,12 @@ func validateClaims(token jwt.Token) error {
 		return fmt.Errorf("invalid issuer: %v", iss)
 	}
 
-	if time.Now().After(token.Expiration()) {
-		return fmt.Errorf("token has expired")
+	aud, ok := token.Get("aud")
+	if !ok {
+		return fmt.Errorf("aud claim not found")
+	}
+	if strings.ToLower(aud.(string)) != "https://github.com/libops" {
+		return fmt.Errorf("invalid aud: %v", aud)
 	}
 
 	ro, ok := token.Get("repository_owner")
@@ -126,5 +135,6 @@ func validateClaims(token jwt.Token) error {
 	if strings.ToLower(ro.(string)) != "libops" {
 		return fmt.Errorf("invalid repository_owner: %v", iss)
 	}
+
 	return nil
 }
diff --git a/main.go b/main.go
@@ -21,8 +21,11 @@ func main() {
 	r.Use(handler.JWTAuthMiddleware)
 	r.HandleFunc("/repo/admin", wh.RepoAdminToken).Methods("POST")
 	r.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		w.Write([]byte(`ok`))
+		_, err := w.Write([]byte(`ok`))
+		if err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			slog.Error("Unable to write for healthcheck")
+		}
 	}).Methods("GET")
 
 	port := os.Getenv("PORT")