Merge pull request #42 from shogo82148/imrpove-verify-claims

custom validation for GitHub OIDC tokens
shogo82148 · Sep 23, 2021 · 87eff84 · 87eff84
2 parents a9328f2 + 207ff11
commit 87eff84
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 21 deletions.
diff --git a/provider/github-app-token/github/parse_id_token.go b/provider/github-app-token/github/parse_id_token.go
@@ -2,27 +2,37 @@ package github
 
 import (
 	"context"
-
-	"github.com/golang-jwt/jwt/v4"
+	"errors"
+	"fmt"
+	"time"
 )
 
 type ActionsIDToken struct {
-	jwt.StandardClaims
-	Ref             string `json:"ref"`
-	SHA             string `json:"sha"`
-	Repository      string `json:"repository"`
-	RepositoryOwner string `json:"repository_owner"`
-	RunID           string `json:"run_id"`
-	RunNumber       string `json:"run_number"`
-	RunAttempt      string `json:"run_attempt"`
-	Actor           string `json:"actor"`
-	Workflow        string `json:"workflow"`
-	HeadRef         string `json:"head_ref"`
-	BaseRef         string `json:"base_ref"`
-	EventName       string `json:"event_name"`
-	EventType       string `json:"branch"`
-	JobWorkflowRef  string `json:"job_workflow_ref"`
-	Environment     string `json:"environment"`
+	// common jwt parameters
+	Audience  string `json:"aud,omitempty"`
+	ExpiresAt int64  `json:"exp,omitempty"`
+	Id        string `json:"jti,omitempty"`
+	IssuedAt  int64  `json:"iat,omitempty"`
+	Issuer    string `json:"iss,omitempty"`
+	NotBefore int64  `json:"nbf,omitempty"`
+	Subject   string `json:"sub,omitempty"`
+
+	// GitHub's extara parameters
+	Ref             string `json:"ref,omitempty"`
+	SHA             string `json:"sha,omitempty"`
+	Repository      string `json:"repository,omitempty"`
+	RepositoryOwner string `json:"repository_owner,omitempty"`
+	RunID           string `json:"run_id,omitempty"`
+	RunNumber       string `json:"run_number,omitempty"`
+	RunAttempt      string `json:"run_attempt,omitempty"`
+	Actor           string `json:"actor,omitempty"`
+	Workflow        string `json:"workflow,omitempty"`
+	HeadRef         string `json:"head_ref,omitempty"`
+	BaseRef         string `json:"base_ref,omitempty"`
+	EventName       string `json:"event_name,omitempty"`
+	EventType       string `json:"branch,omitempty"`
+	JobWorkflowRef  string `json:"job_workflow_ref,omitempty"`
+	Environment     string `json:"environment,omitempty"`
 }
 
 func (c *Client) ParseIDToken(ctx context.Context, idToken string) (*ActionsIDToken, error) {
@@ -33,3 +43,32 @@ func (c *Client) ParseIDToken(ctx context.Context, idToken string) (*ActionsIDTo
 	}
 	return &claims, nil
 }
+
+func (token *ActionsIDToken) Valid() error {
+	now := time.Now()
+
+	if token.Issuer != oidcIssuer {
+		return fmt.Errorf("github: unexpected issuer: %q", token.Issuer)
+	}
+
+	if token.ExpiresAt == 0 {
+		return errors.New("github: the exp (expires at) parameter is not set")
+	}
+	truncatedTime := now.Truncate(time.Second).Unix()
+	if truncatedTime >= token.ExpiresAt {
+		return errors.New("github: the token is already expired")
+	}
+
+	if token.NotBefore == 0 {
+		return errors.New("github: the nbf (not before) paremeter is not set")
+	}
+
+	// the not before parameter might be a future time, because GitHub rounds off it.
+	// we rounds up the current time here to accept such a case.
+	roundedUpTime := now.Add(time.Second - 1).Truncate(time.Second).Unix()
+	if roundedUpTime < token.NotBefore {
+		return errors.New("github: the token is not valid yet")
+	}
+
+	return nil
+}
diff --git a/provider/github-app-token/github/parse_id_token_test.go b/provider/github-app-token/github/parse_id_token_test.go
@@ -28,9 +28,6 @@ func TestParseIDToken_Intergrated(t *testing.T) {
 	}
 	t.Logf("the id is issued at %s", time.Now())
 
-	// The clock of the token vendor is drifted from the GitHub Actions' runners.
-	time.Sleep(5 * time.Second)
-
 	oidcClient, err := oidc.NewClient(http.DefaultClient, oidcIssuer, oidcThumbprints)
 	if err != nil {
 		t.Fatal(err)