Conversation

@mlajkim (Contributor) commented Jun 9, 2025

Background

The current GitHubActionInstanceProvider does not allow multiple GitHub Actions environments with one Athenz ZTS Server.

What's done?

Allows the ZTS owner to configure multiple GitHub Actions environments in a config file, using the issuer as the ID, by setting the following property:

athenz.zts.github_actions.prop_file_path=/path/to/file/for/the/config.json

with a file containing the following:

{
  "props": [
    {
      "provider_dns_suffix": "example-suffix1",
      "enterprise": "enterprise1",
      "audience": "https://audience1.com",
      "issuer": "https://issuer1.com",
      "jwks_uri": "https://issuer1.com/jwks"
    },
    {
      "provider_dns_suffix": "example-suffix3,example-suffix4",
      "enterprise": "enterprise2",
      "audience": "https://audience2.com",
      "issuer": "https://issuer2.com",
      "jwks_uri": "https://issuer2.com/jwks"
    }
  ]
}

Minor Changes

  • Added log message: InstanceGithubActionsProp not initialized
  • Modified the "JWT Processor not initialized" log message to: JWT Processor not found for issuer: <issuer_name>
  • Removed log message: token issuer is not GitHub Actions: <claim_issuer>

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)
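As an added, standalone example (Python, not Athenz code and not part of this PR), the following validator reads the config file format shown in the description above, keyed by issuer as the PR does. It refuses a repeated issuer, a missing or empty required field, an unknown field name, and a non-https jwks_uri (that last check goes beyond what the PR does), and it models the per-token lookup that ends in the "JWT Processor not found for issuer" path when the iss claim is unknown. Field names are those of the format above; the sample inputs are constructed for this example.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Field names from the config format in the PR description.
REQUIRED_FIELDS = ("provider_dns_suffix", "audience", "issuer", "jwks_uri")
OPTIONAL_FIELDS = ("enterprise",)


class ConfigError(ValueError):
    """Any defect in the file; a caller should treat it as a startup failure."""


@dataclass(frozen=True)
class GithubActionsProp:
    provider_dns_suffixes: Tuple[str, ...]  # the comma-separated value, split
    audience: str
    issuer: str
    jwks_uri: str
    enterprise: Optional[str]  # None when the block has no enterprise


def _required(block: dict, field: str, idx: int) -> str:
    """Return block[field], rejecting missing, null, non-string and blank values."""
    value = block.get(field)
    if not isinstance(value, str) or not value.strip():
        raise ConfigError(f"props[{idx}]: '{field}' is missing or empty")
    return value.strip()


def parse_github_actions_props(text: str) -> Dict[str, GithubActionsProp]:
    """Parse the JSON document into a map keyed by issuer. A second block with
    an issuer already seen is rejected instead of silently replacing the first."""
    doc = json.loads(text)
    blocks = doc.get("props") if isinstance(doc, dict) else None
    if not isinstance(blocks, list) or not blocks:
        raise ConfigError("config must be an object with a non-empty 'props' array")
    props: Dict[str, GithubActionsProp] = {}
    for idx, block in enumerate(blocks):
        if not isinstance(block, dict):
            raise ConfigError(f"props[{idx}] must be an object")
        unknown = set(block) - set(REQUIRED_FIELDS) - set(OPTIONAL_FIELDS)
        if unknown:  # a typo such as "jwks_url" must not pass as harmless
            raise ConfigError(f"props[{idx}]: unknown field(s) {sorted(unknown)}")
        issuer = _required(block, "issuer", idx)
        if issuer in props:
            raise ConfigError(f"props[{idx}]: issuer '{issuer}' already configured")
        jwks_uri = _required(block, "jwks_uri", idx)
        # Added hardening, not a check from the PR: signing keys fetched over
        # plain http could be swapped on the wire by a network attacker.
        if not jwks_uri.startswith("https://"):
            raise ConfigError(f"props[{idx}]: jwks_uri must use https")
        suffixes = tuple(s.strip() for s in
                         _required(block, "provider_dns_suffix", idx).split(","))
        if not all(suffixes):
            raise ConfigError(f"props[{idx}]: empty entry in provider_dns_suffix")
        enterprise = block.get("enterprise")
        if enterprise is not None and (not isinstance(enterprise, str)
                                       or not enterprise.strip()):
            raise ConfigError(f"props[{idx}]: 'enterprise' must be non-empty if present")
        props[issuer] = GithubActionsProp(
            provider_dns_suffixes=suffixes,
            audience=_required(block, "audience", idx),
            issuer=issuer, jwks_uri=jwks_uri,
            enterprise=enterprise.strip() if enterprise else None)
    return props


def config_error(text: str) -> Optional[str]:
    """Return the validation error message for `text`, or None if it is valid."""
    try:
        parse_github_actions_props(text)
    except ValueError as exc:  # ConfigError and JSON decode errors
        return str(exc)
    return None


def lookup(props: Dict[str, GithubActionsProp], iss: str) -> Optional[GithubActionsProp]:
    """Per-token lookup by the iss claim; None is the 'JWT Processor not found
    for issuer' case and the token must be refused."""
    return props.get(iss)


# Constructed sample inputs for this example (not taken from any deployment).
VALID_CONFIG = """{"props": [
  {"provider_dns_suffix": "example-suffix1", "enterprise": "enterprise1",
   "audience": "https://audience1.com", "issuer": "https://issuer1.com",
   "jwks_uri": "https://issuer1.com/jwks"},
  {"provider_dns_suffix": "example-suffix3,example-suffix4", "enterprise": "enterprise2",
   "audience": "https://audience2.com", "issuer": "https://issuer2.com",
   "jwks_uri": "https://issuer2.com/jwks"}]}"""
# Same issuer in both blocks: without the check the second block silently wins.
DUPLICATE_ISSUER_CONFIG = VALID_CONFIG.replace('https://issuer2.com"', 'https://issuer1.com"')
# Empty audience string: a null check alone would let this through.
EMPTY_AUDIENCE_CONFIG = VALID_CONFIG.replace("https://audience1.com", "")

if __name__ == "__main__":
    print(sorted(parse_github_actions_props(VALID_CONFIG)))
    print("duplicate ->", config_error(DUPLICATE_ISSUER_CONFIG))
    print("empty     ->", config_error(EMPTY_AUDIENCE_CONFIG))
```

Run it against the real file before restarting ZTS; every error message carries the props index so the offending block can be found without bisecting the file.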

mlajkim added 20 commits June 17, 2025 08:21
Signed-off-by: Jeongwoo Kim - jekim <[email protected]>
@mlajkim mlajkim force-pushed the feat/file-configuration-for branch from 2a3a938 to defeea4 Compare June 16, 2025 23:21
@@ -0,0 +1,93 @@
package com.yahoo.athenz.instance.provider.impl;
Collaborator:

please add the Athenz Authors header block (see other files in the repo)

if (issuer == null || providerDnsSuffix == null || audience == null || jwksUri == null) {
throw new IllegalArgumentException("One of the required properties is null");
}
properties.put(issuer, new Prop(providerDnsSuffix, audience, enterprise, jwksUri));
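Review bot: the IllegalArgumentException message "One of the required properties is null" names neither the field nor the block, so with several entries in the file an admin has to bisect the config to find the bad one; include the issuer when it is non-null and the name of the first null field in the message. Since enterprise is deliberately left out of the check, a one-line comment saying it is optional would also keep a future reader from "fixing" the omission.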
Collaborator:

we should add a check to see if the issuer is already set or not. otherwise, if the admin makes a mistake and specifies the same issuer in two different blocks, then the second one will override the first one and there would be no indication that it has taken place until the end users complain about their actions not working. e.g. both blocks have the same issuer:

{
  "props": [
    {
      "provider_dns_suffix": "example-suffix1,example-suffix2",
      "enterprise": "enterprise1",
      "audience": "https://audience1.com",
      "issuer": "https://issuer1.com",
      "jwks_uri": "https://issuer1.com/jwks"
    },
    {
      "provider_dns_suffix": "example-suffix3,example-suffix4",
      "enterprise": "enterprise2",
      "audience": "https://audience2.com",
      "issuer": "https://issuer1.com",
      "jwks_uri": "https://issuer2.com/jwks"
    }
  ]
}

also please add a corresponding test case for it.


// Method to add properties
public void addProperties(String issuer, String providerDnsSuffix, String audience, String enterprise, String jwksUri) {
if (issuer == null || providerDnsSuffix == null || audience == null || jwksUri == null) {
Collaborator:

do we only care about nulls or should we also check for empty strings?

return properties.get(issuer).enterprise;
}

public Boolean hasEnterprise (String issuer) {
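Review bot: `return properties.get(issuer).enterprise;` dereferences the map lookup without checking that the issuer is configured, so asking about an unknown issuer throws a NullPointerException instead of giving a clear answer; guard with `containsKey(issuer)` (or a null check on the lookup) and return null, and have `hasEnterprise` apply the same rule so callers can test it first. `hasEnterprise` also declares the boxed `Boolean`; a primitive `boolean` is the usual return type for a predicate and cannot be null at the call site.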
Collaborator:

please remove the space after the method name


props.addProperties(
githubIssuer,
System.getProperty(GITHUB_ACTIONS_PROP_PROVIDER_DNS_SUFFIX, "github-actions.athenz.io"), // determine the dns suffix. if this is not specified we'll just default to github-actions.athenz.cloud
Collaborator:

let's fix the comment to say githib-actions.athenz.io instead of athenz.cloud (the original code had the issue).


githubIssuer = System.getProperty(GITHUB_ACTIONS_PROP_ISSUER, GITHUB_ACTIONS_ISSUER);
jwtProcessor = JwtsHelper.getJWTProcessor(new JwtsSigningKeyResolver(extractGitHubIssuerJwksUri(githubIssuer), null));
try {
Collaborator:

I'm not sure if I like the order of objects here since it kind of creates a somewhat ambiguous setup. I can configure both a file and property settings and they both will be set accordingly, which is probably not what we expect. I'd like to have the following order, where the preference is given to the file config and the property settings are read only if the file config is not set. So we should have the following logic:

// we should not catch any exceptions and instead any errors
// need to be reported to the caller as failures

initializeFromFilePath();

// at this point if our configuration is set as in we have valid
// entries in our props objects, we're done and nothing else to do

if (!props.isEmpty()) {
return;
}

// otherwise add a new issuer entry based on the configured property values

String githubIssuer = System.getProperty(GITHUB_ACTIONS_PROP_ISSUER, GITHUB_ACTIONS_ISSUER);
.... (like you have the code above).

So with this model there is only a single way to configure the provider - either valid file config or system properties.

Collaborator:

So just to follow up, in the InstanceGithubActionsProp class you need to define a new member method called isEmpty that returns a boolean indicating whether or not the member field properties hashmap has entries.
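As an added, standalone example (Python, not Athenz code and not from this PR or its reviewers), the following models the two initialization orders discussed in the review comments above: the order under review, where system properties and the file are both applied, and the proposed order, where the file is loaded first, nothing is caught, and system properties are consulted only when the file contributed no entries (the isEmpty() check). The property names, default values and derive_jwks_uri are placeholders for this example; the provider's own constants and its extractGitHubIssuerJwksUri are not reproduced. Sample inputs are constructed.

```python
import json
from typing import Dict, Optional

# Placeholder property names and defaults standing in for the provider's own
# constants (GITHUB_ACTIONS_PROP_ISSUER and friends), whose values are not shown here.
PROP_ISSUER = "example.github_actions.issuer"
PROP_DNS_SUFFIX = "example.github_actions.provider_dns_suffix"
PROP_AUDIENCE = "example.github_actions.audience"
PROP_ENTERPRISE = "example.github_actions.enterprise"
DEFAULT_ISSUER = "https://default-issuer.example"
DEFAULT_DNS_SUFFIX = "github-actions.athenz.io"
DEFAULT_AUDIENCE = "https://zts.example"

Props = Dict[str, dict]


def derive_jwks_uri(issuer: str) -> str:
    """Placeholder for the provider's extractGitHubIssuerJwksUri; a real
    implementation discovers the JWKS endpoint from the issuer's metadata."""
    return issuer.rstrip("/") + "/jwks"


def add_property(props: Props, issuer: Optional[str], dns_suffix: Optional[str],
                 audience: Optional[str], enterprise: Optional[str],
                 jwks_uri: Optional[str]) -> None:
    """Register one issuer; rejects null or blank required values and a
    duplicate issuer rather than overwriting the earlier entry."""
    for name, value in (("issuer", issuer), ("provider_dns_suffix", dns_suffix),
                        ("audience", audience), ("jwks_uri", jwks_uri)):
        if not value or not value.strip():
            raise ValueError(f"required property '{name}' is null or empty")
    if issuer in props:
        raise ValueError(f"issuer '{issuer}' configured twice")
    props[issuer] = {"provider_dns_suffix": dns_suffix, "audience": audience,
                     "enterprise": enterprise, "jwks_uri": jwks_uri}


def initialize_from_file(props: Props, file_text: Optional[str]) -> None:
    """Load entries from the file config. Nothing is caught: a malformed file
    propagates to the caller and fails provider startup, as the review asks."""
    if file_text is None:  # file path property not set: nothing to read
        return
    for block in json.loads(file_text)["props"]:
        add_property(props, block.get("issuer"), block.get("provider_dns_suffix"),
                     block.get("audience"), block.get("enterprise"), block.get("jwks_uri"))


def initialize_from_system_properties(props: Props, sysprops: Dict[str, str]) -> None:
    """Single-issuer configuration from system properties (the pre-existing path)."""
    issuer = sysprops.get(PROP_ISSUER, DEFAULT_ISSUER)
    add_property(props, issuer,
                 sysprops.get(PROP_DNS_SUFFIX, DEFAULT_DNS_SUFFIX),
                 sysprops.get(PROP_AUDIENCE, DEFAULT_AUDIENCE),
                 sysprops.get(PROP_ENTERPRISE),
                 derive_jwks_uri(issuer))


def initialize_merged(file_text: Optional[str], sysprops: Dict[str, str]) -> Props:
    """Order under review: properties are applied, then the file, and both
    survive, so an operator who sets both gets a table written down nowhere."""
    props: Props = {}
    initialize_from_system_properties(props, sysprops)
    initialize_from_file(props, file_text)
    return props


def initialize_file_first(file_text: Optional[str], sysprops: Dict[str, str]) -> Props:
    """Proposed order: the file wins outright; properties are read only when
    the file contributed nothing (the isEmpty() check from the review)."""
    props: Props = {}
    initialize_from_file(props, file_text)
    if props:
        return props
    initialize_from_system_properties(props, sysprops)
    return props


# Constructed inputs for this example.
FILE_CONFIG = """{"props": [{"provider_dns_suffix": "example-suffix1",
  "audience": "https://audience1.com", "issuer": "https://issuer1.com",
  "jwks_uri": "https://issuer1.com/jwks"}]}"""
SYSPROPS = {PROP_ISSUER: "https://issuer-from-props.example",
            PROP_AUDIENCE: "https://audience-from-props.example"}

if __name__ == "__main__":
    print("merged:    ", sorted(initialize_merged(FILE_CONFIG, SYSPROPS)))
    print("file first:", sorted(initialize_file_first(FILE_CONFIG, SYSPROPS)))
    print("no file:   ", sorted(initialize_file_first(None, SYSPROPS)))
```

With both sources set, the merged order ends up trusting two issuers while the file only lists one; the file-first order trusts exactly what the file says, and falls back to the properties only when the file is absent or contains no entries.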
