From cae395feddb0e096fa0338b0940662ac1b845840 Mon Sep 17 00:00:00 2001
From: Hongli Lai
Date: Wed, 31 Jul 2024 11:09:56 +0200
Subject: [PATCH] apiserver: fix validating OIDC JWT claims

---
 apiserver/app.rb | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/apiserver/app.rb b/apiserver/app.rb
index f6fa424..afc6357 100644
--- a/apiserver/app.rb
+++ b/apiserver/app.rb
@@ -93,12 +93,23 @@ def fetch_github_jwks
 end
 
 def valid_claims?(claims, repository, expected_claim_values)
-  return false unless claims['sub'].start_with?("repo:#{repository}:") &&
-    claims['repository'] == repository &&
-    claims['runner_environment'] == 'github-hosted'
+  if !claims['sub'].start_with?("repo:#{repository}:") || claims['repository'] != repository
+    $stderr.puts "Invalid repository claim: expected=#{repository.inspect}, actual=#{JSON.pretty_generate(claims)}"
+    return false
+  end
+
+  if claims['runner_environment'] != 'github-hosted'
+    $stderr.puts "Invalid runner_environment claim: expected=github-hosted, actual=#{JSON.pretty_generate(claims)}"
+    return false
+  end
+
   expected_claim_values.each_pair do |key, value|
-    return false unless claims[key] == value
+    if claims[key.to_s] != value
+      $stderr.puts "Invalid #{key} claim: expected=#{value.inspect}, actual=#{JSON.pretty_generate(claims)}"
+      return false
+    end
   end
+
   true
 end
 end
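Review bot: The first added check in valid_claims? still calls start_with? directly on claims['sub'], so a token whose payload lacks a sub claim (or carries a non-string one) raises NoMethodError instead of being rejected with the new diagnostic; coercing first keeps the validation a clean false, e.g. `if !claims['sub'].to_s.start_with?("repo:#{repository}:") || claims['repository'] != repository`. The same applies to the other claims only insofar as they are compared with != against strings, which is already safe for nil. Each failure branch also writes the entire claim set to stderr via JSON.pretty_generate, which spreads one rejection across many log lines; if the intent is only to show the offending value, logging `claims[key.to_s].inspect` (and `claims['sub']`/`claims['repository']` in the first branch) would keep each entry on one line and avoid echoing every claim of a rejected token. The whole method is visible in the hunk; the trailing `end` belongs to an enclosing scope outside it.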