
Commit 3bb9b3d

committed
debug
1 parent 10a5016 commit 3bb9b3d


1 file changed

+21
-53
lines changed


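--- a/.github/workflows/token-federation-test.yml
+++ b/.github/workflows/token-federation-test.yml
@@ -122,41 +122,7 @@ jobs:
 # Fix audience handling
 modified = content.replace(
 'def _exchange_token(self, token, force_refresh=False):',
-'''def _exchange_token(self, token, force_refresh=False):
-# Additional handling for different audience formats
-import jwt
-try:
-# Try both standard and alternative audience formats
-audience_tried = False
-
-def try_with_audience(token, audience):
-nonlocal audience_tried
-if audience_tried:
-return None
-
-audience_tried = True
-decoded = jwt.decode(token, options={"verify_signature": False})
-aud = decoded.get("aud")
-
-# Check if aud is a list and convert to string if needed
-if isinstance(aud, list) and len(aud) > 0:
-aud = aud[0]
-
-# Print audience for debugging
-print(f"Original token audience: {aud}")
-
-if aud != audience:
-print(f"WARNING: Token audience '{aud}' doesn't match expected audience '{audience}'")
-# We won't modify the token as that would invalidate the signature
-
-return None
-
-# We're just collecting debugging info, not modifying the token
-try_with_audience(token, "https://github.com/databricks")
-
-except Exception as e:
-print(f"Audience debug error: {str(e)}")
-'''
+'def _exchange_token(self, token, force_refresh=False):\\n # Additional handling for different audience formats\\n import jwt\\n try:\\n # Try both standard and alternative audience formats\\n audience_tried = False\\n \\n def try_with_audience(token, audience):\\n nonlocal audience_tried\\n if audience_tried:\\n return None\\n \\n audience_tried = True\\n decoded = jwt.decode(token, options={\"verify_signature\": False})\\n aud = decoded.get(\"aud\")\\n \\n # Check if aud is a list and convert to string if needed\\n if isinstance(aud, list) and len(aud) > 0:\\n aud = aud[0]\\n \\n # Print audience for debugging\\n print(f\"Original token audience: {aud}\")\\n \\n if aud != audience:\\n print(f\"WARNING: Token audience \\\'{aud}\\\' doesn\\\'t match expected audience \\\'{audience}\\\'\")\\n # We won\\\'t modify the token as that would invalidate the signature\\n \\n return None\\n \\n # We\\\'re just collecting debugging info, not modifying the token\\n try_with_audience(token, \"https://github.com/databricks\")\\n \\n except Exception as e:\\n print(f\"Audience debug error: {str(e)}\")'
 )
 
 with open('src/databricks/sql/auth/token_federation.py', 'w') as f:
@@ -233,17 +199,17 @@ jobs:
 python3 -c "
 import base64, json, sys
 token = \"$OIDC_TOKEN\"
-parts = token.split('.')
+parts = token.split(\".\")
 if len(parts) >= 2:
-padding = '=' * (4 - len(parts[1]) % 4)
+padding = \"=\" * (4 - len(parts[1]) % 4)
 decoded_bytes = base64.b64decode(parts[1] + padding)
-decoded_str = decoded_bytes.decode('utf-8')
+decoded_str = decoded_bytes.decode(\"utf-8\")
 claims = json.loads(decoded_str)
-print(f\"Issuer: {claims.get('iss', 'unknown')}\")
-print(f\"Subject: {claims.get('sub', 'unknown')}\")
-print(f\"Audience: {claims.get('aud', 'unknown')}\")
+print(f\"Token issuer: {claims.get('iss', 'unknown')}\")
+print(f\"Token subject: {claims.get('sub', 'unknown')}\")
+print(f\"Token audience: {claims.get('aud', 'unknown')}\")
 else:
-print('Invalid token format')
+print(\"Invalid token format\")
 "
 
 # Create a properly URL-encoded request
@@ -343,13 +309,15 @@ EOF
 # Add debugging info
 claims = decode_jwt(token)
 if claims:
-print(f"Token issuer: {claims.get('iss', 'unknown')}")
-print(f"Token subject: {claims.get('sub', 'unknown')}")
-print(f"Token audience: {claims.get('aud', 'unknown')}")
+print(f"Token issuer: {claims.get(\'iss\', \'unknown\')}")
+print(f"Token subject: {claims.get(\'sub\', \'unknown\')}")
+print(f"Token audience: {claims.get(\'aud\', \'unknown\')}")
 
 # If audience was specified in policy but doesn't match token
 if audience and audience != claims.get('aud'):
-print(f"WARNING: Expected audience '{audience}' doesn't match token audience '{claims.get('aud')}'")
+print("WARNING: Expected audience and token audience don't match")
+print(f"Expected: {audience}")
+print(f"Actual: {claims.get('aud')}")
 
 response = requests.post(url, data=data, headers=headers)
 
@@ -387,13 +355,13 @@ EOF
 claims = decode_jwt(github_token)
 if claims:
 print("\n=== GitHub OIDC Token Claims ===")
-print(f"Token issuer: {claims.get('iss', 'unknown')}")
-print(f"Token subject: {claims.get('sub', 'unknown')}")
-print(f"Token audience: {claims.get('aud', 'unknown')}")
-print(f"Token expiration: {claims.get('exp', 'unknown')}")
-print(f"Repository: {claims.get('repository', 'unknown')}")
-print(f"Workflow ref: {claims.get('workflow_ref', 'unknown')}")
-print(f"Event name: {claims.get('event_name', 'unknown')}")
+print(f"Token issuer: {claims.get(\'iss\', \'unknown\')}")
+print(f"Token subject: {claims.get(\'sub\', \'unknown\')}")
+print(f"Token audience: {claims.get(\'aud\', \'unknown\')}")
+print(f"Token expiration: {claims.get(\'exp\', \'unknown\')}")
+print(f"Repository: {claims.get(\'repository\', \'unknown\')}")
+print(f"Workflow ref: {claims.get(\'workflow_ref\', \'unknown\')}")
+print(f"Event name: {claims.get(\'event_name\', \'unknown\')}")
 print("===============================\n")
 
 # Try token exchange with several possible audience values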
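Review bot: In the `python3 -c` snippet (new lines 204–205) the JWT payload is decoded with `base64.b64decode`, but JWT segments are base64url, so a payload containing `-` or `_` has those characters silently discarded and the printed claims (or the `json.loads` call) can come out wrong; `decoded_bytes = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))` handles both the alphabet and the padding (quotes escaped as on the neighbouring lines). The same snippet still splices the token into the program text via `token = \"$OIDC_TOKEN\"`, which puts the credential on the python3 command line; reading it with `os.environ["OIDC_TOKEN"]` (assuming the variable is exported to the step) keeps it out of argv. Separately, the backslash-escaped quotes inside the f-string replacement fields at new lines 312–314 and 358–364 (`claims.get(\'iss\', ...)`) look like a syntax error if the heredoc body reaches Python verbatim, and they are inconsistent with the unescaped `claims.get('aud')` on new lines 317 and 320. The heredoc's opening and quoting are outside these hunks, so that needs confirming against the full file.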
