From 9db43be74dd4da9e8d671d81b74af189c5b70ccd Mon Sep 17 00:00:00 2001
From: Jim Kalafut
Date: Tue, 9 Apr 2019 08:22:43 -0700
Subject: [PATCH 1/4] Interpret bound claims value as a "one of" test if a list is provided
---
 claims.go | 23 +++++++++++++++++++++--
 claims_test.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/claims.go b/claims.go
index ad062464..da4f4e36 100644
--- a/claims.go
+++ b/claims.go
@@ -96,8 +96,27 @@ func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]in
 return fmt.Errorf("claim %q is missing", claim)
 }
- if expValue != actValue {
- return fmt.Errorf("claim %q does not match associated bound claim", claim)
+ var expVals []string
+
+ switch v := expValue.(type) {
+ case []string:
+ expVals = v
+ case string:
+ expVals = []string{v}
+ default:
+ return fmt.Errorf("bound claim not a string or []string: %v", expValue)
+ }
+
+ found := false
+ for _, v := range expVals {
+ if actValue == v {
+ found = true
+ break
+ }
+ }
+
+ if !found {
+ return fmt.Errorf("claim %q does not match any associated bound claim values", claim)
 }
 }
diff --git a/claims_test.go b/claims_test.go
index dd522a24..73b3671b 100644
--- a/claims_test.go
+++ b/claims_test.go
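Review bot: The `default:` arm's error does not say which bound claim was malformed, whereas the neighbouring errors quote `claim`; `return fmt.Errorf("bound claim %q is not a string or list: %v", claim, expValue)` would let an operator find the offending role entry directly. Patches 2 and 4 reword this same line and could pick up the claim name there. The type switch also deserves a comment stating the new semantics, e.g. `// A list is a set of alternatives: the actual claim must equal one of them; an empty list matches nothing.`, since `found` never becomes true when `expVals` is empty and the request is rejected — the safe direction, but worth stating. validateBoundClaims begins before this hunk.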
@@ -275,6 +275,40 @@ func TestValidateBoundClaims(t *testing.T) {
 },
 errExpected: true,
 },
+ {
+ name: "valid - match alternates",
+ boundClaims: map[string]interface{}{
+ "email": []string{"a", "b", "c"},
+ "color": "green",
+ },
+ allClaims: map[string]interface{}{
+ "email": "c",
+ "color": "green",
+ },
+ errExpected: false,
+ },
+ {
+ name: "invalid - no match alternates",
+ boundClaims: map[string]interface{}{
+ "email": []string{"a", "b", "c"},
+ "color": "green",
+ },
+ allClaims: map[string]interface{}{
+ "email": "d",
+ "color": "green",
+ },
+ errExpected: true,
+ },
+ {
+ name: "invalid bound claim expected value",
+ boundClaims: map[string]interface{}{
+ "email": 42,
+ },
+ allClaims: map[string]interface{}{
+ "email": "d",
+ },
+ errExpected: true,
+ },
 }
 for _, tt := range tests {
 if err := validateBoundClaims(hclog.NewNullLogger(), tt.boundClaims, tt.allClaims); (err != nil) != tt.errExpected {
From 7021aa40a9a47ac3e1fe59307c24e058d68e69ca Mon Sep 17 00:00:00 2001
From: Brian Kassouf
Date: Tue, 9 Apr 2019 10:51:15 -0700
Subject: [PATCH 2/4] Update claims.go
Co-Authored-By: kalafut
---
 claims.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/claims.go b/claims.go
index da4f4e36..d82c485c 100644
--- a/claims.go
+++ b/claims.go
@@ -104,7 +104,7 @@ func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]in
 case string:
 expVals = []string{v}
 default:
- return fmt.Errorf("bound claim not a string or []string: %v", expValue)
+ return fmt.Errorf("bound claim not a string or list: %v", expValue)
 }
 found := false
From 1a53e806fa991bc198d4424a078cc8e9b663a406 Mon Sep 17 00:00:00 2001
From: Jim Kalafut
Date: Tue, 9 Apr 2019 11:59:52 -0700
Subject: [PATCH 3/4] Update string to interface{}
---
 claims.go | 6 +++---
 claims_test.go | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/claims.go b/claims.go
index da4f4e36..27508e76 100644
--- a/claims.go
+++ b/claims.go
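Review bot: The added cases exercise a matching list, a non-matching list and a non-string bound value, but not an empty list, which with this commit's implementation rejects every token because `found` is never set; that fail-closed behaviour is the one an operator could trip over by misconfiguring a role, so it should be pinned. A fourth entry such as `{name: "invalid - empty alternates", boundClaims: map[string]interface{}{"email": []string{}}, allClaims: map[string]interface{}{"email": "a"}, errExpected: true},` would do it. A case where the token's claim is itself a list (`"email": []interface{}{"a"}`) against a string bound value would likewise document that the comparison does not descend into the actual value. TestValidateBoundClaims begins before this hunk.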
@@ -96,13 +96,13 @@ func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]in
 return fmt.Errorf("claim %q is missing", claim)
 }
- var expVals []string
+ var expVals []interface{}
 switch v := expValue.(type) {
- case []string:
+ case []interface{}:
 expVals = v
 case string:
- expVals = []string{v}
+ expVals = []interface{}{v}
 default:
 return fmt.Errorf("bound claim not a string or []string: %v", expValue)
 }
diff --git a/claims_test.go b/claims_test.go
index 73b3671b..57f0d10f 100644
--- a/claims_test.go
+++ b/claims_test.go
@@ -278,7 +278,7 @@ func TestValidateBoundClaims(t *testing.T) {
 {
 name: "valid - match alternates",
 boundClaims: map[string]interface{}{
- "email": []string{"a", "b", "c"},
+ "email": []interface{}{"a", "b", "c"},
 "color": "green",
 },
 allClaims: map[string]interface{}{
@@ -290,7 +290,7 @@ func TestValidateBoundClaims(t *testing.T) {
 {
 name: "invalid - no match alternates",
 boundClaims: map[string]interface{}{
- "email": []string{"a", "b", "c"},
+ "email": []interface{}{"a", "b", "c"},
 "color": "green",
 },
 allClaims: map[string]interface{}{
From 3080246407e18e0bb6f70f0d0ecd57abf705dfbb Mon Sep 17 00:00:00 2001
From: Jim Kalafut
Date: Tue, 9 Apr 2019 12:02:43 -0700
Subject: [PATCH 4/4] Update message
---
 claims.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/claims.go b/claims.go
index df98dbc9..50438f2a 100644
--- a/claims.go
+++ b/claims.go
@@ -104,7 +104,7 @@ func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]in
 case string:
 expVals = []interface{}{v}
 default:
- return fmt.Errorf("bound claim not a string or list: %v", expValue)
+ return fmt.Errorf("bound claim is not a string or list: %v", expValue)
 }
 found := false
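Review bot: Replacing the `case []string:` arm with `case []interface{}:` means a caller that builds the bound-claims map with a native `[]string` now falls into the `default:` error, so unless every caller goes through JSON decoding it is safer to keep both arms: `case []string:` followed by `for _, s := range v { expVals = append(expVals, s) }`. With `[]interface{}` elements the `actValue == v` comparison in the loop after this hunk now compares two arbitrary interface values; Go panics rather than returning false when both hold the same non-comparable dynamic type (a nested list or map), so if the configuration layer can ever store such an element the type switch should reject it up front — presumably config validation already limits alternatives to scalars, but that is not visible here. validateBoundClaims begins before this hunk and its comparison loop follows it.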