From 2c7cdff9d2e677f5f892d6107a3c0b8b9ce61632 Mon Sep 17 00:00:00 2001 From: arekkas Date: Sun, 9 Jul 2017 23:07:20 +0200 Subject: [PATCH] scope: resolve haystack needle mixup - closes #201 --- .../oauth2/flow_authorize_code_auth_test.go | 5 +- .../oauth2/flow_authorize_code_token_test.go | 2 +- scope_strategy.go | 30 ++++--- scope_strategy_test.go | 78 ++++++++++++------- session_test.go | 2 +- token/jwt/claims_test.go | 3 +- 6 files changed, 73 insertions(+), 47 deletions(-) diff --git a/handler/oauth2/flow_authorize_code_auth_test.go b/handler/oauth2/flow_authorize_code_auth_test.go index 2b209951e..f321a0606 100644 --- a/handler/oauth2/flow_authorize_code_auth_test.go +++ b/handler/oauth2/flow_authorize_code_auth_test.go @@ -5,12 +5,13 @@ import ( "strings" "testing" + "time" + "github.com/ory/fosite" "github.com/ory/fosite/storage" "github.com/pkg/errors" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "time" ) func parseUrl(uu string) *url.URL { @@ -72,7 +73,7 @@ func TestAuthorizeCode_HandleAuthorizeEndpointRequest(t *testing.T) { RedirectURIs: []string{"https://asdf.de/cb"}, }, GrantedScopes: fosite.Arguments{"a", "b"}, - Session: &fosite.DefaultSession{ + Session: &fosite.DefaultSession{ ExpiresAt: map[fosite.TokenType]time.Time{fosite.AccessToken: time.Now().Add(time.Hour)}, }, RequestedAt: time.Now(), diff --git a/handler/oauth2/flow_authorize_code_token_test.go b/handler/oauth2/flow_authorize_code_token_test.go index d95984d45..b8e70c533 100644 --- a/handler/oauth2/flow_authorize_code_token_test.go +++ b/handler/oauth2/flow_authorize_code_token_test.go @@ -81,7 +81,7 @@ func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) { setup: func(t *testing.T, areq *fosite.AccessRequest) { require.NoError(t, store.CreateAuthorizeCodeSession(nil, "bar", areq)) }, - expectErr: fosite.ErrInvalidRequest, + expectErr: fosite.ErrInvalidRequest, }, { areq: &fosite.AccessRequest{ 
diff --git a/scope_strategy.go b/scope_strategy.go
index 89d315965..92789cdac 100644
--- a/scope_strategy.go
+++ b/scope_strategy.go
@@ -35,23 +35,29 @@ func HierarchicScopeStrategy(haystack []string, needle string) bool {
 	return false
 }
 
-func WildcardScopeStrategy(haystack []string, needle string) bool {
-	for _, this := range haystack {
-		if this == needle {
-			return true
-		}
+func WildcardScopeStrategy(matchers []string, needle string) bool {
+	needleParts := strings.Split(needle, ".")
+	for _, matcher := range matchers {
+		matcherParts := strings.Split(matcher, ".")
 
-		needles := strings.Split(needle, ".")
-		haystack := strings.Split(this, ".")
-		if len(needles) != len(haystack) {
+		if len(matcherParts) > len(needleParts) {
 			continue
 		}
 
 		var noteq bool
-		for k, needle := range needles {
-			current := haystack[k]
-			if needle == "*" && len(current) > 0 {
-			} else if current != needle {
+		for k, c := range strings.Split(matcher, ".") {
+			// this is the last item and the lengths are different
+			if k == len(matcherParts)-1 && len(matcherParts) != len(needleParts) {
+				if c != "*" {
+					noteq = true
+					break
+				}
+			}
+
+			if c == "*" && len(needleParts[k]) > 0 {
+				// pass because this satisfies the requirements
+				continue
+			} else if c != needleParts[k] {
 				noteq = true
 				break
 			}
diff --git a/scope_strategy_test.go b/scope_strategy_test.go
index 77bd1668d..096daaec5 100644
--- a/scope_strategy_test.go
+++ b/scope_strategy_test.go
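Review bot: WildcardScopeStrategy is exported and its matching rules change in this hunk (a trailing `*` now covers any number of further segments, a `*` segment matches exactly one non-empty needle segment, and a `*` inside a segment such as `foo*` stays literal), yet the function still carries no doc comment, so the `matchers` rename is the only hint about which argument holds the wildcards. A comment such as `// WildcardScopeStrategy reports whether needle is covered by at least one matcher. A "*" segment matches one non-empty needle segment and a trailing "*" also matches any further segments; a "*" inside a segment is literal.` above the signature would close that gap. The inner loop re-splits the matcher although `matcherParts` already holds that result; `for k, c := range matcherParts {` reads the same and avoids the second split. Note also that segments beyond a trailing `*` are never inspected, so `foo.*` appears to accept `foo.bar.` (empty last segment) while `foo.*.bar` rejects `foo..bar`; the part of the loop body that consumes `noteq` and returns lies outside the hunk, so this is inferred from the visible branches only.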
@@ -47,43 +47,61 @@ func TestWildcardScopeStrategy(t *testing.T) {
 
 	var scopes = []string{}
 	assert.False(t, strategy(scopes, "foo.bar.baz"))
-	assert.False(t, strategy(scopes, "foo.*.bar"))
-	assert.False(t, strategy(scopes, "foo.*"))
-	assert.False(t, strategy(scopes, "*"))
+	assert.False(t, strategy(scopes, "foo.bar"))
 
-	scopes = []string{""}
-	assert.False(t, strategy(scopes, "*"))
+	scopes = []string{"*"}
+	assert.False(t, strategy(scopes, ""))
+	assert.True(t, strategy(scopes, "asdf"))
+	assert.True(t, strategy(scopes, "asdf.asdf"))
 
 	scopes = []string{"foo"}
-	assert.True(t, strategy(scopes, "*"))
+	assert.False(t, strategy(scopes, "*"))
 	assert.False(t, strategy(scopes, "foo.*"))
 	assert.False(t, strategy(scopes, "fo*"))
+	assert.True(t, strategy(scopes, "foo"))
 
-	scopes = []string{"foo.bar"}
-	assert.True(t, strategy(scopes, "foo.*"))
-
-	scopes = []string{"foo.baz"}
-	assert.True(t, strategy(scopes, "foo.*"))
-	assert.False(t, strategy(scopes, "foo.*.foo"))
-	assert.False(t, strategy(scopes, "foo.*."))
-	assert.False(t, strategy(scopes, "foo.foo.*."))
-	assert.False(t, strategy(scopes, "foo.foo.*"))
-
-	scopes = []string{"foo.baz.bar"}
-	assert.False(t, strategy(scopes, "foo.*"))
-	assert.True(t, strategy(scopes, "foo.*.*"))
-	assert.True(t, strategy(scopes, "foo.*.bar"))
-	assert.True(t, strategy(scopes, "foo.baz.*"))
-	assert.True(t, strategy(scopes, "foo.baz.bar"))
-	assert.False(t, strategy(scopes, "foo.b*.bar"))
+	scopes = []string{"foo*"}
+	assert.False(t, strategy(scopes, "foo"))
+	assert.False(t, strategy(scopes, "fooa"))
+	assert.False(t, strategy(scopes, "fo"))
+	assert.True(t, strategy(scopes, "foo*"))
 
-	scopes = []string{"foo.bar", "foo.baz.bar"}
-	assert.True(t, strategy(scopes, "foo.*"))
-	assert.True(t, strategy(scopes, "foo.*.*"))
-	assert.True(t, strategy(scopes, "foo.*.bar"))
-	assert.False(t, strategy(scopes, "foo.bar.*"))
-	assert.True(t, strategy(scopes, "foo.baz.*"))
+	scopes = []string{"foo.*"}
+	assert.True(t, strategy(scopes, "foo.bar"))
+	assert.True(t, strategy(scopes, "foo.baz"))
+	assert.True(t, strategy(scopes, "foo.bar.baz"))
+	assert.False(t, strategy(scopes, "foo"))
 
-	scopes = []string{"foo..bar"}
+	scopes = []string{"foo.*.baz"}
+	assert.True(t, strategy(scopes, "foo.*.baz"))
+	assert.True(t, strategy(scopes, "foo.bar.baz"))
+	assert.False(t, strategy(scopes, "foo..baz"))
+	assert.False(t, strategy(scopes, "foo.baz"))
+	assert.False(t, strategy(scopes, "foo"))
+	assert.False(t, strategy(scopes, "foo.bar.bar"))
+
+	scopes = []string{"foo.*.bar.*"}
+	assert.True(t, strategy(scopes, "foo.baz.bar.baz"))
+	assert.False(t, strategy(scopes, "foo.baz.baz.bar.baz"))
+	assert.True(t, strategy(scopes, "foo.baz.bar.bar.bar"))
+	assert.False(t, strategy(scopes, "foo.baz.bar"))
+	assert.True(t, strategy(scopes, "foo.*.bar.*.*.*"))
+	assert.True(t, strategy(scopes, "foo.1.bar.1.2.3.4.5"))
+
+	scopes = []string{"foo.*.bar"}
+	assert.True(t, strategy(scopes, "foo.bar.bar"))
+	assert.False(t, strategy(scopes, "foo.bar.bar.bar"))
+	assert.False(t, strategy(scopes, "foo..bar"))
+	assert.False(t, strategy(scopes, "foo.bar..bar"))
+
+	scopes = []string{"foo.*.bar.*.baz.*"}
+	assert.False(t, strategy(scopes, "foo.*.*"))
 	assert.False(t, strategy(scopes, "foo.*.bar"))
+	assert.False(t, strategy(scopes, "foo.baz.*"))
+	assert.False(t, strategy(scopes, "foo.baz.bar"))
+	assert.False(t, strategy(scopes, "foo.b*.bar"))
+	assert.True(t, strategy(scopes, "foo.bar.bar.baz.baz.baz"))
+	assert.True(t, strategy(scopes, "foo.bar.bar.baz.baz.baz.baz"))
+	assert.False(t, strategy(scopes, "foo.bar.bar.baz.baz"))
+	assert.False(t, strategy(scopes, "foo.bar.baz.baz.baz.bar"))
 }
diff --git a/session_test.go b/session_test.go
index 81ee05e7d..635649a6f 100644
--- a/session_test.go
+++ b/session_test.go
@@ -11,4 +11,4 @@ func TestSession(t *testing.T) {
 	assert.Empty(t, s.GetSubject())
 	assert.Empty(t, s.GetUsername())
 	assert.Nil(t, s.Clone())
-}
\ No newline at end of file
+}
diff --git a/token/jwt/claims_test.go b/token/jwt/claims_test.go
index c945aaee0..fbb8104cb 100644
--- a/token/jwt/claims_test.go
+++ b/token/jwt/claims_test.go
@@ -2,8 +2,9 @@ package jwt
 
 import (
 	"testing"
-	"github.com/stretchr/testify/assert"
 	"time"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestToString(t *testing.T) {