[wip] support more complex scope / role objects from JWT claims (#3529)

asoorm · vaske · jeffy-mathew · Tyk Bot · commit 18312b487b3f · 2021-11-01T08:41:55.000Z
* scopes can be nested and either space separated strings or array slices * functions rename to have better reading and understanding Co-authored-by: Milan Vasic <milan.vasic.su@gmail.com> Co-authored-by: Jeffy Mathew <jeffy.mathew100@gmail.com> (cherry picked from commit 8ba3c49)
diff --git a/gateway/mw_jwt.go b/gateway/mw_jwt.go
@@ -315,16 +315,47 @@ func (k *JWTMiddleware) getUserIdFromClaim(claims jwt.MapClaims) (string, error)
 	return "", errors.New(message)
 }
 
-func getScopeFromClaim(claims jwt.MapClaims, scopeClaimName string) []string {
-	// get claim with scopes and turn it into slice of strings
-	if scope, found := claims[scopeClaimName].(string); found {
-		return strings.Split(scope, " ") // by standard is space separated list of values
+func toStrings(v interface{}) []string {
+	switch e := v.(type) {
+	case string:
+		return strings.Split(e, " ")
+	case []interface{}:
+		var r []string
+		for _, x := range e {
+			r = append(r, toStrings(x)...)
+		}
+		return r
 	}
-
-	// claim with scopes is optional so return nothing if it is not present
 	return nil
 }
 
+func nestedMapLookup(m map[string]interface{}, ks ...string) interface{} {
+	var c interface{} = m
+	for _, k := range ks {
+		if _, ok := c.(map[string]interface{}); !ok {
+			//fmt.Errorf("key not found; remaining keys: %v", ks)
+			return nil
+		}
+		c = getMapContext(c, k)
+	}
+	return c
+}
+
+func getMapContext(m interface{}, k string) (rval interface{}) {
+	switch e := m.(type) {
+	case map[string]interface{}:
+		return e[k]
+	default:
+		return e
+	}
+}
+
+func getScopeFromClaim(claims jwt.MapClaims, scopeClaimName string) []string {
+	lookedUp := nestedMapLookup(claims, strings.Split(scopeClaimName, ".")...)
+
+	return toStrings(lookedUp)
+}
+
 func mapScopeToPolicies(mapping map[string]string, scope []string) []string {
 	polIDs := []string{}
 
diff --git a/gateway/mw_jwt_test.go b/gateway/mw_jwt_test.go
@@ -11,7 +11,7 @@ import (
 	"testing"
 	"time"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/dgrijalva/jwt-go"
 	"github.com/lonelycode/go-uuid/uuid"
 	"github.com/stretchr/testify/assert"
 
@@ -1223,7 +1223,81 @@ func TestJWTScopeToPolicyMapping(t *testing.T) {
 			},
 		)
 	})
+}
+
+func TestGetScopeFromClaim(t *testing.T) {
+	type tableTest struct {
+		jwt            string
+		key            string
+		expectedClaims []string
+		name           string
+	}
+
+	tests := []tableTest{
+		{
+			jwt:            `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOiJmb28gYmFyIGJheiJ9.iS5FYY99ccB1oTGtMmNjM1lppS18FSKPytrV9oQouSM`,
+			key:            "scope",
+			expectedClaims: []string{"foo", "bar", "baz"},
+			name:           "space separated",
+		},
+		{
+			jwt:            `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUiOlsiZm9vIiwiYmFyIiwiYmF6Il19.Lo_7J1FpUcsKWC4E9nMiouyVdUClA3KujHu9EwqHEwo`,
+			key:            "scope",
+			expectedClaims: []string{"foo", "bar", "baz"},
+			name:           "slice strings",
+		},
+		{
+			jwt:            `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUxIjp7InNjb3BlMiI6ImZvbyBiYXIgYmF6In19.IsCBEl-GozS-sgZaTHoLwuBKmxYLOCYYVCiLLVmGu8o`,
+			key:            "scope1.scope2",
+			expectedClaims: []string{"foo", "bar", "baz"},
+			name:           "nested space separated",
+		},
+		{
+			jwt:            `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwic2NvcGUxIjp7InNjb3BlMiI6WyJmb28iLCJiYXIiLCJiYXoiXX19.VDBnH2U7KWl-fajAHGq6PzzWp4mnNCkfKAodfhHc0gY`,
+			key:            "scope1.scope2",
+			expectedClaims: []string{"foo", "bar", "baz"},
+			name:           "nested slice strings",
+		},
+	}
+
+	pubKey := []byte(`mysecret`)
+
+	for i, mytest := range tests {
+		t.Run(fmt.Sprintf("%d %s", i, mytest.name), func(t *testing.T) {
+			tok, err := jwt.Parse(mytest.jwt, func(token *jwt.Token) (interface{}, error) {
+				return pubKey, nil
+			})
+			if err != nil {
+				t.Fatal(err.Error())
+			}
+
+			scopes := getScopeFromClaim(tok.Claims.(jwt.MapClaims), mytest.key)
+			if !testEq(mytest.expectedClaims, scopes) {
+				t.Logf("expected: %v", mytest.expectedClaims)
+				t.Logf("actual: %v", scopes)
+				t.Fatal(i, "slices not equal")
+			}
+		})
+	}
+}
+
+func testEq(a, b []string) bool {
+	// If one is nil, the other must also be nil.
+	if (a == nil) != (b == nil) {
+		return false
+	}
+
+	if len(a) != len(b) {
+		return false
+	}
+
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
 
+	return true
 }
 
 func TestJWTExistingSessionRSAWithRawSourcePolicyIDChanged(t *testing.T) {
