Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added check to handle token parsing with claims without "sub". #3287

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion filters/auth/oidc_introspection.go
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,12 @@ func (filter *oidcIntrospectionFilter) Request(ctx filters.FilterContext) {
return
}

sub := token.Claims["sub"].(string)
sub, ok := token.Claims["sub"].(string)
if !ok {
unauthorized(ctx, sub, invalidSub, "", "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here the sub will be empty? Maybe then pass empty value ("") or a sentinel value.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can also pass r.Host like in the invocations above.

return
}

authorized(ctx, sub)
}

Expand Down
24 changes: 18 additions & 6 deletions filters/auth/oidc_introspection_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -139,11 +139,12 @@ func TestCreateOIDCQueryClaimsFilter(t *testing.T) {

func TestOIDCQueryClaimsFilter(t *testing.T) {
for _, tc := range []struct {
msg string
path string
expected int
expectErr bool
args []interface{}
msg string
path string
expected int
expectErr bool
args []interface{}
removeClaims []string
}{
{
msg: "secure sub/path not permitted",
Expand All @@ -165,6 +166,17 @@ func TestOIDCQueryClaimsFilter(t *testing.T) {
expected: 200,
expectErr: false,
},
{
msg: "secure sub/path is not permitted",
Copy link
Member

@AlexanderYastrebov AlexanderYastrebov Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe "missing sub claim is not permitted"

args: []interface{}{
"/login:groups.#[==\"AppX-Test-Users\"]",
"/:@_:email%\"*@example.org\"",
},
path: "/login/page",
expected: 401,
expectErr: false,
removeClaims: []string{"sub"},
},
{
msg: "generic user path permitted",
args: []interface{}{
Expand Down Expand Up @@ -292,7 +304,7 @@ func TestOIDCQueryClaimsFilter(t *testing.T) {
t.Errorf("Failed to parse url %s: %v", proxy.URL, err)
}
reqURL.Path = tc.path
oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}})
oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}}, tc.removeClaims)
defer oidcServer.Close()
t.Logf("oidc/auth server URL: %s", oidcServer.URL)
// create filter
Expand Down
11 changes: 8 additions & 3 deletions filters/auth/oidc_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ var testOpenIDConfig = `{
// returns a localhost instance implementation of an OpenID Connect
// server with configendpoint, tokenendpoint, authenticationserver endpoint, userinfor
// endpoint, jwks endpoint
func createOIDCServer(cb, client, clientsecret string, extraClaims jwt.MapClaims) *httptest.Server {
func createOIDCServer(cb, client, clientsecret string, extraClaims jwt.MapClaims, removeClaims []string) *httptest.Server {
var oidcServer *httptest.Server
oidcServer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
Expand Down Expand Up @@ -233,6 +233,11 @@ func createOIDCServer(cb, client, clientsecret string, extraClaims jwt.MapClaims
for k, v := range extraClaims {
claims[k] = v
}

for _, k := range removeClaims {
delete(claims, k)
}

token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)

privKey, err := os.ReadFile(keyPath)
Expand Down Expand Up @@ -557,7 +562,7 @@ func TestNewOidc(t *testing.T) {
}

func TestCreateFilterOIDC(t *testing.T) {
oidcServer := createOIDCServer("", "", "", nil)
oidcServer := createOIDCServer("", "", "", nil, nil)
defer oidcServer.Close()

for _, tt := range []struct {
Expand Down Expand Up @@ -900,7 +905,7 @@ func TestOIDCSetup(t *testing.T) {

t.Logf("redirect URL: %s", redirectURL.String())

oidcServer := createOIDCServer(redirectURL.String(), "valid-client", "mysec", tc.extraClaims)
oidcServer := createOIDCServer(redirectURL.String(), "valid-client", "mysec", tc.extraClaims, nil)
defer oidcServer.Close()
t.Logf("oidc server URL: %s", oidcServer.URL)

Expand Down
Loading