Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added check to handle token parsing with claims without "sub". #3287

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

wassafshahzad
Copy link

Description

In the oidc_introspection.py func (filter *oidcIntrospectionFilter) Request(ctx filters.FilterContext) function get value form the Claim map using sub key and then casts the value into a string, but this would panic if no sub key is present. I added a check to ensure we only cast values if sub key is present.

Linked Issue

closes #3216

Approach to solution

As describe in the following comment, I dug a bit deeper and found 2 suitable values to use if subject is not present in token. One is the Subject value in tokenContainer struct or UserInfo Struct. I decided to go with the tokenContainer struct. If this is not correct please do guide me if UserInfo Struct would be better.

@wassafshahzad wassafshahzad force-pushed the fix/claim-parsing-oidc-introspection branch from 03721d1 to c7467c4 Compare October 26, 2024 11:58
@MustafaSaber MustafaSaber added the bugfix Bug fixes and patches label Oct 28, 2024
@szuecs
Copy link
Member

szuecs commented Oct 29, 2024

Can you please add a test case?
Thanks 🙏🏽

@wassafshahzad
Copy link
Author

wassafshahzad commented Nov 3, 2024

Can you please add a test case? Thanks 🙏🏽

Could you give me some pointers, I have been looking into multiple filter tests and oidc_intorspection_tests but cant wrap my head around on how to test it.

@MustafaSaber
Copy link
Member

hi @wassafshahzad, thanks for your contribution! You can check

claims := jwt.MapClaims{

&
oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}})

This server creates the token with those claims, I would try to find a way to override those claims and create another testcase where I create the server with the override and this case we expect the fail before the fix and succeed after.

The test case should fail or succeed after triggering

resp, err := client.Do(req)

@wassafshahzad
Copy link
Author

hi @wassafshahzad, thanks for your contribution! You can check

claims := jwt.MapClaims{

&

oidcServer := createOIDCServer(proxy.URL+"/redirect", validClient, "mysec", jwt.MapClaims{"groups": []string{"CD-Administrators", "Purchasing-Department", "AppX-Test-Users", "white space"}})

This server creates the token with those claims, I would try to find a way to override those claims and create another testcase where I create the server with the override and this case we expect the fail before the fix and succeed after.

The test case should fail or succeed after triggering

resp, err := client.Do(req)

Thank you and on it

…e token subjact if sub is not present in claims

Signed-off-by: wassafshahzad <[email protected]>
@wassafshahzad wassafshahzad force-pushed the fix/claim-parsing-oidc-introspection branch from 2f71fb9 to 3cfb9fa Compare November 18, 2024 02:10
@wassafshahzad
Copy link
Author

@MustafaSaber Sorry for the delay, I had a bit of a tough time resolving this issue. I tried using token.Subject and token.UserInfo.Subject in case sub was missing but this would still cause authentication issues. I still need help to identify the right key as I am not as familiar with the repo yet.

However I stumbled on to this piece of code from the jwt_validation file and decided to use it since we already have it for validation and thought consistency would be the right way to go.

@MustafaSaber
Copy link
Member

Thanks for the update! We will review when we have time, we can't merge in the next couple of days also.

@wassafshahzad
Copy link
Author

Thanks for the update! We will review when we have time, we can't merge in the next couple of days also.

No issue, Can I pick another issue ?

@MustafaSaber
Copy link
Member

ofc feel free to pick one of the issues 😄

@MustafaSaber
Copy link
Member

hi @wassafshahzad, can you rebase?

@wassafshahzad
Copy link
Author

hi @wassafshahzad, can you rebase?

Yeah sure no problem

sub := token.Claims["sub"].(string)
sub, ok := token.Claims["sub"].(string)
if !ok {
unauthorized(ctx, sub, invalidSub, "", "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here the sub will be empty? Maybe then pass empty value ("") or a sentinel value.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can also pass r.Host like in the invocations above.

@@ -165,6 +166,17 @@ func TestOIDCQueryClaimsFilter(t *testing.T) {
expected: 200,
expectErr: false,
},
{
msg: "secure sub/path is not permitted",
Copy link
Member

@AlexanderYastrebov AlexanderYastrebov Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe "missing sub claim is not permitted"

@AlexanderYastrebov
Copy link
Member

As a panic fix it looks good to me (with minor comments).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bugfix Bug fixes and patches
Projects
None yet
Development

Successfully merging this pull request may close these issues.

oidcclaimquery: better error handling for casting
4 participants