[management, client] Fix SSH server audience validator (#5105)

* **New Features** * SSH server JWT validation now accepts multiple audiences with backward-compatible handling of the previous single-audience setting and a guard ensuring at least one audience is configured. * **Tests** * Test suites updated and new tests added to cover multiple-audience scenarios and compatibility with existing behavior. * **Other** * Startup logging enhanced to report configured audiences for JWT auth.
2026-04-18 16:26:38 +00:00 · 2026-01-16 12:28:17 +01:00
parent 067c77e49e
commit 1ff7abe909
8 changed files with 565 additions and 371 deletions
--- a/management/internals/shared/grpc/conversion.go
+++ b/management/internals/shared/grpc/conversion.go
@@ -434,9 +434,16 @@ func buildJWTConfig(config *nbconfig.HttpServerConfig, deviceFlowConfig *nbconfi
 	if config.CLIAuthAudience != "" {
 		audience = config.CLIAuthAudience
 	}
+
+	audiences := []string{config.AuthAudience}
+	if config.CLIAuthAudience != "" && config.CLIAuthAudience != config.AuthAudience {
+		audiences = append(audiences, config.CLIAuthAudience)
+	}
+
 	return &proto.JWTConfig{
 		Issuer:       issuer,
 		Audience:     audience,
+		Audiences:    audiences,
 		KeysLocation: keysLocation,
 	}
 }
--- a/management/internals/shared/grpc/conversion_test.go
+++ b/management/internals/shared/grpc/conversion_test.go
@@ -6,9 +6,12 @@ import (
 	"reflect"
 	"testing"

+	"github.com/stretchr/testify/assert"
+
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller/cache"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 )

 func TestToProtocolDNSConfigWithCache(t *testing.T) {
@@ -148,3 +151,51 @@ func generateTestData(size int) nbdns.Config {

 	return config
 }
+
+func TestBuildJWTConfig_Audiences(t *testing.T) {
+	tests := []struct {
+		name              string
+		authAudience      string
+		cliAuthAudience   string
+		expectedAudiences []string
+		expectedAudience  string
+	}{
+		{
+			name:              "only_auth_audience",
+			authAudience:      "dashboard-aud",
+			cliAuthAudience:   "",
+			expectedAudiences: []string{"dashboard-aud"},
+			expectedAudience:  "dashboard-aud",
+		},
+		{
+			name:              "both_audiences_different",
+			authAudience:      "dashboard-aud",
+			cliAuthAudience:   "cli-aud",
+			expectedAudiences: []string{"dashboard-aud", "cli-aud"},
+			expectedAudience:  "cli-aud",
+		},
+		{
+			name:              "both_audiences_same",
+			authAudience:      "same-aud",
+			cliAuthAudience:   "same-aud",
+			expectedAudiences: []string{"same-aud"},
+			expectedAudience:  "same-aud",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			config := &nbconfig.HttpServerConfig{
+				AuthIssuer:      "https://issuer.example.com",
+				AuthAudience:    tc.authAudience,
+				CLIAuthAudience: tc.cliAuthAudience,
+			}
+
+			result := buildJWTConfig(config, nil)
+
+			assert.NotNil(t, result)
+			assert.Equal(t, tc.expectedAudiences, result.Audiences, "audiences should match expected")
+			assert.Equal(t, tc.expectedAudience, result.Audience, "audience should match expected")
+		})
+	}
+}