From 590d977dc77bd87ce3b2ab65f40f8ddf062fe61c Mon Sep 17 00:00:00 2001 From: Givi Khojanashvili Date: Mon, 19 Jun 2023 18:23:26 +0400 Subject: [PATCH] Fix claim extraciton after testing on real auth0 setup --- management/server/account.go | 29 +++++++++++++++++++++++------ management/server/account_test.go | 11 ++++++++--- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/management/server/account.go b/management/server/account.go index 255412957..ecc7f2260 100644 --- a/management/server/account.go +++ b/management/server/account.go @@ -624,22 +624,25 @@ func (a *Account) GetPeer(peerID string) *Peer { } // AddJWTGroups to existed groups if they does not exists -func (a *Account) AddJWTGroups(groups []string) error { +func (a *Account) AddJWTGroups(groups []string) (int, error) { existedGroups := make(map[string]*Group) for _, g := range a.Groups { existedGroups[g.Name] = g } + var count int for _, name := range groups { if _, ok := existedGroups[name]; !ok { - a.Groups[name] = &Group{ - ID: xid.New().String(), + id := xid.New().String() + a.Groups[id] = &Group{ + ID: id, Name: name, Issued: GroupIssuedJWT, } + count++ } } - return nil + return count, nil } // BuildManager creates a new DefaultAccountManager with a provided Store @@ -1277,10 +1280,24 @@ func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.Authorizat return account, user, nil } if claim, ok := claims.Raw[account.Settings.JWTGroupsClaimName]; ok { - if groups, ok := claim.([]string); ok { - if err := account.AddJWTGroups(groups); err != nil { + if slice, ok := claim.([]interface{}); ok { + var groups []string + for _, item := range slice { + if g, ok := item.(string); ok { + groups = append(groups, g) + } else { + log.Errorf("JWT claim %q is not a string: %v", account.Settings.JWTGroupsClaimName, item) + } + } + n, err := account.AddJWTGroups(groups) + if err != nil { log.Errorf("failed to add JWT groups: %v", err) } + if n > 0 { + if err := am.Store.SaveAccount(account); err != nil { + log.Errorf("failed to save account: %v", err) + } + } } else { log.Debugf("JWT claim %q is not a string array", account.Settings.JWTGroupsClaimName) } diff --git a/management/server/account_test.go b/management/server/account_test.go index b0e28dcbc..55aa0d1d0 100644 --- a/management/server/account_test.go +++ b/management/server/account_test.go @@ -478,7 +478,7 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) { Domain: domain, UserId: userId, DomainCategory: "test-category", - Raw: jwt.MapClaims{"idp-groups": []string{"group1", "group2"}}, + Raw: jwt.MapClaims{"idp-groups": []interface{}{"group1", "group2"}}, } t.Run("JWT groups disabled", func(t *testing.T) { @@ -507,12 +507,17 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) { require.NoError(t, err, "get account by token failed") require.Len(t, account.Groups, 3, "groups should be added to the account") - g1, ok := account.Groups["group1"] + groupsByNames := map[string]*Group{} + for _, g := range account.Groups { + groupsByNames[g.Name] = g + } + + g1, ok := groupsByNames["group1"] require.True(t, ok, "group1 should be added to the account") require.Equal(t, g1.Name, "group1", "group1 name should match") require.Equal(t, g1.Issued, GroupIssuedJWT, "group1 issued should match") - g2, ok := account.Groups["group2"] + g2, ok := groupsByNames["group2"] require.True(t, ok, "group2 should be added to the account") require.Equal(t, g2.Name, "group2", "group2 name should match") require.Equal(t, g2.Issued, GroupIssuedJWT, "group2 issued should match")