Add functionality to check against a list of claims (#50)

hashicorp · May 16, 2019 · 363f591 · 363f591
1 parent 5bfe480
commit 363f591
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 4 deletions.
diff --git a/claims.go b/claims.go
@@ -96,7 +96,16 @@ func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]in
 			return fmt.Errorf("claim %q is missing", claim)
 		}
 
-		var expVals []interface{}
+		var actVals, expVals []interface{}
+
+		switch v := actValue.(type) {
+		case []interface{}:
+			actVals = v
+		case string:
+			actVals = []interface{}{v}
+		default:
+			return fmt.Errorf("received claim is not a string or list: %v", actValue)
+		}
 
 		switch v := expValue.(type) {
 		case []interface{}:
@@ -108,10 +117,14 @@ func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]in
 		}
 
 		found := false
+
+	scan:
 		for _, v := range expVals {
-			if actValue == v {
-				found = true
-				break
+			for _, av := range actVals {
+				if av == v {
+					found = true
+					break scan
+				}
 			}
 		}
 

diff --git a/claims_test.go b/claims_test.go
@@ -197,6 +197,56 @@ func TestValidateBoundClaims(t *testing.T) {
 			},
 			errExpected: false,
 		},
+		{
+			name: "valid - non-string claim",
+			boundClaims: map[string]interface{}{
+				"foo": []interface{}{42},
+			},
+			allClaims: map[string]interface{}{
+				"foo": []interface{}{42},
+			},
+			errExpected: false,
+		},
+		{
+			name: "valid - match within list",
+			boundClaims: map[string]interface{}{
+				"foo": "a",
+			},
+			allClaims: map[string]interface{}{
+				"foo": []interface{}{"a", "b"},
+			},
+			errExpected: false,
+		},
+		{
+			name: "valid - match list against list",
+			boundClaims: map[string]interface{}{
+				"foo": []interface{}{"a", "b", "c"},
+			},
+			allClaims: map[string]interface{}{
+				"foo": []interface{}{"c", "d"},
+			},
+			errExpected: false,
+		},
+		{
+			name: "invalid - no match within list",
+			boundClaims: map[string]interface{}{
+				"foo": "c",
+			},
+			allClaims: map[string]interface{}{
+				"foo": []interface{}{"a", "b"},
+			},
+			errExpected: true,
+		},
+		{
+			name: "invalid - no match list against list",
+			boundClaims: map[string]interface{}{
+				"foo": []interface{}{"a", "b", "c"},
+			},
+			allClaims: map[string]interface{}{
+				"foo": []interface{}{"d", "e"},
+			},
+			errExpected: true,
+		},
 		{
 			name: "valid - extra data",
 			boundClaims: map[string]interface{}{
@@ -309,6 +359,16 @@ func TestValidateBoundClaims(t *testing.T) {
 			},
 			errExpected: true,
 		},
+		{
+			name: "invalid received claim expected value",
+			boundClaims: map[string]interface{}{
+				"email": "d",
+			},
+			allClaims: map[string]interface{}{
+				"email": 42,
+			},
+			errExpected: true,
+		},
 	}
 	for _, tt := range tests {
 		if err := validateBoundClaims(hclog.NewNullLogger(), tt.boundClaims, tt.allClaims); (err != nil) != tt.errExpected {