Fix audience array handling in roles config

outfoxx · Nov 9, 2021 · b0e12ae · b0e12ae
1 parent 5451be7
commit b0e12ae
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 2 deletions.
diff --git a/plugin/path_roles.go b/plugin/path_roles.go
@@ -240,11 +240,15 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f
 			if !config.AudiencePattern.MatchString(aud) {
 				return logical.ErrorResponse("validation of 'aud' claim failed"), logical.ErrInvalidRequest
 			}
-		case []string:
+		case []interface{}:
 			if config.MaxAudiences > -1 && len(aud) > config.MaxAudiences {
 				return logical.ErrorResponse("too many audience claims: %d", len(aud)), logical.ErrInvalidRequest
 			}
-			for _, audEntry := range aud {
+			for _, rawAudEntry := range aud {
+				audEntry, ok := rawAudEntry.(string)
+				if !ok {
+					return logical.ErrorResponse("'aud' claim was %T, not string", audEntry), logical.ErrInvalidRequest
+				}
 				if !config.AudiencePattern.MatchString(audEntry) {
 					return logical.ErrorResponse("validation of 'aud' claim failed"), logical.ErrInvalidRequest
 				}

diff --git a/plugin/path_roles_test.go b/plugin/path_roles_test.go
@@ -153,6 +153,38 @@ func TestCreateDisallowedOtherClaim(t *testing.T) {
 
 }
 
+func TestCreateAudienceAsArray(t *testing.T) {
+	b, storage := getTestBackend(t)
+
+	role := "tester"
+
+	claims := map[string]interface{}{
+		"aud": []interface{}{"foo", "bar"},
+	}
+
+	if err := writeRole(b, storage, role, role+".example.com", claims); err != nil {
+		t.Fatalf("%v\n", err)
+	}
+
+	resp, err := readRole(b, storage, role)
+	if err != nil {
+		t.Fatalf("%v\n", err)
+	}
+
+	claims, ok := resp.Data[keyClaims].(map[string]interface{})
+	if !ok {
+		t.Error("failed to read response claims")
+	}
+
+	audience, ok := claims["aud"]
+	if !ok {
+		t.Error("no audience claim found")
+	}
+	if diff := deep.Equal(claims["aud"], audience); diff != nil {
+		t.Error("failed to update audience:", diff)
+	}
+}
+
 func TestList(t *testing.T) {
 	b, storage := getTestBackend(t)