You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2022/06/21 14:50:36 UTC
[GitHub] [couchdb] rnewson commented on a diff in pull request #4041: Allow and evaluate nested json claim roles
rnewson commented on code in PR #4041:
URL: https://github.com/apache/couchdb/pull/4041#discussion_r902721938
##########
src/couch/src/couch_httpd_auth.erl:
##########
@@ -253,6 +246,59 @@ jwt_authentication_handler(Req) ->
Req
end.
+tokenize_json_path(Path, SliceStart, [], Result) ->
+ Result1 = Result ++ [?l2b(string:slice(Path, SliceStart))],
+ [?l2b(string:replace(X, "\\.", ".", all)) || X <- Result1];
+tokenize_json_path(Path, SliceStart, [[{Pos, _}] | T], Result) ->
+ Slice = string:slice(Path, SliceStart, Pos - SliceStart),
+ NewResult = Result ++ [?l2b(Slice)],
+ tokenize_json_path(Path, Pos + 1, T, NewResult).
+
+tokenize_json_path(Path, SplitPositions) ->
+ tokenize_json_path(Path, 0, SplitPositions, []).
+
+get_roles_claim(Claims) ->
+ RolesClaimPath = config:get(
+ "jwt_auth", "roles_claim_path"
+ ),
+ Result =
+ case RolesClaimPath of
+ undefined ->
+ couch_util:get_value(
+ ?l2b(
+ config:get(
+ "jwt_auth", "roles_claim_name", "_couchdb.roles"
+ )
+ ),
+ Claims,
+ []
+ );
+ _ ->
+ % find all "." but no "\."
+ PathRegex = "(?<!\\\\)\\.",
+ MatchPositions =
+ case re:run(RolesClaimPath, PathRegex, [global]) of
+ nomatch -> [];
+ {match, Pos} -> Pos
+ end,
+ TokenizedJsonPath = tokenize_json_path(RolesClaimPath, MatchPositions),
+ couch_util:get_nested_json_value({Claims}, TokenizedJsonPath)
+ end,
+ case is_list(Result) of
+ true ->
+ [
+ throw(
+ {bad_request, <<"Malformed JWT roles claim. Must be a JSON list of strings">>}
Review Comment:
`{bad_request, <<"Malformed token">>}` to match the other errors, we try not to reveal useful information to failed authentication requests.
##########
src/couch/src/couch_httpd_auth.erl:
##########
@@ -253,6 +246,59 @@ jwt_authentication_handler(Req) ->
Req
end.
+tokenize_json_path(Path, SliceStart, [], Result) ->
+ Result1 = Result ++ [?l2b(string:slice(Path, SliceStart))],
+ [?l2b(string:replace(X, "\\.", ".", all)) || X <- Result1];
+tokenize_json_path(Path, SliceStart, [[{Pos, _}] | T], Result) ->
+ Slice = string:slice(Path, SliceStart, Pos - SliceStart),
+ NewResult = Result ++ [?l2b(Slice)],
+ tokenize_json_path(Path, Pos + 1, T, NewResult).
+
+tokenize_json_path(Path, SplitPositions) ->
+ tokenize_json_path(Path, 0, SplitPositions, []).
+
+get_roles_claim(Claims) ->
+ RolesClaimPath = config:get(
+ "jwt_auth", "roles_claim_path"
+ ),
+ Result =
+ case RolesClaimPath of
+ undefined ->
+ couch_util:get_value(
+ ?l2b(
+ config:get(
+ "jwt_auth", "roles_claim_name", "_couchdb.roles"
+ )
+ ),
+ Claims,
+ []
+ );
+ _ ->
+ % find all "." but no "\."
+ PathRegex = "(?<!\\\\)\\.",
+ MatchPositions =
+ case re:run(RolesClaimPath, PathRegex, [global]) of
+ nomatch -> [];
+ {match, Pos} -> Pos
+ end,
+ TokenizedJsonPath = tokenize_json_path(RolesClaimPath, MatchPositions),
+ couch_util:get_nested_json_value({Claims}, TokenizedJsonPath)
+ end,
+ case is_list(Result) of
+ true ->
+ [
+ throw(
+ {bad_request, <<"Malformed JWT roles claim. Must be a JSON list of strings">>}
+ )
+ || R <- Result, not is_binary(R)
+ ],
+ Result;
+ false ->
+ throw(
+ {bad_request, <<"Malformed JWT roles claim. Needs to be a JSON list of strings.">>}
Review Comment:
`{bad_request, <<"Malformed token">>}` to match the other errors, we try not to reveal useful information to failed authentication requests.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org