From 098706a9784d6b8ff0342ac6084c9c7feed157e8 Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Wed, 18 Dec 2024 10:01:47 +0100 Subject: [PATCH] ROX-27432: allow regex in authentication claimrules (#1441) --- .github/workflows/PR.yaml | 8 ++--- .gitignore | 1 + auth/claimrule/claim_rule.go | 8 ++++- auth/claimrule/claim_rule_test.go | 55 +++++++++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 5 deletions(-) diff --git a/.github/workflows/PR.yaml b/.github/workflows/PR.yaml index 69375bf8c..1521d9c3e 100644 --- a/.github/workflows/PR.yaml +++ b/.github/workflows/PR.yaml @@ -104,7 +104,7 @@ jobs: run: | ENVIRONMENT=development TEST_MODE=true make install-argo clean-argo-config install-monitoring helm-deploy sleep 10 # wait for old pods to disappear so the svc port-forward doesn't connect to them - kubectl -n infra port-forward svc/infra-server-service 8443:8443 & + kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 & sleep 10 kubectl -n infra logs -l app=infra-server --tail=-1 @@ -115,7 +115,7 @@ jobs: - name: Check the deployment run: | - kubectl -n infra port-forward svc/infra-server-service 8443:8443 & + kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 & sleep 10 version="$($INFRACTL version --json)" @@ -157,7 +157,7 @@ jobs: env: INFRA_TOKEN: ${{ secrets.INFRA_TOKEN_DEV }} run: | - kubectl -n infra port-forward svc/infra-server-service 8443:8443 & + kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 & sleep 5 $INFRACTL whoami || true @@ -173,6 +173,6 @@ jobs: env: INFRA_TOKEN: ${{ secrets.INFRA_TOKEN_DEV }} run: | - kubectl -n infra port-forward svc/infra-server-service 8443:8443 & + kubectl -n infra port-forward svc/infra-server-service 8443:8443 > /dev/null 2>&1 & sleep 5 make go-e2e-tests diff --git a/.gitignore b/.gitignore index 3a25ebd88..6fca92897 100644 --- a/.gitignore +++ b/.gitignore 
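Review bot: `> /dev/null 2>&1` on the `kubectl port-forward` line discards the only diagnostic the port-forward emits, so when it fails to bind or the pod is not ready yet the following `sleep`/`$INFRACTL` steps fail with no trace of the cause in the job log; the same applies to the three later hunks of this file. Redirecting to a file that a later step can print keeps the log quiet while preserving the failure reason, e.g. `kubectl -n infra port-forward svc/infra-server-service 8443:8443 > port-forward.log 2>&1 &`.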
@@ -23,3 +23,4 @@ nohup.out
 test/mocks
 __debug_bin*
 .DS_Store
+report.xml
diff --git a/auth/claimrule/claim_rule.go b/auth/claimrule/claim_rule.go
index d3a3f3832..ba2afd856 100644
--- a/auth/claimrule/claim_rule.go
+++ b/auth/claimrule/claim_rule.go
@@ -5,6 +5,7 @@ import (
 "encoding/base64"
 "encoding/json"
 "fmt"
+ "regexp"
 "strings"
 
 "github.com/jeremywohl/flatten/v2"
@@ -70,9 +71,14 @@ func (cr *ClaimRule) equalCheck(flatTokenClaims map[string]interface{}, jsonPath
 return errors.Errorf("expected claim %q is not found", jsonPath)
 }
 
- if cr.Value != tokenClaimValue {
+ pattern := fmt.Sprintf("^%s$", cr.Value)
+ found, err := regexp.MatchString(pattern, tokenClaimValue.(string))
+ if !found {
 return errors.Errorf("expected claim %q is not correct", jsonPath)
 }
+ if err != nil {
+ return errors.Wrapf(err, "error matching claim %s to expected value", tokenClaimValue)
+ }
 
 return nil
 }
diff --git a/auth/claimrule/claim_rule_test.go b/auth/claimrule/claim_rule_test.go
index 4b5be3bc1..3907cfe1b 100644
--- a/auth/claimrule/claim_rule_test.go
+++ b/auth/claimrule/claim_rule_test.go
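Review bot: `tokenClaimValue.(string)` is an unchecked type assertion, so a token whose claim at `jsonPath` is not a string (a number, bool or nested value) now panics inside the authentication check, whereas the removed `!=` comparison simply failed the rule. Two further problems sit on the same lines: `found` is tested before `err`, so an invalid pattern is reported as "not correct" and the `err` branch can never execute (MatchString returns false whenever it returns an error), and `^%s$` does not bind a top-level alternation, so a Value of `val1|val2` becomes `^val1|val2$` and accepts `val1xxx` — wrap the value in `(?:…)`. Because Value is now interpreted as a pattern, existing literal rules containing metacharacters such as `.` silently match more than before; that should at least be stated in the doc comment on the `Value` field. equalCheck begins before this hunk.
```go
	// … unchanged: claim lookup and not-found check …
	claimValue, ok := tokenClaimValue.(string)
	if !ok {
		return errors.Errorf("expected claim %q is not a string", jsonPath)
	}
	// Non-capturing group keeps a top-level alternation in cr.Value
	// inside the ^...$ anchors.
	pattern := "^(?:" + cr.Value + ")$"
	found, err := regexp.MatchString(pattern, claimValue)
	if err != nil {
		return errors.Wrapf(err, "compiling pattern for claim %q", jsonPath)
	}
	if !found {
		return errors.Errorf("expected claim %q is not correct", jsonPath)
	}
	return nil
```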
@@ -164,6 +164,61 @@ func getDataSets() map[string]dataSet { }}, err: true, }, + "eq-regex-match": { + tokenClaims: map[string]interface{}{ + "field": "val1", + }, + rules: ClaimRules{{ + Value: "(val1|val2)", + Path: "field", + Op: "eq", + }}, + err: false, + }, + "eq-regex-no-match": { + tokenClaims: map[string]interface{}{ + "field": "val3", + }, + rules: ClaimRules{{ + Value: "(val1|val2)", + Path: "field", + Op: "eq", + }}, + err: true, + }, + "eq-regex-no-match-substring-claim": { + tokenClaims: map[string]interface{}{ + "field": "val", + }, + rules: ClaimRules{{ + Value: "val1", + Path: "field", + Op: "eq", + }}, + err: true, + }, + "eq-regex-no-match-substring-rule": { + tokenClaims: map[string]interface{}{ + "field": "val23", + }, + rules: ClaimRules{{ + Value: "val2", + Path: "field", + Op: "eq", + }}, + err: true, + }, + "in-regex-match": { + tokenClaims: map[string]interface{}{ + "field": []string{"val1", "val2"}, + }, + rules: ClaimRules{{ + Value: "(val2|val3)", + Path: "field", + Op: "in", + }}, + err: false, + }, } }
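Review bot: The new cases only exercise a parenthesised alternation, so they do not pin down two behaviours the regex change introduces: a Value with a top-level alternation (`val1|val2`, which under `^%s$` anchoring would accept `val1xxx`) and a claim whose token value is not a string, which the unchecked `.(string)` assertion in equalCheck turns into a panic rather than a rule failure. A case with a metacharacter in Value (`user.example.com` against `userXexample.com`) would also document that existing literal rules are now patterns. getDataSets begins before this hunk.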