feat: accept lists in the token audience claim

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2022-09-27 15:34:26 +02:00 · 2022-09-27 15:34:26 +02:00 · 3472f7a8e3
commit 3472f7a8e3
parent 97fa1183bf
4 changed files with 35 additions and 22 deletions
--- a/contrib/token-server/token.go
+++ b/contrib/token-server/token.go
@ -180,7 +180,7 @@ func (issuer *TokenIssuer) CreateJWT(subject string, audience string, grantedAcc
 	claimSet := token.ClaimSet{
 		Issuer:     issuer.Issuer,
 		Subject:    subject,
-		Audience:   audience,
+		Audience:   []string{audience},
 		Expiration: now.Add(exp).Unix(),
 		NotBefore:  now.Unix(),
 		IssuedAt:   now.Unix(),
--- a/registry/auth/token/token.go
+++ b/registry/auth/token/token.go
@ -44,7 +44,7 @@ type ClaimSet struct {
 	// Public claims
 	Issuer     string         `json:"iss"`
 	Subject    string         `json:"sub"`
-	Audience   string `json:"aud"`
+	Audience   WeakStringList `json:"aud"`
 	Expiration int64          `json:"exp"`
 	NotBefore  int64          `json:"nbf"`
 	IssuedAt   int64          `json:"iat"`
@ -141,8 +141,8 @@ func (t *Token) Verify(verifyOpts VerifyOptions) error {
 	}

 	// Verify that the Audience claim is allowed.
-	if !contains(verifyOpts.AcceptedAudiences, t.Claims.Audience) {
-		log.Infof("token intended for another audience: %q", t.Claims.Audience)
+	if !containsAny(verifyOpts.AcceptedAudiences, t.Claims.Audience) {
+		log.Infof("token intended for another audience: %v", t.Claims.Audience)
 		return ErrInvalidToken
 	}

@ -185,6 +185,7 @@ func (t *Token) Verify(verifyOpts VerifyOptions) error {

 // VerifySigningKey attempts to get the key which was used to sign this token.
 // The token header should contain either of these 3 fields:
+//
 //	`x5c` - The x509 certificate chain for the signing key. Needs to be
 //	        verified.
 //	`jwk` - The JSON Web Key representation of the signing key.
@ -192,6 +193,7 @@ func (t *Token) Verify(verifyOpts VerifyOptions) error {
 //	`kid` - The unique identifier for the key. This library interprets it
 //	        as a libtrust fingerprint. The key itself can be looked up in
 //	        the trustedKeys field of the given verify options.
+//
 // Each of these methods are tried in that order of preference until the
 // signing key is found or an error is returned.
 func (t *Token) VerifySigningKey(verifyOpts VerifyOptions) (signingKey libtrust.PublicKey, err error) {
--- a/registry/auth/token/token_test.go
+++ b/registry/auth/token/token_test.go
@ -117,7 +117,7 @@ func makeTestToken(issuer, audience string, access []*ResourceActions, rootKey l
 	claimSet := &ClaimSet{
 		Issuer:     issuer,
 		Subject:    "foo",
-		Audience:   audience,
+		Audience:   []string{audience},
 		Expiration: exp.Unix(),
 		NotBefore:  now.Unix(),
 		IssuedAt:   now.Unix(),
--- a/registry/auth/token/util.go
+++ b/registry/auth/token/util.go
@ -56,3 +56,14 @@ func contains(ss []string, q string) bool {

 	return false
 }
+
+// containsAny returns true if any of q is found in ss.
+func containsAny(ss []string, q []string) bool {
+	for _, s := range ss {
+		if contains(q, s) {
+			return true
+		}
+	}
+
+	return false
+}