fix: handle array policies in JWT claim (#10041)

PR #10014 was not complete as only handled policy claims partially.
2025-11-10 05:59:43 -05:00 · 2020-07-14 10:26:47 -07:00
parent 778e9c864f
commit 369a876ebe
5 changed files with 90 additions and 27 deletions
--- a/pkg/iam/policy/policy.go
+++ b/pkg/iam/policy/policy.go
@@ -47,23 +47,36 @@ func GetPoliciesFromClaims(claims map[string]interface{}, policyClaimName string
 	if !ok {
 		return s, false
 	}
-	pnames, ok := pname.([]string)
+	pnames, ok := pname.([]interface{})
 	if !ok {
 		pnameStr, ok := pname.(string)
 		if ok {
-			pnames = strings.Split(pnameStr, ",")
-		} else {
-			return s, false
+			for _, pname := range strings.Split(pnameStr, ",") {
+				pname = strings.TrimSpace(pname)
+				if pname == "" {
+					// ignore any empty strings, considerate
+					// towards some user errors.
+					continue
+				}
+				s.Add(pname)
+			}
+			return s, true
 		}
+		return s, false
 	}
 	for _, pname := range pnames {
-		pname = strings.TrimSpace(pname)
-		if pname == "" {
-			// ignore any empty strings, considerate
-			// towards some user errors.
-			continue
+		pnameStr, ok := pname.(string)
+		if ok {
+			for _, pnameStr := range strings.Split(pnameStr, ",") {
+				pnameStr = strings.TrimSpace(pnameStr)
+				if pnameStr == "" {
+					// ignore any empty strings, considerate
+					// towards some user errors.
+					continue
+				}
+				s.Add(pnameStr)
+			}
 		}
-		s.Add(pname)
 	}
 	return s, true
 }
--- a/pkg/iam/policy/policy_test.go
+++ b/pkg/iam/policy/policy_test.go
@@ -22,10 +22,55 @@ import (
 	"reflect"
 	"testing"

+	"github.com/minio/minio-go/v6/pkg/set"
 	"github.com/minio/minio/pkg/bucket/policy"
 	"github.com/minio/minio/pkg/bucket/policy/condition"
 )

+func TestGetPoliciesFromClaims(t *testing.T) {
+	attributesArray := `{
+  "exp": 1594690452,
+  "iat": 1594689552,
+  "auth_time": 1594689552,
+  "jti": "18ed05c9-2c69-45d5-a33f-8c94aca99ad5",
+  "iss": "http://localhost:8080/auth/realms/minio",
+  "aud": "account",
+  "sub": "7e5e2f30-1c97-4616-8623-2eae14dee9b1",
+  "typ": "ID",
+  "azp": "account",
+  "nonce": "66ZoLzwJbjdkiedI",
+  "session_state": "3df7b526-5310-4038-9f35-50ecd295a31d",
+  "acr": "1",
+  "upn": "harsha",
+  "address": {},
+  "email_verified": false,
+  "groups": [
+    "offline_access"
+  ],
+  "preferred_username": "harsha",
+  "policy": [
+    "readwrite",
+    "readwrite,readonly",
+    "  readonly",
+    ""
+  ]}`
+	var m = make(map[string]interface{})
+	if err := json.Unmarshal([]byte(attributesArray), &m); err != nil {
+		t.Fatal(err)
+	}
+	var expectedSet = set.CreateStringSet("readwrite", "readonly")
+	gotSet, ok := GetPoliciesFromClaims(m, "policy")
+	if !ok {
+		t.Fatal("no policy claim was found")
+	}
+	if gotSet.IsEmpty() {
+		t.Fatal("no policies were found in policy claim")
+	}
+	if !gotSet.Equals(expectedSet) {
+		t.Fatalf("Expected %v got %v", expectedSet, gotSet)
+	}
+}
+
 func TestPolicyIsAllowed(t *testing.T) {
 	case1Policy := Policy{
 		Version: DefaultVersion,