Fix: correctly parse roles claim containing JSON string

LEDfan · LEDfan · commit ee79783cd515 · 2021-06-10T10:24:07.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
@@ -199,44 +199,61 @@ protected GrantedAuthoritiesMapper createAuthoritiesMapper() {
 						}
 						
 						Object claimValue = idToken.getClaims().get(rolesClaimName);
-						if (claimValue == null) {
-							log.debug("No matching claim found.");
-						} else {
-							log.debug(String.format("Matching claim found: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
-						}
 
-						// Workaround: in some cases, getClaimAsStringList fails to parse??
-						List<String> roles = idToken.getClaimAsStringList(rolesClaimName);
-						if (roles == null && claimValue instanceof String) {
-							List<String> parsedRoles = new ArrayList<>();
-							try {
-								Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse((String) claimValue);
-								if (value instanceof List) {
-									List<?> valueList = (List<?>) value;
-									valueList.forEach(o -> parsedRoles.add(o.toString()));
-								}
-							} catch (ParseException e) {
-								// Unable to parse JSON
-							}
-							roles = parsedRoles;
-						}
-						if (roles == null) {
-							if (log.isDebugEnabled()) log.debug("Failed to parse claim value as an array: " + claimValue);
-							continue;
-						}
-						
-						for (String role: roles) {
+						for (String role: parseRolesClaim(log, rolesClaimName, claimValue)) {
 							String mappedRole = role.toUpperCase().startsWith("ROLE_") ? role : "ROLE_" + role;
 							mappedAuthorities.add(new SimpleGrantedAuthority(mappedRole.toUpperCase()));
 						}
-						if (log.isDebugEnabled()) log.debug("The following roles were successfully parsed: " + roles);
 					}
 				}
 				return mappedAuthorities;
 			};
 		}
 	}
-	
+
+	/**
+	 * Parses the claim containing the roles to a List of Strings.
+	 * See #25549 and TestOpenIdParseClaimRoles
+	 */
+	public static List<String> parseRolesClaim(Logger log, String rolesClaimName, Object claimValue) {
+		if (claimValue == null) {
+			log.debug(String.format("No roles claim with name %s found", rolesClaimName));
+			return new ArrayList<>();
+		} else {
+			log.debug(String.format("Matching claim found: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
+		}
+
+		if (claimValue instanceof Collection) {
+			List<String> result = new ArrayList<>();
+			for (Object object : ((Collection<?>) claimValue)) {
+				if (object != null) {
+					result.add(object.toString());
+				}
+			}
+			log.debug(String.format("Parsed roles claim as Java Collection: %s -> %s (%s)", rolesClaimName, result, result.getClass()));
+			return result;
+		}
+
+		if (claimValue instanceof String) {
+			List<String> result = new ArrayList<>();
+			try {
+				Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse((String) claimValue);
+				if (value instanceof List) {
+					List<?> valueList = (List<?>) value;
+					valueList.forEach(o -> result.add(o.toString()));
+				}
+			} catch (ParseException e) {
+				// Unable to parse JSON
+				log.debug(String.format("Unable to parse claim as JSON: %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
+			}
+			log.debug(String.format("Parsed roles claim as JSON: %s -> %s (%s)", rolesClaimName, result, result.getClass()));
+			return result;
+		}
+
+		log.debug(String.format("No parser found for roles claim (unsupported type): %s -> %s (%s)", rolesClaimName, claimValue, claimValue.getClass()));
+		return new ArrayList<>();
+	}
+
 	protected OidcUserService createOidcUserService() {
 		// Use a custom UserService that supports the 'emails' array attribute.
 		return new OidcUserService() {
@@ -258,7 +275,8 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
 			}
 		};
 	}
-	
+
+
 	public static class CustomNameOidcUser extends DefaultOidcUser {
 
 		private static final long serialVersionUID = 7563253562760236634L;
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/unit/TestComputeTargetPath.java b/src/test/java/eu/openanalytics/containerproxy/test/unit/TestComputeTargetPath.java
@@ -22,25 +22,13 @@
 
 import eu.openanalytics.containerproxy.ContainerProxyApplication;
 import eu.openanalytics.containerproxy.backend.AbstractContainerBackend;
-import eu.openanalytics.containerproxy.model.runtime.Proxy;
-import eu.openanalytics.containerproxy.model.spec.ProxySpec;
-import eu.openanalytics.containerproxy.service.ProxyService;
-import eu.openanalytics.containerproxy.service.UserService;
-import eu.openanalytics.containerproxy.test.proxy.MockedUserService;
 import eu.openanalytics.containerproxy.test.proxy.TestProxyService.TestConfiguration;
-import eu.openanalytics.containerproxy.util.ProxyMappingManager;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Primary;
-import org.springframework.core.env.Environment;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.junit4.SpringRunner;
 
-import javax.inject.Inject;
-import java.net.URI;
-
 import static org.junit.Assert.assertEquals;
 
 @SpringBootTest(classes= {TestConfiguration.class, ContainerProxyApplication.class})
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/unit/TestOpenIdParseClaimRoles.java b/src/test/java/eu/openanalytics/containerproxy/test/unit/TestOpenIdParseClaimRoles.java
@@ -0,0 +1,120 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.test.unit;
+
+import eu.openanalytics.containerproxy.ContainerProxyApplication;
+import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
+import eu.openanalytics.containerproxy.test.proxy.TestProxyService;
+import net.minidev.json.JSONArray;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.junit.jupiter.api.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+
+@SpringBootTest(classes= {TestProxyService.TestConfiguration.class, ContainerProxyApplication.class})
+@RunWith(SpringRunner.class)
+@ActiveProfiles("test")
+public class TestOpenIdParseClaimRoles {
+
+    private final Logger logger = LogManager.getLogger(OpenIDAuthenticationBackend.class);
+
+    @Test
+    public void testParseProperJsonArray() {
+        JSONArray claimValue = new JSONArray();
+        claimValue.add("operators");
+        claimValue.add("default-roles-master");
+        claimValue.add("uma_authorization");
+        claimValue.add("offline_access");
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+    @Test
+    public void testParseList() {
+        List<String> claimValue = new ArrayList<>();
+        claimValue.add("operators");
+        claimValue.add("default-roles-master");
+        claimValue.add("uma_authorization");
+        claimValue.add("offline_access");
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+    @Test
+    public void testParseProperJsonArrayAsString() {
+        String claimValue = "[\"operators\",\"default-roles-master\",\"uma_authorization\",\"offline_access\"]";
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+    @Test
+    public void testParseNonStandardJsonArrayAsString() {
+        String claimValue = "[operators,default-roles-master,uma_authorization,offline_access]";
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+    @Test
+    public void testParseNonStandardJsonArrayAsString2() {
+        String claimValue = "[operators, default-roles-master,uma_authorization, offline_access ]";
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+    @Test
+    public void testParseNonStandardJsonArrayAsString3() {
+        String claimValue = "[operators, default-roles-master,uma_authorization, \"offline_access\"]";
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+    @Test
+    public void testParseNonStandardJsonArrayAsString4() {
+        String claimValue = "[operators, default-roles-master,uma_authorization, 'offline_access']";
+
+        List<String> result = OpenIDAuthenticationBackend.parseRolesClaim(logger, "realm_access_roles", claimValue);
+
+        assertEquals(Arrays.asList("operators","default-roles-master","uma_authorization","offline_access"), result);
+    }
+
+}
