Google Git
Sign in
edge/third_party/SermoDigital/jose/2d886f60e2bf2ec35ada58b6fa885207e50fce90^!/.
commit
2d886f60e2bf2ec35ada58b6fa885207e50fce90
[log] [tgz]
author
Eric Lagergren <ericscottlagergren@gmail.com>
Sun Apr 17 23:38:15 2016 -0700
committer
Eric Lagergren <ericscottlagergren@gmail.com>
Sun Apr 17 23:38:15 2016 -0700
tree
e10339c30a6995a095fc07eccf39cffa34193bee
parent
413cd93d06fca57ad0a325602b023b0710a6c87d [diff]
jwt: Fix Audience validation to match spec more closely

diff --git a/jwt/claims.go b/jwt/claims.go
index a44f207..d4f94b8 100644
--- a/jwt/claims.go
+++ b/jwt/claims.go

@@ -84,7 +84,7 @@
 	// Since json.Unmarshal calls UnmarshalJSON,
 	// calling json.Unmarshal on *p would be infinitely recursive
 	// A temp variable is needed because &map[string]interface{}(*p) is
-	// invalid Go.
+	// invalid Go. (Address of unaddressable object and all that...)
 
 	tmp := map[string]interface{}(*c)
 	if err = json.Unmarshal(b, &tmp); err != nil {
@@ -111,6 +111,8 @@
 // Audience retrieves claim "aud" per its type in
 // https://tools.ietf.org/html/rfc7519#section-4.1.3
 func (c Claims) Audience() ([]string, bool) {
+	// Audience claim must be stringy. That is, it may be one string
+	// or multiple strings but it should not be anything else. E.g. an int.
 	switch t := c.Get("aud").(type) {
 	case string:
 		return []string{t}, true

diff --git a/jwt/eq.go b/jwt/eq.go
index a7a37a9..3113269 100644
--- a/jwt/eq.go
+++ b/jwt/eq.go

@@ -1,52 +1,47 @@
 package jwt
 
-import "reflect"
+func verifyPrincipals(pcpls, auds []string) bool {
+	// "Each principal intended to process the JWT MUST
+	// identify itself with a value in the audience claim."
+	// - https://tools.ietf.org/html/rfc7519#section-4.1.3
 
-// eq returns true if the two types are either strings
-// or comparable slices.
-func eq(a, b interface{}) bool {
-	t1 := reflect.TypeOf(a)
-	t2 := reflect.TypeOf(b)
-
-	if t1.Kind() == t2.Kind() {
-		switch t1.Kind() {
-		case reflect.Slice:
-			return eqSlice(a, b)
-		case reflect.String:
-			return reflect.ValueOf(a).String() ==
-				reflect.ValueOf(b).String()
-		}
-	}
-	return false
-}
-
-// eqSlice returns true if the two interfaces are both slices
-// and are equal. For example: https://play.golang.org/p/5VLMwNE3i-
-func eqSlice(a, b interface{}) bool {
-	if a == nil || b == nil {
-		return false
-	}
-
-	v1 := reflect.ValueOf(a)
-	v2 := reflect.ValueOf(b)
-
-	if v1.Kind() != reflect.Slice ||
-		v2.Kind() != reflect.Slice {
-		return false
-	}
-
-	if v1.Len() == v2.Len() && v1.Len() > 0 {
-		for i := 0; i < v1.Len() && i < v2.Len(); i++ {
-			k1 := v1.Index(i)
-			k2 := v2.Index(i)
-			if k1.Type().Comparable() &&
-				k2.Type().Comparable() &&
-				k1.CanInterface() && k2.CanInterface() &&
-				k1.Interface() != k2.Interface() {
-				return false
+	found := -1
+	for i, p := range pcpls {
+		for _, v := range auds {
+			if p == v {
+				found++
+				break
 			}
 		}
-		return true
+		if found != i {
+			return false
+		}
 	}
-	return false
+	return true
+}
+
+// ValidAudience returns true iff:
+// 	- a and b are strings and a == b
+// 	- a is string, b is []string and a is in b
+// 	- a is []string, b is []string and all of a is in b
+// 	- a is []string, b is string and len(a) == 1 and a[0] == b
+func ValidAudience(a, b interface{}) bool {
+	s1, ok := a.(string)
+	if ok {
+		if s2, ok := b.(string); ok {
+			return s1 == s2
+		}
+		a2, ok := b.([]string)
+		return ok && verifyPrincipals([]string{s1}, a2)
+	}
+
+	a1, ok := a.([]string)
+	if !ok {
+		return false
+	}
+	if a2, ok := b.([]string); ok {
+		return verifyPrincipals(a1, a2)
+	}
+	s2, ok := b.(string)
+	return ok && len(a1) == 1 && a1[0] == s2
 }

diff --git a/jwt/eq_test.go b/jwt/eq_test.go
new file mode 100644
index 0000000..5f9d4fd
--- /dev/null
+++ b/jwt/eq_test.go

@@ -0,0 +1,26 @@
+package jwt_test
+
+import (
+	"testing"
+
+	"github.com/SermoDigital/jose/jwt"
+)
+
+func TestValidAudience(t *testing.T) {
+	tests := [...]struct {
+		a interface{}
+		b interface{}
+		v bool
+	}{
+		0: {"https://www.google.com", "https://www.google.com", true},
+		1: {[]string{"example.com", "google.com"}, []string{"example.com"}, false},
+		2: {500, 43, false},
+		3: {"google.com", "facebook.com", false},
+		4: {[]string{"example.com"}, []string{"example.com", "foo.com"}, true},
+	}
+	for i, v := range tests {
+		if x := jwt.ValidAudience(v.a, v.b); x != v.v {
+			t.Fatalf("#%d: wanted %t, got %t", i, v.v, x)
+		}
+	}
+}

diff --git a/jwt/jwt.go b/jwt/jwt.go
index 18f5758..d29c43a 100644
--- a/jwt/jwt.go
+++ b/jwt/jwt.go

@@ -42,13 +42,7 @@
 	NBF      time.Duration // NBFLeeway
 	Fn       ValidateFunc  // See ValidateFunc for more information.
 
-	_ struct{}
-}
-
-var defaultClaims = []string{
-	"iss", "sub", "aud",
-	"exp", "nbf", "iat",
-	"jti",
+	_ struct{} // Require explicitly-named struct fields.
 }
 
 // Validate validates the JWT based on the expected claims in v.
@@ -75,7 +69,8 @@
 	}
 
 	if aud, ok := v.Expected.Audience(); ok {
-		if aud2, _ := j.Claims().Audience(); !eq(aud, aud2) {
+		aud2, ok := j.Claims().Audience()
+		if !ok || !ValidAudience(aud, aud2) {
 			return ErrInvalidAUDClaim
 		}
 	}