fix(alcoholic_jwt): Support multiple values in jwt audience claim

Per https://tools.ietf.org/html/rfc7519#section-4.1.3, the audience
claim can consist of either a single string or an array of strings.
The latter currently causes an error due to the type of aud in
PartialClaims.

Message-Id: <87r1toex8n.fsf@riseup.net>
Change-Id: I6e00791d0ba56cb1e3c029e1b8617c33000d2ab1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/946
Tested-by: BuildkiteCI
Reviewed-by: lukegb <lukegb@tvl.fyi>
Caranatar 2020-07-06 06:47:20 -04:00 committed by tazjin
parent 8b58593193
commit 618e5540c2


@ -356,11 +356,20 @@ fn validate_jwt_signature(jwt: &JWT, key: Rsa<Public>) -> JWTResult<()> {
}
}
/// Internal helper enum for PartialClaims that supports single or
/// multiple audiences
#[derive(Deserialize)]
#[serde(untagged)]
enum Audience {
Single(String),
Multi(Vec<String>)
}
/// Internal helper struct for claims that are relevant for claim
/// validations.
#[derive(Deserialize)]
struct PartialClaims {
aud: Option<String>,
aud: Option<Audience>,
iss: Option<String>,
sub: Option<String>,
exp: Option<u64>,
@ -388,7 +397,12 @@ fn apply_validation(claims: &PartialClaims,
Validation::Audience(aud) => {
match claims.aud {
None => Err("'aud' claim is missing"),
Some(ref claim) => if *claim == aud {
Some(Audience::Single(ref claim)) => if *claim == aud {
Ok(())
} else {
Err("'aud' claim does not match")
},
Some(Audience::Multi(ref claims)) => if claims.contains(&aud) {
Ok(())
} else {
Err("'aud' claim does not match")
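Review bot: The two arms added at `Some(Audience::Single(ref claim))` and `Some(Audience::Multi(ref claims))` repeat the same accept/reject shape and the same `'aud' claim does not match` string, so the audience decision now lives in two places; computing one boolean from the variant and deciding once keeps the rule in a single expression (sketch below). The `Multi` arm's `claims.contains(&aud)` is the right rule for an array-valued claim (RFC 7519 §4.1.3 cited in the commit message expects the recipient to find itself in the list) and it also rejects an empty array, which is worth recording on the `Audience` enum in the first hunk so it is not changed by accident: `/// A Multi list that does not contain the expected audience (including an empty list) fails validation.` The binding `claims` in the `Multi` arm shadows the `claims: &PartialClaims` parameter named in the hunk header; a name such as `list` avoids the ambiguity. `apply_validation` starts before this hunk and its remaining arms continue past it.
```rust
match claims.aud {
    None => Err("'aud' claim is missing"),
    Some(ref claim) => {
        // One membership test for both claim shapes; an empty list never matches.
        let matches = match claim {
            Audience::Single(single) => *single == aud,
            Audience::Multi(list) => list.contains(&aud),
        };
        if matches { Ok(()) } else { Err("'aud' claim does not match") }
    }
// … unchanged: remaining Validation arms …
```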