🐛 Fix audience configuration option parsing in JwtAuthenticationMecha…

…nism, can be null, a String or an Array of Strings
SoftInstigate · Dec 8, 2023 · bbfd5b1 · bbfd5b1
1 parent 1eade83
commit bbfd5b1
Showing 1 changed file with 36 additions and 18 deletions.
diff --git a/security/src/main/java/org/restheart/security/mechanisms/JwtAuthenticationMechanism.java b/security/src/main/java/org/restheart/security/mechanisms/JwtAuthenticationMechanism.java
@@ -20,43 +20,47 @@
  */
 package org.restheart.security.mechanisms;
 
-import com.auth0.jwt.JWT;
-import com.auth0.jwt.JWTVerifier;
-import com.auth0.jwt.algorithms.Algorithm;
-import com.auth0.jwt.exceptions.JWTDecodeException;
-import com.auth0.jwt.exceptions.JWTVerificationException;
-import com.auth0.jwt.interfaces.Claim;
-import com.auth0.jwt.interfaces.DecodedJWT;
-import com.auth0.jwt.interfaces.Verification;
-import com.google.common.net.HttpHeaders;
-import io.undertow.security.api.AuthenticationMechanism;
-import io.undertow.security.api.SecurityContext;
-import io.undertow.server.HttpServerExchange;
 import java.io.ByteArrayInputStream;
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Consumer;
+
 import org.apache.commons.codec.binary.StringUtils;
 import org.restheart.configuration.ConfigurationException;
 import org.restheart.exchange.Request;
-import org.restheart.security.JwtAccount;
 import org.restheart.plugins.ConsumingPlugin;
 import org.restheart.plugins.Inject;
 import org.restheart.plugins.OnInit;
 import org.restheart.plugins.RegisterPlugin;
 import org.restheart.plugins.security.AuthMechanism;
+import org.restheart.security.JwtAccount;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.Claim;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.Verification;
+import com.google.common.net.HttpHeaders;
+
+import io.undertow.security.api.AuthenticationMechanism;
+import io.undertow.security.api.SecurityContext;
+import io.undertow.server.HttpServerExchange;
+
 /**
  * factory for JWT AuthenticationMechanism
  *
@@ -78,7 +82,7 @@ public class JwtAuthenticationMechanism implements AuthMechanism, ConsumingPlugi
     private String rolesClaim;
     private List<String> fixedRoles;
     private String issuer;
-    private String[] audience;
+    private List<String> audience;
 
     @Inject("config")
     private Map<String, Object> config;
@@ -96,7 +100,21 @@ public void init() throws ConfigurationException {
         rolesClaim = argOrDefault(config, "rolesClaim", null);
         fixedRoles = argOrDefault(config, "fixedRoles", null);
         issuer = argOrDefault(config, "issuer", null);
-        audience = argOrDefault(config, "audience", null);
+        var _audience = argOrDefault(config, "audience", null);
+
+        audience = new ArrayList<String>();
+
+        if (_audience == null) {
+            this.audience = null;
+        } else if (_audience instanceof String _as) {
+            audience = new ArrayList<String>();
+            this.audience.add(_as);
+        } else if (_audience instanceof List<?> _al) {
+            audience = new ArrayList<String>();
+            _al.stream().filter(e -> e instanceof String).map(e -> (String)e).forEach(e -> this.audience.add(e));
+        } else {
+            throw new ConfigurationException("Wrong audience, must be a String or an Array of Strings");
+        }
 
         Algorithm _algorithm;
 
@@ -108,8 +126,8 @@ public void init() throws ConfigurationException {
 
         Verification v = JWT.require(_algorithm);
 
-        if (audience != null) {
-            v = v.withAudience(audience);
+        if (audience != null && !audience.isEmpty()) {
+            v = v.withAudience(audience.toArray(String[]::new));
         }
 
         if (issuer != null) {
@@ -120,7 +138,7 @@ public void init() throws ConfigurationException {
             throw new ConfigurationException("wrong JWT configuration, cannot set both 'rolesClaim' and 'fixedRoles'");
         }
 
-        if (rolesClaim == null && fixedRoles == null) {
+        if (rolesClaim == null && (fixedRoles == null || fixedRoles.isEmpty())) {
             throw new ConfigurationException("wrong JWT configuration, need to set either 'rolesClaim' or 'fixedRoles'");
         }