Merge remote-tracking branch 'upstream/master' into adong/google_oidc

* upstream/master: docs: add pull request template (hashicorp#106) Update deps and vendoring Add optional client_nonce for OIDC logins (hashicorp#104) Change default_role to be lowercase (hashicorp#100) Update api and sdk deps Support form_post mode (hashicorp#98) Add timeout to OIDC callback listener (hashicorp#97) Update dependencies (hashicorp#95) Add missing test name Move tests into sub tests Add the ability to match bound claims using globs (hashicorp#89) Additional test scenarios strip innerLoop reduce nested loops rewrite loop Additional review changes Code review changes Add ability to match bound claims using globs (i.e. wildcards) Default OIDC callback listener to only listen on localhost (hashicorp#86) more customisation for callback URL (hashicorp#80)
adongy · Apr 8, 2020 · 012bb50 · 012bb50
2 parents 382d691 + 0e93b06
commit 012bb50
Show file tree

Hide file tree

Showing 365 changed files with 40,554 additions and 12,737 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,20 @@
+# Overview
+A high level description of the contribution, including:
+Who the change affects or is for (stakeholders)?
+What is the change? 
+Why is the change needed?
+How does this change affect the user experience (if at all)?
+
+# Design of Change
+How was this change implemented?
+
+# Related Issues/Pull Requests
+[ ] [Issue #1234](https://github.com/hashicorp/vault/issues/1234)
+[ ] [PR #1234](https://github.com/hashicorp/vault/pr/1234)
+
+# Contributor Checklist
+[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
+[My Docs PR Link](link)
+[Example](https://github.com/hashicorp/vault/commit/2715f5cec982aabc7b7a6ae878c547f6f475bba6)
+[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
+[ ] Backwards compatible
diff --git a/claims.go b/claims.go
@@ -5,10 +5,10 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/hashicorp/vault/sdk/helper/strutil"
-
 	log "github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/mitchellh/pointerstructure"
+	"github.com/ryanuber/go-glob"
 )
 
 // getClaim returns a claim value from allClaims given a provided claim string.
@@ -89,45 +89,63 @@ func validateAudience(boundAudiences, audClaim []string, strict bool) error {
 
 // validateBoundClaims checks that all of the claim:value requirements in boundClaims are
 // met in allClaims.
-func validateBoundClaims(logger log.Logger, boundClaims, allClaims map[string]interface{}) error {
+func validateBoundClaims(logger log.Logger, boundClaimsType string, boundClaims, allClaims map[string]interface{}) error {
+	useGlobs := boundClaimsType == boundClaimsTypeGlob
+
 	for claim, expValue := range boundClaims {
 		actValue := getClaim(logger, allClaims, claim)
 		if actValue == nil {
 			return fmt.Errorf("claim %q is missing", claim)
 		}
 
-		var actVals, expVals []interface{}
-
 		actVals, ok := normalizeList(actValue)
 		if !ok {
 			return fmt.Errorf("received claim is not a string or list: %v", actValue)
 		}
 
-		expVals, ok = normalizeList(expValue)
+		expVals, ok := normalizeList(expValue)
 		if !ok {
 			return fmt.Errorf("bound claim is not a string or list: %v", expValue)
 		}
 
-		found := false
-
-	scan:
-		for _, v := range expVals {
-			for _, av := range actVals {
-				if av == v {
-					found = true
-					break scan
-				}
-			}
+		found, err := matchFound(expVals, actVals, useGlobs)
+		if err != nil {
+			return err
 		}
-
 		if !found {
 			return fmt.Errorf("claim %q does not match any associated bound claim values", claim)
 		}
 	}
-
 	return nil
 }
 
+func matchFound(expVals, actVals []interface{}, useGlobs bool) (bool, error) {
+	for _, expVal := range expVals {
+		for _, actVal := range actVals {
+			if useGlobs {
+				// Only string globbing is supported.
+				expValStr, ok := expVal.(string)
+				if !ok {
+					return false, fmt.Errorf("received claim is not a glob string: %expVal", expVal)
+				}
+				actValStr, ok := actVal.(string)
+				if !ok {
+					continue
+				}
+				if !glob.Glob(expValStr, actValStr) {
+					continue
+				}
+			} else {
+				if actVal != expVal {
+					continue
+				}
+			}
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // normalizeList takes a string, bool or list and returns a list. This is useful when
 // providers are expected to return a list (typically of strings) but reduce it
 // to a string type when the list count is 1.