claims map must be treated as const

apigee · Jun 4, 2021 · 1f5ba3f · 1f5ba3f
1 parent 255c97d
commit 1f5ba3f
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 8 deletions.
diff --git a/auth/context.go b/auth/context.go
@@ -48,6 +48,7 @@ type Context struct {
 }
 
 // if claims can't be processed, returns error and sets no fields
+// claims map must not be written to: treat as const
 func (a *Context) setClaims(claims map[string]interface{}) error {
 	if claims[apiProductListKey] == nil {
 		return fmt.Errorf("api_product_list claim is required")
@@ -58,14 +59,12 @@ func (a *Context) setClaims(claims map[string]interface{}) error {
 		return errors.Wrapf(err, "unable to interpret api_product_list: %v", claims[apiProductListKey])
 	}
 
-	if _, ok := claims[scopeKey].(string); !ok {
-		if claims[scopeKey] == nil { // nil is ok
-			claims[scopeKey] = ""
-		} else {
-			return fmt.Errorf("unable to interpret %s: %v", scopeKey, claims[scopeKey])
-		}
+	var scope string
+	var ok bool
+	if scope, ok = claims[scopeKey].(string); !ok && claims[scopeKey] != nil { // nil is ok
+		return fmt.Errorf("unable to interpret %s: %v", scopeKey, claims[scopeKey])
 	}
-	scopes := strings.Split(claims[scopeKey].(string), " ")
+	scopes := strings.Split(scope, " ")
 
 	if _, ok := claims[clientIDKey].(string); !ok {
 		return fmt.Errorf("unable to interpret %s: %v", clientIDKey, claims[clientIDKey])

diff --git a/auth/context_test.go b/auth/context_test.go
@@ -61,9 +61,34 @@ func TestSetClaims(t *testing.T) {
 	if !reflect.DeepEqual(claimsWant, c.Scopes) {
 		t.Errorf("claims want: %s, got: %v", claimsWant, claims[scopeKey])
 	}
+
+	claims[scopeKey] = 12
+	if err := c.setClaims(claims); err == nil {
+		t.Errorf("bad scope should error")
+	}
+	claims[scopeKey] = nil
+
+	claims[clientIDKey] = 12
+	if err := c.setClaims(claims); err == nil {
+		t.Errorf("bad ClientID should error")
+	}
+	claims[clientIDKey] = nil
+
+	claims[applicationNameKey] = 12
+	if err := c.setClaims(claims); err == nil {
+		t.Errorf("bad applicationName should error")
+	}
 }
 
 func TestParseArrays(t *testing.T) {
+	res, err := parseArrayOfStrings(nil)
+	if err != nil {
+		t.Errorf("nil array should not error")
+	}
+	if res != nil {
+		t.Errorf("nil array should return nil")
+	}
+
 	arr := []interface{}{
 		"this",
 		"is",
@@ -72,7 +97,7 @@ func TestParseArrays(t *testing.T) {
 		123,
 	}
 
-	res, err := parseArrayOfStrings(arr)
+	res, err = parseArrayOfStrings(arr)
 	if err == nil || err.Error() != "unable to interpret: 123" {
 		t.Errorf("wanted 'unable to interpret: 123', got %v", err)
 	}

diff --git a/auth/key/verify_api_key.go b/auth/key/verify_api_key.go
@@ -187,6 +187,7 @@ func (kv *verifierImpl) singleFetchToken(ctx context.Context, apiKey string) (ma
 }
 
 // verify returns the list of claims that an API key has.
+// claims map must not be written to: treat as const
 func (kv *verifierImpl) Verify(ctx context.Context, apiKey string) (claims map[string]interface{}, err error) {
 	if existing, ok := kv.cache.Get(apiKey); ok {
 		claims = existing.(map[string]interface{})