check if aud has any valid value when authing w/ burnettk

2023-03-07 11:58:59 -05:00 · 2023-03-07 11:58:59 -05:00 · 4344e015ca
parent 762116f258
commit 4344e015ca
3 changed files with 27 additions and 11 deletions
--- a/spiffworkflow-backend/bin/get_token
+++ b/spiffworkflow-backend/bin/get_token
@ -20,22 +20,28 @@ set -o errtrace -o errexit -o nounset -o pipefail
 # ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script
 # ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models'

-if [[ -z "${KEYCLOAK_BASE_URL:-}" ]]; then
-  # KEYCLOAK_BASE_URL=http://localhost:7002
-  KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org
-fi
 if [[ -z "${BACKEND_BASE_URL:-}" ]]; then
  # BACKEND_BASE_URL=http://localhost:7000
  BACKEND_BASE_URL=https://api.dev.spiffworkflow.org
 fi
+if [[ -z "${KEYCLOAK_BASE_URL:-}" ]]; then
+  # KEYCLOAK_BASE_URL=http://localhost:7002
+  KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org
+  if grep -qE "spiffworkflow.org" <<<"$BACKEND_BASE_URL" ; then
+    env_domain=$(sed -E 's/.*api\.(\w+\.spiffworkflow.org).*/\1/' <<<"${BACKEND_BASE_URL}")
+    KEYCLOAK_BASE_URL="https://keycloak.${env_domain}"
+  elif grep -qE "localhost:7000" <<<"$BACKEND_BASE_URL" ; then
+    KEYCLOAK_BASE_URL="http://localhost:7002"
+  fi
+fi
 if [[ -z "${BACKEND_CLIENT_ID:-}" ]]; then
  export BACKEND_CLIENT_ID=spiffworkflow-backend
 fi
 if [[ -z "${BACKEND_CLIENT_SECRET:-}" ]]; then
  export BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"  # noqa: S105
 fi
-USERNAME=${1-fin}
-PASSWORD=${2-fin}
+USERNAME=${1-admin}
+PASSWORD=${2-admin}
 REALM_NAME=${3-spiffworkflow}

 SECURE=false
@ -66,8 +72,13 @@ result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
 -d "password=$PASSWORD" \
 -d 'grant_type=password' \
 -d "client_id=$BACKEND_CLIENT_ID" \
+ -d "audienc111e=${BACKEND_CLIENT_ID}" \
 )
 backend_token=$(jq -r '.access_token' <<< "$result")
+if [[ -z "$backend_token" || "$backend_token" == "null" ]]; then
+  >&2 echo "ERROR: Could not get the backend token. Received result: ${result}"
+  exit 1
+fi
 echo "$backend_token"
 # curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token"
 # curl -v -X POST "${BACKEND_BASE_URL}/v1.0/login_with_access_token?access_token=${backend_token}" -H "Authorization: Bearer $backend_token"
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@ -129,7 +129,6 @@ def verify_token(
                        message="Cannot get user info from token",
                        status_code=401,
                    ) from e
-
                if (
                    user_info is not None
                    and "error" not in user_info
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@ -169,13 +169,19 @@ class AuthenticationService:
        aud = decoded_token["aud"]
        azp = decoded_token["azp"] if "azp" in decoded_token else None
        iat = decoded_token["iat"]
+
+        valid_audience_values = (cls.client_id(), "account")
+        audience_array_in_token = aud
+        if isinstance(aud, str):
+            audience_array_in_token = [aud]
+        overlapping_aud_values = [
+            x for x in audience_array_in_token if x in valid_audience_values
+        ]
+
        if iss != cls.server_url():
            valid = False
        # aud could be an array or a string
-        elif aud not in (cls.client_id(), "account") and aud != [
-            cls.client_id(),
-            "account",
-        ]:
+        elif len(overlapping_aud_values) < 1:
            valid = False
        elif azp and azp not in (
            cls.client_id(),