From c543416cf622dd0491a1f369bed80c597e9a8fe5 Mon Sep 17 00:00:00 2001
From: Russell Lewis <russelll@netflix.com>
Date: Wed, 29 Mar 2017 15:40:31 -0700
Subject: [PATCH] Thanks to @Stype: Update the kmsauth token validation code to
 verify that all remote_usernames are checked against the offered
 kmsauth_token.

---
 bless/aws_lambda/bless_lambda.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bless/aws_lambda/bless_lambda.py b/bless/aws_lambda/bless_lambda.py
index 4199d92..8a482ab 100644
--- a/bless/aws_lambda/bless_lambda.py
+++ b/bless/aws_lambda/bless_lambda.py
@@ -138,7 +138,7 @@ def lambda_handler(event, context=None, ca_private_key_password=None,
                 )
                 # decrypt_token will raise a TokenValidationError if token doesn't match
                 validator.decrypt_token(
-                    "2/user/{}".format(request.remote_usernames.split(',')[0]),
+                    "2/user/{}".format(request.remote_usernames),
                     request.kmsauth_token
                 )
             except TokenValidationError as e: