allow regex in claimrules

stackrox · Dec 17, 2024 · b909935 · b909935
1 parent 5a2d4be
commit b909935
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 1 deletion.
diff --git a/auth/claimrule/claim_rule.go b/auth/claimrule/claim_rule.go
@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/jeremywohl/flatten/v2"
@@ -70,9 +71,14 @@ func (cr *ClaimRule) equalCheck(flatTokenClaims map[string]interface{}, jsonPath
 		return errors.Errorf("expected claim %q is not found", jsonPath)
 	}
 
-	if cr.Value != tokenClaimValue {
+	pattern := fmt.Sprintf("^%s$", cr.Value)
+	found, err := regexp.MatchString(pattern, tokenClaimValue.(string))
+	if !found {
 		return errors.Errorf("expected claim %q is not correct", jsonPath)
 	}
+	if err != nil {
+		return errors.Wrapf(err, "error matching claim %s to expected value", tokenClaimValue)
+	}
 
 	return nil
 }

diff --git a/auth/claimrule/claim_rule_test.go b/auth/claimrule/claim_rule_test.go
@@ -164,6 +164,39 @@ func getDataSets() map[string]dataSet {
 			}},
 			err: true,
 		},
+		"eq-regex-match": {
+			tokenClaims: map[string]interface{}{
+				"field": "val1",
+			},
+			rules: ClaimRules{{
+				Value: "(val1|val2)",
+				Path:  "field",
+				Op:    "eq",
+			}},
+			err: false,
+		},
+		"eq-regex-no-match": {
+			tokenClaims: map[string]interface{}{
+				"field": "val3",
+			},
+			rules: ClaimRules{{
+				Value: "(val1|val2)",
+				Path:  "field",
+				Op:    "eq",
+			}},
+			err: true,
+		},
+		"in-regex-match": {
+			tokenClaims: map[string]interface{}{
+				"field": []string{"val1", "val2"},
+			},
+			rules: ClaimRules{{
+				Value: "(val2|val3)",
+				Path:  "field",
+				Op:    "in",
+			}},
+			err: false,
+		},
 	}
 }