Fail open on parsing the audience claim

stackrox · May 22, 2024 · c5a1af0 · c5a1af0
1 parent d13e393
commit c5a1af0
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/pkg/auth/acs_claims.go b/pkg/auth/acs_claims.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 
 	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang/glog"
 	"github.com/stackrox/acs-fleet-manager/pkg/shared/utils/arrays"
 )
 
@@ -94,11 +95,12 @@ func (c *ACSClaims) GetAudience() ([]string, error) {
 		aud = v
 	case []interface{}:
 		for _, a := range v {
-			vs, ok := a.(string)
-			if !ok {
-				return nil, fmt.Errorf("can't parse part of the audience claim: %q", a)
+			if vs, ok := a.(string); !ok {
+				userID, _ := c.GetUserID()
+				glog.V(5).Infof("can't parse part of the audience claim for user %q: %q", userID, a)
+			} else {
+				aud = append(aud, vs)
 			}
-			aud = append(aud, vs)
 		}
 	default:
 		return nil, fmt.Errorf("can't parse the audience claim: %q", v)

diff --git a/pkg/auth/acs_claims_test.go b/pkg/auth/acs_claims_test.go
@@ -289,6 +289,12 @@ func TestACSClaims_Audience(t *testing.T) {
 			}),
 			expectError: true,
 		},
+		"should not fail when part of the claim can't be parsed": {
+			claims: ACSClaims(jwt.MapClaims{
+				audienceClaim: []interface{}{123, "test"},
+			}),
+			expectValues: []string{"test"},
+		},
 	}
 
 	for name, tt := range tests {