Misc improvements

2025-08-18 04:09:57 +00:00 · 2025-08-11 16:39:35 +05:30 · 2025-08-11 16:39:35 +05:30 · 8589035d64
commit 8589035d64
parent b30aa6273c
8 changed files with 222 additions and 156 deletions
--- a/internal/authz/asgardeo.go
+++ b/internal/authz/asgardeo.go
@ -194,7 +194,7 @@ func (p *asgardeoProvider) createAsgardeoApplication(regReq RegisterRequest) err

 	if resp.StatusCode >= 400 {
 		respBody, _ := io.ReadAll(resp.Body)
-		return fmt.Errorf("Asgardeo creation error (%d): %s", resp.StatusCode, string(respBody))
+		return fmt.Errorf("asgardeo creation error (%d): %s", resp.StatusCode, string(respBody))
 	}

 	logger.Info("Created Asgardeo application for clientID=%s", regReq.ClientID)
@ -367,16 +367,41 @@ func randomString(n int) string {
 func (p *asgardeoProvider) ProtectedResourceMetadataHandler() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
+
+		// Extract only the values into a []string
+		var supportedScopes []string
+		var extractStrings func(interface{})
+		extractStrings = func(val interface{}) {
+			switch v := val.(type) {
+			case string:
+				supportedScopes = append(supportedScopes, v)
+			case []any:
+				for _, item := range v {
+					extractStrings(item)
+				}
+			case map[string]any:
+				for _, item := range v {
+					extractStrings(item)
+				}
+			}
+		}
+		for _, m := range p.cfg.ProtectedResourceMetadata.ScopesSupported {
+			for _, v := range m {
+				extractStrings(v)
+			}
+		}
+
 		meta := map[string]interface{}{
-			"resource":              p.cfg.ResourceIdentifier,
-			"scopes_supported":      p.cfg.ScopesSupported,
-			"authorization_servers": p.cfg.AuthorizationServers,
+			"resource":              p.cfg.ProtectedResourceMetadata.ResourceIdentifier,
+			"scopes_supported":      supportedScopes,
+			"authorization_servers": p.cfg.ProtectedResourceMetadata.AuthorizationServers,
 		}
-		if p.cfg.JwksURI != "" {
-			meta["jwks_uri"] = p.cfg.JwksURI
+
+		if p.cfg.ProtectedResourceMetadata.JwksURI != "" {
+			meta["jwks_uri"] = p.cfg.ProtectedResourceMetadata.JwksURI
 		}
-		if len(p.cfg.BearerMethodsSupported) > 0 {
-			meta["bearer_methods_supported"] = p.cfg.BearerMethodsSupported
+		if len(p.cfg.ProtectedResourceMetadata.BearerMethodsSupported) > 0 {
+			meta["bearer_methods_supported"] = p.cfg.ProtectedResourceMetadata.BearerMethodsSupported
 		}
 		if err := json.NewEncoder(w).Encode(meta); err != nil {
 			http.Error(w, "failed to encode metadata", http.StatusInternalServerError)
--- a/internal/authz/default.go
+++ b/internal/authz/default.go
@ -5,7 +5,7 @@ import (
 	"net/http"

 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
-	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
+	logger "github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )

 type defaultProvider struct {
@ -99,18 +99,17 @@ func (p *defaultProvider) ProtectedResourceMetadataHandler() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
 		meta := map[string]interface{}{
-			"audience": p.cfg.Audience,
-			"resource": p.cfg.ResourceIdentifier,
-			"scopes_supported": p.cfg.ScopesSupported,
-			"authorization_servers": p.cfg.AuthorizationServers,
+			"audience":              p.cfg.ProtectedResourceMetadata.Audience,
+			"scopes_supported":      p.cfg.ProtectedResourceMetadata.ScopesSupported,
+			"authorization_servers": p.cfg.ProtectedResourceMetadata.AuthorizationServers,
 		}

-		if p.cfg.JwksURI != "" {
-			meta["jwks_uri"] = p.cfg.JwksURI
+		if p.cfg.ProtectedResourceMetadata.JwksURI != "" {
+			meta["jwks_uri"] = p.cfg.ProtectedResourceMetadata.JwksURI
 		}

-		if len(p.cfg.BearerMethodsSupported) > 0 {
-			meta["bearer_methods_supported"] = p.cfg.BearerMethodsSupported
+		if len(p.cfg.ProtectedResourceMetadata.BearerMethodsSupported) > 0 {
+			meta["bearer_methods_supported"] = p.cfg.ProtectedResourceMetadata.BearerMethodsSupported
 		}

 		if err := json.NewEncoder(w).Encode(meta); err != nil {
--- a/internal/authz/scope_validator.go
+++ b/internal/authz/scope_validator.go
@ -18,36 +18,37 @@ func (d *ScopeValidator) ValidateAccess(
 	claims *jwt.MapClaims,
 	config *config.Config,
 ) AccessControlResult {
-    env, err := util.ParseRPCRequest(r)
-    if err != nil {
-        return AccessControlResult{DecisionDeny, "bad JSON-RPC request"}
-    }
-    requiredScopes := util.GetRequiredScopes(config, env.Method)
-    if len(requiredScopes) == 0 {
-        return AccessControlResult{DecisionAllow, ""}
-    }
+	env, err := util.ParseRPCRequest(r)
+	if err != nil {
+		return AccessControlResult{DecisionDeny, "bad JSON-RPC request"}
+	}
+	requiredScopes := util.GetRequiredScopes(config, env)

-    required := make(map[string]struct{}, len(requiredScopes))
-    for _, s := range requiredScopes {
-        s = strings.TrimSpace(s)
-        if s != "" {
-            required[s] = struct{}{}
-        }
-    }
+	if len(requiredScopes) == 0 {
+		return AccessControlResult{DecisionAllow, ""}
+	}

-    var tokenScopes []string
-    if claims, ok := (*claims)["scope"]; ok {
-        switch v := claims.(type) {
-        case string:
-            tokenScopes = strings.Fields(v)
-        case []interface{}:
-            for _, x := range v {
-                if s, ok := x.(string); ok && s != "" {
-                    tokenScopes = append(tokenScopes, s)
-                }
-            }
-        }
-    }
+	required := make(map[string]struct{}, len(requiredScopes))
+	for _, s := range requiredScopes {
+		s = strings.TrimSpace(s)
+		if s != "" {
+			required[s] = struct{}{}
+		}
+	}
+
+	var tokenScopes []string
+	if claims, ok := (*claims)["scope"]; ok {
+		switch v := claims.(type) {
+		case string:
+			tokenScopes = strings.Fields(v)
+		case []interface{}:
+			for _, x := range v {
+				if s, ok := x.(string); ok && s != "" {
+					tokenScopes = append(tokenScopes, s)
+				}
+			}
+		}
+	}

 	tokenScopeSet := make(map[string]struct{}, len(tokenScopes))
 	for _, s := range tokenScopes {