Bugfix/check json path (#1921)

* Validate jsonpath in claim extractor

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>

* Add test and changelog for claim extractor json path

---------

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

pkg/providers/util/claim_extractor.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/bitly/go-simplejson"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
+	"github.com/ohler55/ojg/jp"
 	"github.com/spf13/cast"
 )
 
@@ -139,9 +140,13 @@ func parseJWT(p string) ([]byte, error) {
 }
 
 // getClaimFrom gets a claim from a Json object.
-// It can accept either a single claim name or a json path.
+// It can accept either a single claim name or a json path if the path is a valid json path.
 // Paths with indexes are not supported.
 func getClaimFrom(claim string, src *simplejson.Json) interface{} {
+	_, err := jp.ParseString(claim)
+	if err != nil {
+		return src.Get(claim).Interface()
+	}
 	claimParts := strings.Split(claim, ".")
 	return src.GetPath(claimParts...).Interface()
 }

pkg/providers/util/claim_extractor_test.go

@@ -25,6 +25,10 @@ const (
       "groups": [
         "idTokenGroup1",
         "idTokenGroup2"
+      ],
+      "https://groups.test": [
+        "fqdnGroup1",
+        "fqdnGroup2"
       ]
     }`
 	basicProfileURLPayload = `{
@@ -224,6 +228,18 @@ var _ = Describe("Claim Extractor Suite", func() {
 				expectedValue: "nestedUser",
 				expectedError: nil,
 			}),
+			Entry("retrieves claim for with FQDN", getClaimTableInput{
+				testClaimExtractorOpts: testClaimExtractorOpts{
+					idTokenPayload:        basicIDTokenPayload,
+					setProfileURL:         true,
+					profileRequestHeaders: newAuthorizedHeader(),
+					profileRequestHandler: shouldNotBeRequestedProfileHandler,
+				},
+				claim:         "https://groups.test",
+				expectExists:  true,
+				expectedValue: []interface{}{"fqdnGroup1", "fqdnGroup2"},
+				expectedError: nil,
+			}),
 		)
 	})