artefactual-sdps · jraddaoui · Nov 14, 2024 · Nov 14, 2024 · jraddaoui · Nov 14, 2024
diff --git a/internal/api/auth/token_verifier.go b/internal/api/auth/token_verifier.go
@@ -108,7 +108,7 @@ func (t *OIDCTokenVerifier) parseAttributes(token *oidc.IDToken) ([]string, erro
 				)
 			}
 
-			var filteredValue []string
+			filteredValue := []string{}
 			for i := range val.Len() {
 				str, ok := val.Index(i).Interface().(string)
 				if ok {
@@ -122,7 +122,7 @@ func (t *OIDCTokenVerifier) parseAttributes(token *oidc.IDToken) ([]string, erro
 				return filteredValue, nil
 			}
 
-			var attributes []string
+			attributes := []string{}
 			for _, role := range filteredValue {
 				if attrs, ok := t.cfg.ABAC.RolesMapping[role]; ok {
 					attributes = append(attributes, attrs...)

diff --git a/internal/api/auth/token_verifier_test.go b/internal/api/auth/token_verifier_test.go
@@ -183,6 +183,47 @@ func TestParseAttributes(t *testing.T) {
 				Attributes:    []string{"*"},
 			},
 		},
+		{
+			name: "Parses attributes based on configuration (disabled)",
+			config: &auth.OIDCConfig{
+				ProviderURL: iss,
+				ClientID:    audience,
+				ABAC: auth.OIDCABACConfig{
+					Enabled: false,
+				},
+			},
+			token: token(t, signer, iss, customClaims{
+				Email:         "[email protected]",
+				EmailVerified: true,
+				Attributes:    []string{"*"},
+			}),
+			wantClaims: &auth.Claims{
+				Email:         "[email protected]",
+				EmailVerified: true,
+				Attributes:    nil,
+			},
+		},
+		{
+			name: "Parses attributes based on configuration (no attributes)",
+			config: &auth.OIDCConfig{
+				ProviderURL: iss,
+				ClientID:    audience,
+				ABAC: auth.OIDCABACConfig{
+					Enabled:   true,
+					ClaimPath: "attributes",
+				},
+			},
+			token: token(t, signer, iss, customClaims{
+				Email:         "[email protected]",
+				EmailVerified: true,
+				Attributes:    []string{},
+			}),
+			wantClaims: &auth.Claims{
+				Email:         "[email protected]",
+				EmailVerified: true,
+				Attributes:    []string{},
+			},
+		},
 		{
 			name: "Parses attributes based on configuration (nested)",
 			config: &auth.OIDCConfig{
@@ -254,6 +295,29 @@ func TestParseAttributes(t *testing.T) {
 				Attributes:    []string{"*", "package:list", "package:listActions", "package:move", "package:read", "package:upload"},
 			},
 		},
+		{
+			name: "Parses attributes based on configuration (mapping roles, no attributes)",
+			config: &auth.OIDCConfig{
+				ProviderURL: iss,
+				ClientID:    audience,
+				ABAC: auth.OIDCABACConfig{
+					Enabled:      true,
+					ClaimPath:    "attributes",
+					UseRoles:     true,
+					RolesMapping: map[string][]string{"admin": {"*"}},
+				},
+			},
+			token: token(t, signer, iss, customClaims{
+				Email:         "[email protected]",
+				EmailVerified: true,
+				Attributes:    []string{"other", "random", "role"},
+			}),
+			wantClaims: &auth.Claims{
+				Email:         "[email protected]",
+				EmailVerified: true,
+				Attributes:    []string{},
+			},
+		},
 		{
 			name: "Fails to parse attributes (missing claim)",
 			config: &auth.OIDCConfig{

diff --git a/internal/workflow/processing.go b/internal/workflow/processing.go
@@ -1284,7 +1284,6 @@ func (w *ProcessingWorkflow) validatePREMIS(
 		XMLPath: xmlPath,
 		XSDPath: w.cfg.ValidatePREMIS.XSDPath,
 	}).Get(activityOpts, &xmlvalidateResult)
-
 	if err != nil {
 		if strings.Contains(err.Error(), fmt.Sprintf("%s: no such file or directory", xmlPath)) {
 			// Allow PREMIS XML to not exist without failing workflow.