fix(jans-cedarling): do not create duplicate role entities

Signed-off-by: rmarinn <[email protected]>
JanssenProject · Jan 8, 2025 · 1dd94f3 · 1dd94f3
1 parent f24a100
commit 1dd94f3
Showing 1 changed file with 52 additions and 7 deletions.
diff --git a/jans-cedarling/cedarling/src/authz/entity_builder/build_role_entity.rs b/jans-cedarling/cedarling/src/authz/entity_builder/build_role_entity.rs
@@ -14,6 +14,7 @@ impl EntityBuilder {
         tokens: &DecodedTokens,
     ) -> Result<Vec<Entity>, BuildRoleEntityError> {
         let entity_name = &self.entity_names.role;
+        let mut created_roles = HashSet::new();
         let mut entities = Vec::new();
 
         // Get entity namespace and type
@@ -36,9 +37,11 @@ impl EntityBuilder {
                 match claim.value() {
                     // Case: the claim is a String
                     serde_json::Value::String(role) => {
-                        let entity = build_entity(&entity_name, role)
-                            .map_err(|e| BuildRoleEntityError::map_tkn_err(token, e))?;
-                        entities.push(entity);
+                        if let Some(entity) =
+                            build_role_entity(&mut created_roles, &entity_name, role, token)?
+                        {
+                            entities.push(entity);
+                        }
                     },
 
                     // Case: the claim is an Array
@@ -53,10 +56,11 @@ impl EntityBuilder {
                                     ));
                                 },
                             };
-
-                            let entity = build_entity(&entity_name, role)
-                                .map_err(|e| BuildRoleEntityError::map_tkn_err(token, e))?;
-                            entities.push(entity);
+                            if let Some(entity) =
+                                build_role_entity(&mut created_roles, &entity_name, role, token)?
+                            {
+                                entities.push(entity);
+                            }
                         }
                     },
 
@@ -80,6 +84,24 @@ impl EntityBuilder {
     }
 }
 
+/// Builds the role entity if it doesn't exist yet
+fn build_role_entity(
+    created_roles: &mut HashSet<String>,
+    entity_type_name: &str,
+    role: &str,
+    token: &Token,
+) -> Result<Option<Entity>, BuildRoleEntityError> {
+    if created_roles.contains(role) {
+        return Ok(None);
+    }
+
+    let entity = build_entity(entity_type_name, role)
+        .map_err(|e| BuildRoleEntityError::map_tkn_err(token, e))?;
+    created_roles.insert(role.to_string());
+
+    Ok(Some(entity))
+}
+
 fn build_entity(name: &str, id: &str) -> Result<Entity, BuildEntityError> {
     let name = EntityTypeName::from_str(name).map_err(BuildEntityError::ParseEntityTypeName)?;
     let id = EntityId::from_str(id).map_err(BuildEntityError::ParseEntityId)?;
@@ -215,4 +237,27 @@ mod test {
         };
         test_build_entity_from_str_claim(tokens);
     }
+
+    #[test]
+    fn ignores_duplicate_roles() {
+        let iss = TrustedIssuer::default();
+        let access_token = Token::new_access(
+            TokenClaims::new(HashMap::from([("role".to_string(), json!("admin"))])),
+            Some(&iss),
+        );
+        let id_token = Token::new_id(
+            TokenClaims::new(HashMap::from([("role".to_string(), json!("admin"))])),
+            Some(&iss),
+        );
+        let userinfo_token = Token::new_userinfo(
+            TokenClaims::new(HashMap::from([("role".to_string(), json!("admin"))])),
+            Some(&iss),
+        );
+        let tokens = DecodedTokens {
+            access: Some(access_token),
+            id: Some(id_token),
+            userinfo: Some(userinfo_token),
+        };
+        test_build_entity_from_str_claim(tokens);
+    }
 }