[TT-16013] fix bug gateway panics when validating jwt claims

Author: NurayAhmadova

apidef/oas/authentication.go

@@ -3,8 +3,10 @@ package oas
 import (
 	"encoding/json"
 	"fmt"
+	"iter"
 	"reflect"
 	"sort"
+	"sync"
 	"time"
 
 	"github.com/getkin/kin-openapi/openapi3"
@@ -76,7 +78,7 @@ type Authentication struct {
 	Custom *CustomPluginAuthentication `bson:"custom,omitempty" json:"custom,omitempty"`
 
 	// SecuritySchemes contains security schemes definitions.
-	SecuritySchemes SecuritySchemes `bson:"securitySchemes,omitempty" json:"securitySchemes,omitempty"`
+	SecuritySchemes *SecuritySchemes `bson:"securitySchemes,omitempty" json:"securitySchemes,omitempty"`
 
 	// CustomKeyLifetime contains configuration for the maximum retention period for access tokens.
 	CustomKeyLifetime *CustomKeyLifetime `bson:"customKeyLifetime,omitempty" json:"customKeyLifetime,omitempty"`
@@ -229,73 +231,209 @@ func (a *Authentication) ExtractTo(api *apidef.APIDefinition) {
 	a.CustomKeyLifetime.ExtractTo(api)
 }
 
-// SecuritySchemes holds security scheme values, filled with Import().
-type SecuritySchemes map[string]interface{}
+// SecuritySchemes never use the zero value of the type, always use the constructor.
+type SecuritySchemes struct {
+	container map[string]interface{}
+	mutex     sync.RWMutex
+}
+
+func NewSecuritySchemes() *SecuritySchemes {
+	return &SecuritySchemes{container: make(map[string]interface{})}
+}
+
+func (ss *SecuritySchemes) Set(key string, value interface{}) {
+	if ss == nil {
+		return
+	}
+	ss.mutex.Lock()
+	defer ss.mutex.Unlock()
+
+	if ss.container == nil {
+		ss.container = make(map[string]interface{})
+	}
+	ss.container[key] = value
+}
+
+func (ss *SecuritySchemes) Get(key string) (interface{}, bool) {
+	if ss == nil {
+		return nil, false
+	}
+	ss.mutex.RLock()
+	defer ss.mutex.RUnlock()
+
+	if ss.container == nil {
+		return nil, false
+	}
+	value, ok := ss.container[key]
+	return value, ok
+}
+
+func (ss *SecuritySchemes) Delete(key string) {
+	if ss == nil {
+		return
+	}
+	ss.mutex.Lock()
+	defer ss.mutex.Unlock()
+
+	if ss.container == nil {
+		return
+	}
+	delete(ss.container, key)
+}
+
+func (ss *SecuritySchemes) Len() int {
+	if ss == nil {
+		return 0
+	}
+	ss.mutex.RLock()
+	defer ss.mutex.RUnlock()
+
+	return len(ss.container)
+}
+
+// Iter returns a snapshot iterator: it copies entries under RLock,
+// then releases the lock before calling user code.
+func (ss *SecuritySchemes) Iter() iter.Seq2[string, interface{}] {
+	return func(yield func(string, interface{}) bool) {
+		if ss == nil {
+			return
+		}
+
+		ss.mutex.RLock()
+		if ss.container == nil {
+			ss.mutex.RUnlock()
+			return
+		}
+
+		snap := make([]struct {
+			k string
+			v interface{}
+		}, 0, len(ss.container))
+		for k, v := range ss.container {
+			snap = append(snap, struct {
+				k string
+				v interface{}
+			}{k, v})
+		}
+		ss.mutex.RUnlock()
+
+		for _, e := range snap {
+			if !yield(e.k, e.v) {
+				return
+			}
+		}
+	}
+}
+
+// MarshalJSON implements json.Marshaler.
+// It snapshots the map under RLock, unlocks, then marshals.
+func (ss *SecuritySchemes) MarshalJSON() ([]byte, error) {
+	if ss == nil {
+		return []byte(`{}`), nil
+	}
+
+	ss.mutex.RLock()
+	defer ss.mutex.RUnlock()
+
+	if ss.container == nil {
+		return []byte(`{}`), nil
+	}
+
+	return json.Marshal(ss.container)
+}
+
+// UnmarshalJSON implements json.Unmarshaler.
+// It builds a temporary map, then replaces the internal map under Lock.
+func (ss *SecuritySchemes) UnmarshalJSON(b []byte) error {
+	if string(b) == "null" {
+		if ss != nil {
+			ss.mutex.Lock()
+			ss.container = make(map[string]interface{})
+			ss.mutex.Unlock()
+		}
+		return nil
+	}
+
+	tmp := make(map[string]interface{})
+	if err := json.Unmarshal(b, &tmp); err != nil {
+		return err
+	}
+
+	if ss != nil {
+		ss.mutex.Lock()
+		ss.container = tmp
+		ss.mutex.Unlock()
+	}
+	return nil
+}
 
 // SecurityScheme defines an Importer interface for security schemes.
 type SecurityScheme interface {
 	Import(nativeSS *openapi3.SecurityScheme, enable bool)
 }
 
-// Import takes the openapi3.SecurityScheme as argument and applies it to the receiver. The
-// SecuritySchemes receiver is a map, so modification of the receiver is enabled, regardless
-// of the fact that the receiver isn't a pointer type. The map is a pointer type itself.
-func (ss SecuritySchemes) Import(name string, nativeSS *openapi3.SecurityScheme, enable bool) error {
+// Import takes the openapi3.SecurityScheme as argument and applies it to the receiver.
+// The SecuritySchemes type uses internal synchronization to safely modify its contents.
+func (ss *SecuritySchemes) Import(name string, nativeSS *openapi3.SecurityScheme, enable bool) error {
+	if ss == nil {
+		return fmt.Errorf("SecuritySchemes is nil")
+	}
+
 	switch {
 	case nativeSS.Type == typeAPIKey:
 		token := &Token{}
-		if ss[name] == nil {
-			ss[name] = token
+		scheme, exists := ss.Get(name)
+		if !exists {
+			ss.Set(name, token)
+		}
+		if tokenVal, ok := scheme.(*Token); ok {
+			token = tokenVal
 		} else {
-			if tokenVal, ok := ss[name].(*Token); ok {
-				token = tokenVal
-			} else {
-				toStructIfMap(ss[name], token)
-			}
+			toStructIfMap(scheme, token)
 		}
 
 		token.Enabled = &enable
 	case nativeSS.Type == typeHTTP && nativeSS.Scheme == schemeBearer && nativeSS.BearerFormat == bearerFormatJWT:
 		jwt := &JWT{}
-		if ss[name] == nil {
-			ss[name] = jwt
+		scheme, exists := ss.Get(name)
+		if !exists {
+			ss.Set(name, jwt)
+		}
+		if jwtVal, ok := scheme.(*JWT); ok {
+			jwt = jwtVal
 		} else {
-			if jwtVal, ok := ss[name].(*JWT); ok {
-				jwt = jwtVal
-			} else {
-				toStructIfMap(ss[name], jwt)
-			}
+			toStructIfMap(scheme, jwt)
 		}
 
 		jwt.Import(enable)
 	case nativeSS.Type == typeHTTP && nativeSS.Scheme == schemeBasic:
 		basic := &Basic{}
-		if ss[name] == nil {
-			ss[name] = basic
+		scheme, exists := ss.Get(name)
+		if !exists {
+			ss.Set(name, basic)
+		}
+		if basicVal, ok := scheme.(*Basic); ok {
+			basic = basicVal
 		} else {
-			if basicVal, ok := ss[name].(*Basic); ok {
-				basic = basicVal
-			} else {
-				toStructIfMap(ss[name], basic)
-			}
+			toStructIfMap(scheme, basic)
 		}
 
 		basic.Import(enable)
 	case nativeSS.Type == typeOAuth2:
 		oauth := &OAuth{}
-		if ss[name] == nil {
-			ss[name] = oauth
+		scheme, exists := ss.Get(name)
+		if !exists {
+			ss.Set(name, oauth)
+		}
+		if oauthVal, ok := scheme.(*OAuth); ok {
+			oauth = oauthVal
 		} else {
-			if oauthVal, ok := ss[name].(*OAuth); ok {
-				oauth = oauthVal
-			} else {
-				toStructIfMap(ss[name], oauth)
-			}
+			toStructIfMap(scheme, oauth)
 		}
 
 		oauth.Import(enable)
 	default:
-		return fmt.Errorf(unsupportedSecuritySchemeFmt, name)
+		return fmt.Errorf("unsupported securityScheme type: %s", nativeSS.Type)
 	}
 
 	return nil
@@ -317,15 +455,15 @@ func baseIdentityProviderPrecedence(authType apidef.AuthTypeEnum) int {
 }
 
 // GetBaseIdentityProvider returns the identity provider by precedence from SecuritySchemes.
-func (ss SecuritySchemes) GetBaseIdentityProvider() (res apidef.AuthTypeEnum) {
-	if len(ss) < 2 {
+func (ss *SecuritySchemes) GetBaseIdentityProvider() (res apidef.AuthTypeEnum) {
+	if ss == nil || ss.Len() < 2 {
 		return
 	}
 
 	resBaseIdentityProvider := baseIdentityProviderPrecedence(apidef.AuthTypeNone)
 	res = apidef.OAuthKey
 
-	for _, scheme := range ss {
+	for _, scheme := range ss.Iter() {
 		if _, ok := scheme.(*Token); ok {
 			return apidef.AuthToken
 		}

apidef/oas/default.go

@@ -190,7 +190,7 @@ func (s *OAS) importAuthentication(enable bool) error {
 
 	tykSecuritySchemes := authentication.SecuritySchemes
 	if tykSecuritySchemes == nil {
-		tykSecuritySchemes = make(SecuritySchemes)
+		tykSecuritySchemes = NewSecuritySchemes()
 		authentication.SecuritySchemes = tykSecuritySchemes
 	}