[TT-16013] fix bug gateway panics when validating jwt claims - visor comments

Author: NurayAhmadova

apidef/oas/authentication.go

@@ -268,6 +268,41 @@ func (ss *SecuritySchemes) Get(key string) (interface{}, bool) {
 	return value, ok
 }
 
+// GetOrConvert fetches a scheme by name. If the stored value is a map[string]interface{},
+// it converts it into the concrete struct provided via 'out', stores it back once, and returns it.
+// Returns (value, true) if found; (nil, false) if missing.
+func (ss *SecuritySchemes) GetOrConvert(name string, out interface{}) (interface{}, bool) {
+	if ss == nil {
+		return nil, false
+	}
+	ss.mutex.RLock()
+	v, ok := ss.container[name]
+	ss.mutex.RUnlock()
+	if !ok {
+		return nil, false
+	}
+	if reflect.TypeOf(v) == reflect.TypeOf(out) {
+		return v, true
+	}
+
+	ss.mutex.Lock()
+	defer ss.mutex.Unlock()
+
+	v, ok = ss.container[name]
+	if !ok {
+		return nil, false
+	}
+	if reflect.TypeOf(v) == reflect.TypeOf(out) {
+		return v, true
+	}
+
+	if toStructIfMap(v, out) {
+		ss.container[name] = out
+		return out, true
+	}
+	return out, true
+}
+
 func (ss *SecuritySchemes) Delete(key string) {
 	if ss == nil {
 		return

apidef/oas/oas.go

@@ -221,111 +221,80 @@ func (s *OAS) getTykAuthentication() (authentication *Authentication) {
 }
 
 func (s *OAS) getTykTokenAuth(name string) (token *Token) {
-	securityScheme := s.getTykSecurityScheme(name)
-	if securityScheme == nil {
-		return
-	}
-
+	ss := s.getTykSecuritySchemes()
 	token = &Token{}
-	if tokenVal, ok := securityScheme.(*Token); ok {
-		token = tokenVal
-	} else {
-		toStructIfMap(securityScheme, token)
+	if v, ok := ss.GetOrConvert(name, token); ok {
+		if t, ok := v.(*Token); ok {
+			return t
+		}
 	}
-
-	s.getTykSecuritySchemes().Set(name, token)
-
-	return
+	return token
 }
 
 func (s *OAS) getTykJWTAuth(name string) (jwt *JWT) {
-	securityScheme := s.getTykSecurityScheme(name)
-	if securityScheme == nil {
-		return
-	}
-
+	ss := s.getTykSecuritySchemes()
 	jwt = &JWT{}
-	if jwtVal, ok := securityScheme.(*JWT); ok {
-		jwt = jwtVal
-	} else {
-		toStructIfMap(securityScheme, jwt)
+	if v, ok := ss.GetOrConvert(name, jwt); ok {
+		if j, ok := v.(*JWT); ok {
+			return j
+		}
 	}
-
-	s.getTykSecuritySchemes().Set(name, jwt)
-
-	return
+	return jwt
 }
 
-// getTykBasicAuth retrieves the Basic auth configuration from Tyk extension.
-// It handles both typed (*Basic) and untyped (map[string]interface{}) security schemes.
-// When an untyped scheme is found, it converts it to *Basic and caches the result.
+// getTykBasicAuth retrieves the Basic auth configuration from the Tyk extension.
+// Accepts both typed (*Basic) and untyped (map[string]interface{}) schemes.
+// Untyped values are converted and cached via SecuritySchemes.GetOrConvert.
 func (s *OAS) getTykBasicAuth(name string) (basic *Basic) {
+	ss := s.getTykSecuritySchemes()
 	basic = &Basic{}
-
-	securityScheme := s.getTykSecurityScheme(name)
-	if securityScheme == nil {
-		return
-	}
-
-	if basicVal, ok := securityScheme.(*Basic); ok {
-		basic = basicVal
-	} else {
-		// Security scheme is stored as map[string]interface{}, convert it to Basic struct
-		if toStructIfMap(securityScheme, basic) {
-			// Cache the converted struct for future use
-			s.getTykSecuritySchemes().Set(name, basic)
+	if v, ok := ss.GetOrConvert(name, basic); ok {
+		if b, ok := v.(*Basic); ok {
+			return b
 		}
 	}
-
-	return
+	return basic
 }
 
 func (s *OAS) getTykOAuthAuth(name string) (oauth *OAuth) {
-	securityScheme := s.getTykSecurityScheme(name)
-	if securityScheme == nil {
-		return
-	}
-
+	ss := s.getTykSecuritySchemes()
 	oauth = &OAuth{}
-	if oauthVal, ok := securityScheme.(*OAuth); ok {
-		oauth = oauthVal
-	} else {
-		toStructIfMap(securityScheme, oauth)
+	if v, ok := ss.GetOrConvert(name, oauth); ok {
+		if o, ok := v.(*OAuth); ok {
+			return o
+		}
 	}
-
-	s.getTykSecuritySchemes().Set(name, oauth)
-
-	return
+	return oauth
 }
 
 func (s *OAS) getTykExternalOAuthAuth(name string) (externalOAuth *ExternalOAuth) {
-	securityScheme := s.getTykSecurityScheme(name)
-	if securityScheme == nil {
-		return
-	}
-
+	ss := s.getTykSecuritySchemes()
 	externalOAuth = &ExternalOAuth{}
-	if oauthVal, ok := securityScheme.(*ExternalOAuth); ok {
-		externalOAuth = oauthVal
-	} else {
-		toStructIfMap(securityScheme, externalOAuth)
+	if v, ok := ss.GetOrConvert(name, externalOAuth); ok {
+		if eo, ok := v.(*ExternalOAuth); ok {
+			return eo
+		}
 	}
-
-	s.getTykSecuritySchemes().Set(name, externalOAuth)
-
-	return
+	return externalOAuth
 }
 
-func (s *OAS) getTykSecuritySchemes() (securitySchemes *SecuritySchemes) {
-	if s.getTykAuthentication() != nil {
-		securitySchemes = s.getTykAuthentication().SecuritySchemes
+func (s *OAS) getTykSecuritySchemes() *SecuritySchemes {
+	ext := s.GetTykExtension()
+	if ext == nil {
+		ext = &XTykAPIGateway{}
+		s.SetTykExtension(ext)
 	}
 
-	if securitySchemes == nil {
-		return NewSecuritySchemes()
+	// Server is a value field; ensure Authentication exists.
+	if ext.Server.Authentication == nil {
+		ext.Server.Authentication = &Authentication{}
+	}
+
+	if ext.Server.Authentication.SecuritySchemes == nil {
+		ext.Server.Authentication.SecuritySchemes = NewSecuritySchemes()
 	}
 
-	return securitySchemes
+	return ext.Server.Authentication.SecuritySchemes
 }
 
 func (s *OAS) getTykSecurityScheme(name string) interface{} {