Merge branch 'master' of github.com:TykTechnologies/tyk into TT-15507

Author: mativm02

apidef/oas/authentication.go

@@ -484,6 +484,11 @@ type Scopes struct {
 	// - For JWT: `scopes.jwt.scope_claim_name`
 	ClaimName string `bson:"claimName,omitempty" json:"claimName,omitempty"`
 
+	// Claims contains a list of claims that contains the claim name.
+	// The first match from the list of claims in the token is used.
+	// OAS only field applied to OAS apis.
+	Claims []string `bson:"claims,omitempty" json:"claims,omitempty"`
+
 	// ScopeToPolicyMapping contains the mappings of scopes to policy IDs.
 	//
 	// Tyk classic API definition:
@@ -495,6 +500,9 @@ type Scopes struct {
 // Fill fills *Scopes from *apidef.ScopeClaim.
 func (s *Scopes) Fill(scopeClaim *apidef.ScopeClaim) {
 	s.ClaimName = scopeClaim.ScopeClaimName
+	if s.ClaimName != "" {
+		s.Claims = []string{scopeClaim.ScopeClaimName}
+	}
 
 	s.ScopeToPolicyMapping = []ScopeToPolicy{}
 

apidef/oas/authentication_test.go

@@ -22,15 +22,41 @@ func TestAuthentication(t *testing.T) {
 }
 
 func TestScopes(t *testing.T) {
-	var emptyScopes Scopes
+	t.Run("default", func(t *testing.T) {
+		var emptyScopes Scopes
 
-	scopeClaim := apidef.ScopeClaim{}
-	emptyScopes.ExtractTo(&scopeClaim)
+		scopeClaim := apidef.ScopeClaim{}
+		emptyScopes.ExtractTo(&scopeClaim)
 
-	var resultScopes Scopes
-	resultScopes.Fill(&scopeClaim)
+		var resultScopes Scopes
+		resultScopes.Fill(&scopeClaim)
+
+		assert.Equal(t, emptyScopes, resultScopes)
+	})
+	t.Run("fill scope claim", func(t *testing.T) {
+		var emptyScopes Scopes
+
+		scopeClaim := apidef.ScopeClaim{
+			ScopeClaimName: "test",
+		}
+
+		emptyScopes.Fill(&scopeClaim)
+
+		assert.Equal(t, emptyScopes.Claims, []string{scopeClaim.ScopeClaimName})
+	})
+
+	t.Run("extract scope claim", func(t *testing.T) {
+		var emptydefScopeClaim apidef.ScopeClaim
+
+		scope := Scopes{
+			Claims:    []string{"test", "second"},
+			ClaimName: "test",
+		}
+
+		scope.ExtractTo(&emptydefScopeClaim)
+		assert.Equal(t, emptydefScopeClaim.ScopeClaimName, "test")
+	})
 
-	assert.Equal(t, emptyScopes, resultScopes)
 }
 
 func TestAuthSources(t *testing.T) {

apidef/oas/default.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"slices"
 	"strconv"
 	"strings"
 
@@ -220,22 +221,42 @@ func (s *OAS) importMiddlewares(overRideValues TykExtensionConfigParams) {
 		xTykAPIGateway.Middleware = &Middleware{}
 	}
 
+	currentOperations := make([]string, 0)
+
 	for path, pathItem := range s.Paths.Map() {
 		overRideValues.pathItemHasParameters = len(pathItem.Parameters) > 0
 		for _, method := range allowedMethods {
 			if operation := pathItem.GetOperation(method); operation != nil {
 				tykOperation := s.getTykOperation(method, path)
 				tykOperation.Import(operation, overRideValues)
+				currentOperations = append(currentOperations, s.getOperationID(path, method))
 				s.deleteTykOperationIfEmpty(tykOperation, method, path)
 			}
 		}
 	}
 
+	s.removeObsoleteOperations(currentOperations)
+
 	if ShouldOmit(xTykAPIGateway.Middleware) {
 		xTykAPIGateway.Middleware = nil
 	}
 }
 
+func (s *OAS) removeObsoleteOperations(currentOperations []string) {
+	tykOperations := s.getTykOperations()
+	obsoleteOperations := make([]string, 0)
+
+	for id := range tykOperations {
+		if !slices.Contains(currentOperations, id) {
+			obsoleteOperations = append(obsoleteOperations, id)
+		}
+	}
+
+	for _, operationID := range obsoleteOperations {
+		delete(tykOperations, operationID)
+	}
+}
+
 func (s *OAS) getTykOperation(method, path string) *Operation {
 	xTykAPIGateway := s.GetTykExtension()
 	operationID := s.getOperationID(path, method)

apidef/oas/default_test.go

@@ -563,6 +563,34 @@ func TestOAS_BuildDefaultTykExtension(t *testing.T) {
 			return operations
 		}
 
+		t.Run("operations not present in new oas paths definition should be removed", func(t *testing.T) {
+			fakeOperationName := "fakeOperation"
+			fakeOperation := &Operation{
+				MockResponse: &MockResponse{
+					Enabled: true,
+				},
+			}
+			oasDef := getOASDef(true, true)
+
+			tykExtensionConfigParams := TykExtensionConfigParams{
+				MockResponse: &trueVal,
+			}
+
+			extension := &XTykAPIGateway{
+				Middleware: &Middleware{
+					Operations: map[string]*Operation{fakeOperationName: fakeOperation},
+				},
+			}
+			oasDef.SetTykExtension(extension)
+			assert.Greater(t, len(oasDef.getTykOperations()), 0)
+
+			expectedOperations := getExpectedOperations(true, true, middlewareMockResponse)
+			err := oasDef.BuildDefaultTykExtension(tykExtensionConfigParams, true)
+
+			assert.NoError(t, err)
+			assert.Equal(t, expectedOperations, oasDef.getTykOperations())
+		})
+
 		t.Run("allowList", func(t *testing.T) {
 			t.Run("enable allowList for all paths when no configured operationID in OAS", func(t *testing.T) {
 				oasDef := getOASDef(false, false)

apidef/oas/schema/x-tyk-api-gateway.json

@@ -218,6 +218,10 @@
         "claimName": {
           "type": "string"
         },
+        "claims": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
         "scopeToPolicyMapping": {
           "type": "array",
           "items": [
@@ -920,8 +924,7 @@
       },
       "required": [
         "in",
-        "pattern",
-        "negate"
+        "pattern"
       ]
     },
     "X-Tyk-URLRewriteRule": {
@@ -949,8 +952,7 @@
       "required": [
         "in",
         "name",
-        "pattern",
-        "negate"
+        "pattern"
       ]
     },
     "X-Tyk-EndpointPostPlugin": {
@@ -1614,12 +1616,36 @@
         "identityBaseField": {
           "type": "string"
         },
+        "subjectClaims": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
         "skipKid": {
           "type": "boolean"
         },
         "policyFieldName": {
           "type": "string"
         },
+        "basePolicyClaims": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "allowedIssuers": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "allowedAudiences": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "jtiValidation": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
+        "allowedSubjects": {
+          "type": "array",
+          "items": {"type": "string"}
+        },
         "clientBaseField": {
           "type": "string"
         },

apidef/oas/schema/x-tyk-api-gateway.strict.json

@@ -229,6 +229,12 @@
         "claimName": {
           "type": "string"
         },
+        "claims": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "scopeToPolicyMapping": {
           "type": "array",
           "items": [
@@ -959,8 +965,7 @@
       },
       "required": [
         "in",
-        "pattern",
-        "negate"
+        "pattern"
       ],
       "additionalProperties": false
     },
@@ -989,8 +994,7 @@
       "required": [
         "in",
         "name",
-        "pattern",
-        "negate"
+        "pattern"
       ],
       "additionalProperties": false
     },
@@ -1680,12 +1684,48 @@
         "identityBaseField": {
           "type": "string"
         },
+        "subjectClaims": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "skipKid": {
           "type": "boolean"
         },
         "policyFieldName": {
           "type": "string"
         },
+        "basePolicyClaims": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "allowedIssuers": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "allowedAudiences": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "jtiValidation": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "allowedSubjects": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "clientBaseField": {
           "type": "string"
         },