From c67d6aad79f100946caa6d0eaca94297367fdaf6 Mon Sep 17 00:00:00 2001
From: Matthias Hanel
Date: Tue, 16 Aug 2022 19:00:41 -0700
Subject: [PATCH] fix jwt template ordering issue and error message (#3373)
ordering of templates got messed up by a map (now removed)
Also improved error message when template generation fails
Signed-off-by: Matthias Hanel
---
 server/auth.go | 16 ++++++++--------
 server/jwt_test.go | 5 +++++
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/server/auth.go b/server/auth.go
index 72d1fc0b..ffc9de94 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -423,7 +423,7 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
 tokens := strings.Split(list[i], tsep)
 newTokens := make([]string, len(tokens))
- tagValues := map[int][]string{} // indexed by token
+ tagValues := [][]string{}
 for tokenNum, tk := range tokens {
 if strings.HasPrefix(tk, "{{") && strings.HasSuffix(tk, "}}") {
@@ -460,12 +460,16 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
 strings.TrimSuffix(strings.TrimPrefix(op, "tag("), ")")))
 }
+ valueList := []string{}
 for _, tag := range tags {
 if strings.HasPrefix(tag, tagPrefix) {
 tagValue := strings.TrimPrefix(tag, tagPrefix)
- tagValues[tokenNum] = append(tagValues[tokenNum], tagValue)
+ valueList = append(valueList, tagValue)
 }
 }
+ if len(valueList) != 0 {
+ tagValues = append(tagValues, valueList)
+ }
 default:
 // if macro is not recognized, throw off subject check on purpose
 tk = " "
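Review bot: The replacement `tagValues := [][]string{}` drops the old `// indexed by token` comment, and the slice carries a subtler invariant than the map did: it holds one value list per `{{tag()}}` token that matched at least one tag, in token order, and that order is exactly what the cartesian product later consumes, so it deserves stating on the line. I would add `// one value list per matching {{tag()}} token, in token order; this order drives the cartesian product below`. If the later check is on `len(tagValues)` rather than `nil`, a plain `var tagValues [][]string` would also do, since append on a nil slice is fine. processUserPermissionsTemplate begins and ends outside this hunk.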
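Review bot: The new `if len(valueList) != 0` guard silently drops a `{{tag(X)}}` token from `tagValues` when the user has no `X:` tag, while `newTokens` still holds a placeholder for that position, so the emit loop (outside this hunk) receives fewer product columns than placeholders; whether it tolerates that mismatch is not visible here, and the added test only covers a template whose single token is unmatched. If rejecting such a template is the intended outcome, as the test suggests, rejecting at the point of detection is both clearer and safer than relying on a later subject check; the result type is visible in the caller hunk: `if len(valueList) == 0 { return jwt.UserPermissionLimits{}, fmt.Errorf("template %q: no tag matching %q", list[i], tagPrefix) }`. Use whichever error constructor auth.go already imports if `fmt` is not available there. processUserPermissionsTemplate begins and ends outside this hunk.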
@@ -483,12 +487,8 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
 }
 // else skip emitting
 } else {
- orderedList := make([][]string, 0, len(tagValues))
- for _, valueList := range tagValues {
- orderedList = append(orderedList, valueList)
- }
 // compute the cartesian product and compute subject to emit for each combination
- for _, valueList := range nArrayCartesianProduct(orderedList...) {
+ for _, valueList := range nArrayCartesianProduct(tagValues...) {
 b := strings.Builder{}
 for i, token := range newTokens {
 if token == _EMPTY_ {
@@ -777,7 +777,7 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) boo
 c.Debugf("User JWT is not valid")
 return false
 } else if juc.UserPermissionLimits, err = processUserPermissionsTemplate(uSc.Template, juc, acc); err != nil {
- c.Debugf("User JWT is not valid")
+ c.Debugf("User JWT generated invalid permissions")
 return false
 }
 }
diff --git a/server/jwt_test.go b/server/jwt_test.go
index 189ab22d..5b498445 100644
--- a/server/jwt_test.go
+++ b/server/jwt_test.go
@@ -4205,6 +4205,11 @@ func TestJwtTemplates(t *testing.T) {
 require_True(t, len(resLim.Sub.Allow) == 0)
 require_True(t, len(resLim.Sub.Deny) == 1)
 require_Contains(t, resLim.Sub.Deny[0], fmt.Sprintf("foo.myname.%s.accname.%s.bar", upub, aPub))
+
+ lim.Pub.Deny.Add("{{tag(NOT_THERE)}}")
+ _, err = processUserPermissionsTemplate(lim, uclaim, acc)
+ require_Error(t, err)
+ require_Contains(t, err.Error(), "generated invalid subject")
 }
 func TestJWTLimitsTemplate(t *testing.T) {
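Review bot: The reworded `c.Debugf("User JWT generated invalid permissions")` still discards `err`, so an operator debugging a rejected connection cannot see which template or generated subject failed even though processUserPermissionsTemplate returns that detail. I would log it: `c.Debugf("User JWT generated invalid permissions: %v", err)`. The message is server-side debug output, so including the template error does not expose anything to the client. processClientOrLeafAuthentication begins and ends outside this hunk.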
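Review bot: The added test only pins the unmatched-tag error path and does not cover the ordering bug this commit fixes, so a regression back to map iteration would pass. I would add a case to TestJwtTemplates with a template holding two `{{tag()}}` tokens whose values differ, for example `{{tag(first)}}.{{tag(second)}}` with distinct `first:` and `second:` tags on `uclaim`, and assert the emitted subject has the values in token order and never reversed; running it under `-count=50` would have caught the old map-iteration randomness. The `require_Contains(t, err.Error(), "generated invalid subject")` assertion also couples the test to an error string produced outside this hunk, which is fine but worth a comment noting where it comes from. TestJwtTemplates begins outside this hunk.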