Revert "Optionally Ignore trailing "/" at end of boundAudience (#323)" (#343)

jaireddjawed · web-flow · commit 1da91e23ccd1 · 2025-05-08T17:41:35.000-07:00
This reverts commit e9b60da.
diff --git a/path_role.go b/path_role.go
@@ -96,19 +96,19 @@ func pathRole(b *jwtAuthBackend) *framework.Path {
 			},
 			"expiration_leeway": {
 				Type: framework.TypeSignedDurationSecond,
-				Description: `Duration in seconds of leeway when validating expiration of a token to account for clock skew.
+				Description: `Duration in seconds of leeway when validating expiration of a token to account for clock skew. 
 Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.`,
 				Default: claimDefaultLeeway,
 			},
 			"not_before_leeway": {
 				Type: framework.TypeSignedDurationSecond,
-				Description: `Duration in seconds of leeway when validating not before values of a token to account for clock skew.
+				Description: `Duration in seconds of leeway when validating not before values of a token to account for clock skew. 
 Defaults to 150 (2.5 minutes) if set to 0 and can be disabled if set to -1.`,
 				Default: claimDefaultLeeway,
 			},
 			"clock_skew_leeway": {
 				Type: framework.TypeSignedDurationSecond,
-				Description: `Duration in seconds of leeway when validating all claims to account for clock skew.
+				Description: `Duration in seconds of leeway when validating all claims to account for clock skew. 
 Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.`,
 				Default: jwt.DefaultLeeway,
 			},
@@ -120,10 +120,6 @@ Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.`,
 				Type:        framework.TypeCommaStringSlice,
 				Description: `Comma-separated list of 'aud' claims that are valid for login; any match is sufficient`,
 			},
-			"bound_audience_disregard_trailing_slash": {
-				Type:        framework.TypeBool,
-				Description: `If true, ignores the trailing slash in each bound audience when matching the audience claim in the token.`,
-			},
 			"bound_claims_type": {
 				Type:        framework.TypeString,
 				Description: `How to interpret values in the map of claims/values (which must match for login): allowed values are 'string' or 'glob'`,
@@ -143,7 +139,7 @@ Defaults to 60 (1 minute) if set to 0 and can be disabled if set to -1.`,
 			},
 			"user_claim_json_pointer": {
 				Type: framework.TypeBool,
-				Description: `If true, the user_claim value will use JSON pointer syntax
+				Description: `If true, the user_claim value will use JSON pointer syntax 
 for referencing claims.`,
 			},
 			"groups_claim": {
@@ -160,13 +156,13 @@ for referencing claims.`,
 			},
 			"verbose_oidc_logging": {
 				Type: framework.TypeBool,
-				Description: `Log received OIDC tokens and claims when debug-level logging is active.
-Not recommended in production since sensitive information may be present
+				Description: `Log received OIDC tokens and claims when debug-level logging is active. 
+Not recommended in production since sensitive information may be present 
 in OIDC responses.`,
 			},
 			"max_age": {
 				Type: framework.TypeDurationSecond,
-				Description: `Specifies the allowable elapsed time in seconds since the last time the
+				Description: `Specifies the allowable elapsed time in seconds since the last time the 
 user was actively authenticated.`,
 			},
 		},
@@ -462,26 +458,6 @@ func (b *jwtAuthBackend) pathRoleCreateUpdate(ctx context.Context, req *logical.
 		role.BoundAudiences = boundAudiences.([]string)
 	}
 
-	// disregard the trailing slash (if it exists) on all bound audiences if the flag is set
-	if _, ok := data.GetOk("bound_audience_disregard_trailing_slash"); ok {
-		boundAudiences := []string{}
-		processed := map[string]bool{} // used to prevent duplicate entries
-
-		for _, audience := range role.BoundAudiences {
-			// trim the trailing slash from the audience if it exists
-			audienceWithoutTrailingSlash := strings.TrimRight(audience, "/")
-
-			// add the audience to the list of bound audiences if the audience
-			// without the trailing slash has not already been processed
-			if _, ok := processed[audienceWithoutTrailingSlash]; !ok {
-				boundAudiences = append(boundAudiences, audienceWithoutTrailingSlash)
-				processed[audienceWithoutTrailingSlash] = true
-			}
-		}
-
-		role.BoundAudiences = boundAudiences
-	}
-
 	if boundSubject, ok := data.GetOk("bound_subject"); ok {
 		role.BoundSubject = boundSubject.(string)
 	}
diff --git a/path_role_test.go b/path_role_test.go
@@ -516,84 +516,6 @@ func TestPath_Create(t *testing.T) {
 			t.Fatalf("unexpected err: %v", resp)
 		}
 	})
-
-	t.Run("audiences have trailing slash removed if exists", func(t *testing.T) {
-		b, storage := getBackend(t)
-		originalAudiences := []string{"audience-1/", "audience-2/", "audience-3"}
-
-		data := map[string]interface{}{
-			"role_type":       "jwt",
-			"user_claim":      "user",
-			"policies":        "test",
-			"bound_audiences": strings.Join(originalAudiences, ", "),
-			"bound_audience_disregard_trailing_slash": true,
-		}
-
-		req := &logical.Request{
-			Operation: logical.CreateOperation,
-			Path:      "role/test13",
-			Storage:   storage,
-			Data:      data,
-		}
-
-		resp, err := b.HandleRequest(context.Background(), req)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if resp != nil && resp.IsError() {
-			t.Fatalf("did not expect error")
-		}
-
-		role, err := b.(*jwtAuthBackend).role(context.Background(), storage, "test13")
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		// compare the expected audiences with the actual result
-		expectedAudiences := []string{"audience-1", "audience-2", "audience-3"}
-		if !reflect.DeepEqual(role.BoundAudiences, expectedAudiences) {
-			t.Fatalf("expected audiences: %v, got: %v", expectedAudiences, role.BoundAudiences)
-		}
-	})
-
-	t.Run("duplicate audiences are not included", func(t *testing.T) {
-		b, storage := getBackend(t)
-		originalAudiences := []string{"audience-1/", "audience-1", "audience-3/"}
-
-		data := map[string]interface{}{
-			"role_type":       "jwt",
-			"user_claim":      "user",
-			"policies":        "test",
-			"bound_audiences": strings.Join(originalAudiences, ", "),
-			"bound_audience_disregard_trailing_slash": true,
-		}
-
-		req := &logical.Request{
-			Operation: logical.CreateOperation,
-			Path:      "role/test14",
-			Storage:   storage,
-			Data:      data,
-		}
-
-		resp, err := b.HandleRequest(context.Background(), req)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if resp != nil && resp.IsError() {
-			t.Fatalf("did not expect error")
-		}
-
-		role, err := b.(*jwtAuthBackend).role(context.Background(), storage, "test14")
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		// compare the expected audiences with the actual result
-		expectedAudiences := []string{"audience-1", "audience-3"}
-		if !reflect.DeepEqual(role.BoundAudiences, expectedAudiences) {
-			t.Fatalf("expected audiences: %v, got: %v", expectedAudiences, role.BoundAudiences)
-		}
-	})
 }
 
 func TestPath_OIDCCreate(t *testing.T) {
