in src/go/configgenerator/filtergen/jwt_authn.go [263:311]
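// makeJwtRequirement translates the auth requirements of a service config
// into the JwtRequirement placed in the jwt_authn filter config.
//
// Result shape:
//   - exactly one requirement and allow_missing is false: that requirement is
//     returned on its own;
//   - otherwise: a RequiresAny list with one entry per requirement, followed
//     by an AllowMissing entry when allow_missing is true.
//
// Each requirement is expressed as a bare provider name unless it carries the
// deprecated comma-separated audiences field, in which case the listed
// audiences override the ones configured on the provider.
//
// Security notes:
//   - Audience entries are trimmed and empty entries are dropped, so input
//     such as "aud1, ,aud2" or a trailing comma never puts an empty string
//     into the override list. If nothing remains (for example " " or ","),
//     the requirement falls back to the provider-name form, so the provider's
//     own audience configuration applies rather than an empty override list.
//   - allow_missing adds an AllowMissing alternative to the RequiresAny list.
//     As far as the filter's documented behaviour goes, that admits requests
//     carrying no token at all; callers that need authentication must enforce
//     it elsewhere.
//   - NOTE(review): with an empty requirements slice the result is a
//     RequiresAny list holding zero entries (or only AllowMissing). Confirm
//     that callers never pass an empty slice, or that such a config is
//     rejected downstream rather than interpreted permissively.
func makeJwtRequirement(requirements []*confpb.AuthRequirement, allow_missing bool) *jwtpb.JwtRequirement {
	// By default, multiple requirements are combined as RequiresAny.
	anyOf := &jwtpb.JwtRequirementOrList{}
	requires := &jwtpb.JwtRequirement{
		RequiresType: &jwtpb.JwtRequirement_RequiresAny{
			RequiresAny: anyOf,
		},
	}

	for _, r := range requirements {
		// Note: Audiences in requirements is deprecated, but when present it
		// overrides the audiences of the provider. Blank entries are skipped
		// so that malformed lists cannot introduce an empty audience.
		var audiences []string
		for _, a := range strings.Split(r.GetAudiences(), ",") {
			if a = strings.TrimSpace(a); a != "" {
				audiences = append(audiences, a)
			}
		}

		var require *jwtpb.JwtRequirement
		if len(audiences) == 0 {
			require = &jwtpb.JwtRequirement{
				RequiresType: &jwtpb.JwtRequirement_ProviderName{
					ProviderName: r.GetProviderId(),
				},
			}
		} else {
			require = &jwtpb.JwtRequirement{
				RequiresType: &jwtpb.JwtRequirement_ProviderAndAudiences{
					ProviderAndAudiences: &jwtpb.ProviderWithAudiences{
						ProviderName: r.GetProviderId(),
						Audiences:    audiences,
					},
				},
			}
		}

		// A lone requirement without allow_missing needs no RequiresAny
		// wrapper; the loop has exactly one iteration in this case.
		if len(requirements) == 1 && !allow_missing {
			return require
		}
		anyOf.Requirements = append(anyOf.Requirements, require)
	}

	if allow_missing {
		anyOf.Requirements = append(anyOf.Requirements, &jwtpb.JwtRequirement{
			RequiresType: &jwtpb.JwtRequirement_AllowMissing{
				AllowMissing: &emptypb.Empty{},
			},
		})
	}
	return requires
}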