prevent panic caused by accessing unexported fields

This PR fixes a panic caused by predicate trying to access unexported
fields without properly checking if the field is exported.

Instead of accessing the fields by calling `.Interface()`, we always use
the reflect.Value and only call `Interface()` when we reached out to the
last key.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

Author: tigrato

lib.go

@@ -131,7 +131,7 @@ func Not(a BoolPredicate) BoolPredicate {
 
 // GetFieldByTag returns a field from the object based on the tag.
 func GetFieldByTag(ival interface{}, tagName string, fieldNames []string) (interface{}, error) {
-	i, err := getFieldByTag(ival, tagName, fieldNames)
+	i, err := getFieldByTag(reflect.ValueOf(ival), tagName, fieldNames)
 	if err == nil {
 		return i, nil
 	}
@@ -161,12 +161,11 @@ func (n notFoundError) Error() string {
 	return fmt.Sprintf("field name %v is not found", strings.Join(n.fieldNames, "."))
 }
 
-func getFieldByTag(ival interface{}, tagName string, fieldNames []string) (interface{}, error) {
+func getFieldByTag(val reflect.Value, tagName string, fieldNames []string) (interface{}, error) {
 	if len(fieldNames) == 0 {
 		return nil, trace.BadParameter("missing field names")
 	}
 
-	val := reflect.ValueOf(ival)
 	if val.Kind() == reflect.Interface || val.Kind() == reflect.Ptr {
 		val = val.Elem()
 	}
@@ -183,7 +182,7 @@ func getFieldByTag(ival interface{}, tagName string, fieldNames []string) (inter
 
 		// If it's an embedded field, traverse it.
 		if tagValue == "" && valType.Field(i).Anonymous {
-			value := val.Field(i).Interface()
+			value := val.Field(i)
 			val, err := getFieldByTag(value, tagName, fieldNames)
 			if err == nil {
 				return val, nil
@@ -192,9 +191,12 @@ func getFieldByTag(ival interface{}, tagName string, fieldNames []string) (inter
 
 		parts := strings.Split(tagValue, ",")
 		if parts[0] == fieldName {
-			value := val.Field(i).Interface()
+			value := val.Field(i)
 			if len(rest) == 0 {
-				return value, nil
+				if value.CanInterface() {
+					return value.Interface(), nil
+				}
+				return nil, trace.BadParameter("field %v is not accessible", fieldName)
 			}
 
 			return getFieldByTag(value, tagName, rest)

parse_test.go

@@ -408,6 +408,38 @@ func (s *PredicateSuite) TestContains() {
 	s.False(pr.(BoolPredicate)())
 }
 
+func (s *PredicateSuite) TestContainsUnexportedFieldAvoidPanic() {
+	type embedTestStruct struct {
+		Param struct {
+			Key1 map[string][]string `json:"key1,omitempty"`
+			Key2 map[string]string   `json:"key2,omitempty"`
+		} `json:"param,omitempty"`
+	}
+	type LocalTestStruct struct {
+		embedTestStruct
+	}
+	val := LocalTestStruct{
+		embedTestStruct: embedTestStruct{
+			Param: struct {
+				Key1 map[string][]string "json:\"key1,omitempty\""
+				Key2 map[string]string   "json:\"key2,omitempty\""
+			}{
+				Key1: map[string][]string{"key": {"a", "b", "c"}},
+			},
+		},
+	}
+
+	getID := func(fields []string) (interface{}, error) {
+		return GetFieldByTag(val, "json", fields[1:])
+	}
+	p := s.getParserWithOpts(getID, GetStringMapValue)
+
+	pr, err := p.Parse(`Contains(val.param.key1["key"], "a")`)
+	s.NoError(err)
+	s.True(pr.(BoolPredicate)())
+
+}
+
 func (s *PredicateSuite) TestEquals() {
 	val := TestStruct{}
 	val.Param.Key2 = map[string]string{"key": "a"}