mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
fix(configuration): sector identifier not parsed correctly (#3142)
This fixes an issue preventing the sector identifier for OpenID Connect clients from being parsed.
This commit is contained in:
parent
66a450ed38
commit
44bd70712c
|
@ -171,6 +171,10 @@ func validateOIDCClients(config *schema.OpenIDConnectConfiguration, validator *s
|
||||||
|
|
||||||
func validateOIDCClientSectorIdentifier(client schema.OpenIDConnectClientConfiguration, validator *schema.StructValidator) {
|
func validateOIDCClientSectorIdentifier(client schema.OpenIDConnectClientConfiguration, validator *schema.StructValidator) {
|
||||||
if client.SectorIdentifier.String() != "" {
|
if client.SectorIdentifier.String() != "" {
|
||||||
|
if utils.IsURLHostComponent(client.SectorIdentifier) || utils.IsURLHostComponentWithPort(client.SectorIdentifier) {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
if client.SectorIdentifier.Scheme != "" {
|
if client.SectorIdentifier.Scheme != "" {
|
||||||
validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "scheme", client.SectorIdentifier.Scheme))
|
validator.Push(fmt.Errorf(errFmtOIDCClientInvalidSectorIdentifier, client.ID, client.SectorIdentifier.String(), client.SectorIdentifier.Host, "scheme", client.SectorIdentifier.Scheme))
|
||||||
|
|
||||||
|
|
|
@ -245,6 +245,34 @@ func TestShouldRaiseErrorWhenOIDCServerClientBadValues(t *testing.T) {
|
||||||
fmt.Sprintf(errFmtOIDCClientRedirectURIAbsolute, "client-check-uri-abs", "google.com"),
|
fmt.Sprintf(errFmtOIDCClientRedirectURIAbsolute, "client-check-uri-abs", "google.com"),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Name: "ValidSectorIdentifier",
|
||||||
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
||||||
|
{
|
||||||
|
ID: "client-valid-sector",
|
||||||
|
Secret: "a-secret",
|
||||||
|
Policy: policyTwoFactor,
|
||||||
|
RedirectURIs: []string{
|
||||||
|
"https://google.com",
|
||||||
|
},
|
||||||
|
SectorIdentifier: mustParseURL("example.com"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Name: "ValidSectorIdentifierWithPort",
|
||||||
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
||||||
|
{
|
||||||
|
ID: "client-valid-sector",
|
||||||
|
Secret: "a-secret",
|
||||||
|
Policy: policyTwoFactor,
|
||||||
|
RedirectURIs: []string{
|
||||||
|
"https://google.com",
|
||||||
|
},
|
||||||
|
SectorIdentifier: mustParseURL("example.com:2000"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
Name: "InvalidSectorIdentifierInvalidURL",
|
Name: "InvalidSectorIdentifierInvalidURL",
|
||||||
Clients: []schema.OpenIDConnectClientConfiguration{
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
||||||
|
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
"unicode"
|
"unicode"
|
||||||
|
@ -287,6 +288,26 @@ func JoinAndCanonicalizeHeaders(sep []byte, headers ...string) (joined []byte) {
|
||||||
return joined
|
return joined
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsURLHostComponent returns true if the provided url.URL that was parsed from a string to a url.URL via url.Parse is
|
||||||
|
// just a hostname. This is needed because of the way this function parses such strings.
|
||||||
|
func IsURLHostComponent(u url.URL) (isHostComponent bool) {
|
||||||
|
return u.Path != "" && u.Scheme == "" && u.Host == "" && u.RawPath == "" && u.Opaque == "" &&
|
||||||
|
u.RawQuery == "" && u.Fragment == "" && u.RawFragment == ""
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsURLHostComponentWithPort returns true if the provided url.URL that was parsed from a string to a url.URL via
|
||||||
|
// url.Parse is just a hostname with a port. This is needed because of the way this function parses such strings.
|
||||||
|
func IsURLHostComponentWithPort(u url.URL) (isHostComponentWithPort bool) {
|
||||||
|
if u.Opaque != "" && u.Scheme != "" && u.Host == "" && u.Path == "" && u.RawPath == "" &&
|
||||||
|
u.RawQuery == "" && u.Fragment == "" && u.RawFragment == "" {
|
||||||
|
_, err := strconv.Atoi(u.Opaque)
|
||||||
|
|
||||||
|
return err == nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
rand.Seed(time.Now().UnixNano())
|
rand.Seed(time.Now().UnixNano())
|
||||||
}
|
}
|
||||||
|
|
|
@ -262,3 +262,53 @@ func TestJoinAndCanonicalizeHeaders(t *testing.T) {
|
||||||
|
|
||||||
assert.Equal(t, []byte("X-Example-One, X-Egg-Two"), result)
|
assert.Equal(t, []byte("X-Example-One, X-Egg-Two"), result)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestIsURLHostComponent(t *testing.T) {
|
||||||
|
testCases := []struct {
|
||||||
|
desc, have string
|
||||||
|
expectedA, expectedB bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
desc: "ShouldBeFalseWithScheme",
|
||||||
|
have: "https://google.com",
|
||||||
|
expectedA: false, expectedB: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "ShouldBeTrueForHostComponentButFalseForWithPort",
|
||||||
|
have: "google.com",
|
||||||
|
expectedA: true, expectedB: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "ShouldBeFalseForHostComponentButTrueForWithPort",
|
||||||
|
have: "google.com:8000",
|
||||||
|
expectedA: false, expectedB: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "ShouldBeFalseWithPath",
|
||||||
|
have: "google.com:8000/path",
|
||||||
|
expectedA: false, expectedB: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "ShouldBeFalseWithFragment",
|
||||||
|
have: "google.com:8000#test",
|
||||||
|
expectedA: false, expectedB: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
desc: "ShouldBeFalseWithQuery",
|
||||||
|
have: "google.com:8000?test=1",
|
||||||
|
expectedA: false, expectedB: false,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range testCases {
|
||||||
|
t.Run(tc.desc, func(t *testing.T) {
|
||||||
|
u, err := url.Parse(tc.have)
|
||||||
|
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.NotNil(t, u)
|
||||||
|
|
||||||
|
assert.Equal(t, tc.expectedA, IsURLHostComponent(*u))
|
||||||
|
assert.Equal(t, tc.expectedB, IsURLHostComponentWithPort(*u))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user