From 1f1d04ac29490deb8a9125af52477c220ea3e08a Mon Sep 17 00:00:00 2001 From: Akshay Gaikwad Date: Fri, 6 May 2022 12:31:19 +0530 Subject: [PATCH] OIdC Provider: Validate Urls The mapperUrl, issuerUrl, authUrl and tokenUrl supports file://, http(s):// and base64:// urls. --- pkg/service/oidc_provider.go | 54 +++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 16 deletions(-) diff --git a/pkg/service/oidc_provider.go b/pkg/service/oidc_provider.go index abb82a8..5edb5d0 100644 --- a/pkg/service/oidc_provider.go +++ b/pkg/service/oidc_provider.go @@ -6,7 +6,7 @@ import ( "errors" "fmt" "net" - "net/url" + "strings" "time" "github.com/RafayLabs/rcloud-base/internal/dao" @@ -51,9 +51,20 @@ func generateCallbackUrl(id string, kUrl string) string { return fmt.Sprintf("%s://%s/self-service/methods/oidc/callback/%s", scheme, host, id) } -func validateURL(rawURL string) error { - _, err := url.ParseRequestURI(rawURL) - return err +func validateURL(rawURL string) bool { + var valid bool + pfx := []string{ + "file://", + "http://", + "https://", + "base64://", + } + for _, p := range pfx { + if strings.HasPrefix(rawURL, p) { + valid = true + } + } + return valid } func (s *oidcProvider) getPartnerOrganization(ctx context.Context, provider *systemv3.OIDCProvider) (uuid.UUID, uuid.UUID, error) { @@ -108,7 +119,7 @@ func (s *oidcProvider) Create(ctx context.Context, provider *systemv3.OIDCProvid if p != nil { return nil, fmt.Errorf("DUPLICATE ISSUER URL") } - if validateURL(issUrl) != nil { + if !validateURL(issUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID ISSUER URL") } @@ -116,13 +127,13 @@ func (s *oidcProvider) Create(ctx context.Context, provider *systemv3.OIDCProvid authUrl := provider.Spec.GetAuthUrl() tknUrl := provider.Spec.GetTokenUrl() - if len(mapUrl) != 0 && validateURL(mapUrl) != nil { + if len(mapUrl) != 0 && !validateURL(mapUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID MAPPER URL") } - if len(authUrl) != 0 && validateURL(authUrl) != nil { + if len(authUrl) != 0 && !validateURL(authUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID AUTH URL") } - if len(tknUrl) != 0 && validateURL(tknUrl) != nil { + if len(tknUrl) != 0 && !validateURL(tknUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID TOKEN URL") } @@ -316,7 +327,11 @@ func (s *oidcProvider) Update(ctx context.Context, provider *systemv3.OIDCProvid } scopes := provider.GetSpec().GetScopes() if scopes == nil || len(scopes) == 0 { - return &systemv3.OIDCProvider{}, fmt.Errorf("EMPTY SCOPES") + return &systemv3.OIDCProvider{}, fmt.Errorf("NO SCOPES") + } + issUrl := provider.GetSpec().GetIssuerUrl() + if len(issUrl) == 0 { + return &systemv3.OIDCProvider{}, fmt.Errorf("EMPTY ISSUER URL") } partnerId, organizationId, err := s.getPartnerOrganization(ctx, provider) @@ -333,22 +348,29 @@ func (s *oidcProvider) Update(ctx context.Context, provider *systemv3.OIDCProvid return &systemv3.OIDCProvider{}, status.Error(codes.Internal, codes.Internal.String()) } } + p, _ := dao.GetM(ctx, s.db, map[string]interface{}{ + "issuer_url": issUrl, + "partner_id": partnerId, + "organization_id": organizationId, + }, &models.OIDCProvider{}) + if p != nil { + return nil, fmt.Errorf("DUPLICATE ISSUER URL") + } + if !validateURL(issUrl) { + return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID ISSUER URL") + } mapUrl := provider.Spec.GetMapperUrl() - issUrl := provider.Spec.GetIssuerUrl() authUrl := provider.Spec.GetAuthUrl() tknUrl := provider.Spec.GetTokenUrl() - if len(mapUrl) != 0 && validateURL(mapUrl) != nil { + if len(mapUrl) != 0 && !validateURL(mapUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID MAPPER URL") } - if len(issUrl) != 0 && validateURL(issUrl) != nil { - return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID ISSUER URL") - } - if len(authUrl) != 0 && validateURL(authUrl) != nil { + if len(authUrl) != 0 && !validateURL(authUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID AUTH URL") } - if len(tknUrl) != 0 && validateURL(tknUrl) != nil { + if len(tknUrl) != 0 && !validateURL(tknUrl) { return &systemv3.OIDCProvider{}, fmt.Errorf("INVALID TOKEN URL") }