TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 18:07:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: add loopback for native apps redirect_uri (#1690)

Browse Source 
* fix: allow loopback redirect_uri for native apps

* add loopback to native redirect_uri

* fix loopback

* update oidc pkg

* merge

* fix: oidc compliance in read model
This commit is contained in:
Livio Amstutz
2021-05-03 09:07:54 +02:00
committed by GitHub
parent f70adec022
commit 5277dd0818
8 changed files with 140 additions and 1039 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
internal/project/model/oidc_config.go
View File

@@ -8,19 +8,13 @@ import (
"github.com/caos/logging"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/domain"
"github.com/caos/zitadel/internal/errors"
es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
"github.com/caos/zitadel/internal/id"
key_model "github.com/caos/zitadel/internal/key/model"
)
const (
http = "http://"
httpLocalhost = "http://localhost:"
httpLocalhost2 = "http://localhost/"
https = "https://"
)
type OIDCConfig struct {
es_models.ObjectRoot
AppID string
@@ -162,110 +156,19 @@ func (c *OIDCConfig) FillCompliance() {
func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
switch version {
case OIDCVersionV1:
return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
domainGrantTypes := make([]domain.OIDCGrantType, len(grantTypes))
for i, grantType := range grantTypes {
domainGrantTypes[i] = domain.OIDCGrantType(grantType)
}
compliance := domain.GetOIDCV1Compliance(domain.OIDCApplicationType(appType), domainGrantTypes, domain.OIDCAuthMethodType(authMethod), redirectUris)
return &Compliance{
NoneCompliant: compliance.NoneCompliant,
Problems: compliance.Problems,
}
}
return nil
}
func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
compliance := &Compliance{NoneCompliant: false}
if redirectUris == nil || len(redirectUris) == 0 {
compliance.NoneCompliant = true
compliance.Problems = append([]string{"Application.OIDC.V1.NoRedirectUris"}, compliance.Problems...)
}
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
} else {
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
CheckRedirectUrisImplicit(compliance, appType, redirectUris)
}
if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
CheckRedirectUrisCode(compliance, appType, redirectUris)
}
}
switch appType {
case OIDCApplicationTypeNative:
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
case OIDCApplicationTypeUserAgent:
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
}
if compliance.NoneCompliant {
compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
}
return compliance
}
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
}
}
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
}
}
func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
}
}
func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if urlContainsPrefix(redirectUris, http) {
if appType == OIDCApplicationTypeNative {
if !onlyLocalhostIsHttp(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
}
return
}
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
}
}
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
}
if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if !compliance.NoneCompliant {
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
}
}
func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
grantTypes := make([]OIDCGrantType, 0)
implicit := false
@@ -291,41 +194,3 @@ func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType)
}
return false
}
func urlsAreHttps(uris []string) bool {
for _, uri := range uris {
if !strings.HasPrefix(uri, https) {
return false
}
}
return true
}
func urlContainsPrefix(uris []string, prefix string) bool {
for _, uri := range uris {
if strings.HasPrefix(uri, prefix) {
return true
}
}
return false
}
func containsCustom(uris []string) bool {
for _, uri := range uris {
if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
return true
}
}
return false
}
func onlyLocalhostIsHttp(uris []string) bool {
for _, uri := range uris {
if strings.HasPrefix(uri, http) {
if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
return false
}
}
}
return true
}

869
internal/project/model/oidc_config_test.go
View File

@@ -1,869 +0,0 @@
package model
import (
"reflect"
"testing"
)
func TestGetOIDCC1Compliance(t *testing.T) {
type args struct {
appType OIDCApplicationType
grantTypes []OIDCGrantType
authMethod OIDCAuthMethodType
redirectUris []string
}
type result struct {
noneCompliant bool
complianceProblems []string
}
tests := []struct {
name string
args args
result result
}{
{
name: "Native: codeflow custom redirect (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: codeflow http redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow http://localhost redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow http://localhost: redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: codeflow invalid authmethod type (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Native.AuthMethodType.NotNone",
},
},
},
{
name: "Native: implicit custom redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "Native: implicit http redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost",
},
},
},
{
name: "Native: implicit http://localhost redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit http://localhost: redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit https redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Web: code https redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: code http redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: code custom redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
},
},
},
{
name: "Web: implicit https uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: implicit http redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit custom redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "Web: implicit http://localhost redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit http://localhost: redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "UserAgent: code https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: code http redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code http:localhost redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code http:localhost redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code custom redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
},
},
},
{
name: "UserAgent: code authmethod type not none (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.chauth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
},
},
},
{
name: "UserAgent: implicit https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: implicit http redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit custom redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "UserAgent: implicit http://localhost redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit http://localhost: redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit auth method not none (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
},
},
},
{
name: "UserAgent: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := GetOIDCV1Compliance(tt.args.appType, tt.args.grantTypes, tt.args.authMethod, tt.args.redirectUris)
if tt.result.noneCompliant != result.NoneCompliant {
t.Errorf("got wrong result nonecompliant: expected: %v, actual: %v ", tt.result.noneCompliant, result.NoneCompliant)
}
if tt.result.noneCompliant {
if len(tt.result.complianceProblems) != len(result.Problems) {
t.Errorf("got wrong result compliance problems len: expected: %v, actual: %v ", len(tt.result.complianceProblems), len(result.Problems))
}
if !reflect.DeepEqual(tt.result.complianceProblems, result.Problems) {
t.Errorf("got wrong result compliance problems: expected: %v, actual: %v ", tt.result.complianceProblems, result.Problems)
}
}
})
}
}
func TestGetRequiredGrantTypes(t *testing.T) {
type args struct {
oidcConfig OIDCConfig
}
tests := []struct {
name string
args args
result []OIDCGrantType
}{
{
name: "oidc response type code",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
},
},
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
},
{
name: "oidc response type id_token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeImplicit},
},
{
name: "oidc response type id_token and id_token token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeImplicit},
},
{
name: "oidc response type code, id_token and id_token token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := tt.args.oidcConfig.getRequiredGrantTypes()
if !reflect.DeepEqual(tt.result, result) {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestContainsOIDCGrantType(t *testing.T) {
type args struct {
grantTypes []OIDCGrantType
grantType OIDCGrantType
}
tests := []struct {
name string
args args
result bool
}{
{
name: "contains grant type",
args: args{
grantTypes: []OIDCGrantType{
OIDCGrantTypeAuthorizationCode,
OIDCGrantTypeImplicit,
},
grantType: OIDCGrantTypeImplicit,
},
result: true,
},
{
name: "doesnt contain grant type",
args: args{
grantTypes: []OIDCGrantType{
OIDCGrantTypeAuthorizationCode,
OIDCGrantTypeRefreshToken,
},
grantType: OIDCGrantTypeImplicit,
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := containsOIDCGrantType(tt.args.grantTypes, tt.args.grantType)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestUrlsAreHttps(t *testing.T) {
type args struct {
uris []string
}
tests := []struct {
name string
args args
result bool
}{
{
name: "only https uris",
args: args{
uris: []string{
"https://zitadel.ch",
"https://caos.ch",
},
},
result: true,
},
{
name: "http localhost uris",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost",
},
},
result: false,
},
{
name: "http not localhsot",
args: args{
uris: []string{
"https://zitadel.com",
"http://caos.ch",
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := urlsAreHttps(tt.args.uris)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestOnlyLocalhostIsHttp(t *testing.T) {
type args struct {
uris []string
}
tests := []struct {
name string
args args
result bool
}{
{
name: "http not localhost",
args: args{
uris: []string{
"https://zitadel.com",
"http://caos.ch",
},
},
result: false,
},
{
name: "http localhost/",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost/auth/callback",
},
},
result: true,
},
{
name: "http not localhost:",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost:9090",
},
},
result: true,
},
{
name: "http not localhost",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost:9090",
"http://zitadel.ch",
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := onlyLocalhostIsHttp(tt.args.uris)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}