TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 01:47:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: app handling compliance (#527)

Browse Source 
* feat: check oidc compliance

* fix: add tests

* fix: add oidc config tests

* fix: add oidc config tests user agent

* fix: test oidc config compliance

* fix: test oidc config compliance

* fix: useragent implicit authmethod none

* fix: merge master

* feat: translate compliance problems

* feat: check native app for custom url

* fix: better compliance handling

* fix: better compliance handling

* feat: add odidc dev mode

* fix: remove deprecated request fro management api

* fix: oidc package version

* fix: migration

* fix: tests

* fix: remove unused functions

* fix: generate proto files

* fix: native implicit and code none compliant

* fix: create project

* Update internal/project/model/oidc_config_test.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
This commit is contained in:
Fabi
2020-08-10 09:34:56 +02:00
committed by GitHub
parent 64f0b191b5
commit 5699fe80d5
27 changed files with 15925 additions and 16502 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/project/model/application_view.go
View File

@@ -14,6 +14,7 @@ type ApplicationView struct {
State AppState
IsOIDC bool
OIDCVersion OIDCVersion
OIDCClientID string
OIDCRedirectUris []string
OIDCResponseTypes []OIDCResponseType
@@ -21,6 +22,9 @@ type ApplicationView struct {
OIDCApplicationType OIDCApplicationType
OIDCAuthMethodType OIDCAuthMethodType
OIDCPostLogoutRedirectUris []string
NoneCompliant bool
ComplianceProblems []string
DevMode bool
Sequence uint64
}

175
internal/project/model/oidc_config.go
View File

@@ -12,6 +12,13 @@ import (
"github.com/caos/zitadel/internal/id"
)
const (
http = "http://"
httpLocalhost = "http://localhost:"
httpLocalhost2 = "http://localhost/"
https = "https://"
)
type OIDCConfig struct {
es_models.ObjectRoot
AppID string
@@ -24,8 +31,17 @@ type OIDCConfig struct {
ApplicationType OIDCApplicationType
AuthMethodType OIDCAuthMethodType
PostLogoutRedirectUris []string
OIDCVersion OIDCVersion
Compliance *Compliance
DevMode bool
}
type OIDCVersion int32
const (
OIDCVersionV1 OIDCVersion = iota
)
type OIDCResponseType int32
const (
@@ -58,10 +74,15 @@ const (
OIDCAuthMethodTypeNone
)
type Compliance struct {
NoneCompliant bool
Problems []string
}
func (c *OIDCConfig) IsValid() bool {
grantTypes := c.getRequiredGrantTypes()
for _, grantType := range grantTypes {
ok := c.containsGrantType(grantType)
ok := containsOIDCGrantType(c.GrantTypes, grantType)
if !ok {
return false
}
@@ -97,6 +118,113 @@ func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string
return stringSecret, nil
}
func (c *OIDCConfig) FillCompliance() {
c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
}
func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
switch version {
case OIDCVersionV1:
return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
}
return nil
}
func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
compliance := &Compliance{NoneCompliant: false}
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
} else {
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
CheckRedirectUrisImplicit(compliance, appType, redirectUris)
}
if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
CheckRedirectUrisCode(compliance, appType, redirectUris)
}
}
switch appType {
case OIDCApplicationTypeNative:
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
case OIDCApplicationTypeUserAgent:
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
}
if compliance.NoneCompliant {
compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
}
return compliance
}
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
}
}
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
if authMethod != OIDCAuthMethodTypeNone {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
}
}
func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
}
}
func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if urlContainsPrefix(redirectUris, http) {
if appType == OIDCApplicationTypeNative {
if !onlyLocalhostIsHttp(redirectUris) {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
}
return
}
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
}
}
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
if urlsAreHttps(redirectUris) {
return
}
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
}
if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
}
if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
compliance.NoneCompliant = true
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
}
if !compliance.NoneCompliant {
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
}
}
func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
grantTypes := make([]OIDCGrantType, 0)
implicit := false
@@ -106,6 +234,7 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
if !implicit {
implicit = true
grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
}
}
@@ -113,11 +242,49 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
return grantTypes
}
func (c *OIDCConfig) containsGrantType(grantType OIDCGrantType) bool {
for _, t := range c.GrantTypes {
if t == grantType {
func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
for _, gt := range grantTypes {
if gt == grantType {
return true
}
}
return false
}
func urlsAreHttps(uris []string) bool {
for _, uri := range uris {
if !strings.HasPrefix(uri, https) {
return false
}
}
return true
}
func urlContainsPrefix(uris []string, prefix string) bool {
for _, uri := range uris {
if strings.HasPrefix(uri, prefix) {
return true
}
}
return false
}
func containsCustom(uris []string) bool {
for _, uri := range uris {
if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
return true
}
}
return false
}
func onlyLocalhostIsHttp(uris []string) bool {
for _, uri := range uris {
if strings.HasPrefix(uri, http) {
if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
return false
}
}
}
return true
}

869
internal/project/model/oidc_config_test.go Normal file
View File

@@ -0,0 +1,869 @@
package model
import (
"reflect"
"testing"
)
func TestGetOIDCC1Compliance(t *testing.T) {
type args struct {
appType OIDCApplicationType
grantTypes []OIDCGrantType
authMethod OIDCAuthMethodType
redirectUris []string
}
type result struct {
noneCompliant bool
complianceProblems []string
}
tests := []struct {
name string
args args
result result
}{
{
name: "Native: codeflow custom redirect (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: codeflow http redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow http://localhost redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow http://localhost: redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Native: codeflow https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: codeflow invalid authmethod type (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Native.AuthMethodType.NotNone",
},
},
},
{
name: "Native: implicit custom redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "Native: implicit http redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost",
},
},
},
{
name: "Native: implicit http://localhost redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit http://localhost: redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit https redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Native: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeNative,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "Web: code https redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: code http redirect uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: code custom redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
},
},
},
{
name: "Web: implicit https uri (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: implicit http redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit custom redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "Web: implicit http://localhost redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit http://localhost: redirect uri (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "Web: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "Web: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeWeb,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "UserAgent: code https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: code http redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code http:localhost redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code http:localhost redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
},
},
},
{
name: "UserAgent: code custom redirect (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
},
},
},
{
name: "UserAgent: code authmethod type not none (not compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.chauth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
},
},
},
{
name: "UserAgent: implicit https redirect (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: implicit http redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit custom redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
{
name: "UserAgent: implicit http://localhost redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit http://localhost: redirect (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"http://localhost:1234/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
},
},
},
{
name: "UserAgent: implicit auth method not none (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
authMethod: OIDCAuthMethodTypePost,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
},
},
},
{
name: "UserAgent: implicit and code (compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
},
},
result: result{
noneCompliant: false,
},
},
{
name: "UserAgent: implicit and code (none compliant)",
args: args{
appType: OIDCApplicationTypeUserAgent,
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
authMethod: OIDCAuthMethodTypeNone,
redirectUris: []string{
"https://zitadel.ch/auth/callback",
"zitadel://auth/callback",
},
},
result: result{
noneCompliant: true,
complianceProblems: []string{
"Application.OIDC.V1.NotCompliant",
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := GetOIDCV1Compliance(tt.args.appType, tt.args.grantTypes, tt.args.authMethod, tt.args.redirectUris)
if tt.result.noneCompliant != result.NoneCompliant {
t.Errorf("got wrong result nonecompliant: expected: %v, actual: %v ", tt.result.noneCompliant, result.NoneCompliant)
}
if tt.result.noneCompliant {
if len(tt.result.complianceProblems) != len(result.Problems) {
t.Errorf("got wrong result compliance problems len: expected: %v, actual: %v ", len(tt.result.complianceProblems), len(result.Problems))
}
if !reflect.DeepEqual(tt.result.complianceProblems, result.Problems) {
t.Errorf("got wrong result compliance problems: expected: %v, actual: %v ", tt.result.complianceProblems, result.Problems)
}
}
})
}
}
func TestGetRequiredGrantTypes(t *testing.T) {
type args struct {
oidcConfig OIDCConfig
}
tests := []struct {
name string
args args
result []OIDCGrantType
}{
{
name: "oidc response type code",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
},
},
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
},
{
name: "oidc response type id_token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeImplicit},
},
{
name: "oidc response type id_token and id_token token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeImplicit},
},
{
name: "oidc response type code, id_token and id_token token",
args: args{
oidcConfig: OIDCConfig{
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
},
},
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := tt.args.oidcConfig.getRequiredGrantTypes()
if !reflect.DeepEqual(tt.result, result) {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestContainsOIDCGrantType(t *testing.T) {
type args struct {
grantTypes []OIDCGrantType
grantType OIDCGrantType
}
tests := []struct {
name string
args args
result bool
}{
{
name: "contains grant type",
args: args{
grantTypes: []OIDCGrantType{
OIDCGrantTypeAuthorizationCode,
OIDCGrantTypeImplicit,
},
grantType: OIDCGrantTypeImplicit,
},
result: true,
},
{
name: "doesnt contain grant type",
args: args{
grantTypes: []OIDCGrantType{
OIDCGrantTypeAuthorizationCode,
OIDCGrantTypeRefreshToken,
},
grantType: OIDCGrantTypeImplicit,
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := containsOIDCGrantType(tt.args.grantTypes, tt.args.grantType)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestUrlsAreHttps(t *testing.T) {
type args struct {
uris []string
}
tests := []struct {
name string
args args
result bool
}{
{
name: "only https uris",
args: args{
uris: []string{
"https://zitadel.ch",
"https://caos.ch",
},
},
result: true,
},
{
name: "http localhost uris",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost",
},
},
result: false,
},
{
name: "http not localhsot",
args: args{
uris: []string{
"https://zitadel.com",
"http://caos.ch",
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := urlsAreHttps(tt.args.uris)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}
func TestOnlyLocalhostIsHttp(t *testing.T) {
type args struct {
uris []string
}
tests := []struct {
name string
args args
result bool
}{
{
name: "http not localhost",
args: args{
uris: []string{
"https://zitadel.com",
"http://caos.ch",
},
},
result: false,
},
{
name: "http localhost/",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost/auth/callback",
},
},
result: true,
},
{
name: "http not localhost:",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost:9090",
},
},
result: true,
},
{
name: "http not localhost",
args: args{
uris: []string{
"https://zitadel.com",
"http://localhost:9090",
"http://zitadel.ch",
},
},
result: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
result := onlyLocalhostIsHttp(tt.args.uris)
if result != tt.result {
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
}
})
}
}

1
internal/project/repository/eventsourcing/eventstore.go
View File

@@ -534,6 +534,7 @@ func (es *ProjectEventstore) AddApplication(ctx context.Context, app *proj_model
if _, a := model.GetApplication(repoProject.Applications, app.AppID); a != nil {
converted := model.AppToModel(a)
converted.OIDCConfig.ClientSecretString = stringPw
converted.OIDCConfig.FillCompliance()
return converted, nil
}
return nil, caos_errs.ThrowInternal(nil, "EVENT-GvPct", "Errors.Internal")

16
internal/project/repository/eventsourcing/model/oidc_config.go
View File

@@ -11,6 +11,7 @@ import (
type OIDCConfig struct {
es_models.ObjectRoot
Version int32 `json:"oidcVersion,omitempty"`
AppID string `json:"appId"`
ClientID string `json:"clientId,omitempty"`
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
@@ -20,6 +21,7 @@ type OIDCConfig struct {
ApplicationType int32 `json:"applicationType,omitempty"`
AuthMethodType int32 `json:"authMethodType,omitempty"`
PostLogoutRedirectUris []string `json:"postLogoutRedirectUris,omitempty"`
DevMode bool `json:"devMode,omitempty"`
}
func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -40,9 +42,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
if c.AuthMethodType != changed.AuthMethodType {
changes["authMethodType"] = changed.AuthMethodType
}
if c.Version != changed.Version {
changes["oidcVersion"] = changed.Version
}
if !reflect.DeepEqual(c.PostLogoutRedirectUris, changed.PostLogoutRedirectUris) {
changes["postLogoutRedirectUris"] = changed.PostLogoutRedirectUris
}
if c.DevMode != changed.DevMode {
changes["devMode"] = changed.DevMode
}
return changes
}
@@ -58,6 +66,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
return &OIDCConfig{
ObjectRoot: config.ObjectRoot,
AppID: config.AppID,
Version: int32(config.OIDCVersion),
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectUris: config.RedirectUris,
@@ -66,6 +75,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
ApplicationType: int32(config.ApplicationType),
AuthMethodType: int32(config.AuthMethodType),
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
DevMode: config.DevMode,
}
}
@@ -78,9 +88,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
for i, rt := range config.GrantTypes {
grantTypes[i] = model.OIDCGrantType(rt)
}
return &model.OIDCConfig{
oidcConfig := &model.OIDCConfig{
ObjectRoot: config.ObjectRoot,
AppID: config.AppID,
OIDCVersion: model.OIDCVersion(config.Version),
ClientID: config.ClientID,
ClientSecret: config.ClientSecret,
RedirectUris: config.RedirectUris,
@@ -89,7 +100,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
ApplicationType: model.OIDCApplicationType(config.ApplicationType),
AuthMethodType: model.OIDCAuthMethodType(config.AuthMethodType),
PostLogoutRedirectUris: config.PostLogoutRedirectUris,
DevMode: config.DevMode,
}
oidcConfig.FillCompliance()
return oidcConfig
}
func (p *Project) appendAddOIDCConfigEvent(event *es_models.Event) error {

2
internal/project/repository/eventsourcing/project.go
View File

@@ -2,6 +2,7 @@ package eventsourcing
import (
"context"
"github.com/caos/zitadel/internal/api/authz"
"github.com/caos/zitadel/internal/crypto"
"github.com/caos/zitadel/internal/errors"
@@ -46,6 +47,7 @@ func ProjectCreateAggregate(aggCreator *es_models.AggregateCreator, project *mod
}
validationQuery := es_models.NewSearchQuery().
AggregateTypeFilter(model.ProjectAggregate).
ResourceOwnerFilter(authz.GetCtxData(ctx).OrgID).
EventTypesFilter(model.ProjectAdded, model.ProjectChanged, model.ProjectRemoved)
validation := addProjectValidation(project.Name)

23
internal/project/repository/view/model/application.go
View File

@@ -28,6 +28,7 @@ type ApplicationView struct {
State int32 `json:"-" gorm:"column:app_state"`
IsOIDC bool `json:"-" gorm:"column:is_oidc"`
OIDCVersion int32 `json:"oidcVersion" gorm:"column:oidc_version"`
OIDCClientID string `json:"clientId" gorm:"column:oidc_client_id"`
OIDCRedirectUris pq.StringArray `json:"redirectUris" gorm:"column:oidc_redirect_uris"`
OIDCResponseTypes pq.Int64Array `json:"responseTypes" gorm:"column:oidc_response_types"`
@@ -35,6 +36,9 @@ type ApplicationView struct {
OIDCApplicationType int32 `json:"applicationType" gorm:"column:oidc_application_type"`
OIDCAuthMethodType int32 `json:"authMethodType" gorm:"column:oidc_auth_method_type"`
OIDCPostLogoutRedirectUris pq.StringArray `json:"postLogoutRedirectUris" gorm:"column:oidc_post_logout_redirect_uris"`
NoneCompliant bool `json:"-" gorm:"column:none_compliant"`
ComplianceProblems pq.StringArray `json:"-" gorm:"column:compliance_problems"`
DevMode bool `json:"devMode" gorm:"column:dev_mode"`
Sequence uint64 `json:"-" gorm:"sequence"`
}
@@ -57,6 +61,7 @@ func ApplicationViewFromModel(app *model.ApplicationView) *ApplicationView {
OIDCApplicationType: int32(app.OIDCApplicationType),
OIDCAuthMethodType: int32(app.OIDCAuthMethodType),
OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
DevMode: app.DevMode,
}
}
@@ -87,6 +92,7 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
ChangeDate: app.ChangeDate,
IsOIDC: app.IsOIDC,
OIDCVersion: model.OIDCVersion(app.OIDCVersion),
OIDCClientID: app.OIDCClientID,
OIDCRedirectUris: app.OIDCRedirectUris,
OIDCResponseTypes: OIDCResponseTypesToModel(app.OIDCResponseTypes),
@@ -94,6 +100,9 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
OIDCApplicationType: model.OIDCApplicationType(app.OIDCApplicationType),
OIDCAuthMethodType: model.OIDCAuthMethodType(app.OIDCAuthMethodType),
OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
NoneCompliant: app.NoneCompliant,
ComplianceProblems: app.ComplianceProblems,
DevMode: app.DevMode,
}
}
@@ -132,9 +141,17 @@ func (a *ApplicationView) AppendEvent(event *models.Event) (err error) {
case es_model.OIDCConfigAdded:
a.IsOIDC = true
err = a.SetData(event)
if err != nil {
return err
}
a.setCompliance()
case es_model.OIDCConfigChanged,
es_model.ApplicationChanged:
err = a.SetData(event)
if err != nil {
return err
}
a.setCompliance()
case es_model.ApplicationDeactivated:
a.State = int32(model.AppStateInactive)
case es_model.ApplicationReactivated:
@@ -154,3 +171,9 @@ func (a *ApplicationView) SetData(event *models.Event) error {
}
return nil
}
func (a *ApplicationView) setCompliance() {
compliance := model.GetOIDCCompliance(model.OIDCVersion(a.OIDCVersion), model.OIDCApplicationType(a.OIDCApplicationType), OIDCGrantTypesToModel(a.OIDCGrantTypes), OIDCResponseTypesToModel(a.OIDCResponseTypes), model.OIDCAuthMethodType(a.OIDCAuthMethodType), a.OIDCPostLogoutRedirectUris)
a.NoneCompliant = compliance.NoneCompliant
a.ComplianceProblems = compliance.Problems
}