mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:37:32 +00:00
feat: app handling compliance (#527)
* feat: check oidc compliance * fix: add tests * fix: add oidc config tests * fix: add oidc config tests user agent * fix: test oidc config compliance * fix: test oidc config compliance * fix: useragent implicit authmethod none * fix: merge master * feat: translate compliance problems * feat: check native app for custom url * fix: better compliance handling * fix: better compliance handling * feat: add odidc dev mode * fix: remove deprecated request fro management api * fix: oidc package version * fix: migration * fix: tests * fix: remove unused functions * fix: generate proto files * fix: native implicit and code none compliant * fix: create project * Update internal/project/model/oidc_config_test.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests Co-authored-by: Livio Amstutz <livio.a@gmail.com>
This commit is contained in:
Fabi
@@ -14,6 +14,7 @@ type ApplicationView struct {
|
||||
State AppState
|
||||
|
||||
IsOIDC bool
|
||||
OIDCVersion OIDCVersion
|
||||
OIDCClientID string
|
||||
OIDCRedirectUris []string
|
||||
OIDCResponseTypes []OIDCResponseType
|
||||
@@ -21,6 +22,9 @@ type ApplicationView struct {
|
||||
OIDCApplicationType OIDCApplicationType
|
||||
OIDCAuthMethodType OIDCAuthMethodType
|
||||
OIDCPostLogoutRedirectUris []string
|
||||
NoneCompliant bool
|
||||
ComplianceProblems []string
|
||||
DevMode bool
|
||||
|
||||
Sequence uint64
|
||||
}
|
||||
|
||||
@@ -12,6 +12,13 @@ import (
|
||||
"github.com/caos/zitadel/internal/id"
|
||||
)
|
||||
|
||||
const (
|
||||
http = "http://"
|
||||
httpLocalhost = "http://localhost:"
|
||||
httpLocalhost2 = "http://localhost/"
|
||||
https = "https://"
|
||||
)
|
||||
|
||||
type OIDCConfig struct {
|
||||
es_models.ObjectRoot
|
||||
AppID string
|
||||
@@ -24,8 +31,17 @@ type OIDCConfig struct {
|
||||
ApplicationType OIDCApplicationType
|
||||
AuthMethodType OIDCAuthMethodType
|
||||
PostLogoutRedirectUris []string
|
||||
OIDCVersion OIDCVersion
|
||||
Compliance *Compliance
|
||||
DevMode bool
|
||||
}
|
||||
|
||||
type OIDCVersion int32
|
||||
|
||||
const (
|
||||
OIDCVersionV1 OIDCVersion = iota
|
||||
)
|
||||
|
||||
type OIDCResponseType int32
|
||||
|
||||
const (
|
||||
@@ -58,10 +74,15 @@ const (
|
||||
OIDCAuthMethodTypeNone
|
||||
)
|
||||
|
||||
type Compliance struct {
|
||||
NoneCompliant bool
|
||||
Problems []string
|
||||
}
|
||||
|
||||
func (c *OIDCConfig) IsValid() bool {
|
||||
grantTypes := c.getRequiredGrantTypes()
|
||||
for _, grantType := range grantTypes {
|
||||
ok := c.containsGrantType(grantType)
|
||||
ok := containsOIDCGrantType(c.GrantTypes, grantType)
|
||||
if !ok {
|
||||
return false
|
||||
}
|
||||
@@ -97,6 +118,113 @@ func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string
|
||||
return stringSecret, nil
|
||||
}
|
||||
|
||||
func (c *OIDCConfig) FillCompliance() {
|
||||
c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
|
||||
}
|
||||
|
||||
func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
|
||||
switch version {
|
||||
case OIDCVersionV1:
|
||||
return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
|
||||
compliance := &Compliance{NoneCompliant: false}
|
||||
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
|
||||
CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
|
||||
} else {
|
||||
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
|
||||
CheckRedirectUrisImplicit(compliance, appType, redirectUris)
|
||||
}
|
||||
if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
|
||||
CheckRedirectUrisCode(compliance, appType, redirectUris)
|
||||
}
|
||||
}
|
||||
|
||||
switch appType {
|
||||
case OIDCApplicationTypeNative:
|
||||
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
|
||||
case OIDCApplicationTypeUserAgent:
|
||||
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
|
||||
}
|
||||
if compliance.NoneCompliant {
|
||||
compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
|
||||
}
|
||||
return compliance
|
||||
}
|
||||
|
||||
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
|
||||
if authMethod != OIDCAuthMethodTypeNone {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
|
||||
}
|
||||
}
|
||||
|
||||
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
|
||||
if authMethod != OIDCAuthMethodTypeNone {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
|
||||
}
|
||||
}
|
||||
|
||||
func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
|
||||
if urlsAreHttps(redirectUris) {
|
||||
return
|
||||
}
|
||||
if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
|
||||
}
|
||||
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
|
||||
}
|
||||
}
|
||||
|
||||
func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
|
||||
if urlsAreHttps(redirectUris) {
|
||||
return
|
||||
}
|
||||
if containsCustom(redirectUris) {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
|
||||
}
|
||||
if urlContainsPrefix(redirectUris, http) {
|
||||
if appType == OIDCApplicationTypeNative {
|
||||
if !onlyLocalhostIsHttp(redirectUris) {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
|
||||
}
|
||||
return
|
||||
}
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
|
||||
}
|
||||
}
|
||||
|
||||
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
|
||||
if urlsAreHttps(redirectUris) {
|
||||
return
|
||||
}
|
||||
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
|
||||
}
|
||||
if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
|
||||
}
|
||||
if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
|
||||
compliance.NoneCompliant = true
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
|
||||
}
|
||||
if !compliance.NoneCompliant {
|
||||
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
|
||||
}
|
||||
}
|
||||
|
||||
func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
|
||||
grantTypes := make([]OIDCGrantType, 0)
|
||||
implicit := false
|
||||
@@ -106,6 +234,7 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
|
||||
grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
|
||||
case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
|
||||
if !implicit {
|
||||
implicit = true
|
||||
grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
|
||||
}
|
||||
}
|
||||
@@ -113,11 +242,49 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
|
||||
return grantTypes
|
||||
}
|
||||
|
||||
func (c *OIDCConfig) containsGrantType(grantType OIDCGrantType) bool {
|
||||
for _, t := range c.GrantTypes {
|
||||
if t == grantType {
|
||||
func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
|
||||
for _, gt := range grantTypes {
|
||||
if gt == grantType {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func urlsAreHttps(uris []string) bool {
|
||||
for _, uri := range uris {
|
||||
if !strings.HasPrefix(uri, https) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func urlContainsPrefix(uris []string, prefix string) bool {
|
||||
for _, uri := range uris {
|
||||
if strings.HasPrefix(uri, prefix) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func containsCustom(uris []string) bool {
|
||||
for _, uri := range uris {
|
||||
if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func onlyLocalhostIsHttp(uris []string) bool {
|
||||
for _, uri := range uris {
|
||||
if strings.HasPrefix(uri, http) {
|
||||
if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
869
internal/project/model/oidc_config_test.go
Normal file
869
internal/project/model/oidc_config_test.go
Normal file
@@ -0,0 +1,869 @@
|
||||
package model
|
||||
|
||||
import (
|
||||
"reflect"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestGetOIDCC1Compliance(t *testing.T) {
|
||||
type args struct {
|
||||
appType OIDCApplicationType
|
||||
grantTypes []OIDCGrantType
|
||||
authMethod OIDCAuthMethodType
|
||||
redirectUris []string
|
||||
}
|
||||
type result struct {
|
||||
noneCompliant bool
|
||||
complianceProblems []string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result result
|
||||
}{
|
||||
{
|
||||
name: "Native: codeflow custom redirect (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: codeflow http redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: codeflow http://localhost redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: codeflow http://localhost: redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost:1234/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: codeflow https redirect (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: codeflow invalid authmethod type (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypePost,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Native.AuthMethodType.NotNone",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit custom redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit http redirect uri (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit http://localhost redirect uri (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit http://localhost: redirect uri (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost:1234/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit https redirect uri (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit and code (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Native: implicit and code (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeNative,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: code https redirect uri (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: code http redirect uri (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: code custom redirect uri (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit https uri (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit http redirect uri (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit custom redirect uri (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit http://localhost redirect uri (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit http://localhost: redirect uri (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost:1234/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit and code (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "Web: implicit and code (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeWeb,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: code https redirect (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: code http redirect (not compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: code http:localhost redirect (not compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: code http:localhost redirect (not compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost:1234/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: code custom redirect (not compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: code authmethod type not none (not compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypePost,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.chauth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit https redirect (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit http redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit custom redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit http://localhost redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit http://localhost: redirect (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"http://localhost:1234/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit auth method not none (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
authMethod: OIDCAuthMethodTypePost,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit and code (compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: false,
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "UserAgent: implicit and code (none compliant)",
|
||||
args: args{
|
||||
appType: OIDCApplicationTypeUserAgent,
|
||||
grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
|
||||
authMethod: OIDCAuthMethodTypeNone,
|
||||
redirectUris: []string{
|
||||
"https://zitadel.ch/auth/callback",
|
||||
"zitadel://auth/callback",
|
||||
},
|
||||
},
|
||||
result: result{
|
||||
noneCompliant: true,
|
||||
complianceProblems: []string{
|
||||
"Application.OIDC.V1.NotCompliant",
|
||||
"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := GetOIDCV1Compliance(tt.args.appType, tt.args.grantTypes, tt.args.authMethod, tt.args.redirectUris)
|
||||
if tt.result.noneCompliant != result.NoneCompliant {
|
||||
t.Errorf("got wrong result nonecompliant: expected: %v, actual: %v ", tt.result.noneCompliant, result.NoneCompliant)
|
||||
}
|
||||
if tt.result.noneCompliant {
|
||||
if len(tt.result.complianceProblems) != len(result.Problems) {
|
||||
t.Errorf("got wrong result compliance problems len: expected: %v, actual: %v ", len(tt.result.complianceProblems), len(result.Problems))
|
||||
}
|
||||
if !reflect.DeepEqual(tt.result.complianceProblems, result.Problems) {
|
||||
t.Errorf("got wrong result compliance problems: expected: %v, actual: %v ", tt.result.complianceProblems, result.Problems)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetRequiredGrantTypes(t *testing.T) {
|
||||
type args struct {
|
||||
oidcConfig OIDCConfig
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result []OIDCGrantType
|
||||
}{
|
||||
{
|
||||
name: "oidc response type code",
|
||||
args: args{
|
||||
oidcConfig: OIDCConfig{
|
||||
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
|
||||
},
|
||||
},
|
||||
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
|
||||
},
|
||||
{
|
||||
name: "oidc response type id_token",
|
||||
args: args{
|
||||
oidcConfig: OIDCConfig{
|
||||
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
|
||||
},
|
||||
},
|
||||
result: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
},
|
||||
{
|
||||
name: "oidc response type id_token and id_token token",
|
||||
args: args{
|
||||
oidcConfig: OIDCConfig{
|
||||
ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
|
||||
},
|
||||
},
|
||||
result: []OIDCGrantType{OIDCGrantTypeImplicit},
|
||||
},
|
||||
{
|
||||
name: "oidc response type code, id_token and id_token token",
|
||||
args: args{
|
||||
oidcConfig: OIDCConfig{
|
||||
ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
|
||||
},
|
||||
},
|
||||
result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := tt.args.oidcConfig.getRequiredGrantTypes()
|
||||
if !reflect.DeepEqual(tt.result, result) {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestContainsOIDCGrantType(t *testing.T) {
|
||||
type args struct {
|
||||
grantTypes []OIDCGrantType
|
||||
grantType OIDCGrantType
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result bool
|
||||
}{
|
||||
{
|
||||
name: "contains grant type",
|
||||
args: args{
|
||||
grantTypes: []OIDCGrantType{
|
||||
OIDCGrantTypeAuthorizationCode,
|
||||
OIDCGrantTypeImplicit,
|
||||
},
|
||||
grantType: OIDCGrantTypeImplicit,
|
||||
},
|
||||
result: true,
|
||||
},
|
||||
{
|
||||
name: "doesnt contain grant type",
|
||||
args: args{
|
||||
grantTypes: []OIDCGrantType{
|
||||
OIDCGrantTypeAuthorizationCode,
|
||||
OIDCGrantTypeRefreshToken,
|
||||
},
|
||||
grantType: OIDCGrantTypeImplicit,
|
||||
},
|
||||
result: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := containsOIDCGrantType(tt.args.grantTypes, tt.args.grantType)
|
||||
if result != tt.result {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestUrlsAreHttps(t *testing.T) {
|
||||
type args struct {
|
||||
uris []string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result bool
|
||||
}{
|
||||
{
|
||||
name: "only https uris",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.ch",
|
||||
"https://caos.ch",
|
||||
},
|
||||
},
|
||||
result: true,
|
||||
},
|
||||
{
|
||||
name: "http localhost uris",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.com",
|
||||
"http://localhost",
|
||||
},
|
||||
},
|
||||
result: false,
|
||||
},
|
||||
{
|
||||
name: "http not localhsot",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.com",
|
||||
"http://caos.ch",
|
||||
},
|
||||
},
|
||||
result: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := urlsAreHttps(tt.args.uris)
|
||||
if result != tt.result {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestOnlyLocalhostIsHttp(t *testing.T) {
|
||||
type args struct {
|
||||
uris []string
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
result bool
|
||||
}{
|
||||
|
||||
{
|
||||
name: "http not localhost",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.com",
|
||||
"http://caos.ch",
|
||||
},
|
||||
},
|
||||
result: false,
|
||||
},
|
||||
{
|
||||
name: "http localhost/",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.com",
|
||||
"http://localhost/auth/callback",
|
||||
},
|
||||
},
|
||||
result: true,
|
||||
},
|
||||
{
|
||||
name: "http not localhost:",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.com",
|
||||
"http://localhost:9090",
|
||||
},
|
||||
},
|
||||
result: true,
|
||||
},
|
||||
{
|
||||
name: "http not localhost",
|
||||
args: args{
|
||||
uris: []string{
|
||||
"https://zitadel.com",
|
||||
"http://localhost:9090",
|
||||
"http://zitadel.ch",
|
||||
},
|
||||
},
|
||||
result: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
result := onlyLocalhostIsHttp(tt.args.uris)
|
||||
if result != tt.result {
|
||||
t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user