feat: app handling compliance (#527)

* feat: check oidc compliance * fix: add tests * fix: add oidc config tests * fix: add oidc config tests user agent * fix: test oidc config compliance * fix: test oidc config compliance * fix: useragent implicit authmethod none * fix: merge master * feat: translate compliance problems * feat: check native app for custom url * fix: better compliance handling * fix: better compliance handling * feat: add odidc dev mode * fix: remove deprecated request fro management api * fix: oidc package version * fix: migration * fix: tests * fix: remove unused functions * fix: generate proto files * fix: native implicit and code none compliant * fix: create project * Update internal/project/model/oidc_config_test.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 01:37:31 +00:00 · 2020-08-10 09:34:56 +02:00
parent 64f0b191b5
commit 5699fe80d5
27 changed files with 15925 additions and 16502 deletions
--- a/internal/project/model/oidc_config.go
+++ b/internal/project/model/oidc_config.go
@@ -12,6 +12,13 @@ import (
 	"github.com/caos/zitadel/internal/id"
 )

+const (
+	http           = "http://"
+	httpLocalhost  = "http://localhost:"
+	httpLocalhost2 = "http://localhost/"
+	https          = "https://"
+)
+
 type OIDCConfig struct {
 	es_models.ObjectRoot
 	AppID                  string
@@ -24,8 +31,17 @@ type OIDCConfig struct {
 	ApplicationType        OIDCApplicationType
 	AuthMethodType         OIDCAuthMethodType
 	PostLogoutRedirectUris []string
+	OIDCVersion            OIDCVersion
+	Compliance             *Compliance
+	DevMode                bool
 }

+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
 type OIDCResponseType int32

 const (
@@ -58,10 +74,15 @@ const (
 	OIDCAuthMethodTypeNone
 )

+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
 func (c *OIDCConfig) IsValid() bool {
 	grantTypes := c.getRequiredGrantTypes()
 	for _, grantType := range grantTypes {
-		ok := c.containsGrantType(grantType)
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
 		if !ok {
 			return false
 		}
@@ -97,6 +118,113 @@ func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string
 	return stringSecret, nil
 }

+func (c *OIDCConfig) FillCompliance() {
+	c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
+}
+
+func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	switch version {
+	case OIDCVersionV1:
+		return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
+	}
+	return nil
+}
+
+func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	compliance := &Compliance{NoneCompliant: false}
+	if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+		CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
+	} else {
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
+			CheckRedirectUrisImplicit(compliance, appType, redirectUris)
+		}
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+			CheckRedirectUrisCode(compliance, appType, redirectUris)
+		}
+	}
+
+	switch appType {
+	case OIDCApplicationTypeNative:
+		GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
+	case OIDCApplicationTypeUserAgent:
+		GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
+	}
+	if compliance.NoneCompliant {
+		compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
+	}
+	return compliance
+}
+
+func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
+	}
+}
+
+func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
+	}
+}
+
+func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
+	}
+}
+
+func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeNative {
+			if !onlyLocalhostIsHttp(redirectUris) {
+				compliance.NoneCompliant = true
+				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+			}
+			return
+		}
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
+	}
+}
+
+func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
+	}
+	if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if !compliance.NoneCompliant {
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
+	}
+}
+
 func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 	grantTypes := make([]OIDCGrantType, 0)
 	implicit := false
@@ -106,6 +234,7 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
 		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
 			if !implicit {
+				implicit = true
 				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
 			}
 		}
@@ -113,11 +242,49 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 	return grantTypes
 }

-func (c *OIDCConfig) containsGrantType(grantType OIDCGrantType) bool {
-	for _, t := range c.GrantTypes {
-		if t == grantType {
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
+	for _, gt := range grantTypes {
+		if gt == grantType {
 			return true
 		}
 	}
 	return false
 }
+
+func urlsAreHttps(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, https) {
+			return false
+		}
+	}
+	return true
+}
+
+func urlContainsPrefix(uris []string, prefix string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+func containsCustom(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
+			return true
+		}
+	}
+	return false
+}
+
+func onlyLocalhostIsHttp(uris []string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, http) {
+			if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
+				return false
+			}
+		}
+	}
+	return true
+}