mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-18 05:47:32 +00:00
2e8fa82261
* feat: add additional origins on applications * app additional redirects * chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console (#1706) * fix: show org with regex (#1688) * fix: flag mapping (#1699) * chore(deps-dev): bump @angular/cli from 11.2.8 to 11.2.11 in /console Bumps [@angular/cli](https://github.com/angular/angular-cli) from 11.2.8 to 11.2.11. - [Release notes](https://github.com/angular/angular-cli/releases) - [Commits](https://github.com/angular/angular-cli/compare/v11.2.8...v11.2.11) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console (#1703) * fix: show org with regex (#1688) * fix: flag mapping (#1699) * chore(deps-dev): bump stylelint from 13.10.0 to 13.13.1 in /console Bumps [stylelint](https://github.com/stylelint/stylelint) from 13.10.0 to 13.13.1. - [Release notes](https://github.com/stylelint/stylelint/releases) - [Changelog](https://github.com/stylelint/stylelint/blob/master/CHANGELOG.md) - [Commits](https://github.com/stylelint/stylelint/compare/13.10.0...13.13.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console (#1702) * fix: show org with regex (#1688) * fix: flag mapping (#1699) * chore(deps-dev): bump @types/node from 14.14.37 to 15.0.1 in /console Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 14.14.37 to 15.0.1. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console (#1701) * fix: show org with regex (#1688) * fix: flag mapping (#1699) * chore(deps): bump ts-protoc-gen from 0.14.0 to 0.15.0 in /console Bumps [ts-protoc-gen](https://github.com/improbable-eng/ts-protoc-gen) from 0.14.0 to 0.15.0. - [Release notes](https://github.com/improbable-eng/ts-protoc-gen/releases) - [Changelog](https://github.com/improbable-eng/ts-protoc-gen/blob/master/CHANGELOG.md) - [Commits](https://github.com/improbable-eng/ts-protoc-gen/compare/0.14.0...0.15.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump @types/jasmine from 3.6.9 to 3.6.10 in /console (#1682) Bumps [@types/jasmine](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jasmine) from 3.6.9 to 3.6.10. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jasmine) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump @types/google-protobuf in /console (#1681) Bumps [@types/google-protobuf](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/google-protobuf) from 3.7.4 to 3.15.2. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/google-protobuf) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump grpc from 1.24.5 to 1.24.7 in /console (#1666) Bumps [grpc](https://github.com/grpc/grpc-node) from 1.24.5 to 1.24.7. - [Release notes](https://github.com/grpc/grpc-node/releases) - [Commits](https://github.com/grpc/grpc-node/compare/grpc@1.24.5...grpc@1.24.7) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * lock * chore(deps-dev): bump @angular/language-service from 11.2.9 to 11.2.12 in /console (#1704) * fix: show org with regex (#1688) * fix: flag mapping (#1699) * chore(deps-dev): bump @angular/language-service in /console Bumps [@angular/language-service](https://github.com/angular/angular/tree/HEAD/packages/language-service) from 11.2.9 to 11.2.12. - [Release notes](https://github.com/angular/angular/releases) - [Changelog](https://github.com/angular/angular/blob/master/CHANGELOG.md) - [Commits](https://github.com/angular/angular/commits/11.2.12/packages/language-service) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Silvan <silvan.reusser@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * package lock * downgrade grpc * downgrade protobuf types * revert npm packs 🥸 Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Silvan <silvan.reusser@gmail.com>
340 lines
10 KiB
Go
340 lines
10 KiB
Go
package domain
|
|
|
|
import (
|
|
"strings"
|
|
"time"
|
|
|
|
http_util "github.com/caos/zitadel/internal/api/http"
|
|
"github.com/caos/zitadel/internal/crypto"
|
|
"github.com/caos/zitadel/internal/eventstore/v1/models"
|
|
)
|
|
|
|
const (
|
|
http = "http://"
|
|
httpLocalhostWithPort = "http://localhost:"
|
|
httpLocalhostWithoutPort = "http://localhost/"
|
|
httpLoopbackV4WithPort = "http://127.0.0.1:"
|
|
httpLoopbackV4WithoutPort = "http://127.0.0.1/"
|
|
httpLoopbackV6WithPort = "http://[::1]:"
|
|
httpLoopbackV6WithoutPort = "http://[::1]/"
|
|
httpLoopbackV6LongWithPort = "http://[0:0:0:0:0:0:0:1]:"
|
|
httpLoopbackV6LongWithoutPort = "http://[0:0:0:0:0:0:0:1]/"
|
|
https = "https://"
|
|
)
|
|
|
|
type OIDCApp struct {
|
|
models.ObjectRoot
|
|
|
|
AppID string
|
|
AppName string
|
|
ClientID string
|
|
ClientSecret *crypto.CryptoValue
|
|
ClientSecretString string
|
|
RedirectUris []string
|
|
ResponseTypes []OIDCResponseType
|
|
GrantTypes []OIDCGrantType
|
|
ApplicationType OIDCApplicationType
|
|
AuthMethodType OIDCAuthMethodType
|
|
PostLogoutRedirectUris []string
|
|
OIDCVersion OIDCVersion
|
|
Compliance *Compliance
|
|
DevMode bool
|
|
AccessTokenType OIDCTokenType
|
|
AccessTokenRoleAssertion bool
|
|
IDTokenRoleAssertion bool
|
|
IDTokenUserinfoAssertion bool
|
|
ClockSkew time.Duration
|
|
AdditionalOrigins []string
|
|
|
|
State AppState
|
|
}
|
|
|
|
func (a *OIDCApp) GetApplicationName() string {
|
|
return a.AppName
|
|
}
|
|
|
|
func (a *OIDCApp) GetState() AppState {
|
|
return a.State
|
|
}
|
|
|
|
func (a *OIDCApp) setClientID(clientID string) {
|
|
a.ClientID = clientID
|
|
}
|
|
|
|
func (a *OIDCApp) setClientSecret(clientSecret *crypto.CryptoValue) {
|
|
a.ClientSecret = clientSecret
|
|
}
|
|
|
|
func (a *OIDCApp) requiresClientSecret() bool {
|
|
return a.AuthMethodType == OIDCAuthMethodTypeBasic || a.AuthMethodType == OIDCAuthMethodTypePost
|
|
}
|
|
|
|
type OIDCVersion int32
|
|
|
|
const (
|
|
OIDCVersionV1 OIDCVersion = iota
|
|
)
|
|
|
|
type OIDCResponseType int32
|
|
|
|
const (
|
|
OIDCResponseTypeCode OIDCResponseType = iota
|
|
OIDCResponseTypeIDToken
|
|
OIDCResponseTypeIDTokenToken
|
|
)
|
|
|
|
type OIDCGrantType int32
|
|
|
|
const (
|
|
OIDCGrantTypeAuthorizationCode OIDCGrantType = iota
|
|
OIDCGrantTypeImplicit
|
|
OIDCGrantTypeRefreshToken
|
|
)
|
|
|
|
type OIDCApplicationType int32
|
|
|
|
const (
|
|
OIDCApplicationTypeWeb OIDCApplicationType = iota
|
|
OIDCApplicationTypeUserAgent
|
|
OIDCApplicationTypeNative
|
|
)
|
|
|
|
type OIDCAuthMethodType int32
|
|
|
|
const (
|
|
OIDCAuthMethodTypeBasic OIDCAuthMethodType = iota
|
|
OIDCAuthMethodTypePost
|
|
OIDCAuthMethodTypeNone
|
|
OIDCAuthMethodTypePrivateKeyJWT
|
|
)
|
|
|
|
type Compliance struct {
|
|
NoneCompliant bool
|
|
Problems []string
|
|
}
|
|
|
|
type OIDCTokenType int32
|
|
|
|
const (
|
|
OIDCTokenTypeBearer OIDCTokenType = iota
|
|
OIDCTokenTypeJWT
|
|
)
|
|
|
|
func (a *OIDCApp) IsValid() bool {
|
|
if a.ClockSkew > time.Second*5 || a.ClockSkew < time.Second*0 || !a.OriginsValid() {
|
|
return false
|
|
}
|
|
grantTypes := a.getRequiredGrantTypes()
|
|
if len(grantTypes) == 0 {
|
|
return false
|
|
}
|
|
for _, grantType := range grantTypes {
|
|
ok := containsOIDCGrantType(a.GrantTypes, grantType)
|
|
if !ok {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func (a *OIDCApp) OriginsValid() bool {
|
|
for _, origin := range a.AdditionalOrigins {
|
|
if !http_util.IsOrigin(origin) {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func (a *OIDCApp) getRequiredGrantTypes() []OIDCGrantType {
|
|
grantTypes := make([]OIDCGrantType, 0)
|
|
implicit := false
|
|
for _, r := range a.ResponseTypes {
|
|
switch r {
|
|
case OIDCResponseTypeCode:
|
|
grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
|
|
case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
|
|
if !implicit {
|
|
implicit = true
|
|
grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
|
|
}
|
|
}
|
|
}
|
|
return grantTypes
|
|
}
|
|
|
|
func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
|
|
for _, gt := range grantTypes {
|
|
if gt == grantType {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func (a *OIDCApp) FillCompliance() {
|
|
a.Compliance = GetOIDCCompliance(a.OIDCVersion, a.ApplicationType, a.GrantTypes, a.ResponseTypes, a.AuthMethodType, a.RedirectUris)
|
|
}
|
|
|
|
func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
|
|
switch version {
|
|
case OIDCVersionV1:
|
|
return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
|
|
compliance := &Compliance{NoneCompliant: false}
|
|
if redirectUris == nil || len(redirectUris) == 0 {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append([]string{"Application.OIDC.V1.NoRedirectUris"}, compliance.Problems...)
|
|
}
|
|
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
|
|
CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
|
|
} else {
|
|
if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
|
|
CheckRedirectUrisImplicit(compliance, appType, redirectUris)
|
|
}
|
|
if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
|
|
CheckRedirectUrisCode(compliance, appType, redirectUris)
|
|
}
|
|
}
|
|
|
|
switch appType {
|
|
case OIDCApplicationTypeNative:
|
|
GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
|
|
case OIDCApplicationTypeUserAgent:
|
|
GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
|
|
}
|
|
if compliance.NoneCompliant {
|
|
compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
|
|
}
|
|
return compliance
|
|
}
|
|
|
|
func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
|
|
if authMethod != OIDCAuthMethodTypeNone {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
|
|
}
|
|
}
|
|
|
|
func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
|
|
if authMethod != OIDCAuthMethodTypeNone {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
|
|
}
|
|
}
|
|
|
|
func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
|
|
if urlsAreHttps(redirectUris) {
|
|
return
|
|
}
|
|
if urlContainsPrefix(redirectUris, http) {
|
|
if appType == OIDCApplicationTypeUserAgent {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
|
|
}
|
|
if appType == OIDCApplicationTypeNative && !onlyLocalhostIsHttp(redirectUris) {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.NativeShouldBeHttpLocalhost")
|
|
}
|
|
}
|
|
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
|
|
}
|
|
}
|
|
|
|
func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
|
|
if urlsAreHttps(redirectUris) {
|
|
return
|
|
}
|
|
if containsCustom(redirectUris) {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
|
|
}
|
|
if urlContainsPrefix(redirectUris, http) {
|
|
if appType == OIDCApplicationTypeNative {
|
|
if !onlyLocalhostIsHttp(redirectUris) {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
|
|
}
|
|
return
|
|
}
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
|
|
}
|
|
}
|
|
|
|
func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
|
|
if urlsAreHttps(redirectUris) {
|
|
return
|
|
}
|
|
if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
|
|
}
|
|
if urlContainsPrefix(redirectUris, http) {
|
|
if appType == OIDCApplicationTypeUserAgent {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
|
|
}
|
|
if !onlyLocalhostIsHttp(redirectUris) && appType == OIDCApplicationTypeNative {
|
|
compliance.NoneCompliant = true
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
|
|
}
|
|
}
|
|
if !compliance.NoneCompliant {
|
|
compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
|
|
}
|
|
}
|
|
|
|
func urlsAreHttps(uris []string) bool {
|
|
for _, uri := range uris {
|
|
if !strings.HasPrefix(uri, https) {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func urlContainsPrefix(uris []string, prefix string) bool {
|
|
for _, uri := range uris {
|
|
if strings.HasPrefix(uri, prefix) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func containsCustom(uris []string) bool {
|
|
for _, uri := range uris {
|
|
if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func onlyLocalhostIsHttp(uris []string) bool {
|
|
for _, uri := range uris {
|
|
if strings.HasPrefix(uri, http) && !isHTTPLoopbackLocalhost(uri) {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func isHTTPLoopbackLocalhost(uri string) bool {
|
|
return strings.HasPrefix(uri, httpLocalhostWithoutPort) ||
|
|
strings.HasPrefix(uri, httpLocalhostWithPort) ||
|
|
strings.HasPrefix(uri, httpLoopbackV4WithoutPort) ||
|
|
strings.HasPrefix(uri, httpLoopbackV4WithPort) ||
|
|
strings.HasPrefix(uri, httpLoopbackV6WithoutPort) ||
|
|
strings.HasPrefix(uri, httpLoopbackV6WithPort) ||
|
|
strings.HasPrefix(uri, httpLoopbackV6LongWithoutPort) ||
|
|
strings.HasPrefix(uri, httpLoopbackV6LongWithPort)
|
|
}
|