policies: allow subdomains for the various URIs

policies/client_registration.rego

@@ -54,7 +54,7 @@ host_matches_client_uri(x) {
 host_matches_client_uri(x) {
 	client_uri := parse_uri(input.client_metadata.client_uri)
 	uri := parse_uri(x)
-	uri.host == client_uri.host
+	is_subdomain(client_uri.host, uri.host)
 }
 
 violation[{"msg": "missing client_uri"}] {
@@ -170,6 +170,21 @@ reverse_dns_match(host, reverse_dns) {
 	array.slice(dns_parts, 0, count(host_parts)) == host_parts
 }
 
+# Used to verify that all the various URIs are subdomains of the client_uri
+is_subdomain(host, subdomain) {
+    is_string(host)
+    is_string(subdomain)
+
+    # Split the host
+    host_parts := array.reverse(split(host, "."))
+
+    # Split the subdomain
+    subdomain_parts := array.reverse(split(subdomain, "."))
+
+    # Check that the subdomain strictly is a subdomain of the host
+    array.slice(subdomain_parts, 0, count(host_parts)) == host_parts
+}
+
 valid_native_redirector(x) {
 	url := parse_uri(x)
 	is_localhost(url.host)

policies/client_registration_test.rego

@@ -63,6 +63,14 @@ test_tos_uri {
 		"contacts": ["contact@example.com"],
 	}
 
+	# TOS on a subdomain of the client_uri host is allowed
+	allow with input.client_metadata as {
+		"grant_types": [],
+		"client_uri": "https://example.com/",
+		"tos_uri": "https://tos.example.com/",
+		"contacts": ["contact@example.com"],
+	}
+
 	# Host mistmatch, but allowed by the config
 	allow with input.client_metadata as {
 		"grant_types": [],
@@ -106,6 +114,14 @@ test_logo_uri {
 		"contacts": ["contact@example.com"],
 	}
 
+	# Logo on a subdomain of the client_uri host is allowed
+	allow with input.client_metadata as {
+		"grant_types": [],
+		"client_uri": "https://example.com/",
+		"logo_uri": "https://static.example.com/logo.png",
+		"contacts": ["contact@example.com"],
+	}
+
 	# Host mistmatch, but allowed by the config
 	allow with input.client_metadata as {
 		"grant_types": [],
@@ -149,6 +165,14 @@ test_policy_uri {
 		"contacts": ["contact@example.com"],
 	}
 
+	# Policy on a subdomain of the client_uri host is allowed
+	allow with input.client_metadata as {
+		"grant_types": [],
+		"client_uri": "https://example.com/",
+		"policy_uri": "https://policy.example.com/",
+		"contacts": ["contact@example.com"],
+	}
+
 	# Host mistmatch, but allowed by the config
 	allow with input.client_metadata as {
 		"grant_types": [],
@@ -244,6 +268,14 @@ test_web_redirect_uri {
 	}
 		with data.client_registration.allow_host_mismatch as true
 
+	# Redirect URI on a subdomain of the client_uri host is allowed
+	allow with input.client_metadata as {
+		"application_type": "web",
+		"client_uri": "https://example.com/",
+		"redirect_uris": ["https://app.example.com/callback"],
+		"contacts": ["contact@example.com"],
+	}
+
 	# No custom scheme allowed
 	not allow with input.client_metadata as {
 		"application_type": "web",
@@ -401,3 +433,17 @@ test_client_credentials_grant {
 		"contacts": ["contact@example.com"],
 	}
 }
+
+test_is_subdomain {
+    is_subdomain("example.com", "example.com")
+    is_subdomain("example.com", "app.example.com")
+    not is_subdomain("example.com", "example.org")
+    not is_subdomain("test.com", "example.com")
+}
+
+test_reverse_dns_match {
+    reverse_dns_match("example.com", "com.example")
+    reverse_dns_match("example.com", "com.example.app")
+    not reverse_dns_match("example.com", "org.example")
+    not reverse_dns_match("test.com", "com.example")
+}