From bdc375fc6bf5884f4e8d95e4c046e4c239de5791 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Fri, 15 Sep 2023 18:55:45 +0200
Subject: [PATCH] policies: allow subdomains for the various URIs
---
 policies/client_registration.rego | 17 +++++++++-
 policies/client_registration_test.rego | 46 ++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/policies/client_registration.rego b/policies/client_registration.rego
index e63628afb..347c973c6 100644
--- a/policies/client_registration.rego
+++ b/policies/client_registration.rego
@@ -54,7 +54,7 @@ host_matches_client_uri(x) {
 host_matches_client_uri(x) {
 client_uri := parse_uri(input.client_metadata.client_uri)
 uri := parse_uri(x)
- uri.host == client_uri.host
+ is_subdomain(client_uri.host, uri.host)
 }
 violation[{"msg": "missing client_uri"}] {
@@ -170,6 +170,21 @@ reverse_dns_match(host, reverse_dns) {
 array.slice(dns_parts, 0, count(host_parts)) == host_parts
 }
+# Used to verify that all the various URIs are subdomains of the client_uri
+is_subdomain(host, subdomain) {
+ is_string(host)
+ is_string(subdomain)
+
+ # Split the host
+ host_parts := array.reverse(split(host, "."))
+
+ # Split the subdomain
+ subdomain_parts := array.reverse(split(subdomain, "."))
+
+ # Check that the subdomain strictly is a subdomain of the host
+ array.slice(subdomain_parts, 0, count(host_parts)) == host_parts
+}
+
 valid_native_redirector(x) {
 url := parse_uri(x)
 is_localhost(url.host)
diff --git a/policies/client_registration_test.rego b/policies/client_registration_test.rego
index a80d21a90..a37e19f37 100644
--- a/policies/client_registration_test.rego
+++ b/policies/client_registration_test.rego
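Review bot: Replacing the equality with `is_subdomain(client_uri.host, uri.host)` in host_matches_client_uri relaxes every check routed through this rule at once, and the tests added in this patch indicate that includes `redirect_uris` as well as the informational tos/logo/policy links. Redirect targets receive the authorization response, so an operator may want them held to an exact host match even when display URIs are allowed on subdomains. Consider keeping `uri.host == client_uri.host` on the redirect path, or making the relaxation configurable in the way `allow_host_mismatch` is, and add a comment above the rule such as `# Holds when x is on the client_uri host or on any host beneath it`. The other body of host_matches_client_uri lies outside this hunk.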
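Review bot: The inline comment `# Check that the subdomain strictly is a subdomain of the host` overstates what the slice comparison does, since it also holds when the two hosts are identical, which test_is_subdomain in this patch relies on. I would reword it to `# Holds when subdomain equals host or ends with all of host's labels`, and extend the header comment to say the match is label-wise on the strings exactly as parse_uri returns them and does not consult a public-suffix list. That last point matters to operators: a client_uri on a shared parent domain (a multi-tenant hosting apex, or a bare suffix such as `co.uk`) makes every host beneath it acceptable, so it is worth confirming whether such hosts are rejected elsewhere in the policy. The body is otherwise the same slice check as reverse_dns_match directly above and could share a helper with it.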
@@ -63,6 +63,14 @@ test_tos_uri {
 "contacts": ["contact@example.com"],
 }
+ # TOS on a subdomain of the client_uri host is allowed
+ allow with input.client_metadata as {
+ "grant_types": [],
+ "client_uri": "https://example.com/",
+ "tos_uri": "https://tos.example.com/",
+ "contacts": ["contact@example.com"],
+ }
+
 # Host mistmatch, but allowed by the config
 allow with input.client_metadata as {
 "grant_types": [],
@@ -106,6 +114,14 @@ test_logo_uri {
 "contacts": ["contact@example.com"],
 }
+ # Logo on a subdomain of the client_uri host is allowed
+ allow with input.client_metadata as {
+ "grant_types": [],
+ "client_uri": "https://example.com/",
+ "logo_uri": "https://static.example.com/logo.png",
+ "contacts": ["contact@example.com"],
+ }
+
 # Host mistmatch, but allowed by the config
 allow with input.client_metadata as {
 "grant_types": [],
@@ -149,6 +165,14 @@ test_policy_uri {
 "contacts": ["contact@example.com"],
 }
+ # Policy on a subdomain of the client_uri host is allowed
+ allow with input.client_metadata as {
+ "grant_types": [],
+ "client_uri": "https://example.com/",
+ "policy_uri": "https://policy.example.com/",
+ "contacts": ["contact@example.com"],
+ }
+
 # Host mistmatch, but allowed by the config
 allow with input.client_metadata as {
 "grant_types": [],
@@ -244,6 +268,14 @@ test_web_redirect_uri {
 } with data.client_registration.allow_host_mismatch as true
+ # Redirect URI on a subdomain of the client_uri host is allowed
+ allow with input.client_metadata as {
+ "application_type": "web",
+ "client_uri": "https://example.com/",
+ "redirect_uris": ["https://app.example.com/callback"],
+ "contacts": ["contact@example.com"],
+ }
+
 # No custom scheme allowed
 not allow with input.client_metadata as {
 "application_type": "web",
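Review bot: The cases added to test_tos_uri, test_logo_uri, test_policy_uri and test_web_redirect_uri only assert the newly allowed direction; none of them pins that the relation is one-way. For the redirect case in particular I would add a `not allow` input with `"client_uri": "https://app.example.com/"` and `"redirect_uris": ["https://example.com/callback"]`, which is expected to be denied, so a later change to is_subdomain cannot silently start accepting a parent host. Each enclosing test rule starts and ends outside its hunk, so existing negative cases there may already cover part of this.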
@@ -401,3 +433,17 @@ test_client_credentials_grant {
 "contacts": ["contact@example.com"],
 }
 }
+
+test_is_subdomain {
+ is_subdomain("example.com", "example.com")
+ is_subdomain("example.com", "app.example.com")
+ not is_subdomain("example.com", "example.org")
+ not is_subdomain("test.com", "example.com")
+}
+
+test_reverse_dns_match {
+ reverse_dns_match("example.com", "com.example")
+ reverse_dns_match("example.com", "com.example.app")
+ not reverse_dns_match("example.com", "org.example")
+ not reverse_dns_match("test.com", "com.example")
+}
\ No newline at end of file
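Review bot: test_is_subdomain rejects only a different TLD and a different registrable name, so the label-boundary behaviour that makes this rule safe is not pinned by any test. I would add `not is_subdomain("example.com", "notexample.com")`, `not is_subdomain("example.com", "example.com.example.org")` and `not is_subdomain("app.example.com", "example.com")`; all three should hold with the split-and-slice implementation, and they would catch a regression to plain string-suffix matching. The file also now ends without a trailing newline.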