Startsida Utforska Hjälp
Logga in
kestrel
/
uidc
1
0
Fork 0
Filer Ärenden 5 Pull-förfrågningar 0 Wiki
Bläddra i källkod

Add untested redirect URI verification.

Kestrel 11 månader sedan
förälder
cf3d18c7d8
incheckning
58ab124311
7 ändrade filer med 74 tillägg och 6 borttagningar
Delad Vy Visa Diff Statistik
  1. 7 0
      Cargo.lock
  2. 1 0
      Cargo.toml
  3. 4 0
      src/cli/client.rs
  4. 23 0
      src/client.rs
  5. 16 0
      src/client_management.rs
  6. 1 0
      src/main.rs
  7. 22 6
      src/server/oidc/authorize.rs

+ 7 - 0
Cargo.lock
Visa fil 

@@ -985,6 +985,12 @@ dependencies = [
 
  "polyval",
 
 ]
 
 
+[[package]]
 
+name = "glob"
 
+version = "0.3.1"
 
+source = "registry+https://github.com/rust-lang/crates.io-index"
 
+checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
 
+
 
 [[package]]
 
 name = "gloo-timers"
 
 version = "0.2.6"
 
@@ -2454,6 +2460,7 @@ dependencies = [
 
  "base64 0.13.1",
 
  "bincode",
 
  "clap",
 
+ "glob",
 
  "handlebars",
 
  "hmac 0.12.1",
 
  "itertools",

+ 1 - 0
Cargo.toml
Visa fil 

@@ -13,6 +13,7 @@ serde = { version =  "1.0", features = ["derive"] }
 
 lazy_static = "1.4.0"
 
 time = { version = "0.3", features = ["std", "formatting"] }
 
 itertools = "0.12"
 
+glob = "0.3"
 
 
 # crypto
 
 ring = { version = "0.16", features = ["std"] }

+ 4 - 0
src/cli/client.rs
Visa fil 

@@ -10,6 +10,7 @@ pub struct ClientInterface;
 
 pub enum ClientCommands {
 
     Create { name: String, key_type: String },
 
     RotateSecret { name: String },
 
+    AddRedirect { name: String, pattern: String },
 
 }
 
 
 impl microrm::cli::EntityInterface for ClientInterface {
 
@@ -31,6 +32,9 @@ impl microrm::cli::EntityInterface for ClientInterface {
 
             ClientCommands::RotateSecret { name } => {
 
                 client_management::rotate_secret(ctx, &name)?;
 
             }
 
+            ClientCommands::AddRedirect { name, pattern } => {
 
+                client_management::add_redirect(ctx, name.as_str(), pattern.as_str())?;
 
+            }
 
         }
 
 
         Ok(())

+ 23 - 0
src/client.rs
Visa fil 

@@ -0,0 +1,23 @@
 
+use crate::{schema, UIDCError};
 
+use microrm::prelude::*;
 
+
 
+pub trait ClientExt {
 
+    fn client_instance(&self) -> &schema::Client;
 
+
 
+    fn check_redirect(&self, uri: &str) -> Result<bool, UIDCError> {
 
+        for redirect in self.client_instance().redirects.get()?.into_iter() {
 
+            let pattern = glob::Pattern::new(redirect.redirect_pattern.as_str())
 
+                .map_err(|_| UIDCError::Abort("couldn't parse redirect URI as glob pattern"))?;
 
+            if pattern.matches(uri) {
 
+                return Ok(true);
 
+            }
 
+        }
 
+        Ok(false)
 
+    }
 
+}
 
+
 
+impl ClientExt for schema::Client {
 
+    fn client_instance(&self) -> &schema::Client {
 
+        self
 
+    }
 
+}

+ 16 - 0
src/client_management.rs
Visa fil 

@@ -41,3 +41,19 @@ pub fn rotate_secret(realm: &microrm::Stored<schema::Realm>, name: &str) -> Resu
 
 
     Ok(())
 
 }
 
+
 
+pub fn add_redirect(
 
+    realm: &microrm::Stored<schema::Realm>,
 
+    name: &str,
 
+    pattern: &str,
 
+) -> Result<(), UIDCError> {
 
+    let Some(client) = realm.clients.keyed((realm.id(), name)).get()? else {
 
+        return Err(UIDCError::Abort("no such client"));
 
+    };
 
+
 
+    client.redirects.insert(schema::ClientRedirect {
 
+        redirect_pattern: pattern.into(),
 
+    })?;
 
+
 
+    Ok(())
 
+}

+ 1 - 0
src/main.rs
Visa fil 

@@ -1,6 +1,7 @@
 
 #![doc = include_str!("../README.md")]
 
 
 mod cli;
 
+mod client;
 
 mod client_management;
 
 mod config;
 
 mod error;

+ 22 - 6
src/server/oidc/authorize.rs
Visa fil 

@@ -1,5 +1,5 @@
 
 use super::{api, OIDCError, OIDCErrorType, Request};
 
-use crate::{config, schema, server::session::SessionHelper};
 
+use crate::{client::ClientExt, config, schema, server::session::SessionHelper};
 
 use microrm::prelude::*;
 
 
 fn do_code_authorize<'l, 's>(
 
@@ -108,8 +108,7 @@ pub(super) fn do_authorize(
 
         ));
 
     };
 
 
-    // verify the realm and client_id and redirect_uri
 
-
 
+    // verify the client_id refers to an extant client
 
     let client = realm
 
         .clients
 
         .with(schema::Client::Shortname, &qp.client_id)
 
@@ -120,14 +119,31 @@ pub(super) fn do_authorize(
 
         .ok_or_else(|| {
 
             OIDCError(
 
                 OIDCErrorType::UnauthorizedClient,
 
-                "Client does not exist".into(),
 
+                "client does not exist".into(),
 
                 state,
 
             )
 
         })?;
 
 
     let scopes = qp.scope.as_deref().unwrap_or("").split_whitespace();
 
 
-    // TODO: check that redirect URI matches
 
+    // check that redirect URI matches
 
+    match client.check_redirect(qp.redirect_uri.as_str()) {
 
+        Ok(true) => (),
 
+        Ok(false) => {
 
+            return Err(OIDCError(
 
+                OIDCErrorType::InvalidRequest,
 
+                "invalid redirect URI".into(),
 
+                state,
 
+            ))
 
+        }
 
+        Err(_) => {
 
+            return Err(OIDCError(
 
+                OIDCErrorType::ServerError,
 
+                "invalid stored redirect uri".into(),
 
+                state,
 
+            ))
 
+        }
 
+    }
 
 
     if qp.response_type == "code" {
 
         do_code_authorize(
 
@@ -167,7 +183,7 @@ pub(super) fn do_authorize(
 
     } else {
 
         Err(OIDCError(
 
             OIDCErrorType::UnsupportedResponseType,
 
-            "Only code and token are understood.".into(),
 
+            "only 'code' and 'token' are understood".into(),
 
             state,
 
         ))
 
     }