
Commit 30e693f

add validation for --oidc-issuer-url and --oidc-callback-url (#464)
Signed-off-by: olalekan odukoya <odukoyaonline@gmail.com>
1 parent ffd88d7 commit 30e693f

2 files changed

Lines changed: 73 additions & 4 deletions


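--- a/backend/options/oidc.go
+++ b/backend/options/oidc.go
@@ -20,6 +20,7 @@ import (
 "crypto/tls"
 "fmt"
 "net"
+"net/url"
 "os"
 "strings"
 
@@ -123,6 +124,7 @@ func (options *OIDC) Validate() error {
 if options.CallbackURL == "" {
 return fmt.Errorf("OIDC callback URL cannot be empty")
 }
+
 if options.CAFile != "" && options.TLSConfig != nil {
 return fmt.Errorf("cannot use both CA file and embedded OIDC server")
 }
@@ -131,6 +133,25 @@ func (options *OIDC) Validate() error {
 return fmt.Errorf("invalid OIDC provider type: %s", options.Type)
 }
 
+issuerURL, err := url.Parse(options.IssuerURL)
+if err != nil {
+return fmt.Errorf("--oidc-issuer-url must be a valid URL: %w", err)
+}
+if issuerURL.Scheme != "http" && issuerURL.Scheme != "https" {
+return fmt.Errorf("--oidc-issuer-url must use http or https scheme, got: %s", issuerURL.Scheme)
+}
+
+callbackURL, err := url.Parse(options.CallbackURL)
+if err != nil {
+return fmt.Errorf("--oidc-callback-url must be a valid URL: %w", err)
+}
+if callbackURL.Scheme != "http" && callbackURL.Scheme != "https" {
+return fmt.Errorf("--oidc-callback-url must use http or https scheme, got: %s", callbackURL.Scheme)
+}
+if !strings.HasSuffix(callbackURL.Path, "/api/callback") {
+return fmt.Errorf("--oidc-callback-url must end with '/api/callback', got path: %s", callbackURL.Path)
+}
+
 if options.Type == string(kubebindv1alpha2.OIDCProviderTypeEmbedded) && !strings.HasSuffix(options.IssuerURL, "/oidc") {
 return fmt.Errorf("--oidc-issuer-url must end with '/oidc' when using embedded OIDC provider")
 }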
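Review bot: A value with an http(s) scheme but no host, such as `https:` or `http:///oidc`, parses without error and passes both new scheme checks (the one on issuerURL and the one on callbackURL), so an issuer or callback with an empty host is accepted by Validate. After each scheme check add a host check, e.g. `if issuerURL.Host == "" { return fmt.Errorf("--oidc-issuer-url must include a host") }` and the same for callbackURL. The two scheme error messages would also read better with `%q` instead of `%s`, since an empty scheme currently prints as a bare trailing `got: `. Validate begins and ends outside this hunk.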

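--- a/backend/options/oidc_test.go
+++ b/backend/options/oidc_test.go
@@ -38,7 +38,7 @@ func TestOIDCValidate(t *testing.T) {
 IssuerClientID: "test-client-id",
 IssuerClientSecret: "test-client-secret",
 IssuerURL: "http://localhost:8080/oidc",
-CallbackURL: "http://localhost:8080/callback",
+CallbackURL: "http://localhost:8080/api/callback",
 },
 wantErr: false,
 },
@@ -49,7 +49,7 @@ func TestOIDCValidate(t *testing.T) {
 IssuerClientID: "test-client-id",
 IssuerClientSecret: "test-client-secret",
 IssuerURL: "http://localhost:8080",
-CallbackURL: "http://localhost:8080/callback",
+CallbackURL: "http://localhost:8080/api/callback",
 },
 wantErr: true,
 errMsg: "--oidc-issuer-url must end with '/oidc' when using embedded OIDC provider",
@@ -61,7 +61,7 @@ func TestOIDCValidate(t *testing.T) {
 IssuerClientID: "test-client-id",
 IssuerClientSecret: "test-client-secret",
 IssuerURL: "http://localhost:8080/oidc/",
-CallbackURL: "http://localhost:8080/callback",
+CallbackURL: "http://localhost:8080/api/callback",
 },
 wantErr: true,
 errMsg: "--oidc-issuer-url must end with '/oidc' when using embedded OIDC provider",
@@ -73,11 +73,59 @@ func TestOIDCValidate(t *testing.T) {
 IssuerClientID: "test-client-id",
 IssuerClientSecret: "test-client-secret",
 IssuerURL: "http://localhost:8080",
-CallbackURL: "http://localhost:8080/callback",
+CallbackURL: "http://localhost:8080/api/callback",
 AllowedGroups: []string{"admins"},
 },
 wantErr: false,
 },
+{
+name: "malformed issuer URL",
+options: &OIDC{
+Type: string(kubebindv1alpha2.OIDCProviderTypeEmbedded),
+IssuerClientID: "test-client-id",
+IssuerClientSecret: "test-client-secret",
+IssuerURL: "not-a-valid-url",
+CallbackURL: "http://localhost:8080/api/callback",
+},
+wantErr: true,
+errMsg: "--oidc-issuer-url must use http or https scheme, got: ",
+},
+{
+name: "malformed callback URL",
+options: &OIDC{
+Type: string(kubebindv1alpha2.OIDCProviderTypeEmbedded),
+IssuerClientID: "test-client-id",
+IssuerClientSecret: "test-client-secret",
+IssuerURL: "http://localhost:8080/oidc",
+CallbackURL: "not-a-valid-url",
+},
+wantErr: true,
+errMsg: "--oidc-callback-url must use http or https scheme, got: ",
+},
+{
+name: "callback URL with invalid scheme",
+options: &OIDC{
+Type: string(kubebindv1alpha2.OIDCProviderTypeEmbedded),
+IssuerClientID: "test-client-id",
+IssuerClientSecret: "test-client-secret",
+IssuerURL: "http://localhost:8080/oidc",
+CallbackURL: "ftp://localhost:8080/api/callback",
+},
+wantErr: true,
+errMsg: "--oidc-callback-url must use http or https scheme, got: ftp",
+},
+{
+name: "callback URL with only /callback (missing /api prefix)",
+options: &OIDC{
+Type: string(kubebindv1alpha2.OIDCProviderTypeEmbedded),
+IssuerClientID: "test-client-id",
+IssuerClientSecret: "test-client-secret",
+IssuerURL: "http://localhost:8080/oidc",
+CallbackURL: "http://localhost:8080/callback",
+},
+wantErr: true,
+errMsg: "--oidc-callback-url must end with '/api/callback', got path: /callback",
+},
 }
 
 for _, tt := range tests {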
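Review bot: The cases named "malformed issuer URL" and "malformed callback URL" feed `not-a-valid-url`, which url.Parse accepts as a relative reference with an empty scheme, so both cases exercise the scheme check (hence the expected `got: ` with nothing after it) and the `must be a valid URL` parse-error branch in Validate is never covered. A value url.Parse actually rejects, such as `IssuerURL: "://not-a-valid-url"` with `errMsg: "--oidc-issuer-url must be a valid URL"`, would cover that branch, and the two existing cases could be renamed to "issuer URL without scheme" and "callback URL without scheme" to say what they test. Whether errMsg is matched by equality or substring is decided in the loop that continues past the end of this hunk, so the expected string for a parse-error case may need the wrapped url.Error text appended. TestOIDCValidate starts and ends outside the hunk.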
