Move scheme validation to OAuth2Application.clean()

Author: jleclanche

CHANGELOG.md

@@ -4,6 +4,7 @@
 * **Compatibility**: Django 2.0 is the new minimum required version.
 * **New feature**: Added TokenMatchesOASRequirements Permissions.
 * validators.URIValidator has been updated to match URLValidator behaviour more closely.
+* Moved `redirect_uris` validation to the application clean() method.
 
 
 ### 1.1.2 [2018-05-12]

oauth2_provider/migrations/0001_initial.py

@@ -18,7 +18,7 @@ class Migration(migrations.Migration):
             fields=[
                 ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
                 ('client_id', models.CharField(default=oauth2_provider.generators.generate_client_id, unique=True, max_length=100, db_index=True)),
-                ('redirect_uris', models.TextField(help_text='Allowed URIs list, space separated', blank=True, validators=[oauth2_provider.validators.validate_uris])),
+                ('redirect_uris', models.TextField(help_text='Allowed URIs list, space separated', blank=True)),
                 ('client_type', models.CharField(max_length=32, choices=[('confidential', 'Confidential'), ('public', 'Public')])),
                 ('authorization_grant_type', models.CharField(max_length=32, choices=[('authorization-code', 'Authorization code'), ('implicit', 'Implicit'), ('password', 'Resource owner password-based'), ('client-credentials', 'Client credentials')])),
                 ('client_secret', models.CharField(default=oauth2_provider.generators.generate_client_secret, max_length=255, db_index=True, blank=True)),

oauth2_provider/models.py

@@ -12,7 +12,7 @@
 from .generators import generate_client_id, generate_client_secret
 from .scopes import get_scopes_backend
 from .settings import oauth2_settings
-from .validators import validate_uris
+from .validators import RedirectURIValidator, WildcardSet
 
 
 class AbstractApplication(models.Model):
@@ -65,7 +65,6 @@ class AbstractApplication(models.Model):
 
     redirect_uris = models.TextField(
         blank=True, help_text=_("Allowed URIs list, space separated"),
-        validators=[validate_uris]
     )
     client_type = models.CharField(max_length=32, choices=CLIENT_TYPES)
     authorization_grant_type = models.CharField(
@@ -125,12 +124,29 @@ def redirect_uri_allowed(self, uri):
 
     def clean(self):
         from django.core.exceptions import ValidationError
-        if not self.redirect_uris \
-            and self.authorization_grant_type \
-            in (AbstractApplication.GRANT_AUTHORIZATION_CODE,
-                AbstractApplication.GRANT_IMPLICIT):
-            error = _("Redirect_uris could not be empty with {grant_type} grant_type")
-            raise ValidationError(error.format(grant_type=self.authorization_grant_type))
+
+        grant_types = (
+            AbstractApplication.GRANT_AUTHORIZATION_CODE,
+            AbstractApplication.GRANT_IMPLICIT,
+        )
+
+        redirect_uris = self.redirect_uris.strip().split()
+        allowed_schemes = set(s.lower() for s in self.get_allowed_schemes())
+
+        if redirect_uris:
+            validator = RedirectURIValidator(WildcardSet())
+            for uri in redirect_uris:
+                validator(uri)
+                scheme = urlparse(uri).scheme
+                if scheme not in allowed_schemes:
+                    raise ValidationError(_(
+                        "Unauthorized redirect scheme: {scheme}"
+                    ).format(scheme=scheme))
+
+        elif self.authorization_grant_type in grant_types:
+            raise ValidationError(_(
+                "redirect_uris cannot be empty with grant_type {grant_type}"
+            ).format(grant_type=self.authorization_grant_type))
 
     def get_absolute_url(self):
         return reverse("oauth2_provider:detail", args=[str(self.id)])

oauth2_provider/validators.py

@@ -1,20 +1,17 @@
 import re
-from urllib.parse import urlsplit, urlunsplit
+from urllib.parse import urlsplit
 
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
 from django.utils.encoding import force_text
-from django.utils.translation import ugettext_lazy as _
-
-from .settings import oauth2_settings
 
 
 class URIValidator(URLValidator):
     scheme_re = r"^(?:[a-z][a-z0-9\.\-\+]*)://"
 
     dotless_domain_re = r"(?!-)[A-Z\d-]{1,63}(?<!-)"
     host_re = "|".join((
-        r"(?:"+ URLValidator.host_re,
+        r"(?:" + URLValidator.host_re,
         URLValidator.ipv4_re,
         URLValidator.ipv6_re,
         dotless_domain_re + ")"
@@ -35,17 +32,16 @@ def __call__(self, value):
         scheme, netloc, path, query, fragment = urlsplit(value)
         if fragment and not self.allow_fragments:
             raise ValidationError("Redirect URIs must not contain fragments")
-        if scheme.lower() not in self.schemes:
-            raise ValidationError("Redirect URI scheme is not allowed.")
 
 
-def validate_uris(value):
+##
+# WildcardSet is a special set that contains everything.
+# This is required in order to move validation of the scheme from
+# URLValidator (the base class of URIValidator), to OAuth2Application.clean().
+
+class WildcardSet(set):
     """
-    This validator ensures that `value` contains valid blank-separated URIs"
+    A set that always returns True on `in`.
     """
-    v = RedirectURIValidator(oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES)
-    uris = value.split()
-    if not uris:
-        raise ValidationError("Redirect URI cannot be empty")
-    for uri in uris:
-        v(uri)
+    def __contains__(self, item):
+        return True

tests/test_validators.py

@@ -2,7 +2,7 @@
 from django.test import TestCase
 
 from oauth2_provider.settings import oauth2_settings
-from oauth2_provider.validators import RedirectURIValidator, validate_uris
+from oauth2_provider.validators import RedirectURIValidator
 
 
 class TestValidators(TestCase):
@@ -35,12 +35,6 @@ def test_validate_custom_uri_scheme(self):
             # Check ValidationError not thrown
             validator(uri)
 
-    def test_validate_whitespace_separators(self):
-        # Check that whitespace can be used as a separator
-        good_uris = "https://example.com\r\nhttps://example.com\thttps://example.com"
-        # Check ValidationError not thrown
-        validate_uris(good_uris)
-
     def test_validate_bad_uris(self):
         validator = RedirectURIValidator(allowed_schemes=["https"])
         oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES = ["https", "good"]