Merge pull request #2082 from sanfrancrisko/feat/main/odic_redirect_relative_uri

david22swan · web-flow · commit 935acd446966 · 2020-11-04T15:37:03.000Z
Allow relative paths in oidc_redirect_uri
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -2411,6 +2411,46 @@
             end
           end
         end
+        context 'oidc_settings RedirectURL' do
+          describe 'with VALID relative URI' do
+            let :params do
+              default_params.merge(
+                'auth_oidc' => true,
+                'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration',
+                                     'ClientID'                  => 'test',
+                                     'RedirectURI'               => '/some/valid/relative/uri',
+                                     'ProviderTokenEndpointAuth' => 'client_secret_basic',
+                                     'RemoteUserClaim'           => 'sub',
+                                     'ClientSecret'              => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+                                     'CryptoPassphrase'          => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
+              )
+            end
+
+            it { is_expected.to compile }
+            it {
+              is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+                content: %r{^\s+OIDCRedirectURI\s/some/valid/relative/uri$},
+              )
+            }
+          end
+
+          describe 'with INVALID relative URI' do
+            let :params do
+              default_params.merge(
+                'auth_oidc' => true,
+                'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration',
+                                     'ClientID'                  => 'test',
+                                     'RedirectURI'               => 'invalid_uri',
+                                     'ProviderTokenEndpointAuth' => 'client_secret_basic',
+                                     'RemoteUserClaim'           => 'sub',
+                                     'ClientSecret'              => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+                                     'CryptoPassphrase'          => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
+              )
+            end
+
+            it { is_expected.not_to compile }
+          end
+        end
       end
     end
   end
diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp
@@ -1,7 +1,7 @@
 # https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf
 type Apache::OIDCSettings = Struct[
   {
-    Optional['RedirectURI']                             => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl],
+    Optional['RedirectURI']                             => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl,Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]],
     Optional['CryptoPassphrase']                        => String,
     Optional['MetadataDir']                             => String,
     Optional['ProviderMetadataURL']                     => Stdlib::HTTPSUrl,

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`# https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf`
`2`	`2`	`type Apache::OIDCSettings = Struct[`
`3`	`3`	`{`
`4`		`- Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl],`
	`4`	`+ Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl,Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]],`
`5`	`5`	`Optional['CryptoPassphrase'] => String,`
`6`	`6`	`Optional['MetadataDir'] => String,`
`7`	`7`	`Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl,`