From e91861ae66d407fadfe3699a896edb128a120fa8 Mon Sep 17 00:00:00 2001
From: psaiz
Date: Tue, 20 Oct 2020 12:36:30 +0200
Subject: [PATCH 1/3] Update oidcsettings.pp
---
 types/oidcsettings.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/types/oidcsettings.pp b/types/oidcsettings.pp
index bc3ce5c7da..9c07e42345 100644
--- a/types/oidcsettings.pp
+++ b/types/oidcsettings.pp
@@ -1,7 +1,7 @@
 # https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf
 type Apache::OIDCSettings = Struct[
 {
- Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl],
+ Optional['RedirectURI'] => Variant[Stdlib::HTTPSUrl,Stdlib::HttpUrl,Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]],
 Optional['CryptoPassphrase'] => String,
 Optional['MetadataDir'] => String,
 Optional['ProviderMetadataURL'] => Stdlib::HTTPSUrl,
From e7d36e8e5b5fc8c1a93069bf90740a93dba53691 Mon Sep 17 00:00:00 2001
From: Ciaran McCrisken
Date: Mon, 2 Nov 2020 11:55:07 +0000
Subject: [PATCH 2/3] (maint) Add tests for OIDC RedirectURL values
---
 spec/defines/vhost_spec.rb | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index 148bd7a98f..c85b52d666 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
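Review bot: In types/oidcsettings.pp the new `Pattern[/^\/[A-Za-z0-9\-\._%\/]*$/]` alternative is anchored with `^` and `$`, which match at line boundaries in Puppet's Ruby-style regexes, so a multi-line string passes as long as one of its lines looks like a path. The spec in this series shows the value being written into the vhost fragment as `OIDCRedirectURI <value>`, so a newline in the data would put additional text on its own line of the Apache configuration. Anchoring on the whole string closes that: `Pattern[/\A\/[A-Za-z0-9\-\._%\/]*\z/]`. The character class also accepts a value starting with `//`, which may be treated as a scheme-relative URL rather than a local path; worth confirming that is intended. The Struct continues past the end of the hunk.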
@@ -2411,6 +2411,46 @@
 end
 end
 end
+ context 'oidc_settings RedirectURL' do
+ describe 'with VALID relative URI' do
+ let :params do
+ default_params.merge(
+ 'auth_oidc' => true,
+ 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration',
+ 'ClientID' => 'test',
+ 'RedirectURI' => '/some/valid/relative/uri',
+ 'ProviderTokenEndpointAuth' => 'client_secret_basic',
+ 'RemoteUserClaim' => 'sub',
+ 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+ 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
+ )
+ end
+
+ it { is_expected.to compile }
+ it {
+ is_expected.to contain_concat__fragment('rspec.example.com-auth_oidc').with(
+ content: %r{^\s+OIDCRedirectURI\s/some/valid/relative/uri$},
+ )
+ }
+ end
+
+ describe 'with INVALID relative URI' do
+ let :params do
+ default_params.merge(
+ 'auth_oidc' => true,
+ 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration',
+ 'ClientID' => 'test',
+ 'RedirectURI' => 'total_garbage',
+ 'ProviderTokenEndpointAuth' => 'client_secret_basic',
+ 'RemoteUserClaim' => 'sub',
+ 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8',
+ 'CryptoPassphrase' => '4ad1bb46-9979-450e-ae58-c696967df3cd' },
+ )
+ end
+
+ it { is_expected.not_to compile }
+ end
+ end
 end
 end
 end
From a57bd5adcc6840a09b8e928c5d8baefe3f7a76a1 Mon Sep 17 00:00:00 2001
From: Ciaran McCrisken
Date: Wed, 4 Nov 2020 12:28:05 +0000
Subject: [PATCH 3/3] Fix negative test data
---
 spec/defines/vhost_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index c85b52d666..f7de631e9a 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
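Review bot: The negative case in the `oidc_settings RedirectURL` context of spec/defines/vhost_spec.rb only tries a value with no leading slash, so it does not pin the boundary of the relative-path pattern added in types/oidcsettings.pp. Cases worth adding with `it { is_expected.not_to compile }` are a value containing a space and a multi-line value such as `'RedirectURI' => "/some/uri\nextra"`; the second would currently be expected to compile, because that pattern uses `^`/`$` rather than `\A`/`\z`. The context title says `RedirectURL` while the key under test is `RedirectURI`. The two `let :params` hashes differ only in that key, so a shared base hash would keep the fixtures from drifting.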
@@ -2440,7 +2440,7 @@
 'auth_oidc' => true,
 'oidc_settings' => { 'ProviderMetadataURL' => 'https://login.example.com/.well-known/openid-configuration',
 'ClientID' => 'test',
- 'RedirectURI' => 'total_garbage',
+ 'RedirectURI' => 'invalid_uri',
 'ProviderTokenEndpointAuth' => 'client_secret_basic',
 'RemoteUserClaim' => 'sub',
 'ClientSecret' => 'aae053a9-4abf-4824-8956-e94b2af335c8',