Add Validation for External OAuth Config

openshift · Mar 16, 2018 · fd512ee · fd512ee
1 parent 96f1259
commit fd512ee
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/pkg/cmd/server/apis/config/validation/master.go b/pkg/cmd/server/apis/config/validation/master.go
@@ -25,6 +25,7 @@ import (
 	configapi "github.com/openshift/origin/pkg/cmd/server/apis/config"
 	"github.com/openshift/origin/pkg/cmd/server/bootstrappolicy"
 	"github.com/openshift/origin/pkg/cmd/server/cm"
+	oauthutil "github.com/openshift/origin/pkg/oauth/util"
 	"github.com/openshift/origin/pkg/security/mcs"
 	"github.com/openshift/origin/pkg/security/uid"
 	"github.com/openshift/origin/pkg/util/labelselector"
@@ -144,6 +145,21 @@ func ValidateMasterConfig(config *configapi.MasterConfig, fldPath *field.Path) V
 	if config.OAuthConfig != nil {
 		validationResults.Append(ValidateOAuthConfig(config.OAuthConfig, fldPath.Child("oauthConfig")))
 	}
+	if config.ExternalOAuthConfig != nil {
+		if config.OAuthConfig != nil {
+			validationResults.AddErrors(field.Invalid(fldPath.Child("externalOAuthConfig"), config.ExternalOAuthConfig, "Cannot specify External OAuth Config when the internal Oauth Server is configured"))
+		}
+		_, err := oauthutil.LoadOAuthMetadataFile(config.ExternalOAuthConfig.MetadataFile)
+		if err != nil {
+			validationResults.AddErrors(field.Invalid(fldPath.Child("externalOAuthConfig", "metadataFile"), config.ExternalOAuthConfig.MetadataFile, fmt.Sprintf("Metadata validation failed: %v", err)))
+		}
+		if len(config.ExternalOAuthConfig.MasterPublicURL) == 0 {
+			validationResults.AddErrors(field.Required(fldPath.Child("externalOAuthConfig", "masterPublicURL"), ""))
+		}
+		if len(config.ExternalOAuthConfig.AssetPublicURL) == 0 {
+			validationResults.AddErrors(field.Required(fldPath.Child("externalOAuthConfig", "assetPublicURL"), ""))
+		}
+	}
 
 	validationResults.Append(ValidateServiceAccountConfig(config.ServiceAccountConfig, builtInKubernetes, fldPath.Child("serviceAccountConfig")))
 

diff --git a/pkg/oauth/util/discovery.go b/pkg/oauth/util/discovery.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net/url"
 
 	"github.com/RangelReale/osin"
 	"github.com/openshift/origin/pkg/authorization/authorizer/scope"
@@ -56,6 +57,20 @@ func GetOauthMetadata(masterPublicURL string) OauthAuthorizationServerMetadata {
 	}
 }
 
+func validateURL(urlString string) error {
+	urlObj, err := url.Parse(urlString)
+	if err != nil {
+		return fmt.Errorf("%q is an invalid URL: %v", urlString, err)
+	}
+	if urlObj.Scheme != "https" {
+		return fmt.Errorf("must use https scheme")
+	}
+	if len(urlObj.Host) == 0 {
+		return fmt.Errorf("must contain a valid host")
+	}
+	return nil
+}
+
 func LoadOAuthMetadataFile(metadataFile string) ([]byte, error) {
 	data, err := ioutil.ReadFile(metadataFile)
 	if err != nil {
@@ -67,5 +82,17 @@ func LoadOAuthMetadataFile(metadataFile string) ([]byte, error) {
 		return nil, fmt.Errorf("Unable to decode External OAuth Metadata file: %v", err)
 	}
 
+	if err := validateURL(oauthMetadata.Issuer); err != nil {
+		return nil, fmt.Errorf("Error validating External OAuth Metadata Issuer field: %v", err)
+	}
+
+	if err := validateURL(oauthMetadata.AuthorizationEndpoint); err != nil {
+		return nil, fmt.Errorf("Error validating External OAuth Metadata AuthorizationEndpoint field: %v", err)
+	}
+
+	if err := validateURL(oauthMetadata.TokenEndpoint); err != nil {
+		return nil, fmt.Errorf("Error validating External OAuth Metadata TokenEndpoint field: %v", err)
+	}
+
 	return data, nil
 }