Validate that clientId does not contain ':' (#266)

Signed-off-by: Ignasi Barrera <ignasi@tetrate.io>
istio-ecosystem · Oct 10, 2024 · af1e088 · af1e088
1 parent e99c3eb
commit af1e088
Show file tree

Hide file tree

Showing 10 changed files with 161 additions and 112 deletions.
diff --git a/config/Makefile b/config/Makefile
@@ -12,14 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-BUF ?= github.com/bufbuild/buf/cmd/buf@v1.17.0
+BUF ?= github.com/bufbuild/buf/cmd/buf@v1.32.2
 
 PROTO_SOURCES := $(shell find . -name '*.proto')
 
 .PHONY: build
 build: $(PROTO_SOURCES) ## Generate the Go code from the protobuf definitions
 	@echo "Generating Go code from protobuf definitions"
-	@go run $(BUF) mod update
 	@go run $(BUF) build
 	@go run $(BUF) generate
 	@go mod tidy

diff --git a/config/buf.gen.yaml b/config/buf.gen.yaml
@@ -24,7 +24,7 @@ plugins:
     out: gen/go
     opt:
       - paths=source_relative
-  - plugin: buf.build/bufbuild/validate-go
+  - plugin: buf.build/bufbuild/validate-go:v1.0.4
     out: gen/go
     opt:
       - paths=source_relative
diff --git a/config/buf.lock b/config/buf.lock
@@ -4,5 +4,5 @@ deps:
   - remote: buf.build
     owner: envoyproxy
     repository: protoc-gen-validate
-    commit: 6607b10f00ed4a3d98f906807131c44a
-    digest: shake256:acc7b2ededb2f88d296862943a003b157bdb68ec93ed13dcd8566b2d06e47993ea6daf12013b9655658aaf6bbdb141cf65bfe400ce2870f4654b0a5b45e57c09
+    commit: daf171c6cdb54629b5f51e345a79e4dd
+    digest: shake256:4ae167d7eed10da5f83a3f5df8c670d249170f11b1f2fd19afda06be2cff4d47dcc95e9e4a15151ecc8ce2d3d3614caf9a04d3ad82fb768a3870dedfa9455f36
diff --git a/config/buf.yaml b/config/buf.yaml
@@ -15,7 +15,7 @@
 version: v1
 name: buf.build/authservice/config
 deps:
-  - buf.build/envoyproxy/protoc-gen-validate:6607b10f00ed4a3d98f906807131c44a
+  - buf.build/envoyproxy/protoc-gen-validate
 lint:
   use:
     - DEFAULT

diff --git a/config/gen/go/v1/oidc/config.pb.go b/config/gen/go/v1/oidc/config.pb.go
diff --git a/config/gen/go/v1/oidc/config.pb.validate.go b/config/gen/go/v1/oidc/config.pb.validate.go
diff --git a/config/v1/oidc/config.proto b/config/v1/oidc/config.proto
@@ -132,7 +132,9 @@ message OIDCConfig {
   // The OIDC client ID assigned to the filter to be used in the
   // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
   // Required.
-  string client_id = 5 [(validate.rules).string.min_len = 1];
+  // The client ID is used to authenticate to the Token endpoint using HTTP Basic Auth and it
+  // must not contain a colon (":") character.
+  string client_id = 5 [(validate.rules).string = {min_len: 1, not_contains: ":"}];
 
   // This message defines a reference to a Kubernetes Secret resource.
   message SecretReference {

diff --git a/env.mk b/env.mk
@@ -18,7 +18,7 @@ NAME      ?= authservice
 
 -include $(ROOT)/.makerc  # Pick up any local overrides.
 
-GOLANGCI_LINT ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.60.3
+GOLANGCI_LINT ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.61.0
 GOSIMPORTS    ?= github.com/rinchsan/gosimports/cmd/gosimports@v0.3.8
 LICENSER      ?= github.com/liamawhite/licenser@v0.6.1-0.20210729145742-be6c77bf6a1f
 KIND          ?= sigs.k8s.io/kind@v0.18.0

diff --git a/internal/config_test.go b/internal/config_test.go
@@ -47,7 +47,10 @@ func (e errCheck) Check(t *testing.T, err error) {
 	}
 }
 
-const msgLengthValidation = "value length must be at least 1 runes"
+const (
+	msgLengthValidation = "value length must be at least 1 runes"
+	msgInvalidClientID  = `invalid OIDCConfig.ClientId: value contains substring ":"`
+)
 
 func TestValidateConfig(t *testing.T) {
 	tests := []struct {
@@ -64,6 +67,7 @@ func TestValidateConfig(t *testing.T) {
 		{"multiple-oidc", "testdata/multiple-oidc.json", errCheck{is: ErrMultipleOIDCConfig}},
 		{"invalid-redis", "testdata/invalid-redis.json", errCheck{is: ErrInvalidURL}},
 		{"invalid-oidc-uris", "testdata/invalid-oidc-uris.json", errCheck{is: ErrRequiredURL}},
+		{"invalid-oidc-client-id", "testdata/invalid-oidc-client-id.json", errCheck{msg: msgInvalidClientID}},
 		{"invalid-health-port", "testdata/invalid-health-port.json", errCheck{is: ErrHealthPortInUse}},
 		{"invalid-callback-uri", "testdata/invalid-callback.json", errCheck{is: ErrMustNotBeRootPath}},
 		{"invalid-logout-path", "testdata/invalid-logout.json", errCheck{is: ErrMustNotBeRootPath}},

diff --git a/internal/testdata/invalid-oidc-client-id.json b/internal/testdata/invalid-oidc-client-id.json
@@ -0,0 +1,30 @@
+{
+  "listen_address": "0.0.0.0",
+  "listen_port": 8080,
+  "log_level": "debug",
+  "chains": [
+    {
+      "name": "oidc",
+      "filters": [
+        {
+          "oidc": {
+            "configuration_uri": "http://fake",
+            "callback_uri": "http://fake/callback",
+            "proxy_uri": "http://fake",
+            "jwks": "fake-jwks",
+            "client_id": "invalid:clientId",
+            "client_secret": "fake-client-secret",
+            "id_token": {
+              "preamble": "Bearer",
+              "header": "authorization"
+            },
+            "redis_session_store_config": {
+              "server_uri": "redis://localhost:6379/0"
+            },
+            "skip_verify_peer_cert": true
+          }
+        }
+      ]
+    }
+  ]
+}