package oidcauth
import (
"net/url"
"github.com/hashicorp/consul/internal/go-sso/oidcauth/internal/strutil"
)
// validRedirect reports whether uri may be used as an OAuth redirect target
// given the configured allowed list.
//
// Non-loopback URIs must match an allowed entry exactly: a byte-for-byte
// string comparison with no normalization, which is the strict matching
// redirect-URI validation calls for (a trailing slash, different case or an
// explicit default port all fail). Loopback URIs -- hostname "localhost",
// "127.0.0.1" or "::1", compared case-sensitively -- are matched
// port-agnostically: the port is stripped from both sides before comparison so
// a native client can bind an ephemeral port, per RFC 8252 section 7.3. Every
// other component (scheme, userinfo, path, query, fragment) must still match.
//
// The function fails closed: an unparsable uri returns false, and an
// unparsable entry in allowed returns false for the whole call even if a
// later entry would have matched. (*Config).Validate is expected to have
// rejected such entries up front.
//
// NOTE(review): RFC 8252 section 8.3 recommends 127.0.0.1/::1 over
// "localhost" for loopback redirects; "localhost" is nevertheless accepted
// here for the port-agnostic path.
func validRedirect(uri string, allowed []string) bool {
	candidate, err := url.Parse(uri)
	if err != nil {
		return false
	}

	// Only the three loopback spellings get the port-agnostic treatment;
	// anything else is an exact string match against the allowed list.
	switch candidate.Hostname() {
	case "localhost", "127.0.0.1", "::1":
	default:
		return strutil.StrListContains(allowed, uri)
	}

	// Drop the port from the candidate once, then compare it against each
	// allowed entry with that entry's port dropped as well.
	candidate.Host = candidate.Hostname()
	want := candidate.String()
	for _, entry := range allowed {
		entryURI, perr := url.Parse(entry)
		if perr != nil {
			// Should be unreachable after (*Config).Validate; fail closed anyway.
			return false
		}
		entryURI.Host = entryURI.Hostname()
		if entryURI.String() == want {
			return true
		}
	}
	return false
}