Allow wildcard for redirect_urls in OAuth2 apps

Author: TamiTakamiya

.github/workflows/pip_audit.yml

@@ -29,6 +29,7 @@ jobs:
         run: |
           python -m venv env/
           source env/bin/activate
+          python -m pip install --upgrade pip
           python -m pip install . -rrequirements.txt
           # See: https://github.com/advisories/GHSA-r9hx-vwmv-q579
           pip install --upgrade setuptools

.github/workflows/pip_compile.yml

@@ -27,6 +27,7 @@ jobs:
         python-version: 3.9
     - name: install
       run: |
+        pip install --upgrade pip
         pip install pip-tools
         pip-compile --quiet requirements.in
         pip-compile --quiet requirements-dev.in

ansible_wisdom/main/settings/base.py

@@ -11,6 +11,7 @@
 """
 
 import os
+import sys
 from pathlib import Path
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
@@ -170,6 +171,15 @@
     'REFRESH_TOKEN_EXPIRE_SECONDS': 1_209_600,  # = 2 weeks
 }
 
+#
+# We need to run 'manage.py migrate' before adding our own OAuth2 application model.
+# See https://django-oauth-toolkit.readthedocs.io/en/latest/advanced_topics.html
+# #extending-the-application-model
+#
+if sys.argv[1:2] not in [['migrate'], ['test']]:
+    INSTALLED_APPS.append('wildcard_oauth2')
+    OAUTH2_PROVIDER_APPLICATION_MODEL = 'wildcard_oauth2.Application'
+
 # OAUTH: todo
 # - remove ansible_wisdom/users/auth.py module
 # - remove ansible_wisdom/users/views.py module

ansible_wisdom/wildcard_oauth2/__init__.py

@@ -0,0 +1,9 @@
+"""
+The module offers a custom OAuth2 Application that allows wildcard URLs.
+ (From: https://github.com/open-craft/oauth2-wildcard-application)
+"""
+
+
+default_app_config = (
+    'wildcard_oauth2.apps.WildcardOauth2ApplicationConfig'  # pylint: disable=invalid-name
+)

ansible_wisdom/wildcard_oauth2/apps.py

@@ -0,0 +1,14 @@
+"""
+Django App Configuration
+"""
+
+from django.apps import AppConfig
+
+
+class WildcardOauth2ApplicationConfig(AppConfig):
+    """
+    Configures wildcard_oauth2 as a Django app plugin
+    """
+
+    name = 'wildcard_oauth2'
+    verbose_name = "Wildcard OAuth2 Application"

ansible_wisdom/wildcard_oauth2/models.py

@@ -0,0 +1,79 @@
+"""
+A custom OAuth2 application that allows wildcard for redirect_uris
+
+https://github.com/jazzband/django-oauth-toolkit/issues/443#issuecomment-420255286
+"""
+import re
+from urllib.parse import parse_qsl, urlparse
+
+from django.core.exceptions import ValidationError
+from oauth2_provider.models import AbstractApplication
+from oauth2_provider.settings import oauth2_settings
+
+
+def validate_uris(value):
+    """Ensure that `value` contains valid blank-separated URIs."""
+    urls = value.split()
+    for url in urls:
+        obj = urlparse(url)
+        if obj.fragment:
+            raise ValidationError('Redirect URIs must not contain fragments')
+        if obj.scheme.lower() not in oauth2_settings.ALLOWED_REDIRECT_URI_SCHEMES:
+            raise ValidationError('Redirect URI scheme is not allowed.')
+        if not obj.netloc:
+            raise ValidationError('Redirect URI must contain a domain.')
+
+
+class Application(AbstractApplication):
+    """Subclass of application to allow for regular expressions for the redirect uri."""
+
+    @staticmethod
+    def _uri_is_allowed(allowed_uri, uri):
+        """Check that the URI conforms to these rules."""
+        schemes_match = allowed_uri.scheme == uri.scheme
+        netloc_matches_pattern = re.fullmatch(allowed_uri.netloc, uri.netloc)
+        paths_match = allowed_uri.path == uri.path
+
+        return all([schemes_match, netloc_matches_pattern, paths_match])
+
+    def __init__(self, *args, **kwargs):
+        """Relax the validator to allow for uris with regular expressions."""
+        self._meta.get_field('redirect_uris').validators = [
+            validate_uris,
+        ]
+        super().__init__(*args, **kwargs)
+
+    def redirect_uri_allowed(self, uri):
+        """
+        Check if given url is one of the items in :attr:`redirect_uris` string.
+        A Redirect uri domain may be a regular expression e.g. `^(.*).example.com$` will
+        match all subdomains of example.com.
+        A Redirect uri may be `https://(.*).example.com/some/path/?q=x`
+        :param uri: Url to check
+        """
+        for allowed_uri in self.redirect_uris.split():
+            parsed_allowed_uri = urlparse(allowed_uri)
+            parsed_uri = urlparse(uri)
+
+            if self._uri_is_allowed(parsed_allowed_uri, parsed_uri):
+                aqs_set = set(parse_qsl(parsed_allowed_uri.query))
+                uqs_set = set(parse_qsl(parsed_uri.query))
+
+                if aqs_set.issubset(uqs_set):
+                    return True
+
+        return False
+
+    def clean(self):
+        uris_with_wildcard = [uri for uri in self.redirect_uris.split(' ') if '*' in uri]
+        if uris_with_wildcard:
+            self.redirect_uris = ' '.join(
+                [uri for uri in self.redirect_uris.split(' ') if '*' not in uri]
+            )
+        super().clean()
+        if uris_with_wildcard:
+            self.redirect_uris += ' ' + ' '.join(uris_with_wildcard)
+
+    class Meta:
+        db_table = 'oauth2_provider_application'
+        app_label = 'wildcard_oauth2'

ansible_wisdom/wildcard_oauth2/tests/__init__.py

@@ -0,0 +1,64 @@
+from django.core.exceptions import ValidationError
+from django.test import TestCase
+
+from ..models import Application, validate_uris
+
+redirect_uris = [
+    'vscode://redhat.ansible',
+    r'https://(.*)\.github\.dev/extension-auth-callback?(.*)',
+]
+
+
+class _AppLabel:
+    app_label = 'wildcard_oauth2'
+
+
+class WildcardOAuth2Test(TestCase):
+    def setUp(self):
+        self.app = Application(redirect_uris=' '.join(redirect_uris))
+
+    def test_standalone_vscode_callback_uri(self):
+        rc = self.app.redirect_uri_allowed('vscode://redhat.ansible')
+        self.assertTrue(rc)
+        self.app.clean()
+
+    def test_invalid_callback_uri(self):
+        rc = self.app.redirect_uri_allowed('vscode://othercompany.ansible')
+        self.assertFalse(rc)
+
+    def test_valid_codespases_callback_uri(self):
+        rc = self.app.redirect_uri_allowed(
+            'https://estruyf-opulent-capybara-4grqx5g7953754v.github.dev/'
+            'extension-auth-callback?state=5d6adcfd65b9595ea01f177eccf938c7'
+        )
+        self.assertTrue(rc)
+
+    def test_invalid_codespases_callback_uri(self):
+        rc = self.app.redirect_uri_allowed(
+            'https://estruyf-opulent-capybara-4grqx5g7953754v.github.com/'
+            'extension-auth-callback?state=5d6adcfd65b9595ea01f177eccf938c7'
+        )
+        self.assertFalse(rc)
+
+
+class ValidateUrisTest(TestCase):
+    def test_uri_no_error(self):
+        validate_uris('https://example.com/callback')
+
+    def test_uri_containing_fragment(self):
+        try:
+            validate_uris('https://example.com/callback#fragment')
+        except ValidationError as e:
+            self.assertEqual(e.message, 'Redirect URIs must not contain fragments')
+
+    def test_uri_containing_invalid_scheme(self):
+        try:
+            validate_uris('myapp://example.com/callback')
+        except ValidationError as e:
+            self.assertEqual(e.message, 'Redirect URI scheme is not allowed.')
+
+    def test_uri_containing_no_domain(self):
+        try:
+            validate_uris('vscode:redhat.ansible')
+        except ValidationError as e:
+            self.assertEqual(e.message, 'Redirect URI must contain a domain.')

ansible_wisdom/wildcard_oauth2/tests/test_wildcard_oauth2.py

@@ -6,30 +6,32 @@
 #
 black==22.10.0
     # via -r requirements-dev.in
-build==0.10.0
+build==1.0.3
     # via pip-tools
-cfgv==3.3.1
+cfgv==3.4.0
     # via pre-commit
-click==8.1.3
+click==8.1.7
     # via
     #   black
     #   pip-tools
 coverage==7.2.1
     # via -r requirements-dev.in
-distlib==0.3.6
+distlib==0.3.7
     # via virtualenv
 enum-compat==0.0.3
     # via torch-model-archiver
-filelock==3.12.0
+filelock==3.13.1
     # via virtualenv
 flake8==6.0.0
     # via -r requirements-dev.in
-grpcio==1.54.2
+grpcio==1.59.2
     # via grpcio-tools
 grpcio-tools==1.54.2
     # via -r requirements-dev.in
-identify==2.5.24
+identify==2.5.31
     # via pre-commit
+importlib-metadata==6.8.0
+    # via build
 isort==5.10.1
     # via -r requirements-dev.in
 mccabe==0.7.0
@@ -38,47 +40,50 @@ mypy-extensions==1.0.0
     # via black
 nodeenv==1.8.0
     # via pre-commit
-packaging==23.1
+packaging==23.2
     # via build
-pathspec==0.11.1
+pathspec==0.11.2
     # via
     #   black
     #   yamllint
-pip-tools==6.13.0
+pip-tools==7.3.0
     # via -r requirements-dev.in
-platformdirs==3.5.1
+platformdirs==3.11.0
     # via
     #   black
     #   virtualenv
-pre-commit==3.3.2
+pre-commit==3.5.0
     # via -r requirements-dev.in
-protobuf==4.23.2
+protobuf==4.25.0
     # via grpcio-tools
 pycodestyle==2.10.0
     # via flake8
 pyflakes==3.0.1
     # via flake8
 pyproject-hooks==1.0.0
     # via build
-pyyaml==6.0
+pyyaml==6.0.1
     # via
     #   pre-commit
     #   yamllint
 tomli==2.0.1
     # via
     #   black
     #   build
+    #   pip-tools
     #   pyproject-hooks
-torch-model-archiver==0.8.0
+torch-model-archiver==0.9.0
     # via -r requirements-dev.in
-typing-extensions==4.6.3
+typing-extensions==4.8.0
     # via black
-virtualenv==20.23.0
+virtualenv==20.24.6
     # via pre-commit
-wheel==0.40.0
+wheel==0.41.3
     # via pip-tools
 yamllint==1.29.0
     # via -r requirements-dev.in
+zipp==3.17.0
+    # via importlib-metadata
 
 # The following packages are considered to be unsafe in a requirements file:
 # pip

requirements-dev.txt

@@ -9,7 +9,7 @@ ansible-lint==6.20.3
 boto3==1.26.84
 # UPDATED MANUALLY: waiting for parent package to be updated
 cryptography==41.0.4
-datasets==2.10.1
+datasets==2.14.6
 Django==4.2.7
 django-extensions==3.2.1
 django-health-check==3.17.0
@@ -28,6 +28,8 @@ opensearch-py==2.1.1
 pillow==10.0.1
 protobuf==4.22.1
 psycopg[binary]==3.1.8
+# pin pyarrow on 14.0.1 to address GHSA-5wvp-7f3h-6wmm
+pyarrow==14.0.1
 pydantic==1.10.2
 pytz
 pyOpenSSL==23.2.0