feat(op): allow double star globs (#507)

Related to zitadel/zitadel#5110

go.mod

@@ -3,6 +3,7 @@ module github.com/zitadel/oidc/v3
 go 1.19
 
 require (
+	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/go-chi/chi/v5 v5.0.11
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/golang/mock v1.6.0

go.sum

@@ -1,3 +1,5 @@
+github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
+github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

pkg/op/auth_request.go

@@ -7,10 +7,10 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"path"
 	"strings"
 	"time"
 
+	"github.com/bmatcuk/doublestar/v4"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	str "github.com/zitadel/oidc/v3/pkg/strings"
@@ -283,7 +283,7 @@ func checkURIAgainstRedirects(client Client, uri string) error {
 	}
 	if globClient, ok := client.(HasRedirectGlobs); ok {
 		for _, uriGlob := range globClient.RedirectURIGlobs() {
-			isMatch, err := path.Match(uriGlob, uri)
+			isMatch, err := doublestar.Match(uriGlob, uri)
 			if err != nil {
 				return oidc.ErrServerError().WithParent(err)
 			}

pkg/op/auth_request_test.go

@@ -583,6 +583,60 @@ func TestValidateAuthReqRedirectURI(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"code flow dev mode has redirect globs regular ok",
+			args{
+				"http://registered.com/callback",
+				mock.NewHasRedirectGlobsWithConfig(t, []string{"http://registered.com/*"}, op.ApplicationTypeUserAgent, nil, true),
+				oidc.ResponseTypeCode,
+			},
+			false,
+		},
+		{
+			"code flow dev mode has redirect globs wildcard ok",
+			args{
+				"http://registered.com/callback",
+				mock.NewHasRedirectGlobsWithConfig(t, []string{"http://registered.com/*"}, op.ApplicationTypeUserAgent, nil, true),
+				oidc.ResponseTypeCode,
+			},
+			false,
+		},
+		{
+			"code flow dev mode has redirect globs double star ok",
+			args{
+				"http://registered.com/callback",
+				mock.NewHasRedirectGlobsWithConfig(t, []string{"http://**/*"}, op.ApplicationTypeUserAgent, nil, true),
+				oidc.ResponseTypeCode,
+			},
+			false,
+		},
+		{
+			"code flow dev mode has redirect globs double star ok",
+			args{
+				"http://registered.com/callback",
+				mock.NewHasRedirectGlobsWithConfig(t, []string{"http://**/*"}, op.ApplicationTypeUserAgent, nil, true),
+				oidc.ResponseTypeCode,
+			},
+			false,
+		},
+		{
+			"code flow dev mode has redirect globs IPv6 ok",
+			args{
+				"http://[::1]:80/callback",
+				mock.NewHasRedirectGlobsWithConfig(t, []string{"http://\\[::1\\]:80/*"}, op.ApplicationTypeUserAgent, nil, true),
+				oidc.ResponseTypeCode,
+			},
+			false,
+		},
+		{
+			"code flow dev mode has redirect globs bad pattern",
+			args{
+				"http://registered.com/callback",
+				mock.NewHasRedirectGlobsWithConfig(t, []string{"http://**/\\"}, op.ApplicationTypeUserAgent, nil, true),
+				oidc.ResponseTypeCode,
+			},
+			true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/op/client.go

@@ -63,6 +63,7 @@ type Client interface {
 // such as DevMode for the client being enabled.
 // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
 type HasRedirectGlobs interface {
+	Client
 	RedirectURIGlobs() []string
 	PostLogoutRedirectURIGlobs() []string
 }

pkg/op/mock/generate.go

@@ -4,6 +4,7 @@ package mock
 //go:generate mockgen -package mock -destination ./storage.mock.go github.com/zitadel/oidc/v3/pkg/op Storage
 //go:generate mockgen -package mock -destination ./authorizer.mock.go github.com/zitadel/oidc/v3/pkg/op Authorizer
 //go:generate mockgen -package mock -destination ./client.mock.go github.com/zitadel/oidc/v3/pkg/op Client
+//go:generate mockgen -package mock -destination ./glob.mock.go github.com/zitadel/oidc/v3/pkg/op HasRedirectGlobs
 //go:generate mockgen -package mock -destination ./configuration.mock.go github.com/zitadel/oidc/v3/pkg/op Configuration
 //go:generate mockgen -package mock -destination ./discovery.mock.go github.com/zitadel/oidc/v3/pkg/op DiscoverStorage
 //go:generate mockgen -package mock -destination ./signer.mock.go github.com/zitadel/oidc/v3/pkg/op SigningKey,Key

pkg/op/mock/glob.go

@@ -0,0 +1,24 @@
+package mock
+
+import (
+	"testing"
+
+	gomock "github.com/golang/mock/gomock"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	op "github.com/zitadel/oidc/v3/pkg/op"
+)
+
+func NewHasRedirectGlobs(t *testing.T) op.HasRedirectGlobs {
+	return NewMockHasRedirectGlobs(gomock.NewController(t))
+}
+
+func NewHasRedirectGlobsWithConfig(t *testing.T, uri []string, appType op.ApplicationType, responseTypes []oidc.ResponseType, devMode bool) op.HasRedirectGlobs {
+	c := NewHasRedirectGlobs(t)
+	m := c.(*MockHasRedirectGlobs)
+	m.EXPECT().RedirectURIs().AnyTimes().Return(uri)
+	m.EXPECT().RedirectURIGlobs().AnyTimes().Return(uri)
+	m.EXPECT().ApplicationType().AnyTimes().Return(appType)
+	m.EXPECT().ResponseTypes().AnyTimes().Return(responseTypes)
+	m.EXPECT().DevMode().AnyTimes().Return(devMode)
+	return c
+}