diff --git a/crates/policy/policies/client_registration.rego b/crates/policy/policies/client_registration.rego
index e0b46ef7..3c125c8f 100644
--- a/crates/policy/policies/client_registration.rego
+++ b/crates/policy/policies/client_registration.rego
@@ -10,15 +10,21 @@ allow {
 parse_uri(url) = obj {
 is_string(url)
- [matches] := regex.find_all_string_submatch_n("^(?P[a-z][a-z0-9+.-]*):(?://(?P((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|\\[::1\\])(?::(?P[0-9]+))?))?(?P/[A-Za-z0-9/.-]*)$", url, 1)
+ [matches] := regex.find_all_string_submatch_n("^(?P[a-z][a-z0-9+.-]*):(?://(?P((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\\[::1\\])(?::(?P[0-9]+))?))?(?P/[A-Za-z0-9/.-]*)$", url, 1)
 obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
 }
 secure_url(x) {
 url := parse_uri(x)
 url.scheme == "https"
+
+ # Disallow localhost variants
+ url.host != "localhost"
 url.host != "127.0.0.1"
+ url.host != "0.0.0.0"
 url.host != "[::1]"
+
+ # Must be standard port for HTTPS
 url.port == ""
 }
@@ -43,7 +49,7 @@ violation[{"msg": "invalid tos_uri"}] {
 not secure_url(input.client_metadata.tos_uri)
 }
-violation[{"msg": "tos_uri not on the same domain as the client_uri"}] {
+violation[{"msg": "tos_uri not on the same host as the client_uri"}] {
 input.client_metadata.tos_uri
 not data.client_registration.allow_host_mismatch
 not host_matches_client_uri(input.client_metadata.tos_uri)
@@ -55,7 +61,7 @@ violation[{"msg": "invalid policy_uri"}] {
 not secure_url(input.client_metadata.policy_uri)
 }
-violation[{"msg": "policy_uri not on the same domain as the client_uri"}] {
+violation[{"msg": "policy_uri not on the same host as the client_uri"}] {
 input.client_metadata.policy_uri
 not data.client_registration.allow_host_mismatch
 not host_matches_client_uri(input.client_metadata.policy_uri)
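Review bot: The deny-list in `secure_url` compares `url.host` against four literal strings only, so another address in 127.0.0.0/8 or a name under `.localhost` still parses through the general hostname alternative in `parse_uri` and is accepted as a secure URL. If `# Disallow localhost variants` is meant to keep loopback targets out of registered client metadata, add pattern checks next to the literals, for example `not regex.match("^127(\\.[0-9]{1,3}){3}$", url.host)` and `not endswith(url.host, ".localhost")`. Separately, the new `0.0.0.0` alternative in the regex leaves its dots unescaped, as the existing `127.0.0.1` does, and appears to be covered already by the hostname alternative, so it does not change what is accepted. Escaping the dots or dropping the alternative would make it clearer that the rejection happens in `secure_url`, not in the parser.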
@@ -67,7 +73,7 @@ violation[{"msg": "invalid logo_uri"}] {
 not secure_url(input.client_metadata.logo_uri)
 }
-violation[{"msg": "logo_uri not on the same domain as the client_uri"}] {
+violation[{"msg": "logo_uri not on the same host as the client_uri"}] {
 input.client_metadata.logo_uri
 not data.client_registration.allow_host_mismatch
 not host_matches_client_uri(input.client_metadata.logo_uri)
diff --git a/docs/usage/configuration.md b/docs/usage/configuration.md
index c993c157..39e3e9b7 100644
--- a/docs/usage/configuration.md
+++ b/docs/usage/configuration.md
@@ -216,3 +216,33 @@ secrets:
 V4CiFiDQsDX+3znAGxqhTuoOkVn/G5lwgE1cgTX57r9cyYkso9UY
 -----END PRIVATE KEY-----
 ```
+
+### `policy`
+
+Policy settings
+
+```yaml
+policy:
+ data:
+ admin_users:
+ - person1
+ - person2
+
+ # Dynamic Client Registration
+ client_registration:
+ # don't require URIs to be on the same host. default: false
+ allow_host_mismatch: true
+ # allow non-SSL and localhost URIs. default: false
+ allow_insecure_uris: true
+
+ # Registration using passwords
+ passwords:
+ # minimum length of a password. default: ?
+ min_length: 8
+ # require at least one lowercase character in a password. default: false
+ require_lowercase: true
+ # require at least one uppercase character in a password. default: false
+ require_uppercase: true
+ # require at least one number in a password. default: false
+ require_number: true
+```