Document client registration policy config and improve error messages (#299)

2025-08-06 06:02:40 +03:00 · 2022-07-09 13:47:40 +01:00
parent 0e21f00d17
commit fa1f71452c
2 changed files with 40 additions and 4 deletions
--- a/crates/policy/policies/client_registration.rego
+++ b/crates/policy/policies/client_registration.rego
@@ -10,15 +10,21 @@ allow {

 parse_uri(url) = obj {
 	is_string(url)
-	[matches] := regex.find_all_string_submatch_n("^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|\\[::1\\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)$", url, 1)
+	[matches] := regex.find_all_string_submatch_n("^(?P<scheme>[a-z][a-z0-9+.-]*):(?://(?P<host>((?:(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])\\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9-]*[a-z0-9])|127.0.0.1|0.0.0.0|\\[::1\\])(?::(?P<port>[0-9]+))?))?(?P<path>/[A-Za-z0-9/.-]*)$", url, 1)
 	obj := {"scheme": matches[1], "authority": matches[2], "host": matches[3], "port": matches[4], "path": matches[5]}
 }

 secure_url(x) {
 	url := parse_uri(x)
 	url.scheme == "https"
+
+	# Disallow localhost variants
+	url.host != "localhost"
 	url.host != "127.0.0.1"
+	url.host != "0.0.0.0"
 	url.host != "[::1]"
+
+	# Must be standard port for HTTPS
 	url.port == ""
 }

@@ -43,7 +49,7 @@ violation[{"msg": "invalid tos_uri"}] {
 	not secure_url(input.client_metadata.tos_uri)
 }

-violation[{"msg": "tos_uri not on the same domain as the client_uri"}] {
+violation[{"msg": "tos_uri not on the same host as the client_uri"}] {
 	input.client_metadata.tos_uri
 	not data.client_registration.allow_host_mismatch
 	not host_matches_client_uri(input.client_metadata.tos_uri)
@@ -55,7 +61,7 @@ violation[{"msg": "invalid policy_uri"}] {
 	not secure_url(input.client_metadata.policy_uri)
 }

-violation[{"msg": "policy_uri not on the same domain as the client_uri"}] {
+violation[{"msg": "policy_uri not on the same host as the client_uri"}] {
 	input.client_metadata.policy_uri
 	not data.client_registration.allow_host_mismatch
 	not host_matches_client_uri(input.client_metadata.policy_uri)
@@ -67,7 +73,7 @@ violation[{"msg": "invalid logo_uri"}] {
 	not secure_url(input.client_metadata.logo_uri)
 }

-violation[{"msg": "logo_uri not on the same domain as the client_uri"}] {
+violation[{"msg": "logo_uri not on the same host as the client_uri"}] {
 	input.client_metadata.logo_uri
 	not data.client_registration.allow_host_mismatch
 	not host_matches_client_uri(input.client_metadata.logo_uri)
--- a/docs/usage/configuration.md
+++ b/docs/usage/configuration.md
@@ -216,3 +216,33 @@ secrets:
        V4CiFiDQsDX+3znAGxqhTuoOkVn/G5lwgE1cgTX57r9cyYkso9UY
        -----END PRIVATE KEY-----
 ```
+
+### `policy`
+
+Policy settings
+
+```yaml
+policy:
+  data:
+    admin_users:
+      - person1
+      - person2
+
+    # Dynamic Client Registration
+    client_registration:
+      # don't require URIs to be on the same host. default: false
+      allow_host_mismatch: true
+      # allow non-SSL and localhost URIs. default: false
+      allow_insecure_uris: true
+
+    # Registration using passwords
+    passwords: 
+      # minimum length of a password. default: ?
+      min_length: 8
+      # require at least one lowercase character in a password. default: false
+      require_lowercase: true
+      # require at least one uppercase character in a password. default: false
+      require_uppercase: true
+      # require at least one number in a password. default: false
+      require_number: true
+```