add option to allow client redirects from IPs in specified CIDR range…

…s in SSO client logins (#44556) Co-authored-by: Andrew LeFevre <Andrew LeFevre>
gravitational · Jul 30, 2024 · bca2943 · bca2943
1 parent ee29097
commit bca2943
Show file tree

Hide file tree

Showing 30 changed files with 1,341 additions and 742 deletions.
diff --git a/api/gen/proto/go/teleport/userprovisioning/v1/statichostuser_service_grpc.pb.go b/api/gen/proto/go/teleport/userprovisioning/v1/statichostuser_service_grpc.pb.go
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -4436,6 +4436,8 @@ message MaxAge {
 message SSOClientRedirectSettings {
   // a list of hostnames allowed for https client redirect URLs
   repeated string allowed_https_hostnames = 1;
+  // a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
+  repeated string insecure_allowed_cidr_ranges = 2;
 }
 
 // OIDCAuthRequest is a request to authenticate with OIDC

diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -17,6 +17,7 @@ limitations under the License.
 package types
 
 import (
+	"net/netip"
 	"net/url"
 	"slices"
 	"time"
@@ -35,6 +36,11 @@ type OIDCConnector interface {
 	// ResourceWithSecrets provides common methods for objects
 	ResourceWithSecrets
 	ResourceWithOrigin
+	// Validate will preform checks not found in CheckAndSetDefaults
+	// that should only be preformed when the OIDC connector resource
+	// itself is being created or updated, not when a OIDCConnector
+	// object is being created or updated.
+	Validate() error
 	// Issuer URL is the endpoint of the provider, e.g. https://accounts.google.com
 	GetIssuerURL() string
 	// ClientID is id for authentication client (in our case it's our Auth server)
@@ -449,6 +455,23 @@ func (o *OIDCConnectorV3) CheckAndSetDefaults() error {
 	return nil
 }
 
+// Validate will preform checks not found in CheckAndSetDefaults
+// that should only be preformed when the OIDC connector resource
+// itself is being created or updated, not when a OIDCConnector
+// object is being created or updated.
+func (o *OIDCConnectorV3) Validate() error {
+	if o.Spec.ClientRedirectSettings != nil {
+		for _, cidrStr := range o.Spec.ClientRedirectSettings.InsecureAllowedCidrRanges {
+			_, err := netip.ParsePrefix(cidrStr)
+			if err != nil {
+				return trace.BadParameter("bad CIDR range in insecure_allowed_cidr_ranges '%s': %v", cidrStr, err)
+			}
+		}
+	}
+
+	return nil
+}
+
 // GetAllowUnverifiedEmail returns true if unverified emails should be allowed in received users.
 func (o *OIDCConnectorV3) GetAllowUnverifiedEmail() bool {
 	return o.Spec.AllowUnverifiedEmail