hashicorp · fairclothjm · Mar 13, 2024 · Mar 12, 2024 · Mar 13, 2024 · Mar 13, 2024
@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -537,6 +538,17 @@ func (b *jwtAuthBackend) verifyOIDCRequest(stateID string) *oidcRequest {
 	return nil
 }
 
+func isLocalAddr(hostname string) bool {
+	ip := net.ParseIP(hostname)
+	if ip != nil {
+		return ip.IsLoopback()
+	} else {
+		// localhost is not guaranteed to map back to a loopback interface address
+		// however, this is historically how the plugin has behaved
+		return hostname == "localhost"
+	}
+}
+
 // validRedirect checks whether uri is in allowed using special handling for loopback uris.
 // Ref: https://tools.ietf.org/html/rfc8252#section-7.3
 func validRedirect(uri string, allowed []string) bool {
@@ -546,8 +558,8 @@ func validRedirect(uri string, allowed []string) bool {
 	}
 
 	// if uri isn't a loopback, just string search the allowed list
-	if !strutil.StrListContains([]string{"localhost", "127.0.0.1", "::1"}, inputURI.Hostname()) {
-		return strutil.StrListContains(allowed, uri)
+	if !isLocalAddr(inputURI.Hostname()) {
+		return strutil.StrListContainsCaseInsensitive(allowed, uri)
 	}
 
 	// otherwise, search for a match in a port-agnostic manner, per the OAuth RFC.

@@ -122,6 +122,53 @@ func TestOIDC_AuthURL(t *testing.T) {
 		}
 	})
 
+	t.Run("case insensitive", func(t *testing.T) {
+		t.Parallel()
+
+		// normal cases, both passing the role name explicitly and relying on the default
+		for _, rolename := range []string{"test", ""} {
+			data := map[string]interface{}{
+				"role":         rolename,
+				"redirect_uri": "https://EXAMPLE.com",
+			}
+			req := &logical.Request{
+				Operation: logical.UpdateOperation,
+				Path:      "oidc/auth_url",
+				Storage:   storage,
+				Data:      data,
+			}
+
+			resp, err := b.HandleRequest(context.Background(), req)
+			if err != nil || (resp != nil && resp.IsError()) {
+				t.Fatalf("err:%v resp:%#v\n", err, resp)
+			}
+
+			authURL := resp.Data["auth_url"].(string)
+
+			expected := []string{
+				`client_id=abc`,
+				`https://team-vault\.auth0\.com/authorize`,
+				`scope=openid`,
+				`nonce=n_\w{20}`,
+				`state=st_\w{20}`,
+				`redirect_uri=https%3A%2F%2FEXAMPLE.com`,
+				`response_type=code`,
+				`code_challenge=\w+`,
+				`scope=openid`,
+			}
+
+			for _, testPattern := range expected {
+				matched, err := regexp.MatchString(testPattern, authURL)
+				if err != nil {
+					t.Fatal(err)
+				}
+				if !matched {
+					t.Fatalf("expected auth_url %q to match regex: %s", authURL, testPattern)
+				}
+			}
+		}
+	})
+
 	t.Run("missing role", func(t *testing.T) {
 		t.Parallel()
 
@@ -1516,8 +1563,10 @@ func TestOIDC_ValidRedirect(t *testing.T) {
 		{"https://example.com/a/b/c", []string{"a", "b", "https://example.com/a/b/c"}, true},
 		{"https://localhost:9000", []string{"a", "b", "https://localhost:5000"}, true},
 		{"https://127.0.0.1:9000", []string{"a", "b", "https://127.0.0.1:5000"}, true},
+		{"https://127.0.0.2:9000", []string{"a", "b", "https://127.0.0.2:5000"}, true},
 		{"https://[::1]:9000", []string{"a", "b", "https://[::1]:5000"}, true},
 		{"https://[::1]:9000/x/y?r=42", []string{"a", "b", "https://[::1]:5000/x/y?r=42"}, true},
+		{"https://EXAMPLE.com:5000", []string{"a", "b", "https://example.com:5000"}, true},
 
 		// invalid
 		{"https://example.com", []string{}, false},