authelia/internal/utils/url.go

package utils

import (
	"net/url"
	"path"
	"strings"
)

// URLPathFullClean returns a URL path with the query parameters appended (full path) with the path portion parsed
// through path.Clean given a *url.URL.
func URLPathFullClean(u *url.URL) (output string) {
	lengthPath := len(u.Path)
	lengthQuery := len(u.RawQuery)
	appendForwardSlash := lengthPath > 1 && u.Path[lengthPath-1] == '/'

	switch {
	case lengthPath == 1 && lengthQuery == 0:
		return u.Path
	case lengthPath == 1:
		return path.Clean(u.Path) + "?" + u.RawQuery
	case lengthQuery != 0 && appendForwardSlash:
		return path.Clean(u.Path) + "/?" + u.RawQuery
	case lengthQuery != 0:
		return path.Clean(u.Path) + "?" + u.RawQuery
	case appendForwardSlash:
		return path.Clean(u.Path) + "/"
	default:
		return path.Clean(u.Path)
	}
}

// IsURISafeRedirection returns true if the URI passes the IsURISecure and HasURIDomainSuffix, i.e. if the scheme is
// secure and the given URI has a hostname that is either exactly equal to the given domain or if it has a suffix of the
// domain prefixed with a period.
func IsURISafeRedirection(uri *url.URL, domain string) bool {
	return IsURISecure(uri) && HasURIDomainSuffix(uri, domain)
}

// IsURISecure returns true if the URI has a secure schemes (https or wss).
func IsURISecure(uri *url.URL) bool {
	switch uri.Scheme {
	case https, wss:
		return true
	default:
		return false
	}
}

// HasURIDomainSuffix returns true if the URI hostname is equal to the domain suffix or if it has a suffix of the domain
// suffix prefixed with a period.
func HasURIDomainSuffix(uri *url.URL, domainSuffix string) bool {
	return HasDomainSuffix(uri.Hostname(), domainSuffix)
}

// HasDomainSuffix returns true if the URI hostname is equal to the domain or if it has a suffix of the domain
// prefixed with a period.
func HasDomainSuffix(domain, domainSuffix string) bool {
	if domainSuffix == "" {
		return false
	}

	if domain == domainSuffix {
		return true
	}

	if strings.HasSuffix(domain, period+domainSuffix) {
		return true
	}

	return false
}
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized. 2022-07-05 01:32:10 +00:00			`package utils`

			`import (`
			`"net/url"`
			`"path"`
fix(utils): domain suffix improperly checked (#3799) 2022-08-07 11:13:56 +00:00			`"strings"`
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized. 2022-07-05 01:32:10 +00:00			`)`

			`// URLPathFullClean returns a URL path with the query parameters appended (full path) with the path portion parsed`
			`// through path.Clean given a *url.URL.`
fix(authorization): final slash in url matches ignored (#3717) This fixes an issue with the URL matching machinery which ignores the final slash of a URL. Introduced in 664d65d7fb4cd77f66629dc42c0a2c4a3ccc36a4. Fixes #3692 2022-07-18 04:59:13 +00:00			`func URLPathFullClean(u *url.URL) (output string) {`
			`lengthPath := len(u.Path)`
			`lengthQuery := len(u.RawQuery)`
			`appendForwardSlash := lengthPath > 1 && u.Path[lengthPath-1] == '/'`

			`switch {`
			`case lengthPath == 1 && lengthQuery == 0:`
			`return u.Path`
			`case lengthPath == 1:`
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized. 2022-07-05 01:32:10 +00:00			`return path.Clean(u.Path) + "?" + u.RawQuery`
fix(authorization): final slash in url matches ignored (#3717) This fixes an issue with the URL matching machinery which ignores the final slash of a URL. Introduced in 664d65d7fb4cd77f66629dc42c0a2c4a3ccc36a4. Fixes #3692 2022-07-18 04:59:13 +00:00			`case lengthQuery != 0 && appendForwardSlash:`
			`return path.Clean(u.Path) + "/?" + u.RawQuery`
			`case lengthQuery != 0:`
			`return path.Clean(u.Path) + "?" + u.RawQuery`
			`case appendForwardSlash:`
			`return path.Clean(u.Path) + "/"`
			`default:`
			`return path.Clean(u.Path)`
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized. 2022-07-05 01:32:10 +00:00			`}`
			`}`
fix(utils): domain suffix improperly checked (#3799) 2022-08-07 11:13:56 +00:00
refactor: clean up uri checking functions (#3943) 2022-09-03 01:51:02 +00:00			`// IsURISafeRedirection returns true if the URI passes the IsURISecure and HasURIDomainSuffix, i.e. if the scheme is`
			`// secure and the given URI has a hostname that is either exactly equal to the given domain or if it has a suffix of the`
			`// domain prefixed with a period.`
			`func IsURISafeRedirection(uri *url.URL, domain string) bool {`
			`return IsURISecure(uri) && HasURIDomainSuffix(uri, domain)`
			`}`

			`// IsURISecure returns true if the URI has a secure schemes (https or wss).`
			`func IsURISecure(uri *url.URL) bool {`
			`switch uri.Scheme {`
			`case https, wss:`
			`return true`
			`default:`
fix(utils): domain suffix improperly checked (#3799) 2022-08-07 11:13:56 +00:00			`return false`
			`}`
refactor: clean up uri checking functions (#3943) 2022-09-03 01:51:02 +00:00			`}`
fix(utils): domain suffix improperly checked (#3799) 2022-08-07 11:13:56 +00:00
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-12 10:57:44 +00:00			`// HasURIDomainSuffix returns true if the URI hostname is equal to the domain suffix or if it has a suffix of the domain`
			`// suffix prefixed with a period.`
			`func HasURIDomainSuffix(uri *url.URL, domainSuffix string) bool {`
			`return HasDomainSuffix(uri.Hostname(), domainSuffix)`
			`}`

			`// HasDomainSuffix returns true if the URI hostname is equal to the domain or if it has a suffix of the domain`
refactor: clean up uri checking functions (#3943) 2022-09-03 01:51:02 +00:00			`// prefixed with a period.`
feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-12 10:57:44 +00:00			`func HasDomainSuffix(domain, domainSuffix string) bool {`
			`if domainSuffix == "" {`
			`return false`
			`}`

			`if domain == domainSuffix {`
fix(utils): domain suffix improperly checked (#3799) 2022-08-07 11:13:56 +00:00			`return true`
			`}`

feat(session): multiple session cookie domains (#3754) This adds support to configure multiple session cookie domains. Closes #1198 Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-12 10:57:44 +00:00			`if strings.HasSuffix(domain, period+domainSuffix) {`
fix(utils): domain suffix improperly checked (#3799) 2022-08-07 11:13:56 +00:00			`return true`
			`}`

			`return false`
			`}`