Validate sector identifier uri and redirect uri

app/controllers/api/openid_connect/clients_controller.rb

@@ -5,10 +5,15 @@ module Api
         http_error_page_as_json(e)
       end
 
-      rescue_from OpenIDConnect::ValidationFailed, ActiveRecord::RecordInvalid do |e|
+      rescue_from OpenIDConnect::ValidationFailed,
+                  ActiveRecord::RecordInvalid, Api::OpenidConnect::Exception::InvalidSectorIdentifierUri do |e|
         validation_fail_as_json(e)
       end
 
+      rescue_from Api::OpenidConnect::Exception::InvalidRedirectUri do |e|
+        validation_fail_redirect_uri(e)
+      end
+
       def create
         registrar = OpenIDConnect::Client::Registrar.new(request.url, params)
         client = Api::OpenidConnect::OAuthApplication.register! registrar
@@ -27,19 +32,15 @@ module Api
       private
 
       def http_error_page_as_json(e)
-        render json:
-                 {
-                   error:             :invalid_request,
-                   error_description: e.message
-                 }, status: 400
+        render json: { error: :invalid_request, error_description: e.message}, status: 400
       end
 
       def validation_fail_as_json(e)
-        render json:
-                 {
-                   error:             :invalid_client_metadata,
-                   error_description: e.message
-                 }, status: 400
+        render json: {error: :invalid_client_metadata, error_description: e.message}, status: 400
+      end
+
+      def validation_fail_redirect_uri(e)
+        render json: {error: :invalid_redirect_uri, error_description: e.message}, status: 400
       end
     end
   end

app/models/api/openid_connect/o_auth_application.rb

@@ -39,7 +39,30 @@ module Api
         private
 
         def build_client_application(registrar)
-          create! registrar_attributes(registrar)
+          attributes = registrar_attributes(registrar)
+          check_sector_identifier_uri(attributes)
+          check_redirect_uris(attributes)
+          create! attributes
+        end
+
+        def check_sector_identifier_uri(attributes)
+          sector_identifier_uri = attributes[:sector_identifier_uri]
+          return unless sector_identifier_uri
+          uri = URI.parse(sector_identifier_uri)
+          response = Net::HTTP.get_response(uri)
+          sector_identifier_uri_json = JSON.parse(response.body)
+          redirect_uris = attributes[:redirect_uris]
+          sector_identifier_uri_includes_redirect_uris = (redirect_uris - sector_identifier_uri_json).empty?
+          return if sector_identifier_uri_includes_redirect_uris
+          raise Api::OpenidConnect::Exception::InvalidSectorIdentifierUri.new
+        end
+
+        def check_redirect_uris(attributes)
+          redirect_uris = attributes[:redirect_uris]
+          uri_array = redirect_uris.map {|uri| URI(uri) }
+          any_uri_contains_fragment = uri_array.any? {|uri| !uri.fragment.nil? }
+          return unless any_uri_contains_fragment
+          raise Api::OpenidConnect::Exception::InvalidRedirectUri.new
         end
 
         def supported_metadata

lib/api/openid_connect/exception/invalid_redirect_uri.rb

@@ -0,0 +1,11 @@
+module Api
+  module OpenidConnect
+    module Exception
+      class InvalidRedirectUri < ::ArgumentError
+        def initialize
+          super "Redirect uri contains fragment"
+        end
+      end
+    end
+  end
+end

lib/api/openid_connect/exception/invalid_sector_identifier_uri.rb

@@ -0,0 +1,11 @@
+module Api
+  module OpenidConnect
+    module Exception
+      class InvalidSectorIdentifierUri < ::ArgumentError
+        def initialize
+          super "Invalid sector identifier uri"
+        end
+      end
+    end
+  end
+end

spec/controllers/api/openid_connect/clients_controller_spec.rb

@@ -4,6 +4,10 @@ describe Api::OpenidConnect::ClientsController, type: :controller do
   describe "#create" do
     context "when valid parameters are passed" do
       it "should return a client id" do
+        stub_request(:get, "http://example.com/uris")
+          .with(headers: {"Accept" => "*/*", "Accept-Encoding" => "gzip;q=1.0,deflate;q=0.6,identity;q=0.3",
+                          "Host" => "example.com", "User-Agent" => "Ruby"})
+          .to_return(status: 200, body: "[\"http://localhost\"]", headers: {})
         post :create, redirect_uris: ["http://localhost"], client_name: "diaspora client",
              response_types: [], grant_types: [], application_type: "web", contacts: [],
              logo_uri: "http://example.com/logo.png", client_uri: "http://example.com/client",