allow non-http developer key redirect URIs

fixes CNVS-30780 Change-Id: I0413e5c8f099bfe63d0bde235e5bef4c30189b5f Reviewed-on: https://gerrit.instructure.com/88452 Tested-by: Jenkins Reviewed-by: Simon Williams <simon@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com> QA-Review: Cody Cutrer <cody@instructure.com>
2016-08-22 16:05:03 -06:00 · 2016-08-22 16:05:03 -06:00 · 42e8ff44eb
parent ef4149106a
commit 42e8ff44eb
4 changed files with 14 additions and 7 deletions
--- a/app/models/developer_key.rb
+++ b/app/models/developer_key.rb
@ -35,7 +35,7 @@ class DeveloperKey < ActiveRecord::Base
  before_save :nullify_empty_icon_url
  after_save :clear_cache

-  validates_as_url :redirect_uri
+  validates_as_url :redirect_uri, allowed_schemes: nil
  validate :validate_redirect_uris

  scope :nondeleted, -> { where("workflow_state<>'deleted'") }
@ -57,7 +57,7 @@ class DeveloperKey < ActiveRecord::Base

  def validate_redirect_uris
    uris = redirect_uris.map do |value|
-      value, _ = CanvasHttp.validate_url(value)
+      value, _ = CanvasHttp.validate_url(value, allowed_schemes: nil)
      value
    end

--- a/gems/canvas_http/lib/canvas_http.rb
+++ b/gems/canvas_http/lib/canvas_http.rb
@ -48,7 +48,7 @@ module CanvasHttp
    loop do
      raise(TooManyRedirectsError) if redirect_limit <= 0

-      _, uri = CanvasHttp.validate_url(url_str, last_host, last_scheme) # uses the last host and scheme for relative redirects
+      _, uri = CanvasHttp.validate_url(url_str, host: last_host, scheme: last_scheme) # uses the last host and scheme for relative redirects
      http = CanvasHttp.connection_for_uri(uri)

      multipart_query = nil
@ -93,7 +93,7 @@ module CanvasHttp
  end

  # returns [normalized_url_string, URI] if valid, raises otherwise
-  def self.validate_url(value, host=nil, scheme=nil)
+  def self.validate_url(value, host: nil, scheme: nil, allowed_schemes: %w{http https})
    value = value.strip
    raise ArgumentError if value.empty?
    uri = URI.parse(value)
@ -108,7 +108,7 @@ module CanvasHttp
      end
      uri = URI.parse(value) # it's still a URI::Generic
    end
-    raise ArgumentError unless %w(http https).include?(uri.scheme.downcase)
+    raise ArgumentError if !allowed_schemes.nil? && !allowed_schemes.include?(uri.scheme.downcase)
    raise(RelativeUriError) if uri.host.nil? || uri.host.strip.empty?

    return value, uri
--- a/lib/custom_validations.rb
+++ b/lib/custom_validations.rb
@ -21,10 +21,10 @@ module CustomValidations

  module ClassMethods

-    def validates_as_url(*fields)
+    def validates_as_url(*fields, allowed_schemes: %w{http https})
      validates_each(fields, :allow_nil => true) do |record, attr, value|
        begin
-          value, uri = CanvasHttp.validate_url(value)
+          value, uri = CanvasHttp.validate_url(value, allowed_schemes: allowed_schemes)

          record.send("#{attr}=", value)
        rescue URI::Error, ArgumentError
--- a/spec/models/developer_key_spec.rb
+++ b/spec/models/developer_key_spec.rb
@ -48,6 +48,13 @@ describe DeveloperKey do
    end
  end

+  it "allows non-http redirect URIs" do
+    key = DeveloperKey.new
+    key.redirect_uri = 'tealpass://somewhere.edu/authentication'
+    key.redirect_uris = ['tealpass://somewhere.edu/authentication']
+    expect(key).to be_valid
+  end
+
  describe "#redirect_domain_matches?" do
    it "should match domains exactly, and sub-domains" do
      key = DeveloperKey.create!(:redirect_uri => "http://example.com/a/b")