authorSpencer Jackson <spencer.jackson@mongodb.com>2023-04-07 19:19:24 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-07 21:24:21 +0000
commit45c4c96122bed169acf7d7cb0303c0fa600cce04 (patch)
treeab97575c726976bf802f6f30f5b8ac6bbbb9aaa3 /src/mongo/util
parentc1ee4c083d7660a5eac103319ad2960ccd5dbf5f (diff)
SERVER-75121 Remove JWKS URI from OIDC configuration
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/net/SConscript5
-rw-r--r--src/mongo/util/net/http_client.cpp22
-rw-r--r--src/mongo/util/net/http_client.h8
-rw-r--r--src/mongo/util/net/http_client_test.cpp57
4 files changed, 88 insertions, 4 deletions
diff --git a/src/mongo/util/net/SConscript b/src/mongo/util/net/SConscript
index 3d217c36ed4..4e226c849ce 100644
--- a/src/mongo/util/net/SConscript
+++ b/src/mongo/util/net/SConscript
@@ -180,6 +180,9 @@ env.Library(
LIBDEPS=[
'$BUILD_DIR/mongo/base',
],
+ LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/db/commands/test_commands_enabled',
+ ],
)
if http_client == "off":
@@ -229,8 +232,10 @@ env.CppUnitTest(
source=[
'cidr_test.cpp',
'hostandport_test.cpp',
+ 'http_client_test.cpp',
],
LIBDEPS=[
+ 'http_client',
'network',
],
)
diff --git a/src/mongo/util/net/http_client.cpp b/src/mongo/util/net/http_client.cpp
index c1c31948024..00d404cdc16 100644
--- a/src/mongo/util/net/http_client.cpp
+++ b/src/mongo/util/net/http_client.cpp
@@ -28,7 +28,10 @@
*/
#include "mongo/util/net/http_client.h"
+
#include "mongo/base/status.h"
+#include "mongo/db/commands/test_commands_enabled.h"
+#include "mongo/util/ctype.h"
namespace mongo {
@@ -43,8 +46,23 @@ void registerHTTPClientProvider(HttpClientProvider* factory) {
_factory = factory;
}
-Status HttpClient::endpointIsHTTPS(StringData url) {
- if (url.startsWith("https://")) {
+Status HttpClient::endpointIsSecure(StringData url) {
+ bool isAcceptableLocalhost = [url]() mutable {
+ constexpr StringData localhostPrefix = "http://localhost"_sd;
+ if (!url.startsWith(localhostPrefix)) {
+ return false;
+ }
+ url = url.substr(localhostPrefix.size());
+ if (url[0] == ':') {
+ url = url.substr(1);
+ while (!url.empty() && ctype::isDigit(url[0])) {
+ url = url.substr(1);
+ }
+ }
+ return url.empty() || url[0] == '/';
+ }();
+
+ if (url.startsWith("https://") || (isAcceptableLocalhost && getTestCommandsEnabled())) {
return Status::OK();
}
return Status(ErrorCodes::IllegalOperation, "Endpoint is not HTTPS");
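Review bot: `if (url[0] == ':')` is evaluated right after the prefix has been stripped with no check that anything remains, whereas the digit loop two lines below does guard with `!url.empty()`; for the exact input `http://localhost` the view is empty at that point, and whether the read is benign depends on the StringData's backing storage carrying a terminator past its size — for a view over a non-NUL-terminated buffer it is an out-of-bounds read. Changing it to `if (!url.empty() && url[0] == ':') {` lets the empty case fall straight through to the `url.empty() || url[0] == '/'` return with the same result. The unchanged error text `Endpoint is not HTTPS` now also covers rejected plain-HTTP localhost forms, so a message along the lines of `Endpoint is not HTTPS (plain-HTTP localhost is accepted only with test commands enabled)` would describe the new rule more accurately to an operator reading the log. The closing brace of endpointIsSecure lies outside the hunk.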
diff --git a/src/mongo/util/net/http_client.h b/src/mongo/util/net/http_client.h
index 32daf8be031..ee19dd0be39 100644
--- a/src/mongo/util/net/http_client.h
+++ b/src/mongo/util/net/http_client.h
@@ -73,9 +73,13 @@ public:
virtual void allowInsecureHTTP(bool allow) = 0;
/**
- * Returns Status::OK iff the provided URL endpoint uses HTTPS.
+ * Returns Status::OK iff the provided URL endpoint is "secure".
+ *
+ * HTTPS endpoints are secure. If test commands are enabled, localhost endpoints
+ * over HTTP with only a host, optional port, and optionally a slash and trailing
+ * content are considered secure.
*/
- static Status endpointIsHTTPS(StringData url);
+ static Status endpointIsSecure(StringData url);
/**
* Assign a set of headers for this request.
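Review bot: The new comment leaves the boundary of the localhost exception vague, and since this is the only relaxation of the HTTPS rule callers should be able to read the exact shape from the header rather than from the implementation. I would add a sentence after the second paragraph: ` * Only the literal host "localhost" qualifies (127.0.0.1 and ::1 do not), the optional port must consist solely of digits, and any other character following the host (e.g. "localhost.example.com" or userinfo) is rejected; a rejected endpoint yields ErrorCodes::IllegalOperation.` Each of those facts is visible in the matching endpointIsSecure hunk in http_client.cpp (the `"http://localhost"_sd` prefix, the `ctype::isDigit` loop and the `ErrorCodes::IllegalOperation` return).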
diff --git a/src/mongo/util/net/http_client_test.cpp b/src/mongo/util/net/http_client_test.cpp
new file mode 100644
index 00000000000..f2b38ab832e
--- /dev/null
+++ b/src/mongo/util/net/http_client_test.cpp
@@ -0,0 +1,57 @@
+/**
+ * Copyright (C) 2023-present MongoDB, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the Server Side Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#include "mongo/unittest/unittest.h"
+#include "mongo/util/net/http_client.h"
+
+namespace mongo {
+
+TEST(HttpClient, HTTPSIsSecure) {
+ ASSERT_OK(HttpClient::endpointIsSecure("https://example.com"));
+}
+
+TEST(HttpClient, HTTPIsNotSecure) {
+ ASSERT_NOT_OK(HttpClient::endpointIsSecure("http://example.com"));
+}
+
+TEST(HttpClient, EvilHTTPIsNotSecure) {
+ ASSERT_NOT_OK(HttpClient::endpointIsSecure("http://localhost.example.com"));
+ ASSERT_NOT_OK(HttpClient::endpointIsSecure("http://localhost:password@example.com"));
+}
+
+TEST(HttpClient, LocalhostHTTPIsSecure) {
+ ASSERT_OK(HttpClient::endpointIsSecure("http://localhost"));
+ ASSERT_OK(HttpClient::endpointIsSecure("http://localhost/"));
+ ASSERT_OK(HttpClient::endpointIsSecure("http://localhost/resource"));
+ ASSERT_OK(HttpClient::endpointIsSecure("http://localhost:9001"));
+ ASSERT_OK(HttpClient::endpointIsSecure("http://localhost:9001/"));
+ ASSERT_OK(HttpClient::endpointIsSecure("http://localhost:9001/resource"));
+}
+
+} // namespace mongo
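Review bot: The new tests never cover the negative side of the gate: `LocalhostHTTPIsSecure` can only pass because the harness presumably has `getTestCommandsEnabled()` returning true, yet nothing asserts that the same localhost URLs are rejected when test commands are off, which is the property that keeps the relaxation out of production. A test that turns the flag off for its duration and restores it afterwards would pin that behaviour; the file would also need `mongo/db/commands/test_commands_enabled.h` (already pulled in by http_client.cpp in this commit) and the ON_BLOCK_EXIT guard from the util scope-guard header. Adding `http://localhost:9001@example.com` to `EvilHTTPIsNotSecure` would also cover the userinfo-after-port form that the digit loop has to reject.
```cpp
// … unchanged: license header, includes, existing TEST cases …

TEST(HttpClient, LocalhostHTTPIsNotSecureWithoutTestCommands) {
    const bool saved = getTestCommandsEnabled();
    setTestCommandsEnabled(false);
    ON_BLOCK_EXIT([saved] { setTestCommandsEnabled(saved); });
    ASSERT_NOT_OK(HttpClient::endpointIsSecure("http://localhost"));
    ASSERT_NOT_OK(HttpClient::endpointIsSecure("http://localhost:9001/resource"));
}
```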