From 0e4472e07fe887b3b3b1156fdfa3821937831bbe Mon Sep 17 00:00:00 2001
From: Wayne Starr
Date: Fri, 2 Aug 2024 14:00:37 -0600
Subject: [PATCH] add more public client checks
---
 .../crd/validators/package-validator.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts
index cba4640fe..e0d28bb37 100644
--- a/src/pepr/operator/crd/validators/package-validator.ts
+++ b/src/pepr/operator/crd/validators/package-validator.ts
@@ -101,6 +101,23 @@ export async function validator(req: PeprValidateRequest) {
 `The client ID "${client.clientId}" must specify redirectUris if standardFlowEnabled is turned on`,
 );
 }
+ // If standardFlowEnabled is undefined (defaults to `true`) or explicitly true and there are no redirectUris set, deny the req
+ if (
+ client.publicClient &&
+ (
+ (client.standardFlowEnabled === undefined || client.standardFlowEnabled) ||
+ (client.secret) ||
+ (client.secretName) ||
+ (client.secretTemplate) ||
+ (client.enableAuthserviceSelector) ||
+ (client.protocol === "saml") ||
+ (!client.attributes || client.attributes["oauth2.device.authorization.grant.enabled"] != "true")
+ )
+ ) {
+ return req.Deny(
+ `The client ID "${client.clientId}" must _only_ configure the OAuth Device Flow as a public client`,
+ );
+ }
 }
 return req.Approve();