feat(cli): add validation to endpoint urls

relates to STACKITCLI-340

Author: Manuelvaas

internal/pkg/auth/utils.go

@@ -98,12 +98,21 @@ func parseWellKnownConfiguration(httpClient apiClient, wellKnownConfigURL string
 	if wellKnownConfig.Issuer == "" {
 		return nil, fmt.Errorf("found no issuer")
 	}
+	if utils.ValidateURLDomain(wellKnownConfig.Issuer) != nil {
+		return nil, err
+	}
 	if wellKnownConfig.AuthorizationEndpoint == "" {
 		return nil, fmt.Errorf("found no authorization endpoint")
 	}
+	if utils.ValidateURLDomain(wellKnownConfig.AuthorizationEndpoint) != nil {
+		return nil, err
+	}
 	if wellKnownConfig.TokenEndpoint == "" {
 		return nil, fmt.Errorf("found no token endpoint")
 	}
+	if utils.ValidateURLDomain(wellKnownConfig.TokenEndpoint) != nil {
+		return nil, err
+	}
 
 	err = SetAuthField(IDP_TOKEN_ENDPOINT, wellKnownConfig.TokenEndpoint)
 	if err != nil {

internal/pkg/utils/utils.go

@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/url"
+	"slices"
 	"strings"
 	"time"
 
@@ -82,11 +83,19 @@ func ValidateURLDomain(value string) error {
 	if err != nil {
 		return fmt.Errorf("parse url: %w", err)
 	}
+
 	urlHost := urlStruct.Hostname()
 	if urlHost == "" {
 		return fmt.Errorf("bad url")
 	}
 
+	allowedSchemes := []string{
+		"https",
+	}
+	if !slices.Contains(allowedSchemes, urlStruct.Scheme) {
+		return fmt.Errorf("unsupported protocol: %s", urlStruct.Scheme)
+	}
+
 	allowedUrlDomain := viper.GetString(config.AllowedUrlDomainKey)
 
 	if !strings.HasSuffix(urlHost, allowedUrlDomain) {

internal/pkg/utils/utils_test.go

@@ -97,6 +97,16 @@ func TestValidateURLDomain(t *testing.T) {
 			input:   "",
 			isValid: false,
 		},
+		{
+			name:    "invalid protocol",
+			input:   "http://example.stackit.cloud",
+			isValid: false,
+		},
+		{
+			name:    "no protocol",
+			input:   "example.stackit.cloud",
+			isValid: false,
+		},
 	}
 
 	for _, tt := range tests {