From 86338e6ea215cd1410eb8459070b604f76eca3a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Mon, 12 Feb 2018 18:43:32 +0100
Subject: [PATCH] Introduce new validation checks in OpenIddictApplicationManager.ValidateAsync() to ensure app permissions are consistent
---
 .../Managers/OpenIddictApplicationManager.cs | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
index f5e35ebb..84c3ed7d 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@@ -955,6 +955,56 @@ namespace OpenIddict.Core
 }
 }
+ var permissions = await Store.GetPermissionsAsync(application, cancellationToken);
+ if (permissions.Contains(OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode))
+ {
+ if (!permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Authorization) &&
+ permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
+ {
+ results.Add(new ValidationResult(
+ "The authorization code flow permission requires adding the authorization endpoint permission."));
+ }
+
+ if (!permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Token) &&
+ permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
+ {
+ results.Add(new ValidationResult(
+ "The authorization code flow permission requires adding the token endpoint permission."));
+ }
+ }
+
+ if (permissions.Contains(OpenIddictConstants.Permissions.GrantTypes.ClientCredentials) &&
+ !permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Token) &&
+ permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
+ {
+ results.Add(new ValidationResult(
+ "The client credentials flow permission requires adding the token endpoint permission."));
+ }
+
+ if (permissions.Contains(OpenIddictConstants.Permissions.GrantTypes.Implicit) &&
+ !permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Authorization) &&
+ permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
+ {
+ results.Add(new ValidationResult(
+ "The implicit flow permission requires adding the authorization endpoint permission."));
+ }
+
+ if (permissions.Contains(OpenIddictConstants.Permissions.GrantTypes.Password) &&
+ !permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Token) &&
+ permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
+ {
+ results.Add(new ValidationResult(
+ "The password flow permission requires adding the token endpoint permission."));
+ }
+
+ if (permissions.Contains(OpenIddictConstants.Permissions.GrantTypes.RefreshToken) &&
+ !permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Token) &&
+ permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
+ {
+ results.Add(new ValidationResult(
+ "The refresh token flow permission requires adding the token endpoint permission."));
+ }
+
 return results.ToImmutable();
 }
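Review bot: `permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)` appears six times in the hunk without a `StringComparison`, so each prefix test is culture-sensitive even though permission strings are machine identifiers, and the same lambda is re-evaluated for every grant-type check. Hoist it once, before the first `if`, as `var hasEndpointPermissions = permissions.Any(permission => permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint, StringComparison.Ordinal));` and replace each repeated `permissions.Any(...)` operand with `hasEndpointPermissions`. That guard appears to be what lets an application declaring no endpoint permission at all pass these checks unchanged; if that is the intent, a one-line comment above the local saying so would save the next reader from guessing. ValidateAsync() starts before this hunk, so `results` and the earlier checks are not visible here.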