Make WebSSO trusted_dashboard hostname case-insensitive

Ensure the hostname in the trusted_dashboard config is lowercase to prevent failures when comparing against the origin query URL. Closes-Bug: #1538754 Change-Id: I807a567e7d93c09c5c370065509c106b7d1c973b
2016-01-28 00:11:02 -08:00 · 2016-01-28 00:11:02 -08:00 · 78c9ccc9ee
commit 78c9ccc9ee
parent 720b83ffd1
3 changed files with 32 additions and 1 deletions
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@ -559,3 +559,14 @@ def list_url_unsafe_chars(name):
        if i in URL_RESERVED_CHARS:
            reserved_chars += i
    return reserved_chars
+
+
+def lower_case_hostname(url):
+    """Change the URL's hostname to lowercase"""
+    # NOTE(gyee): according to
+    # https://www.w3.org/TR/WD-html40-970708/htmlweb.html, the netloc portion
+    # of the URL is case-insensitive
+    parsed = moves.urllib.parse.urlparse(url)
+    # Note: _replace method for named tuples is public and defined in docs
+    replaced = parsed._replace(netloc=parsed.netloc.lower())
+    return moves.urllib.parse.urlunparse(replaced)
--- a/keystone/federation/controllers.py
+++ b/keystone/federation/controllers.py
@ -24,6 +24,7 @@ from keystone.auth import controllers as auth_controllers
 from keystone.common import authorization
 from keystone.common import controller
 from keystone.common import dependency
+from keystone.common import utils as k_utils
 from keystone.common import validation
 from keystone.common import wsgi
 from keystone import exception
@ -269,7 +270,11 @@ class Auth(auth_controllers.Auth):
            LOG.error(msg)
            raise exception.ValidationError(msg)

-        if host not in CONF.federation.trusted_dashboard:
+        # change trusted_dashboard hostnames to lowercase before comparison
+        trusted_dashboards = [k_utils.lower_case_hostname(trusted)
+                              for trusted in CONF.federation.trusted_dashboard]
+
+        if host not in trusted_dashboards:
            msg = _('%(host)s is not a trusted dashboard host')
            msg = msg % {'host': host}
            LOG.error(msg)
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@ -3349,6 +3349,21 @@ class WebSSOTests(FederatedTokenTests):
        resp = self.api.federated_sso_auth(context, self.PROTOCOL)
        self.assertIn(self.TRUSTED_DASHBOARD, resp.body)

+    def test_get_sso_origin_host_case_insensitive(self):
+        # test lowercase hostname in trusted_dashboard
+        context = {
+            'query_string': {
+                'origin': "http://horizon.com",
+            },
+        }
+        host = self.api._get_sso_origin_host(context)
+        self.assertEqual("http://horizon.com", host)
+        # test uppercase hostname in trusted_dashboard
+        self.config_fixture.config(group='federation',
+                                   trusted_dashboard=['http://Horizon.com'])
+        host = self.api._get_sso_origin_host(context)
+        self.assertEqual("http://horizon.com", host)
+
    def test_federated_sso_auth_with_protocol_specific_remote_id(self):
        self.config_fixture.config(
            group=self.PROTOCOL,