Loosen validation on matching trusted dashboard
Instead of requiring the origin to match an entry in trusted_dashboard exactly, loosen the check to compare only the scheme and netloc of the two URLs. Change-Id: I995214058c4071d9089a8f00b9b8002fd125fda0 Closes-Bug: #1440958
This commit is contained in:
parent
2f9a6668d9
commit
fb6920e5fe
@ -266,6 +266,22 @@ class Auth(auth_controllers.Auth):
return self.authenticate_for_token(context, auth=auth)
def _is_trusted_dashboard(self, host):
"""Verify that host is a trusted dashboard.
Check if the host scheme and netloc matches one of listed
trusted_dashboard.
"""
host_url = urllib.parse.urlparse(host)
for dashboard in CONF.federation.trusted_dashboard:
dashboard_url = urllib.parse.urlparse(dashboard)
if (host_url.scheme == dashboard_url.scheme
and host_url.netloc == dashboard_url.netloc):
return True
return False
def federated_sso_auth(self, context, protocol_id):
try:
remote_id_name = utils.get_remote_id_parameter(protocol_id)
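Review bot: The `if` at the end of the loop in `_is_trusted_dashboard` also succeeds when both sides parse to empty strings: urlparse() returns '' for scheme and netloc on a value with no scheme (a bare hostname or token), and the new test deliberately configures exactly such a malformed trusted_dashboard entry, so a scheme-less origin would be accepted against it. Reject the parsed origin before the loop with `if not (host_url.scheme and host_url.netloc):` followed by `return False`, or skip configured entries that parse the same way. The raw string comparison is also case-sensitive and treats `host` and `host:443` as different, so lower-casing both netlocs avoids rejecting otherwise-trusted origins. The docstring should state the contract explicitly, e.g. "Only scheme and netloc are compared; path, query and fragment of host are ignored."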
@ -283,7 +299,7 @@ class Auth(auth_controllers.Auth):
LOG.error(msg)
raise exception.ValidationError(msg)
if host in CONF.federation.trusted_dashboard:
if self._is_trusted_dashboard(host):
ref = self.federation_api.get_idp_from_remote_id(remote_id)
# NOTE(stevemar): the returned object is a simple dict that
# contains the idp_id and remote_id.
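Review bot: After the replaced `if`, `host` is no longer one of the configured trusted_dashboard strings but a requester-supplied URL that merely shares scheme and netloc with one, so its path, query and fragment are attacker-chosen. The remainder of federated_sso_auth is outside the hunk, but the new test's `assertIn(self.TRUSTED_DASHBOARD, resp.body)` suggests the dashboard URL is embedded in the response; if the raw `host` is what gets embedded, it should be treated as untrusted there (escaped for the template, or replaced by the matching configured entry / the normalized `scheme://netloc`). A short comment above the `if`, such as `# NOTE: only scheme and netloc are matched; host may carry an arbitrary path/query`, would make that clear to later readers.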
@ -3770,6 +3770,21 @@ class WebSSOTests(FederatedTokenTests):
self.api.federated_sso_auth,
context, self.PROTOCOL)
def test_federated_sso_host_in_trusted_dashboard(self):
trusted_dashboard = self.TRUSTED_DASHBOARD + '/' + uuid.uuid4().hex
malformed_url = uuid.uuid4().hex
self.config_fixture.config(
group='federation',
trusted_dashboard=[trusted_dashboard,
malformed_url])
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
query_string = {'origin': self.ORIGIN + '/' + uuid.uuid4().hex}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_sso_auth(context, self.PROTOCOL)
self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
def test_federated_sso_untrusted_dashboard(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
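Review bot: The new test_federated_sso_host_in_trusted_dashboard configures a malformed, scheme-less trusted_dashboard entry alongside the real one but only asserts the positive case, so nothing checks that a scheme-less origin is rejected against that entry even though both parse to empty scheme and netloc; a negative test for that, and one for a matching netloc with a different scheme, would pin the intended behaviour. The `assertRaises` arguments at the top of the hunk belong to a test that starts outside it, and the exception type it expects is not visible here, so the draft below uses a labelled placeholder for it.
```python
    def test_federated_sso_scheme_less_origin_rejected(self):
        # Constructed case: a malformed (scheme-less) trusted_dashboard entry
        # must not make a scheme-less origin trusted.
        self.config_fixture.config(
            group='federation',
            trusted_dashboard=[self.TRUSTED_DASHBOARD, uuid.uuid4().hex])
        environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
        context = {'environment': environment}
        query_string = {'origin': uuid.uuid4().hex}
        self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
        self.assertRaises(UNTRUSTED_ORIGIN_EXCEPTION,  # placeholder: exception raised for an untrusted origin
                          self.api.federated_sso_auth,
                          context, self.PROTOCOL)
```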