Loosen validation on matching trusted dashboard

Instead of performing an exact matching for the validation if origin is in trusted dashboard, loosen the check by comparing the scheme and netloc of the URL instead. Change-Id: I995214058c4071d9089a8f00b9b8002fd125fda0 Closes-Bug: #1440958
2015-04-18 15:37:00 -07:00 · 2015-04-18 15:37:00 -07:00 · fb6920e5fe
parent 2f9a6668d9
commit fb6920e5fe
2 changed files with 32 additions and 1 deletions
--- a/keystone/contrib/federation/controllers.py
+++ b/keystone/contrib/federation/controllers.py
@ -266,6 +266,22 @@ class Auth(auth_controllers.Auth):

        return self.authenticate_for_token(context, auth=auth)

+    def _is_trusted_dashboard(self, host):
+        """Verify that host is a trusted dashboard.
+
+        Check if the host scheme and netloc matches one of listed
+        trusted_dashboard.
+
+        """
+        host_url = urllib.parse.urlparse(host)
+
+        for dashboard in CONF.federation.trusted_dashboard:
+            dashboard_url = urllib.parse.urlparse(dashboard)
+            if (host_url.scheme == dashboard_url.scheme
+                    and host_url.netloc == dashboard_url.netloc):
+                return True
+        return False
+
    def federated_sso_auth(self, context, protocol_id):
        try:
            remote_id_name = utils.get_remote_id_parameter(protocol_id)
@ -283,7 +299,7 @@ class Auth(auth_controllers.Auth):
            LOG.error(msg)
            raise exception.ValidationError(msg)

-        if host in CONF.federation.trusted_dashboard:
+        if self._is_trusted_dashboard(host):
            ref = self.federation_api.get_idp_from_remote_id(remote_id)
            # NOTE(stevemar): the returned object is a simple dict that
            # contains the idp_id and remote_id.
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@ -3770,6 +3770,21 @@ class WebSSOTests(FederatedTokenTests):
                          self.api.federated_sso_auth,
                          context, self.PROTOCOL)

+    def test_federated_sso_host_in_trusted_dashboard(self):
+        trusted_dashboard = self.TRUSTED_DASHBOARD + '/' + uuid.uuid4().hex
+        malformed_url = uuid.uuid4().hex
+        self.config_fixture.config(
+            group='federation',
+            trusted_dashboard=[trusted_dashboard,
+                               malformed_url])
+
+        environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
+        context = {'environment': environment}
+        query_string = {'origin': self.ORIGIN + '/' + uuid.uuid4().hex}
+        self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
+        resp = self.api.federated_sso_auth(context, self.PROTOCOL)
+        self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
+
    def test_federated_sso_untrusted_dashboard(self):
        environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
        context = {'environment': environment}