← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #31111

[Bug 1440958] [NEW] loosen validation on matching trusted dashboard

  Thread PreviousDate PreviousThread Next 
Public bug reported:

In the current implementation for verifying where the SSO request came
from, the host is grabbed from the 'origin' query parameter, and
compared to the list of 'trusted_dashboards' in the config file.

  origin = context['query_string'].get('origin')
  host = urllib.parse.unquote_plus(origin)
  if host in CONF.federation.trusted_dashboard:
    ...

https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287

This works, but unless the entry is marked perfectly in the config file,
it won't match. We should loosen the validation that is performed, and
maybe even use the HTTP Referer instead (and no longer require the
'origin' parameter from horizon).

We should be able to decompose the Refer to figure out the scheme +
hostname + path, and use that hostname to check against the trusted
dashboards.

** Affects: keystone
     Importance: Medium
         Status: Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
    Milestone: None => liberty-1

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone):
  Triaged

Bug description:
  In the current implementation for verifying where the SSO request came
  from, the host is grabbed from the 'origin' query parameter, and
  compared to the list of 'trusted_dashboards' in the config file.

    origin = context['query_string'].get('origin')
    host = urllib.parse.unquote_plus(origin)
    if host in CONF.federation.trusted_dashboard:
      ...

  https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287

  This works, but unless the entry is marked perfectly in the config
  file, it won't match. We should loosen the validation that is
  performed, and maybe even use the HTTP Referer instead (and no longer
  require the 'origin' parameter from horizon).

  We should be able to decompose the Refer to figure out the scheme +
  hostname + path, and use that hostname to check against the trusted
  dashboards.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1440958/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next