[Openstack-security] [Bug 1440958] Re: loosen validation on matching trusted dashboard
Marek Denis
marek.denis at cern.ch
Tue May 5 22:14:24 UTC 2015
If the problem is that it's hard to add redirect urls in keystone config
i think we should improve error msgs and logging msgs (even though they
seemed to specify what was the input, so it should be easily to sketch
up a script that compares values with ones from keystone.conf) instead
of loosing restrictions on those checks.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1440958
Title:
loosen validation on matching trusted dashboard
Status in OpenStack Identity (Keystone):
Fix Committed
Bug description:
In the current implementation for verifying where the SSO request came
from, the host is grabbed from the 'origin' query parameter, and
compared to the list of 'trusted_dashboards' in the config file.
origin = context['query_string'].get('origin')
host = urllib.parse.unquote_plus(origin)
if host in CONF.federation.trusted_dashboard:
...
https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287
This works, but unless the entry is marked perfectly in the config
file, it won't match. We should loosen the validation that is
performed, and maybe even use the HTTP Referer instead (and no longer
require the 'origin' parameter from horizon).
We should be able to decompose the Refer to figure out the scheme +
hostname + path, and use that hostname to check against the trusted
dashboards.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1440958/+subscriptions
More information about the Openstack-security
mailing list