19240: Treat localhost as a private-network client.

[arvados.git] / lib / controller / localdb / login_oidc_test.go

diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 49629bb222c0ab0b11dcfd3007603cbda6120977..0fe3bdf7f6b684652cad9c71f3c0a63fba15b925 100644 (file)
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -669,14 +669,15 @@ func (s *OIDCLoginSuite) TestValidateLoginRedirectTarget(c *check.C) {
                {true, false, "https://app.example.com/"},
                {true, false, "https://app.example.com:443/foo?bar=baz"},
                // non-listed hostname => deny (regardless of TrustPrivateNetworks)
-               {false, false, "https://localhost/"},
-               {false, true, "https://localhost/"},
+               {false, false, "https://bad.example/"},
                {false, true, "https://bad.example/"},
                // non-listed non-private IP addr => deny (regardless of TrustPrivateNetworks)
                {false, true, "https://1.2.3.4/"},
                {false, true, "https://1.2.3.4/"},
                {false, true, "https://[ab::cd]:1234/"},
-               // non-listed private IP addr => accept only if TrustPrivateNetworks is set
+               // localhost or non-listed private IP addr => accept only if TrustPrivateNetworks is set
+               {false, false, "https://localhost/"},
+               {true, true, "https://localhost/"},
                {false, false, "https://[10.9.8.7]:80/foo"},
                {true, true, "https://[10.9.8.7]:80/foo"},
                {false, false, "https://[::1]:80/foo"},