19240: Treat localhost as a private-network client.
authorTom Clegg <tom@curii.com>
Tue, 8 Nov 2022 14:21:49 +0000 (09:21 -0500)
committerTom Clegg <tom@curii.com>
Tue, 8 Nov 2022 14:21:49 +0000 (09:21 -0500)
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

lib/config/config.default.yml
lib/controller/localdb/login.go
lib/controller/localdb/login_oidc_test.go

index fd91442dbf5b5ecb03688b20b0424713d50e3f7a..09c068a0b9f701db70c9724f84d59b4845924f68 100644 (file)
@@ -893,9 +893,9 @@ Clusters:
       TrustedClients:
         SAMPLE: {}
 
-      # Treat any origin whose host part is a private IP address
-      # (e.g., http://10.0.0.123/) as if it were listed in
-      # TrustedClients.
+      # Treat any origin whose host part is "localhost" or a private
+      # IP address (e.g., http://10.0.0.123:3000/) as if it were
+      # listed in TrustedClients.
       #
       # Intended only for test/development use. Not appropriate for
       # production use.
index 866db086691ae6821eba0bca234b45939e78b036..a1ac2c55b02657462ce1c78d860df4a4fdc94186 100644 (file)
@@ -186,6 +186,9 @@ func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) erro
                return nil
        }
        if cluster.Login.TrustPrivateNetworks {
+               if u.Hostname() == "localhost" {
+                       return nil
+               }
                if ip := net.ParseIP(u.Hostname()); len(ip) > 0 {
                        for _, n := range privateNetworks {
                                if n.Contains(ip) {
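Review bot: The new branch compares `u.Hostname()` to `"localhost"` byte-for-byte, so `https://LOCALHOST/` is denied while `https://localhost/` is accepted, although host names are case-insensitive; if that strictness is not deliberate, `if strings.EqualFold(u.Hostname(), "localhost") {` would match how DNS treats the name (the `strings` import is not visible in this hunk), and if it is deliberate a one-line comment saying so would stop a later "fix". The branch also deserves a why-comment, e.g. `// "localhost" is a name, not an IP literal, so it can never match privateNetworks; accept it explicitly for dev setups.`, since a reader otherwise wonders why loopback needs a special case. Only the literal name is covered: forms such as `localhost.` fall through to the IP path and are denied, while `127.0.0.1` and `::1` presumably still rely on the privateNetworks loop below, as the `[::1]` row in login_oidc_test.go suggests. validateLoginRedirectTarget starts before this hunk and continues past it.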
index 49629bb222c0ab0b11dcfd3007603cbda6120977..0fe3bdf7f6b684652cad9c71f3c0a63fba15b925 100644 (file)
@@ -669,14 +669,15 @@ func (s *OIDCLoginSuite) TestValidateLoginRedirectTarget(c *check.C) {
                {true, false, "https://app.example.com/"},
                {true, false, "https://app.example.com:443/foo?bar=baz"},
                // non-listed hostname => deny (regardless of TrustPrivateNetworks)
-               {false, false, "https://localhost/"},
-               {false, true, "https://localhost/"},
+               {false, false, "https://bad.example/"},
                {false, true, "https://bad.example/"},
                // non-listed non-private IP addr => deny (regardless of TrustPrivateNetworks)
                {false, true, "https://1.2.3.4/"},
                {false, true, "https://1.2.3.4/"},
                {false, true, "https://[ab::cd]:1234/"},
-               // non-listed private IP addr => accept only if TrustPrivateNetworks is set
+               // localhost or non-listed private IP addr => accept only if TrustPrivateNetworks is set
+               {false, false, "https://localhost/"},
+               {true, true, "https://localhost/"},
                {false, false, "https://[10.9.8.7]:80/foo"},
                {true, true, "https://[10.9.8.7]:80/foo"},
                {false, false, "https://[::1]:80/foo"},
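Review bot: The added rows pin only the exact lowercase `https://localhost/` form, so neither the case handling nor the exact-match property of the new check in login.go is exercised; adding `{false, true, "https://LOCALHOST/"}` (or `{true, true, ...}` if the comparison is made case-insensitive) and `{false, true, "https://localhost.example/"}` would document the intended policy and catch an accidental prefix or substring match. A row with a port, `{true, true, "https://localhost:3000/"}`, would also cover the example the config comment in this commit now gives. Separately, the two identical `{false, true, "https://1.2.3.4/"}` context rows predate this commit but could be deduplicated in passing. TestValidateLoginRedirectTarget starts before this hunk.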