From f68ba06c5e85b748f13f723373e1fbe79fa8e563 Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Tue, 8 Nov 2022 09:21:49 -0500
Subject: [PATCH] 19240: Treat localhost as a private-network client.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 lib/config/config.default.yml | 6 +++---
 lib/controller/localdb/login.go | 3 +++
 lib/controller/localdb/login_oidc_test.go | 7 ++++---
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index fd91442dbf..09c068a0b9 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -893,9 +893,9 @@ Clusters:
 TrustedClients:
 SAMPLE: {}
 
- # Treat any origin whose host part is a private IP address
- # (e.g., http://10.0.0.123/) as if it were listed in
- # TrustedClients.
+ # Treat any origin whose host part is "localhost" or a private
+ # IP address (e.g., http://10.0.0.123:3000/) as if it were
+ # listed in TrustedClients.
 #
 # Intended only for test/development use. Not appropriate for
 # production use.
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 866db08669..a1ac2c55b0 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -186,6 +186,9 @@ func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) erro
 return nil
 }
 if cluster.Login.TrustPrivateNetworks {
+ if u.Hostname() == "localhost" {
+ return nil
+ }
 if ip := net.ParseIP(u.Hostname()); len(ip) > 0 {
 for _, n := range privateNetworks {
 if n.Contains(ip) {
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 49629bb222..0fe3bdf7f6 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
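Review bot: The added `if u.Hostname() == "localhost"` compares the name exactly and case-sensitively, so `https://LocalHost/` or `https://localhost./` still fall through to `net.ParseIP` and are denied; that is the safer outcome, but the rest of this branch matches addresses rather than names, so the special case deserves a comment, e.g. `// "localhost" is a name, not an address, so it would otherwise fail net.ParseIP below and be denied; keep the match exact (no EqualFold) unless mixed-case origins are actually needed.` The branch also trusts the literal name regardless of what it resolves to on the client's side, which is acceptable only because TrustPrivateNetworks is documented as test/development-only; a one-line note saying so next to the check would help the next reader. validateLoginRedirectTarget starts before and continues past this hunk.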
@@ -669,14 +669,15 @@ func (s *OIDCLoginSuite) TestValidateLoginRedirectTarget(c *check.C) {
 {true, false, "https://app.example.com/"},
 {true, false, "https://app.example.com:443/foo?bar=baz"},
 // non-listed hostname => deny (regardless of TrustPrivateNetworks)
- {false, false, "https://localhost/"},
- {false, true, "https://localhost/"},
+ {false, false, "https://bad.example/"},
 {false, true, "https://bad.example/"},
 // non-listed non-private IP addr => deny (regardless of TrustPrivateNetworks)
 {false, true, "https://1.2.3.4/"},
 {false, true, "https://1.2.3.4/"},
 {false, true, "https://[ab::cd]:1234/"},
- // non-listed private IP addr => accept only if TrustPrivateNetworks is set
+ // localhost or non-listed private IP addr => accept only if TrustPrivateNetworks is set
+ {false, false, "https://localhost/"},
+ {true, true, "https://localhost/"},
 {false, false, "https://[10.9.8.7]:80/foo"},
 {true, true, "https://[10.9.8.7]:80/foo"},
 {false, false, "https://[::1]:80/foo"},
-- 
2.30.2
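Review bot: The new localhost rows pin only the bare `https://localhost/` form, while login.go now decides on an exact string comparison of the hostname, so the boundary cases that comparison creates are left undocumented by the table. Rows such as `{true, true, "https://localhost:3000/"},` (the form the updated config comment advertises), `{false, true, "https://LocalHost/"},` and `{false, true, "https://localhost.example/"},` would record which variants are accepted and which should be denied with the exact match; the expected values for the latter two assume url.Hostname() preserves case and that only the whole name matches, which is what the visible check does. The table and TestValidateLoginRedirectTarget continue outside the hunk.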