Don't expose endpoint URLs in the login form

Instead of using endpoint URLs to designate regions in the login form and its cookies, use numbers. This way, if internal URLs are configured, they won't be exposed to the outside. Change-Id: Ifed089e7cee3075bf2dc5d1ce77b0e1b1d091ca0 Closes-bug: #1787943
2018-08-20 16:41:30 +02:00 · 2018-08-20 16:41:30 +02:00 · 16c4f4c3a2
parent 122bbcace9
commit 16c4f4c3a2
2 changed files with 16 additions and 6 deletions
--- a/openstack_auth/forms.py
+++ b/openstack_auth/forms.py
@ -108,10 +108,12 @@ class Login(django_auth_forms.AuthenticationForm):

    @staticmethod
    def get_region_choices():
-        default_region = (settings.OPENSTACK_KEYSTONE_URL, "Default Region")
-        regions = getattr(settings, 'AVAILABLE_REGIONS', [])
-        if not regions:
-            regions = [default_region]
+        all_regions = getattr(settings, 'AVAILABLE_REGIONS', [])
+        if all_regions:
+            regions = [("%d" % i, name) for i, (url, name) in
+                       enumerate(all_regions)]
+        else:
+            regions = [("default", _("Default Region"))]
        return regions

    @sensitive_variables()
@ -121,8 +123,16 @@ class Login(django_auth_forms.AuthenticationForm):
                                 'Default')
        username = self.cleaned_data.get('username')
        password = self.cleaned_data.get('password')
-        region = self.cleaned_data.get('region')
        domain = self.cleaned_data.get('domain', default_domain)
+        region_id = self.cleaned_data.get('region')
+        if region_id == "default":
+            region = settings.OPENSTACK_KEYSTONE_URL
+        else:
+            all_regions = getattr(settings, 'AVAILABLE_REGIONS', [])
+            try:
+                region = all_regions[int(region_id)][0]
+            except (ValueError, IndexError, TypeError):
+                raise forms.ValidationError("Invalid region %r" % region_id)

        if not (username and password):
            # Don't authenticate, just let the other validators handle it.
--- a/openstack_auth/tests/unit/test_auth.py
+++ b/openstack_auth/tests/unit/test_auth.py
@ -89,7 +89,7 @@ class OpenStackAuthTestsMixin(object):
                auth=plugin)

    def get_form_data(self, user):
-        return {'region': settings.OPENSTACK_KEYSTONE_URL,
+        return {'region': "default",
                'domain': DEFAULT_DOMAIN,
                'password': user.password,
                'username': user.name}