openstack
/
nova
Code Issues Proposed changes

Expand Origin header check for serial console 

Serial consoles can use the ws or wss protocols which correspond to http
and https respectively from a security perspective.  The Origin header
check failed has been expanded to allow for those protocols and to match
appropriately with http/https when verifying the protocol security
level.

Change-Id: I7155607488495ba70e6edd550b12abc21b3e69c4
Closes-Bug: 1434611
This commit is contained in:
Andrew Laski 2015-03-31 11:40:12 -04:00
parent fc2e754ec6
commit 11d5ded6d5
2 changed files with 36 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
nova/console/websocketproxy.py
View File

@ -49,19 +49,26 @@ class NovaProxyRequestHandlerBase(object):
def verify_origin_proto(self, console_type, origin_proto):
if console_type == 'novnc':
expected_proto = \
urlparse.urlparse(CONF.novncproxy_base_url).scheme
expected_protos = \
[urlparse.urlparse(CONF.novncproxy_base_url).scheme]
elif console_type == 'spice-html5':
expected_proto = \
urlparse.urlparse(CONF.spice.html5proxy_base_url).scheme
expected_protos = \
[urlparse.urlparse(CONF.spice.html5proxy_base_url).scheme]
elif console_type == 'serial':
expected_proto = \
urlparse.urlparse(CONF.serial_console.base_url).scheme
expected_protos = \
[urlparse.urlparse(CONF.serial_console.base_url).scheme]
# NOTE: For serial consoles the expected protocol could be ws or
# wss which correspond to http and https respectively in terms of
# security.
if 'ws' in expected_protos:
expected_protos.append('http')
if 'wss' in expected_protos:
expected_protos.append('https')
else:
detail = _("Invalid Console Type for WebSocketProxy: '%s'") % \
console_type
raise exception.ValidationError(detail=detail)
return origin_proto == expected_proto
return origin_proto in expected_protos
def new_websocket_client(self):
"""Called after a new WebSocket connection has been established."""

27
nova/tests/unit/console/test_websocketproxy.py
View File

@ -41,7 +41,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
'https://example.net:6080/vnc_auto.html',
'spice')
CONF.set_override('base_url',
'https://example.net:6080/vnc_auto.html',
'ws://example.net:6080',
'serial_console')
def _fake_getheader(self, header):
@ -149,6 +149,23 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
self.wh.socket.assert_called_with('node1', 10000, connect=True)
self.wh.do_proxy.assert_called_with('<socket>')
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
def test_new_websocket_client_serial(self, check_token):
check_token.return_value = {
'host': 'node1',
'port': '10000',
'console_type': 'serial'
}
self.wh.socket.return_value = '<socket>'
self.wh.path = "http://127.0.0.1/"
self.wh.headers.getheader = self._fake_getheader_http
self.wh.new_websocket_client()
check_token.assert_called_with(mock.ANY, token="123-456-789")
self.wh.socket.assert_called_with('node1', 10000, connect=True)
self.wh.do_proxy.assert_called_with('<socket>')
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
def test_new_websocket_client_novnc_token_invalid(self, check_token):
check_token.return_value = False
@ -332,16 +349,16 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
self.wh.new_websocket_client)
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
def test_new_websocket_client_novnc_bad_origin_proto_serial(self,
check_token):
def test_new_websocket_client_novnc_https_origin_proto_serial(self,
check_token):
check_token.return_value = {
'host': 'node1',
'port': '10000',
'console_type': 'serial'
}
self.wh.path = "http://127.0.0.1/"
self.wh.headers.getheader = self._fake_getheader_http
self.wh.path = "https://127.0.0.1/"
self.wh.headers.getheader = self._fake_getheader
self.assertRaises(exception.ValidationError,
self.wh.new_websocket_client)