Expand Origin header check for serial console
Serial consoles can use the ws or wss protocols, which correspond to http and https respectively from a security perspective. The Origin header check has been expanded to allow for those protocols and to match them appropriately against http/https when verifying the protocol security level. Change-Id: I7155607488495ba70e6edd550b12abc21b3e69c4 Closes-Bug: 1434611
This commit is contained in:
parent
fc2e754ec6
commit
11d5ded6d5
|
@ -49,19 +49,26 @@ class NovaProxyRequestHandlerBase(object):
|
|||
|
||||
def verify_origin_proto(self, console_type, origin_proto):
|
||||
if console_type == 'novnc':
|
||||
expected_proto = \
|
||||
urlparse.urlparse(CONF.novncproxy_base_url).scheme
|
||||
expected_protos = \
|
||||
[urlparse.urlparse(CONF.novncproxy_base_url).scheme]
|
||||
elif console_type == 'spice-html5':
|
||||
expected_proto = \
|
||||
urlparse.urlparse(CONF.spice.html5proxy_base_url).scheme
|
||||
expected_protos = \
|
||||
[urlparse.urlparse(CONF.spice.html5proxy_base_url).scheme]
|
||||
elif console_type == 'serial':
|
||||
expected_proto = \
|
||||
urlparse.urlparse(CONF.serial_console.base_url).scheme
|
||||
expected_protos = \
|
||||
[urlparse.urlparse(CONF.serial_console.base_url).scheme]
|
||||
# NOTE: For serial consoles the expected protocol could be ws or
|
||||
# wss which correspond to http and https respectively in terms of
|
||||
# security.
|
||||
if 'ws' in expected_protos:
|
||||
expected_protos.append('http')
|
||||
if 'wss' in expected_protos:
|
||||
expected_protos.append('https')
|
||||
else:
|
||||
detail = _("Invalid Console Type for WebSocketProxy: '%s'") % \
|
||||
console_type
|
||||
raise exception.ValidationError(detail=detail)
|
||||
return origin_proto == expected_proto
|
||||
return origin_proto in expected_protos
|
||||
|
||||
def new_websocket_client(self):
|
||||
"""Called after a new WebSocket connection has been established."""
|
||||
|
|
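Review bot: verify_origin_proto still has no docstring, and its security contract is exactly what a reader of this hunk needs; I would add `"""Return True if the Origin header scheme matches the scheme of the configured base_url for *console_type*; ws/wss are treated as http/https for serial consoles. Raises ValidationError for an unknown console type."""`. The ws/wss-to-http/https equivalence is applied only inside the serial branch, so a spice or novnc base_url configured with a ws scheme would still reject every browser origin, and an https origin against an unencrypted ws base_url is accepted only by the one-way append, which looks intended but deserves a comment saying so. A single mapping applied after the if/elif chain, e.g. `expected_protos.extend(_WS_TO_HTTP[p] for p in expected_protos if p in _WS_TO_HTTP)` with `_WS_TO_HTTP = {'ws': 'http', 'wss': 'https'}` at module level, would make the equivalence uniform and easier to audit than the two nested ifs. The hunk also leaves the scheme comparison exact-match, which is fine because urlparse lowercases the scheme; that relies on origin_proto being parsed the same way by the caller, which is outside this hunk.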
|
@ -41,7 +41,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
|
|||
'https://example.net:6080/vnc_auto.html',
|
||||
'spice')
|
||||
CONF.set_override('base_url',
|
||||
'https://example.net:6080/vnc_auto.html',
|
||||
'ws://example.net:6080',
|
||||
'serial_console')
|
||||
|
||||
def _fake_getheader(self, header):
|
||||
|
@ -149,6 +149,23 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
|
|||
self.wh.socket.assert_called_with('node1', 10000, connect=True)
|
||||
self.wh.do_proxy.assert_called_with('<socket>')
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_serial(self, check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'serial'
|
||||
}
|
||||
self.wh.socket.return_value = '<socket>'
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_http
|
||||
|
||||
self.wh.new_websocket_client()
|
||||
|
||||
check_token.assert_called_with(mock.ANY, token="123-456-789")
|
||||
self.wh.socket.assert_called_with('node1', 10000, connect=True)
|
||||
self.wh.do_proxy.assert_called_with('<socket>')
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_token_invalid(self, check_token):
|
||||
check_token.return_value = False
|
||||
|
@ -332,16 +349,16 @@ class NovaProxyRequestHandlerBaseTestCase(test.NoDBTestCase):
|
|||
self.wh.new_websocket_client)
|
||||
|
||||
@mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
|
||||
def test_new_websocket_client_novnc_bad_origin_proto_serial(self,
|
||||
check_token):
|
||||
def test_new_websocket_client_novnc_https_origin_proto_serial(self,
|
||||
check_token):
|
||||
check_token.return_value = {
|
||||
'host': 'node1',
|
||||
'port': '10000',
|
||||
'console_type': 'serial'
|
||||
}
|
||||
|
||||
self.wh.path = "http://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader_http
|
||||
self.wh.path = "https://127.0.0.1/"
|
||||
self.wh.headers.getheader = self._fake_getheader
|
||||
|
||||
self.assertRaises(exception.ValidationError,
|
||||
self.wh.new_websocket_client)
|
||||
|
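Review bot: The renamed test only covers the one rejection this commit introduces (https origin against the ws base_url set in the fixture); the downgrade direction — base_url `wss://` with a plain http origin, which is the case the wss-to-https mapping must keep rejecting — is not asserted anywhere in the visible hunks, so I would add a sibling test that calls `CONF.set_override('base_url', 'wss://example.net:6080', 'serial_console')`, keeps `self.wh.headers.getheader = self._fake_getheader_http`, and asserts `exception.ValidationError`, unless such a test already exists outside this diff. The new name still carries `novnc` for a serial-console test, so `test_new_websocket_client_https_origin_proto_serial` would describe it more accurately. A short docstring such as `"""An https origin must be rejected when the serial base_url scheme is plain ws."""` would also make the expected failure explicit.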
|