[arvados] updated: 2.1.0-3022-g0fbb3f9f9

git repository hosting git at public.arvados.org
Mon Nov 7 21:39:03 UTC 2022


Summary of changes:
 .../configure-s3-object-storage.html.textile.liquid        |  5 +++--
 lib/controller/localdb/login.go                            |  3 +++
 lib/controller/localdb/login_oidc_test.go                  |  7 ++++---
 services/keepstore/s3_volume.go                            |  7 ++-----
 services/keepstore/s3aws_volume.go                         | 14 ++++++++++----
 tools/arvbox/lib/arvbox/docker/common.sh                   |  5 +++++
 6 files changed, 27 insertions(+), 14 deletions(-)

       via  0fbb3f9f962fe11c6f81670bfa64a768f06979df (commit)
       via  e2149a153e3432c24320b7574934a5f1f4040df7 (commit)
       via  266512db4befdfa2bf7562e0e10a5c86ffa15ec9 (commit)
       via  c0626f50e9ff14d008ae93de48a04318dd93eef2 (commit)
       via  d0f3483739a0140802374e6a9f5d0ab5972bd951 (commit)
       via  78a6558918cbc38d01907682d480602a1351fa97 (commit)
       via  9e764431dc5e3b42eba5f5495b008625bf11d777 (commit)
       via  f6c7741002f3855663bf9ac4aef4cbf86f3b5d51 (commit)
       via  3070a6df84012867058b93c3941eb7feec353cc5 (commit)
      from  710dc7f830f65232389cf191028edfdfe4cefe77 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 0fbb3f9f962fe11c6f81670bfa64a768f06979df
Author: Tom Clegg <tom at curii.com>
Date:   Mon Nov 7 16:37:53 2022 -0500

    19240: Treat localhost as a private-network client.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 866db0866..a1ac2c55b 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -186,6 +186,9 @@ func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) erro
 		return nil
 	}
 	if cluster.Login.TrustPrivateNetworks {
+		if u.Hostname() == "localhost" {
+			return nil
+		}
 		if ip := net.ParseIP(u.Hostname()); len(ip) > 0 {
 			for _, n := range privateNetworks {
 				if n.Contains(ip) {
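Review bot: The new `localhost` branch trusts a name rather than an address, unlike the private-IP branch below it, which checks a parsed IP against `privateNetworks`. Nothing in the hunk records why that is safe. A comment above the comparison would state the assumption, e.g. `// "localhost" is accepted by name: we assume the client resolves it to a loopback address, which cannot be verified here. Exact match only.` The comparison is case-sensitive and does not match a trailing dot or `*.localhost`, so it fails closed; saying so in the comment guards against a later loosening to prefix or suffix matching. validateLoginRedirectTarget starts and ends outside the hunk, so whether scheme or port are restricted elsewhere cannot be seen from here.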
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 49629bb22..0fe3bdf7f 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -669,14 +669,15 @@ func (s *OIDCLoginSuite) TestValidateLoginRedirectTarget(c *check.C) {
 		{true, false, "https://app.example.com/"},
 		{true, false, "https://app.example.com:443/foo?bar=baz"},
 		// non-listed hostname => deny (regardless of TrustPrivateNetworks)
-		{false, false, "https://localhost/"},
-		{false, true, "https://localhost/"},
+		{false, false, "https://bad.example/"},
 		{false, true, "https://bad.example/"},
 		// non-listed non-private IP addr => deny (regardless of TrustPrivateNetworks)
 		{false, true, "https://1.2.3.4/"},
 		{false, true, "https://1.2.3.4/"},
 		{false, true, "https://[ab::cd]:1234/"},
-		// non-listed private IP addr => accept only if TrustPrivateNetworks is set
+		// localhost or non-listed private IP addr => accept only if TrustPrivateNetworks is set
+		{false, false, "https://localhost/"},
+		{true, true, "https://localhost/"},
 		{false, false, "https://[10.9.8.7]:80/foo"},
 		{true, true, "https://[10.9.8.7]:80/foo"},
 		{false, false, "https://[::1]:80/foo"},
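Review bot: The added localhost rows cover only the exact lowercase name without a port, so nothing pins the exact-match behaviour of the new check. A deny row for a look-alike host, `{false, true, "https://localhost.bad.example/"}`, would catch a later change to prefix matching. An accept row, `{true, true, "https://localhost:8443/"}`, would confirm the port is ignored, assuming ports are not restricted elsewhere, as the `[10.9.8.7]:80` rows suggest. Separately, the two `https://1.2.3.4/` context rows under the "regardless of TrustPrivateNetworks" comment are identical; the first was presumably meant to be `{false, false, "https://1.2.3.4/"}`, matching what this commit does for `bad.example`. The table and the test function continue outside the hunk.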

-----------------------------------------------------------------------


hooks/post-receive
-- 



