48ec350 Integration tests for verifying Referer header in the UI

5 files Authored by rcritten 11 months ago, Committed by antorres 11 months ago,
    Integration tests for verifying Referer header in the UI
    
    Validate that the change_password and login_password endpoints
    verify the HTTP Referer header. There is some overlap in the
    tests: belt and suspenders.
    
    All endpoints except session/login_x509 are covered, sometimes
    having to rely on expected bad results (see the i18n endpoint).
    
    session/login_x509 is not tested yet as it requires significant
    additional setup in order to associate a user certificate with
    a user entry, etc.
    
    This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
    and adding:
    
    Satisfy Any
    Require all granted
    
    Then comment out Auth and SSLVerify, etc. and restart httpd.
    
    With a valid Referer will fail with a 401 and log that there is no
    KRB5CCNAME. This comes after the referer check.
    
    With an invalid Referer it will fail with a 400 Bad Request as
    expected.
    
    CVE-2023-5455
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    (cherry picked from commit ef158764a97490211b9fe2e53f40826c3acfb19b)
    
        
file modified
+2 -2