Cloudify-PS / walle-service

Apache License 2.0

Receiving x-openstack-keystore-url for authenticating the user is a security concern #1

Open yoramw opened 8 years ago

yoramw commented 8 years ago

A malicious user can provide his own x-openstack-keystore-url and log in to the system without authorization.

Please change to a preset keystone url (or a list of keystone urls) that are preconfigured and verify this url is within this list.
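One way to implement the allowlist the reporter asks for, as an added example that is not part of the issue thread and not walle-service's own code. It assumes a server-side list of configured Keystone endpoints (the URLs below are constructed) and that the client header is named as in the issue title; the point is that the header may at most select one of the preconfigured endpoints, and that the comparison is done on a normalized form so that case, default ports, trailing slashes and embedded userinfo cannot be used to slip past a naive string match.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example. In a real deployment it would come
# from server-side configuration and never from the request.
ALLOWED_KEYSTONE_URLS = (
    "https://keystone.example.com/v3",
    "https://keystone-eu.example.com:5000/v3",
)

DEFAULT_PORTS = {"http": 80, "https": 443}

# Header name taken from the issue title (hypothetical wiring, not the
# project's actual request handling).
KEYSTONE_HEADER = "x-openstack-keystore-url"


def canonical_keystone_url(url):
    """Return a normalized (scheme, host, port, path) tuple, or None if the URL
    has a shape we never want to send credentials to: no http(s) scheme, no
    host, embedded userinfo, query string or fragment, or an unparsable port."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    if parts.username is not None or parts.password is not None:
        # "https://keystone.example.com@attacker.example/v3" looks like the
        # trusted host to a prefix check but actually talks to attacker.example.
        return None
    if parts.query or parts.fragment:
        return None
    host = parts.hostname
    if not host:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # e.g. "https://host:abc/"
        return None
    path = parts.path.rstrip("/") or "/"
    return (scheme, host.lower(), port, path)


_ALLOWED_CANONICAL = {
    canonical_keystone_url(u): u for u in ALLOWED_KEYSTONE_URLS
}
assert None not in _ALLOWED_CANONICAL, "misconfigured allowlist entry"


def is_allowed_keystone_url(url):
    """True only if the URL resolves to one of the preconfigured endpoints."""
    return canonical_keystone_url(url) in _ALLOWED_CANONICAL


def select_keystone_url_unsafe(request_headers):
    """The pattern the issue objects to: whatever the client sends is used
    as the authentication authority, so an attacker points it at a Keystone
    they control and gets a 'valid' login."""
    return request_headers.get(KEYSTONE_HEADER)


def select_keystone_url(request_headers):
    """Hardened version: the header may only pick a preconfigured endpoint.
    Returns the configured spelling, not the client's bytes, so nothing
    downstream ever sees attacker-controlled input."""
    supplied = request_headers.get(KEYSTONE_HEADER)
    if supplied is None:
        return ALLOWED_KEYSTONE_URLS[0]
    canon = canonical_keystone_url(supplied)
    if canon not in _ALLOWED_CANONICAL:
        raise PermissionError("keystone url not in server allowlist")
    return _ALLOWED_CANONICAL[canon]


if __name__ == "__main__":
    evil = {KEYSTONE_HEADER: "https://keystone.example.com@attacker.example/v3"}
    print("unsafe picks:", select_keystone_url_unsafe(evil))
    try:
        select_keystone_url(evil)
    except PermissionError as e:
        print("hardened rejects:", e)
```

The same check belongs on every request that re-validates a token, not only at login, because a token minted by an attacker-controlled Keystone is only "valid" as long as the server keeps asking that same URL about it.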

0lvin commented 8 years ago

Which place in the logic do you mean?

We have a check on the login step: https://github.com/Cloudify-PS/walle-service/blob/00e0c8ee1bd393c52fb8d14ca9bada34796fed7f/walle-api-server/walle_api_server/resources/login_openstack.py#L74

On every request we check: https://github.com/Cloudify-PS/walle-service/blob/00e0c8ee1bd393c52fb8d14ca9bada34796fed7f/walle-api-server/walle_api_server/cli/app.py#L96