AAP-49728 Allow absolute paths for LOGIN_REDIRECT_OVERRIDE (#784)

bhavenst · web-flow · commit a0f40383ae13 · 2025-08-05T10:04:21.000-06:00
LOGIN_REDIRECT_OVERRIDE can be an absolute path or a URL.
diff --git a/ansible_base/authentication/views/ui_auth.py b/ansible_base/authentication/views/ui_auth.py
@@ -1,4 +1,5 @@
 import logging
+from typing import Union
 
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
@@ -8,7 +9,7 @@
 from ansible_base.authentication.models import Authenticator
 from ansible_base.authentication.serializers import UIAuthResponseSerializer
 from ansible_base.lib.utils.settings import get_setting, is_aoc_instance
-from ansible_base.lib.utils.validation import validate_image_data, validate_url
+from ansible_base.lib.utils.validation import validate_absolute_path, validate_image_data, validate_url
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 
 logger = logging.getLogger('ansible_base.authentication.views.ui_auth')
@@ -39,6 +40,23 @@ def get(self):
             return self._get()
 
 
+def _validate_and_get_login_redirect_override() -> Union[str, None]:
+    try:
+        login_redirect_override = get_setting('LOGIN_REDIRECT_OVERRIDE', '')
+        # ignore validation if login_redirect_override is None or empty string
+        if login_redirect_override is not None and login_redirect_override != '':
+            validate_url(url=login_redirect_override, schemes=['https', 'http'], allow_plain_hostname=True)
+            return login_redirect_override
+    except ValidationError:
+        # login_redirect_override can also be an absolute path
+        try:
+            validate_absolute_path(path=login_redirect_override)
+            return login_redirect_override
+        except ValidationError:
+            logger.error('LOGIN_REDIRECT_OVERRIDE was set but was not a valid URL or absolute path, ignoring')
+    return None
+
+
 def generate_ui_auth_data():
     authenticators = Authenticator.objects.filter(enabled=True)
     response = {
@@ -68,14 +86,9 @@ def generate_ui_auth_data():
         else:
             logger.error(f"Don't know how to handle authenticator of type {authenticator.type}")
 
-    try:
-        login_redirect_override = get_setting('LOGIN_REDIRECT_OVERRIDE', '')
-        # ignore validation if login_redirect_override is None or empty string
-        if login_redirect_override is not None and login_redirect_override != '':
-            validate_url(url=login_redirect_override, allow_plain_hostname=True)
-            response['login_redirect_override'] = login_redirect_override
-    except ValidationError:
-        logger.error('LOGIN_REDIRECT_OVERRIDE was set but was not a valid URL, ignoring')
+    login_redirect_override = _validate_and_get_login_redirect_override()
+    if login_redirect_override:
+        response['login_redirect_override'] = login_redirect_override
 
     custom_login_info = get_setting('custom_login_info', '')
     if isinstance(custom_login_info, str):
diff --git a/ansible_base/lib/utils/validation.py b/ansible_base/lib/utils/validation.py
@@ -2,6 +2,7 @@
 import binascii
 import re
 import secrets
+from pathlib import Path
 from urllib.parse import urlparse, urlunsplit
 
 from cryptography.exceptions import InvalidSignature
@@ -32,6 +33,12 @@ def validate_url_list(urls: list, schemes: list = ['https'], allow_plain_hostnam
         raise ValidationError(', '.join(errors))
 
 
+def validate_absolute_path(path: str) -> None:
+    path = Path(path)
+    if not path.is_absolute():
+        raise ValidationError(f"{path} is not an absolute path")
+
+
 def validate_url(url: str, schemes: list = ['https'], allow_plain_hostname: bool = False) -> None:
     if type(url) is not str:
         raise ValidationError(VALID_STRING)
diff --git a/test_app/tests/authentication/views/test_ui_auth.py b/test_app/tests/authentication/views/test_ui_auth.py
@@ -24,7 +24,14 @@ def test_generate_ui_auth_data_no_authenticators_or_settings():
 
 @override_settings(LOGIN_REDIRECT_OVERRIDE='https://example.com')
 @pytest.mark.django_db
-def test_generate_ui_auth_data_valid_login_redirect():
+def test_generate_ui_auth_data_valid_login_redirect_url():
+    response = generate_ui_auth_data()
+    assert response['login_redirect_override'] == settings.LOGIN_REDIRECT_OVERRIDE
+
+
+@override_settings(LOGIN_REDIRECT_OVERRIDE='/an/absolute/path')
+@pytest.mark.django_db
+def test_generate_ui_auth_data_valid_login_redirect_path():
     response = generate_ui_auth_data()
     assert response['login_redirect_override'] == settings.LOGIN_REDIRECT_OVERRIDE
 
@@ -34,7 +41,15 @@ def test_generate_ui_auth_data_valid_login_redirect():
 @pytest.mark.django_db
 def test_generate_ui_auth_data_invalid_login_redirect_function(logger):
     generate_ui_auth_data()
-    logger.error.assert_called_with('LOGIN_REDIRECT_OVERRIDE was set but was not a valid URL, ignoring')
+    logger.error.assert_called_with('LOGIN_REDIRECT_OVERRIDE was set but was not a valid URL or absolute path, ignoring')
+
+
+@mock.patch("ansible_base.authentication.views.ui_auth.logger")
+@override_settings(LOGIN_REDIRECT_OVERRIDE='a/relative/path')
+@pytest.mark.django_db
+def test_generate_ui_auth_invalid_path_login_redirect_function(logger):
+    generate_ui_auth_data()
+    logger.error.assert_called_with('LOGIN_REDIRECT_OVERRIDE was set but was not a valid URL or absolute path, ignoring')
 
 
 @override_settings(custom_login_info='Login with your username and password')
