Fix cookie handling in Firefox when using HTTP (#5160)

* Fix cookie handling in Firefox when using HTTP * Fix test
kubernetes · May 21, 2020 · 53115e0 · 53115e0
1 parent 50abf41
commit 53115e0
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 44 deletions.
diff --git a/aio/gulp/conf.js b/aio/gulp/conf.js
@@ -69,10 +69,40 @@ const version = {
  */
 const imageNameBase = 'dashboard';
 
+function envToArgv() {
+  let envArgs = process.env.DASHBOARD_ARGS;
+  let result = {};
+
+  const args = minimist(process.argv.splice(2));
+  delete args._;
+  Object.keys(args).forEach(key => result[key] = args[key]);
+
+  if(!envArgs) {
+    return result;
+  }
+
+  envArgs = envArgs.split(';');
+  if(envArgs.length === 0) {
+    return result;
+  }
+
+  envArgs.forEach(arg => {
+    const parts = arg.split('=');
+    if(parts.length === 2) {
+      result[parts[0]] = parts[1];
+      return;
+    }
+
+    result[parts[0]] = true;
+  })
+
+  return result;
+}
+
 /**
  * Arguments
  */
-const argv = minimist(process.argv.slice(2));
+const argv = envToArgv();
 
 /**
  * Exported configuration object with common constants used in build pipeline.
@@ -184,6 +214,13 @@ export default {
     enableSkipButton: argv.enableSkipButton !== undefined ?
         argv.enableSkipButton :
         false,
+
+    /**
+     * Allows to enable login view when serving on http.
+     */
+    enableInsecureLogin: argv.enableInsecureLogin !== undefined ?
+      argv.enableInsecureLogin :
+      false,
   },
 
   /**

diff --git a/aio/gulp/serve.js b/aio/gulp/serve.js
@@ -38,6 +38,8 @@ function getBackendArgs() {
     `--tls-cert-file=${conf.backend.tlsCert}`,
     `--tls-key-file=${conf.backend.tlsKey}`,
     `--auto-generate-certificates=${conf.backend.autoGenerateCerts}`,
+    `--enable-insecure-login=${conf.backend.enableInsecureLogin}`,
+    `--enable-skip-login=${conf.backend.enableSkipButton}`
   ];
 
   if (conf.backend.systemBanner.length > 0) {
@@ -58,10 +60,6 @@ function getBackendArgs() {
     args.push(`--apiserver-host=${conf.backend.apiServerHost}`);
   }
 
-  if (conf.backend.enableSkipButton) {
-    args.push(`--enable-skip-login=${conf.backend.enableSkipButton}`);
-  }
-
   return args;
 }
 

diff --git a/src/app/frontend/common/services/global/authentication.ts b/src/app/frontend/common/services/global/authentication.ts
@@ -34,14 +34,6 @@ import {KdStateService} from './state';
 export class AuthService {
   private readonly _config = CONFIG;
 
-  get allowedProtocol(): string {
-    return 'https';
-  }
-
-  get domainWhitelist(): string[] {
-    return ['localhost', '127.0.0.1'];
-  }
-
   constructor(
     private readonly cookies_: CookieService,
     private readonly router_: Router,
@@ -61,34 +53,40 @@ export class AuthService {
   }
 
   private setTokenCookie_(token: string): void {
-    // This will only work for HTTPS connection
-    this.cookies_.set(this._config.authTokenCookieName, token, null, null, null, true, 'Strict');
-    // This will only work when accessing Dashboard at 'localhost' or
-    // '127.0.0.1'
-    this.cookies_.set(
-      this._config.authTokenCookieName,
-      token,
-      null,
-      null,
-      'localhost',
-      false,
-      'Strict',
-    );
-    this.cookies_.set(
-      this._config.authTokenCookieName,
-      token,
-      null,
-      null,
-      '127.0.0.1',
-      false,
-      'Strict',
-    );
+    if (!this.isLoginEnabled()) {
+      return;
+    }
+
+    if (this.isCurrentProtocolSecure_()) {
+      this.cookies_.set(this._config.authTokenCookieName, token, null, null, null, true, 'Strict');
+      return;
+    }
+
+    if (this.isCurrentDomainSecure_()) {
+      this.cookies_.set(
+        this._config.authTokenCookieName,
+        token,
+        null,
+        null,
+        location.hostname,
+        false,
+        'Strict',
+      );
+    }
   }
 
   private getTokenCookie_(): string {
     return this.cookies_.get(this._config.authTokenCookieName) || '';
   }
 
+  private isCurrentDomainSecure_(): boolean {
+    return ['localhost', '127.0.0.1'].indexOf(location.hostname) > -1;
+  }
+
+  private isCurrentProtocolSecure_(): boolean {
+    return location.protocol.includes('https');
+  }
+
   removeAuthCookies(): void {
     this.cookies_.delete(this._config.authTokenCookieName);
     this.cookies_.delete(this._config.skipLoginPageCookieName);
@@ -193,4 +191,12 @@ export class AuthService {
   isLoginPageEnabled(): boolean {
     return !(this.cookies_.get(this._config.skipLoginPageCookieName) === 'true');
   }
+
+  /**
+   * Returns true if domain is localhost/127.0.0.1 or if the connection
+   * protocol is HTTPS, false otherwise.
+   */
+  isLoginEnabled(): boolean {
+    return this.isCurrentDomainSecure_() || this.isCurrentProtocolSecure_();
+  }
 }
diff --git a/src/app/frontend/login/component.spec.ts b/src/app/frontend/login/component.spec.ts
@@ -65,12 +65,8 @@ class MockAuthService {
 
   skipLoginPage(): void {}
 
-  get allowedProtocol(): string {
-    return 'https';
-  }
-
-  get domainWhitelist(): string[] {
-    return ['localhost', '127.0.0.1'];
+  isLoginEnabled(): boolean {
+    return true;
   }
 }
 

diff --git a/src/app/frontend/login/component.ts b/src/app/frontend/login/component.ts
@@ -117,9 +117,7 @@ export class LoginComponent implements OnInit {
   }
 
   isLoginEnabled(): boolean {
-    return this.authService_.domainWhitelist.indexOf(location.hostname) > -1
-      ? true
-      : location.protocol === this.authService_.allowedProtocol;
+    return this.authService_.isLoginEnabled();
   }
 
   onChange(event: Event & KdFile): void {