#49 Simple kubecfg.yaml endpoint security. #54
Conversation
Codecov Report
@@ Coverage Diff @@
## master #54 +/- ##
==========================================
- Coverage 39.6% 39.21% -0.39%
==========================================
Files 1 1
Lines 202 204 +2
==========================================
Hits 80 80
- Misses 116 118 +2
Partials 6 6
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Thanks for tackling this!
I've taken a first pass review. It seems like this PR needs a bit of cleanup before it can be merged; there's a few fmt statements that I assume were intended for debugging, as well as a bunch of spurious whitespace changes and permission changes on the shell scripts. Please clean these things up and I'll take another look.
kuberos.go
Outdated
| if err := decoder.Decode(p, r.Form); err != nil { | ||
| http.Error(w, errors.Wrap(err, "cannot parse URL parameter").Error(), http.StatusBadRequest) | ||
| return | ||
| } else if len(p.Username) == 0 { | ||
| http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound) |
There was a problem hiding this comment.
I'd prefer to return HTTP 401 Unauthorized in this case.
|
So I accidentally added a commit from experimenting/exploring with Kubernetes, go-client and OIDC where I added/removed a bunch of log lines and code as I'm making my way through this tech stack. Removed that commit as it's not part of the scope of this PR. Permission changes are a result from me moving away from macOS and tweaking with WSL for the scripts to work, also should not be in this commit. I personally prefer to to have 404 in pages that shouldn't be accessible from the outside, and believe it's industry standard as well, but 401 is also a valid status code, changed it to that. |
Added simple verification to the kubecfg.yaml endpoint, should show the 404 page when user not logged in and by doing so preventing partial credentials from being exposed publicly.