Generate escaped regexes for cors config #16204
Conversation
cc @openshift/sig-security
Comment about func. Otherwise LGTM.
pkg/cmd/server/start/master_args.go
@@ -149,7 +150,15 @@ func (args MasterArgs) BuildSerializeableMasterConfig() (*configapi.MasterConfig | |||
// always include localhost as an allowed CORS origin | |||
// always include master public address as an allowed CORS origin | |||
corsAllowedOrigins := sets.NewString(args.CORSAllowedOrigins...) | |||
corsAllowedOrigins.Insert(assetPublicAddr.Host, masterPublicAddr.Host, "localhost", "127.0.0.1") | |||
matchLiteralHost := func(s string) string { |
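Review bot: `matchLiteralHost` is declared as a closure inside BuildSerializeableMasterConfig (the `:= func(s string) string {` line at the end of the hunk) even though it uses no local state; make it a package-level helper so it can be unit-tested on its own and reused. The `corsAllowedOrigins.Insert(...)` line still feeds plain host strings into a list that the API server compiles as regular expressions, so every entry, including the user-supplied `args.CORSAllowedOrigins`, should pass through the escaping helper before it reaches the serialized config.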
Why an inline function?
no reason, fixed
How is this list used by the API server? It looks to me like the https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
It tries to match the incoming Origin header against one of these regexes, and if one matches, echoes the Origin header back as
origin/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/filters/cors.go Lines 42 to 51 in 72f5bc5
pkg/cmd/server/start/master_args.go
makeExactMatchRegex(assetPublicAddr.Host), | ||
makeExactMatchRegex(masterPublicAddr.Host), | ||
makeExactMatchRegex("localhost"), | ||
makeExactMatchRegex("127.0.0.1"), |
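Review bot: anchoring each default entry to the bare host means an Origin that carries a port, such as `https://localhost:9000`, no longer matches `makeExactMatchRegex("localhost")`, and the same applies to the `127.0.0.1` entry. If a trusted host is meant to be trusted on any port, append `(:|$)` to entries that have no explicit port and reserve the bare `$` anchor for entries that already include one; keep a leading `//` anchor as well so the host cannot match as a suffix of a longer hostname.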
It looks like this will now block origins like https://localhost:9000? If so, I wonder if it's still worth setting these as defaults.
If we trust localhost, I assume we trust it on any port and protocol?
Do assetPublicAddr.Host and masterPublicAddr.Host include scheme and port as well?
hmm, yeah... need to rethink the scheme/port bit
ok, pinned to the beginning of the host with `//` and the end of the host with `(:|$)` or `$`, depending on whether the host already contained a port. This results in output like this:

```yaml
corsAllowedOrigins:
- //127\.0\.0\.1(:|$)
- //192\.168\.1\.101:8443$
- //localhost(:|$)
```
@spadgett, are you able to check if that works across browsers for the cross-domain case?
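The pattern shape described in the comment above (escaped host, `//` anchor at the front, `$` or `(:|$)` at the back) can be reproduced and checked outside the API server. The following Go program is an added example and is not code from the PR or from the origin repository; `makeExactMatchRegex`, `originAllowed` and `defaultPatterns` are assumed names written for this illustration, and the Origin header values it checks are constructed. It compares the generated patterns against the pre-fix behaviour, where the raw host strings were used as regular expressions, so `.` acted as a wildcard and nothing anchored the host.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// makeExactMatchRegex turns one allowed-host entry into a CORS origin pattern
// following the scheme described in the comment above (added example; the
// function name and its exact shape are an assumption, not the PR's code):
//   - regexp.QuoteMeta escapes the host, so "." matches only a literal dot;
//   - a leading "//" pins the host to the position right after "scheme:";
//   - entries that already carry a port end in "$" and match that port only,
//     entries without a port end in "(:|$)" and match on any port.
func makeExactMatchRegex(host string) string {
	if _, _, err := net.SplitHostPort(host); err == nil {
		return "//" + regexp.QuoteMeta(host) + "$"
	}
	return "//" + regexp.QuoteMeta(host) + "(:|$)"
}

// originAllowed models how the API server consumes the list: every entry is
// compiled as a regular expression and the request's Origin header value is
// accepted if any pattern matches it.
func originAllowed(origin string, patterns []string) bool {
	for _, p := range patterns {
		if regexp.MustCompile(p).MatchString(origin) {
			return true
		}
	}
	return false
}

// defaultPatterns builds the generated-config entries for the two default
// hosts plus one master address (constructed sample, mirroring the yaml
// output shown in the discussion).
func defaultPatterns(masterHostPort string) []string {
	return []string{
		makeExactMatchRegex("127.0.0.1"),
		makeExactMatchRegex(masterHostPort),
		makeExactMatchRegex("localhost"),
	}
}

func main() {
	escaped := defaultPatterns("192.168.1.101:8443")
	// Pre-fix behaviour: the raw host strings are used as patterns, so "."
	// is a wildcard and there is no "//" or "$" anchor.
	unescaped := []string{"127.0.0.1", "192.168.1.101:8443", "localhost"}

	// Constructed Origin header values used to compare both configurations.
	origins := []string{
		"https://localhost:9000",        // localhost on a non-default port
		"https://localhost.example.com", // hostname that merely starts with localhost
		"https://192.168.1.101:8443",    // master address, exact port
		"https://192.168.1.101:9443",    // master address, different port
		"https://127a0b0c1",             // dots replaced by other characters
	}
	for _, o := range origins {
		fmt.Printf("%-32s unescaped=%-5t escaped=%t\n", o,
			originAllowed(o, unescaped), originAllowed(o, escaped))
	}
}
```

Running it shows the two failure modes the thread discusses side by side: with the escaped, anchored patterns `https://localhost:9000` and the master address on its configured port are accepted, while `https://localhost.example.com`, the master address on another port and `https://127a0b0c1` are rejected; with the raw host strings the last two of those rejections are reversed, because `.` matches any character and a bare `localhost` matches anywhere inside the origin.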
/retest
@liggitt Built and tested the cross-domain case with Chrome, Firefox, Safari, and IE 11. It works in all browsers. I also checked using curl that substituting another character for
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, spadgett The full list of commands accepted by this bot can be found here.
/retest Please review the full test history for this PR and help us cut down flakes.
/retest
Automatic merge from submit-queue
this ensures the generated config matches hosts exactly instead of treating `.` like a "match any character" rule