mirror of https://github.com/lensapp/lens.git synced 2025-05-20 05:10:56 +00:00

kube-auth-proxy: accept only target cluster hostname (#1433)

Signed-off-by: Jari Kolehmainen <jari.kolehmainen@gmail.com>
Jari Kolehmainen 2020-11-19 08:32:07 +02:00 committed by GitHub
parent 3197e3a1fe
commit c4b98534dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 11 deletions


@ -58,6 +58,7 @@ describe("kube auth proxy tests", () => {
let port: number let port: number
let mockedCP: MockProxy<ChildProcess> let mockedCP: MockProxy<ChildProcess>
let listeners: Record<string, (...args: any[]) => void> let listeners: Record<string, (...args: any[]) => void>
let proxy: KubeAuthProxy
beforeEach(async () => { beforeEach(async () => {
port = await getFreePort() port = await getFreePort()
@ -85,43 +86,41 @@ describe("kube auth proxy tests", () => {
return mockedCP return mockedCP
}) })
mockWaitUntilUsed.mockReturnValueOnce(Promise.resolve()) mockWaitUntilUsed.mockReturnValueOnce(Promise.resolve())
const cluster = new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" })
jest.spyOn(cluster, "apiUrl", "get").mockReturnValue("https://fake.k8s.internal")
proxy = new KubeAuthProxy(cluster, port, {})
}) })
it("should call spawn and broadcast errors", async () => { it("should call spawn and broadcast errors", async () => {
const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {}) await proxy.run()
await kap.run()
listeners["error"]({ message: "foobarbat" }) listeners["error"]({ message: "foobarbat" })
expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "foobarbat", error: true }] }) expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "foobarbat", error: true }] })
}) })
it("should call spawn and broadcast exit", async () => { it("should call spawn and broadcast exit", async () => {
const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {}) await proxy.run()
await kap.run()
listeners["exit"](0) listeners["exit"](0)
expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "proxy exited with code: 0", error: false }] }) expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "proxy exited with code: 0", error: false }] })
}) })
it("should call spawn and broadcast errors from stderr", async () => { it("should call spawn and broadcast errors from stderr", async () => {
const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {}) await proxy.run()
await kap.run()
listeners["stderr/data"]("an error") listeners["stderr/data"]("an error")
expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "an error", error: true }] }) expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "an error", error: true }] })
}) })
it("should call spawn and broadcast stdout serving info", async () => { it("should call spawn and broadcast stdout serving info", async () => {
const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {}) await proxy.run()
await kap.run()
listeners["stdout/data"]("Starting to serve on") listeners["stdout/data"]("Starting to serve on")
expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "Authentication proxy started\n" }] }) expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "Authentication proxy started\n" }] })
}) })
it("should call spawn and broadcast stdout other info", async () => { it("should call spawn and broadcast stdout other info", async () => {
const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {}) await proxy.run()
await kap.run()
listeners["stdout/data"]("some info") listeners["stdout/data"]("some info")
expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "some info" }] }) expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "some info" }] })
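Review bot: None of the tests in this section assert the new `--accept-hosts` value, so the behaviour this commit is about is not pinned. The `beforeEach` now mocks `apiUrl` as `"https://fake.k8s.internal"`, but every visible `it` still checks only the IPC broadcasts. A regression back to a permissive pattern would pass unnoticed. I would add a case that runs `proxy.run()` and checks the argument array handed to the spawn mock (defined outside this hunk) with `expect.arrayContaining(["--accept-hosts", "fake.k8s.internal"])`. A second case for an `apiUrl` with no parseable hostname would document what the proxy is expected to do then.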


@ -4,6 +4,7 @@ import { broadcastIpc } from "../common/ipc";
import type { Cluster } from "./cluster" import type { Cluster } from "./cluster"
import { Kubectl } from "./kubectl" import { Kubectl } from "./kubectl"
import logger from "./logger" import logger from "./logger"
import * as url from "url"
export interface KubeAuthProxyLog { export interface KubeAuthProxyLog {
data: string; data: string;
@ -26,17 +27,22 @@ export class KubeAuthProxy {
this.kubectl = Kubectl.bundled() this.kubectl = Kubectl.bundled()
} }
get acceptHosts() {
return url.parse(this.cluster.apiUrl).hostname;
}
public async run(): Promise<void> { public async run(): Promise<void> {
if (this.proxyProcess) { if (this.proxyProcess) {
return; return;
} }
const proxyBin = await this.kubectl.getPath() const proxyBin = await this.kubectl.getPath()
const args = [ const args = [
"proxy", "proxy",
"-p", `${this.port}`, "-p", `${this.port}`,
"--kubeconfig", `${this.cluster.kubeConfigPath}`, "--kubeconfig", `${this.cluster.kubeConfigPath}`,
"--context", `${this.cluster.contextName}`, "--context", `${this.cluster.contextName}`,
"--accept-hosts", ".*", "--accept-hosts", this.acceptHosts,
"--reject-paths", "^[^/]" "--reject-paths", "^[^/]"
] ]
if (process.env.DEBUG_PROXY === "true") { if (process.env.DEBUG_PROXY === "true") {
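Review bot: `acceptHosts` returns the bare hostname, but kubectl treats `--accept-hosts` as a regular expression (the replaced value was `.*`), so the new filter is neither escaped nor anchored. Each `.` in the hostname matches any character, and the pattern accepts any Host value that merely contains a match, which is looser than the commit title's "only target cluster hostname". I would escape and anchor it in the getter, e.g. `return "^" + hostname.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "$"`. Separately, `url.parse(...).hostname` is `null` when `apiUrl` has no parseable host, and that value would land in `args`; throwing before spawn would fail closed. The body of `run()` continues outside this hunk.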