From c4b98534dca859f9f3f4e549b5aba99207851737 Mon Sep 17 00:00:00 2001
From: Jari Kolehmainen
Date: Thu, 19 Nov 2020 08:32:07 +0200
Subject: [PATCH] kube-auth-proxy: accept only target cluster hostname (#1433)
Signed-off-by: Jari Kolehmainen
---
 src/main/__test__/kube-auth-proxy.test.ts | 19 +++++++++----------
 src/main/kube-auth-proxy.ts | 8 +++++++-
 2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/src/main/__test__/kube-auth-proxy.test.ts b/src/main/__test__/kube-auth-proxy.test.ts
index e7bee67c07..dead980f82 100644
--- a/src/main/__test__/kube-auth-proxy.test.ts
+++ b/src/main/__test__/kube-auth-proxy.test.ts
@@ -58,6 +58,7 @@ describe("kube auth proxy tests", () => {
 let port: number
 let mockedCP: MockProxy
 let listeners: Record void>
+ let proxy: KubeAuthProxy
 beforeEach(async () => {
 port = await getFreePort()
@@ -85,43 +86,41 @@ describe("kube auth proxy tests", () => {
 return mockedCP
 })
 mockWaitUntilUsed.mockReturnValueOnce(Promise.resolve())
+ const cluster = new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" })
+ jest.spyOn(cluster, "apiUrl", "get").mockReturnValue("https://fake.k8s.internal")
+ proxy = new KubeAuthProxy(cluster, port, {})
 })
 it("should call spawn and broadcast errors", async () => {
- const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {})
- await kap.run()
+ await proxy.run()
 listeners["error"]({ message: "foobarbat" })
 expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "foobarbat", error: true }] })
 })
 it("should call spawn and broadcast exit", async () => {
- const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {})
- await kap.run()
+ await proxy.run()
 listeners["exit"](0)
 expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "proxy exited with code: 0", error: false }] })
 })
 it("should call spawn and broadcast errors from stderr", async () => {
- const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {})
- await kap.run()
+ await proxy.run()
 listeners["stderr/data"]("an error")
 expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "an error", error: true }] })
 })
 it("should call spawn and broadcast stdout serving info", async () => {
- const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: "fake-path.yml" }), port, {})
- await kap.run()
+ await proxy.run()
 listeners["stdout/data"]("Starting to serve on")
 expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "Authentication proxy started\n" }] })
 })
 it("should call spawn and broadcast stdout other info", async () => {
- const kap = new KubeAuthProxy(new Cluster({ id: "foobar", kubeConfigPath: 
"fake-path.yml" }), port, {}) - await kap.run() + await proxy.run() listeners["stdout/data"]("some info") expect(mockBroadcastIpc).toBeCalledWith({ channel: "kube-auth:foobar", args: [{ data: "some info" }] }) diff --git a/src/main/kube-auth-proxy.ts b/src/main/kube-auth-proxy.ts index 7192425466..0bea0e720a 100644 --- a/src/main/kube-auth-proxy.ts +++ b/src/main/kube-auth-proxy.ts @@ -4,6 +4,7 @@ import { broadcastIpc } from "../common/ipc"; import type { Cluster } from "./cluster" import { Kubectl } from "./kubectl" import logger from "./logger" +import * as url from "url" export interface KubeAuthProxyLog { data: string; @@ -26,17 +27,22 @@ export class KubeAuthProxy { this.kubectl = Kubectl.bundled() } + get acceptHosts() { + return url.parse(this.cluster.apiUrl).hostname; + } + public async run(): Promise { if (this.proxyProcess) { return; } + const proxyBin = await this.kubectl.getPath() const args = [ "proxy", "-p", `${this.port}`, "--kubeconfig", `${this.cluster.kubeConfigPath}`, "--context", `${this.cluster.contextName}`, - "--accept-hosts", ".*", + "--accept-hosts", this.acceptHosts, "--reject-paths", "^[^/]" ] if (process.env.DEBUG_PROXY === "true") {