hack/scripts-dev: test "--host-whitelist"

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
etcd-io · Feb 28, 2018 · edd327c · edd327c
1 parent eeab945
commit edd327c
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/hack/scripts-dev/docker-dns/certs/run.sh b/hack/scripts-dev/docker-dns/certs/run.sh
@@ -32,7 +32,6 @@ ETCDCTL_API=3 ./etcdctl \
   --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
   get abc
 
-# TODO: add host header check to enforce same-origin-policy
 printf "\nWriting v2 key...\n"
 curl -L https://127.0.0.1:2379/v2/keys/queue \
   --cacert /certs/ca.crt \

diff --git a/hack/scripts-dev/docker-dns/insecure/Procfile b/hack/scripts-dev/docker-dns/insecure/Procfile
@@ -1,6 +1,6 @@
 # Use goreman to run `go get github.com/mattn/goreman`
-etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://m1.etcd.local:2379 --listen-peer-urls http://127.0.0.1:2380 --initial-advertise-peer-urls=http://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380
+etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://m1.etcd.local:2379 --listen-peer-urls http://127.0.0.1:2380 --initial-advertise-peer-urls=http://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist m1.etcd.local
 
-etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://m2.etcd.local:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls=http://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380
+etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://m2.etcd.local:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls=http://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist m1.etcd.local
 
-etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://m3.etcd.local:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls=http://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380
+etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://m3.etcd.local:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls=http://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist m1.etcd.local
diff --git a/hack/scripts-dev/docker-dns/insecure/run.sh b/hack/scripts-dev/docker-dns/insecure/run.sh
@@ -23,7 +23,6 @@ ETCDCTL_API=3 ./etcdctl \
   --endpoints=http://m1.etcd.local:2379,http://m2.etcd.local:22379,http://m3.etcd.local:32379 \
   get abc
 
-# TODO: add host header check to enforce same-origin-policy
 printf "\nWriting v2 key...\n"
 curl \
   -L http://127.0.0.1:2379/v2/keys/queue \
@@ -58,4 +57,11 @@ printf "\n\nFetching 'curl http://m1.etcd.local:2379/metrics'...\n"
 curl \
   -L http://m1.etcd.local:2379/metrics | grep Put | tail -3
 
+
+# this will be rejected because "m2.etcd.local"
+# is not secured and not whitelisted
+printf "\n\nFetching 'curl http://m2.etcd.local:2379/metrics'...\n"
+curl \
+  -L http://m2.etcd.local:2379/metrics
+
 printf "\n\nDone!!!\n\n"