From edd327c68ad489426e27e2d12302808844fe143b Mon Sep 17 00:00:00 2001
From: Gyuho Lee
Date: Tue, 27 Feb 2018 16:16:45 -0800
Subject: [PATCH] hack/scripts-dev: test "--host-whitelist"
Signed-off-by: Gyuho Lee
---
 hack/scripts-dev/docker-dns/certs/run.sh | 1 -
 hack/scripts-dev/docker-dns/insecure/Procfile | 6 +++---
 hack/scripts-dev/docker-dns/insecure/run.sh | 8 +++++++-
 3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/hack/scripts-dev/docker-dns/certs/run.sh b/hack/scripts-dev/docker-dns/certs/run.sh
index 1ef72d40f384..9311c618b411 100755
--- a/hack/scripts-dev/docker-dns/certs/run.sh
+++ b/hack/scripts-dev/docker-dns/certs/run.sh
@@ -32,7 +32,6 @@
 ETCDCTL_API=3 ./etcdctl \
 --endpoints=https://m1.etcd.local:2379,https://m2.etcd.local:22379,https://m3.etcd.local:32379 \
 get abc
-# TODO: add host header check to enforce same-origin-policy
 printf "\nWriting v2 key...\n"
 curl -L https://127.0.0.1:2379/v2/keys/queue \
 --cacert /certs/ca.crt \
diff --git a/hack/scripts-dev/docker-dns/insecure/Procfile b/hack/scripts-dev/docker-dns/insecure/Procfile
index 0029aeda67ff..5b91d01868d0 100644
--- a/hack/scripts-dev/docker-dns/insecure/Procfile
+++ b/hack/scripts-dev/docker-dns/insecure/Procfile
@@ -1,6 +1,6 @@
 # Use goreman to run `go get github.com/mattn/goreman`
-etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://m1.etcd.local:2379 --listen-peer-urls http://127.0.0.1:2380 --initial-advertise-peer-urls=http://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380
+etcd1: ./etcd --name m1 --data-dir /tmp/m1.data --listen-client-urls http://127.0.0.1:2379 --advertise-client-urls http://m1.etcd.local:2379 --listen-peer-urls http://127.0.0.1:2380 --initial-advertise-peer-urls=http://m1.etcd.local:2380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist m1.etcd.local
-etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://m2.etcd.local:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls=http://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380
+etcd2: ./etcd --name m2 --data-dir /tmp/m2.data --listen-client-urls http://127.0.0.1:22379 --advertise-client-urls http://m2.etcd.local:22379 --listen-peer-urls http://127.0.0.1:22380 --initial-advertise-peer-urls=http://m2.etcd.local:22380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist m1.etcd.local
-etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://m3.etcd.local:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls=http://m3.etcd.local:32380 --initial-cluster-token tkn
--initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380
\ No newline at end of file
+etcd3: ./etcd --name m3 --data-dir /tmp/m3.data --listen-client-urls http://127.0.0.1:32379 --advertise-client-urls http://m3.etcd.local:32379 --listen-peer-urls http://127.0.0.1:32380 --initial-advertise-peer-urls=http://m3.etcd.local:32380 --initial-cluster-token tkn --initial-cluster=m1=http://m1.etcd.local:2380,m2=http://m2.etcd.local:22380,m3=http://m3.etcd.local:32380 --host-whitelist m1.etcd.local
\ No newline at end of file
diff --git a/hack/scripts-dev/docker-dns/insecure/run.sh b/hack/scripts-dev/docker-dns/insecure/run.sh
index 683329b7ecd9..c6d54152932c 100755
--- a/hack/scripts-dev/docker-dns/insecure/run.sh
+++ b/hack/scripts-dev/docker-dns/insecure/run.sh
@@ -23,7 +23,6 @@
 ETCDCTL_API=3 ./etcdctl \
 --endpoints=http://m1.etcd.local:2379,http://m2.etcd.local:22379,http://m3.etcd.local:32379 \
 get abc
-# TODO: add host header check to enforce same-origin-policy
 printf "\nWriting v2 key...\n"
 curl \
 -L http://127.0.0.1:2379/v2/keys/queue \
@@ -58,4 +57,11 @@
 printf "\n\nFetching 'curl http://m1.etcd.local:2379/metrics'...\n"
 curl \
 -L http://m1.etcd.local:2379/metrics | grep Put | tail -3
+
+# this will be rejected because "m2.etcd.local"
+# is not secured and not whitelisted
+printf "\n\nFetching 'curl http://m2.etcd.local:2379/metrics'...\n"
+curl \
+ -L http://m2.etcd.local:2379/metrics
+
 printf "\n\nDone!!!\n\n"
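Review bot: etcd2 and etcd3 are both given `--host-whitelist m1.etcd.local` although their advertised client URLs are http://m2.etcd.local:22379 and http://m3.etcd.local:32379, so a plain-HTTP client that addresses either member by its own advertised host would presumably be rejected by the same Host check the run.sh hunk exercises. If that is not deliberate, whitelist each member's own name, `--host-whitelist m2.etcd.local` on the etcd2 line and `--host-whitelist m3.etcd.local` on the etcd3 line; this keeps the negative case in run.sh intact, since that request goes to port 2379 with a Host header of m2.etcd.local. If it is deliberate, a one-line comment in the Procfile saying that the fixture is only meant to be reached through m1.etcd.local would stop the next reader from "fixing" it. The etcd3 line is split across two physical lines here, so the trailing part of its old and new forms should be read together.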
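Review bot: The negative case added at the end of the hunk only prints whatever curl returns; nothing asserts that the request for m2.etcd.local was actually rejected, so a regression that re-admits non-whitelisted hosts would not fail this script. Capture the status instead of the body, e.g. `curl -sS -o /dev/null -w '%{http_code}\n' -L http://m2.etcd.local:2379/metrics`, and compare it with the status etcd returns for a host outside the whitelist, exiting non-zero on a mismatch. The request also goes to port 2379, which the Procfile assigns to etcd1, not to m2's own port 22379, so what is exercised is m1's Host header check when m2.etcd.local resolves to the same address (as the docker-dns fixture suggests); the comment should say so: `# Host header "m2.etcd.local" is not in m1's --host-whitelist, so m1 (port 2379) must reject this plain-HTTP request`. The phrase "not secured" in the existing comment is always true in this insecure/ fixture and can be dropped to keep the intent clear.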