Add some XSRF protection to kubectl proxy.

This commit is contained in:
Brendan Burns
2015-06-04 16:21:11 -07:00
parent 5aa0219ada
commit 4aeee94603
6 changed files with 285 additions and 6 deletions


@@ -29,6 +29,157 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
)
func TestAccept(t *testing.T) {
tests := []struct {
acceptPaths string
rejectPaths string
acceptHosts string
path string
host string
method string
expectAccept bool
}{
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods",
host: "127.0.0.1",
method: "GET",
expectAccept: true,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods",
host: "localhost",
method: "GET",
expectAccept: true,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods/foo/exec",
host: "127.0.0.1",
method: "GET",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods",
host: "evil.com",
method: "GET",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods",
host: "localhost.evil.com",
method: "GET",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods",
host: "127a0b0c1",
method: "GET",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/foo/v1/pods",
host: "localhost",
method: "GET",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods",
host: "localhost",
method: "POST",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods/somepod",
host: "localhost",
method: "PUT",
expectAccept: false,
},
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods/somepod",
host: "localhost",
method: "PATCH",
expectAccept: false,
},
}
for _, test := range tests {
filter := &FilterServer{
AcceptPaths: MakeRegexpArrayOrDie(test.acceptPaths),
RejectPaths: MakeRegexpArrayOrDie(test.rejectPaths),
AcceptHosts: MakeRegexpArrayOrDie(test.acceptHosts),
RejectMethods: MakeRegexpArrayOrDie(DefaultMethodRejectRE),
}
accept := filter.accept(test.method, test.path, test.host)
if accept != test.expectAccept {
t.Errorf("expected: %v, got %v for %#v", test.expectAccept, accept, test)
}
}
}
func TestRegexpMatch(t *testing.T) {
tests := []struct {
str string
regexps string
expectMatch bool
}{
{
str: "foo",
regexps: "bar,.*",
expectMatch: true,
},
{
str: "foo",
regexps: "bar,fo.*",
expectMatch: true,
},
{
str: "bar",
regexps: "bar,fo.*",
expectMatch: true,
},
{
str: "baz",
regexps: "bar,fo.*",
expectMatch: false,
},
}
for _, test := range tests {
match := matchesRegexp(test.str, MakeRegexpArrayOrDie(test.regexps))
if test.expectMatch != match {
t.Errorf("expected: %v, found: %v, for %s and %v", test.expectMatch, match, test.str, test.regexps)
}
}
}
func TestFileServing(t *testing.T) {
const (
fname = "test.txt"
@@ -136,7 +287,7 @@ func TestPathHandling(t *testing.T) {
for _, item := range table {
func() {
p, err := NewProxyServer("", item.prefix, "/not/used/for/this/test", cc)
p, err := NewProxyServer("", item.prefix, "/not/used/for/this/test", nil, cc)
if err != nil {
t.Fatalf("%#v: %v", item, err)
}
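Review bot: The TestAccept table rejects POST, PUT and PATCH but has no row for DELETE, so the tests leave open whether the default method filter is meant to let that state-changing verb through; a row such as `{..., path: "/api/v1/pods/somepod", host: "localhost", method: "DELETE", expectAccept: <intended>}` would pin the decision. Host coverage stops at bare names: no case has a Host value carrying a port (`localhost:8001`, a constructed example) or the IPv6 loopback, and this section does not show whether `accept` receives the host with the port already stripped. In TestRegexpMatch no case shows whether matching is anchored (for instance `str: "rebar"` against `bar,fo.*`), which is the property the `localhost.evil.com` rejection relies on, so one row documenting it would help. All ten TestAccept rows repeat the same three `Default*RE` values, so either drop those fields from the struct or add at least one row with a non-default filter.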