Last active: October 28, 2019 22:28
Explore CORS verification
1) On the 'master' node of the OCP 3 cluster, in
/etc/origin/master/master-config.yaml
corsAllowedOrigins:
- (?i)//migration-openshift-migration\.apps\.cluster-jwm1023ocp4b\.jwm1023ocp4b\.mg\.dog8code\.com(:|\z)

2) Assume the script below:
$ cat check_cors.sh
#!/bin/sh
# OCP 3 master API endpoint whose CORS policy we are checking
OCP3="https://master.jwm1023ocp3b.mg.dog8code.com:443"
# Value sent in the Origin header (as first written: bare hostname, no scheme)
CAM_URL="migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com"
# Send a CORS preflight (OPTIONS) for a GET that will carry an Authorization header.
# -k skips certificate verification only because the master certificate is issued by
# the cluster's own openshift-signer CA; prefer --cacert with that CA where available.
curl -v -k -X OPTIONS ${OCP3}/apis/migration.openshift.io/v1alpha1/namespaces/openshift-migration/migclusters \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: authorization" \
  -H "Origin: ${CAM_URL}"
3) When we run it we see a failure:
$ ./check_cors.sh
* Trying 52.8.184.238...
* TCP_NODELAY set
* Connected to master.jwm1023ocp3b.mg.dog8code.com (52.8.184.238) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=172.30.0.1
* start date: Oct 23 14:37:04 2019 GMT
* expire date: Oct 22 14:37:05 2021 GMT
* issuer: CN=openshift-signer@1571841423
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e7c6812270)
> OPTIONS /apis/migration.openshift.io/v1alpha1/namespaces/openshift-migration/migclusters HTTP/2
> Host: master.jwm1023ocp3b.mg.dog8code.com
> User-Agent: curl/7.59.0
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: authorization
> Origin: migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< cache-control: no-store
< content-type: application/json
< x-content-type-options: nosniff
< content-length: 417
< date: Mon, 28 Oct 2019 22:22:42 GMT
<
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "migclusters.migration.openshift.io is forbidden: User \"system:anonymous\" cannot migclusters.migration.openshift.io in the namespace \"openshift-migration\": no RBAC policy matched",
  "reason": "Forbidden",
  "details": {
    "group": "migration.openshift.io",
    "kind": "migclusters"
  },
  "code": 403
* Connection #0 to host master.jwm1023ocp3b.mg.dog8code.com left intact
}
The failure above happens because the script set the 'Origin' header to a bare hostname with no scheme:
"Origin: migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com"
This failure is correct. Looking more closely at the corsAllowedOrigins setting
(see: https://docs.openshift.com/container-platform/3.9/architecture/infrastructure_components/web_console.html),
we are using the value
- (?i)//migration-openshift-migration\.apps\.cluster-jwm1023ocp4b\.jwm1023ocp4b\.mg\.dog8code\.com(:|\z)
where:
The (?i) makes the match case-insensitive.
The // pins the match to the beginning of the domain (it matches the double slash following http: or https:).
The \. escapes the dots in the domain name so they match literally.
The (:|\z) matches either the end of the domain name (\z) or a port separator (:).
So a request sent with "Origin: migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com"
contains no "//" and fails to match the pattern.
Note that the 403 is not reported as a CORS error as such: when no pattern matches, the API server adds no CORS headers and passes the OPTIONS request on to normal authentication and authorization, where the unauthenticated caller (system:anonymous) is rejected by RBAC, which is exactly what the response body says.
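To make the matching rule above concrete, here is an added example (not part of the original gist) that applies the configured corsAllowedOrigins pattern to a set of Origin values the way the API server's CORS filter does: an unanchored regex search over the header value. It assumes the Go/RE2 pattern can be used in Python's re after spelling RE2's \z as Python's \Z, which holds for this pattern; the list of origins other than the page's two values is constructed for illustration.

```python
import re

# corsAllowedOrigins entry copied from the master-config.yaml shown above
CORS_ALLOWED_ORIGINS = [
    r"(?i)//migration-openshift-migration\.apps\.cluster-jwm1023ocp4b\.jwm1023ocp4b\.mg\.dog8code\.com(:|\z)",
]

CAM_HOST = "migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com"


def go_to_python_regex(pattern: str) -> str:
    """Translate the RE2 syntax used by the apiserver into Python's re dialect.

    Assumption: for this pattern the only construct that differs is RE2's \\z
    (end of text), which Python spells \\Z. (?i) and \\. behave the same.
    """
    return pattern.replace(r"\z", r"\Z")


def origin_allowed(origin: str, patterns=CORS_ALLOWED_ORIGINS) -> bool:
    """Mimic the apiserver CORS filter: an Origin is allowed if any configured
    pattern matches somewhere in the header value (unanchored search). That is
    why each entry starts with '//': it pins the match to the host part."""
    return any(re.search(go_to_python_regex(p), origin) for p in patterns)


def preflight_outcome(origin: str) -> str:
    """What an OPTIONS preflight with this Origin will see: a matching origin is
    answered immediately with 204 and CORS headers; a non-matching origin gets no
    CORS headers and falls through to normal authz, which for an unauthenticated
    preflight is the 403 'system:anonymous ... no RBAC policy matched' above."""
    if origin_allowed(origin):
        return "204 preflight answered with CORS headers"
    return "403 from RBAC (origin not matched, no CORS headers)"


# Constructed cases: expected result for each Origin value.
# The first two are the page's own values; the rest probe each regex element.
CASES = {
    CAM_HOST: False,                                      # bare hostname, no '//'
    "https://" + CAM_HOST: True,                          # as a browser sends it
    "http://" + CAM_HOST: True,                           # '//' matches either scheme
    "https://" + CAM_HOST.upper(): True,                  # (?i) case-insensitive
    "https://" + CAM_HOST + ":443": True,                 # port accepted via (:|\z)
    "https://" + CAM_HOST + ".example": False,            # suffix rejected by (:|\z)
    "https://not-" + CAM_HOST: False,                     # prefix rejected by '//'
    "https://" + CAM_HOST.replace(".", "x", 1): False,    # \. keeps dots literal
}


def verify_cases():
    """Return the origins whose result differs from the expectation (empty = all agree)."""
    return [o for o, expected in CASES.items() if origin_allowed(o) is not expected]


if __name__ == "__main__":
    for o in CASES:
        print(f"{o:90s} -> {preflight_outcome(o)}")
    print("mismatches:", verify_cases())
```

The bare hostname is the only difference between steps 3 and 4 of the gist, and the table shows why it matters: the pattern never anchors to the start of the string, so the leading "//" is what stops a look-alike prefix from matching, and "(:|\z)" is what stops a longer domain that merely begins with the expected name. Dropping either anchor when editing corsAllowedOrigins widens the policy.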
4) If we update the script so that CAM_URL includes the scheme:
CAM_URL="https://migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com"
$ ./check_cors.sh
* Trying 52.8.184.238...
* TCP_NODELAY set
* Connected to master.jwm1023ocp3b.mg.dog8code.com (52.8.184.238) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=172.30.0.1
* start date: Oct 23 14:37:04 2019 GMT
* expire date: Oct 22 14:37:05 2021 GMT
* issuer: CN=openshift-signer@1571841423
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55df75077270)
> OPTIONS /apis/migration.openshift.io/v1alpha1/namespaces/openshift-migration/migclusters HTTP/2
> Host: master.jwm1023ocp3b.mg.dog8code.com
> User-Agent: curl/7.59.0
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: authorization
> Origin: https://migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 204
< access-control-allow-credentials: true
< access-control-allow-headers: Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-Requested-With, If-Modified-Since
< access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE, PATCH
< access-control-allow-origin: https://migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com
< access-control-expose-headers: Date
< cache-control: no-store
< date: Mon, 28 Oct 2019 22:27:42 GMT
<
* Connection #0 to host master.jwm1023ocp3b.mg.dog8code.com left intact
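The two curl runs above are read by eye; the added example below (not part of the original gist) turns that reading into a check a script can run on a preflight response. It takes the status and response headers, and reports why a browser would refuse the real request: non-2xx status (origin not matched, request fell through to authz), access-control-allow-origin missing or not echoing the requested origin, credentials combined with a wildcard origin, or the requested method or headers absent from the allow lists. The two captured responses are copied from the page; the third response and the check function itself are constructed for illustration.

```python
from typing import Mapping, Sequence


def _csv(value: str) -> set:
    """Split a comma-separated header value into trimmed, lower-cased tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_preflight_response(origin: str, method: str, request_headers: Sequence[str],
                             status: int, headers: Mapping[str, str]) -> list:
    """Return the problems found in a CORS preflight (OPTIONS) response.

    An empty list means the browser would let the real request proceed: the
    origin is echoed back exactly, the requested method and headers are allowed,
    and credentials are not combined with a wildcard origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status not in (200, 204):
        # No corsAllowedOrigins pattern matched: the apiserver added no CORS
        # headers and the OPTIONS request went on to normal authorization.
        problems.append(f"status {status}: origin not matched, request reached authz")
        return problems
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        problems.append("missing access-control-allow-origin")
    elif acao == "*":
        if creds:
            problems.append("wildcard origin combined with allow-credentials: true")
    elif acao != origin:
        problems.append(f"allow-origin {acao!r} does not echo requested origin {origin!r}")
    if method.lower() not in _csv(h.get("access-control-allow-methods", "")):
        problems.append(f"method {method} not in access-control-allow-methods")
    allowed = _csv(h.get("access-control-allow-headers", ""))
    for name in request_headers:
        if name.lower() not in allowed:
            problems.append(f"request header {name} not in access-control-allow-headers")
    return problems


CAM_HOST = "migration-openshift-migration.apps.cluster-jwm1023ocp4b.jwm1023ocp4b.mg.dog8code.com"
ORIGIN = "https://" + CAM_HOST

# Response headers copied from the step 3 run (bare-hostname Origin)
RESPONSE_403 = (403, {
    "cache-control": "no-store",
    "content-type": "application/json",
    "x-content-type-options": "nosniff",
    "content-length": "417",
})
# Response headers copied from the step 4 run (Origin with https:// scheme)
RESPONSE_204 = (204, {
    "access-control-allow-credentials": "true",
    "access-control-allow-headers": "Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, "
                                    "Authorization, X-Requested-With, If-Modified-Since",
    "access-control-allow-methods": "POST, GET, OPTIONS, PUT, DELETE, PATCH",
    "access-control-allow-origin": ORIGIN,
    "access-control-expose-headers": "Date",
    "cache-control": "no-store",
})
# Constructed: an over-permissive policy that browsers still refuse for credentialed requests
RESPONSE_WILDCARD = (204, {
    "access-control-allow-credentials": "true",
    "access-control-allow-origin": "*",
    "access-control-allow-methods": "GET",
    "access-control-allow-headers": "authorization",
})


def check_all():
    """Run the check over the three responses; keys name the scenario."""
    return {
        "step3_403": check_preflight_response(CAM_HOST, "GET", ["authorization"], *RESPONSE_403),
        "step4_204": check_preflight_response(ORIGIN, "GET", ["authorization"], *RESPONSE_204),
        "wildcard": check_preflight_response(ORIGIN, "GET", ["authorization"], *RESPONSE_WILDCARD),
    }


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(name, "->", "ok" if not problems else problems)
```

In practice the status and headers would come from the same curl call as the gist's script (for example curl -s -D - -o /dev/null with the same -X OPTIONS and -H flags), parsed into a dict before calling check_preflight_response; the step 4 response passes cleanly, and the step 3 response is flagged at the status check before any header is inspected.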