Restrict metadata routes #110
Conversation
Sure, let's gets that PR merged and I'll rebase |
samb1729
force-pushed
the
restrict-metadata-routes
branch
from
5f30658 to
93794bd
Compare
|
I've just pushed having rebased onto |
Codecov Report
@@ Coverage Diff @@
## api-v3 #110 +/- ##
==========================================
+ Coverage 37.79% 39.73% +1.93%
==========================================
Files 21 22 +1
Lines 799 828 +29
==========================================
+ Hits 302 329 +27
- Misses 469 471 +2
Partials 28 28
|
samb1729
force-pushed
the
restrict-metadata-routes
branch
from
93794bd to
6ae2c26
Compare
cmd/kiam/agent.go
Outdated
| @@ -45,6 +47,7 @@ func (cmd *agentCommand) Bind(parser parser) { | |||
|
|
|||
| parser.Flag("port", "HTTP port").Default("3100").IntVar(&cmd.port) | |||
| parser.Flag("allow-ip-query", "Allow client IP to be specified with ?ip. Development use only.").Default("false").BoolVar(&cmd.allowIPQuery) | |||
| parser.Flag("allowed-routes", "Proxy routes matching this regular expression").Default(".*").RegexpVar(&cmd.allowedRoutes) | |||
There was a problem hiding this comment.
Should the flag be plural - routes - if we only allow it to be specified once?
There was a problem hiding this comment.
it's a regular expression which can match many routes
There was a problem hiding this comment.
Perhaps then we could rename to specify that it's a regexp? So, change it to:
kiam server --whitelist-route-regexp=.*
Thoughts @Sambooo and @ewbankkit? Agree about the plural name though- we don't support multiple regexes so it'd be good to name it singularly to avoid confusion.
There was a problem hiding this comment.
Naming is the hardest problem 😄.
No particular opinion on this one but I think some documented examples would be good.
pkg/aws/metadata/handler_proxy.go
Outdated
| p.reverseProxy.ServeHTTP(writer, r) | ||
| return writer.status, nil | ||
| } else { | ||
| return http.StatusForbidden, fmt.Errorf("request blocked by allowedRoutes pattern %q: %s", p.allowedRoutes, route) |
There was a problem hiding this comment.
Is 403 the correct HTTP status code to return?
From RFC 7231:
An origin server that wishes to "hide" the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).
There was a problem hiding this comment.
the request is not allowed by (does not match) the allowed-routes regular expression, so the request is forbidden by the configuration. which status code should be returned in this case?
There was a problem hiding this comment.
I don't think there's a "correct" answer. Either would be valid.
There was a problem hiding this comment.
Given that RFC maybe we should favour 404?
We should still log that it was blocked via a warning because of the path regexp (so that its easy for operators to record/debug) but 404 feels like it leaks less information to clients.
@uswitch/cloud any other thoughts? Feels pretty close to a coin toss though 😄
There was a problem hiding this comment.
I have no issues with changing the status code here since I went with my gut and MAY means it's up to us. Flip that coin.
At the moment the flag parsing library we use will tell a user that this parameter is a regular expression, but it's possible that a migration to cobra or similar will make that help string disappear or change to 'string'. Since we don't test the output of `--help`, instead make the name reflect the type.
|
Awesome. Last piece of the puzzle is that we want to require metadata API routes to be whitelisted, rather than permitting all by default (this was originally raised in #60). I think once that's changed we're good to merge! |
| clientIP clientIPFunc | ||
| client server.Client | ||
| client server.Client | ||
| ipResolver clientIPFunc |
There was a problem hiding this comment.
I'd rename ipResolver to getClientIP
| ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) | ||
| defer cancel() | ||
|
|
||
| allowedRoutes := regexp.MustCompile("^$") |
There was a problem hiding this comment.
If we're not going to move this statement inside newProxyHandler I'd like the expression stored in a const for something like WhitelistDefaultBlockEverything so that it can be referenced in both the package and test.
| ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) | ||
| defer cancel() | ||
|
|
||
| allowedRoutes := regexp.MustCompile("foo.*") |
There was a problem hiding this comment.
Passing in a non-default regexp is fine though
| client server.Client | ||
| clientIP clientIPFunc | ||
| client server.Client | ||
| ipResolver clientIPFunc |
There was a problem hiding this comment.
As before, I'd prefer this to be named getClientIP.
pkg/aws/metadata/server.go
Outdated
| } | ||
|
|
||
| func NewConfig(port int) *ServerConfig { | ||
| func NewConfig(port int, allowIPQuery bool, whitelistRouteRegexp *regexp.Regexp) *ServerConfig { |
There was a problem hiding this comment.
I'd rather we didn't expand NewConfig to include all options.
To be honest, I'd prefer it didn't specify a port but set good defaults for everything and then clients set individual fields.
Otherwise, as the struct grows we're just adding more and more params to the function which isn't nice.
There was a problem hiding this comment.
Maybe we should rename the func to DefaultConfig too.
* Parameterise allowed metadata API routes * Add filtered metadata routes in the same way as other handlers * Add proxyHandler tests * Add whitelist-route-regexp flag * Block all non-kiam metadata api requests by default * Extract handler constructors to put default under test * Rename client IP func to getClientIP * Embed agent server options into CLI flags
Restrict metadata routes (#110) * Parameterise allowed metadata API routes * Add filtered metadata routes in the same way as other handlers * Add proxyHandler tests * Add whitelist-route-regexp flag * Block all non-kiam metadata api requests by default * Extract handler constructors to put default under test * Rename client IP func to getClientIP * Embed agent server options into CLI flags
* merging cherry-picked from missing v3 commit Restrict metadata routes (#110) * Parameterise allowed metadata API routes * Add filtered metadata routes in the same way as other handlers * Add proxyHandler tests * Add whitelist-route-regexp flag * Block all non-kiam metadata api requests by default * Extract handler constructors to put default under test * Rename client IP func to getClientIP * Embed agent server options into CLI flags * targets in Makefile to specify bin rather than phony
This set of changes adds a flag to
kiam agentwhich allows the user to provide a regular expression that a request path must match to be proxied to the metadata service. The parameter doesn't affect any requests that are handled by kiam directly.By default its value is set to
.*which means all requests are allowed.Resolves #60