From 6b37093914af8236c35754689aadc6880a1c02a9 Mon Sep 17 00:00:00 2001
From: Andrew Lavery
Date: Mon, 30 Oct 2023 19:02:05 +0200
Subject: [PATCH 1/2] block some unauthenticated routes in kurl-proxy

---
 kurl_proxy/cmd/main.go | 17 +++++++++++++++++
 pkg/handlers/handlers.go | 3 +++
 2 files changed, 20 insertions(+)

diff --git a/kurl_proxy/cmd/main.go b/kurl_proxy/cmd/main.go
index bf408803be..c97505a667 100644
--- a/kurl_proxy/cmd/main.go
+++ b/kurl_proxy/cmd/main.go
@@ -449,6 +449,23 @@ func getHttpsServer(upstream, dexUpstream *url.URL, tlsSecretName string, secret
 }()
 })
 
+ // these paths should not be exposed outside the cluster
+ r.PUT("/api/v1/troubleshoot/:appId/:bundleId", func(c *gin.Context) {
+ c.AbortWithStatus(http.StatusForbidden)
+ })
+ r.PUT("/api/v1/troubleshoot/supportbundle/:bundleId/redactions", func(c *gin.Context) {
+ c.AbortWithStatus(http.StatusForbidden)
+ })
+ r.POST("/api/v1/preflight/app/:appSlug/sequence/:sequence", func(c *gin.Context) {
+ c.AbortWithStatus(http.StatusForbidden)
+ })
+ r.GET("/license/v1/license", func(c *gin.Context) {
+ c.AbortWithStatus(http.StatusForbidden)
+ })
+ r.POST("/api/v1/app/custom-metrics", func(c *gin.Context) {
+ c.AbortWithStatus(http.StatusForbidden)
+ })
+
 if dexUpstream != nil {
 r.Any("/dex/*path", gin.WrapH(httputil.NewSingleHostReverseProxy(dexUpstream)))
 }
diff --git a/pkg/handlers/handlers.go b/pkg/handlers/handlers.go
index f8853fc4b1..7af485a2d1 100644
--- a/pkg/handlers/handlers.go
+++ b/pkg/handlers/handlers.go
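Review bot: Each new deny entry matches a single HTTP method (`r.PUT`, `r.POST`, `r.GET`), so the same path requested with any other method never reaches the 403 handler and falls through to whatever fallback forwards unmatched requests upstream (that fallback is not in this hunk, only the `/dex/*path` proxy is). The handlers.go hunk in this same patch registers its unauthenticated routes with `HandleFunc` and no `.Methods()` restriction; if the troubleshoot, preflight, license and custom-metrics handlers are registered the same way (not shown here), a POST to `/license/v1/license` or a PATCH to the troubleshoot path would be served by the upstream despite this block. Register the blocks with `r.Any` so the proxy's deny decision does not depend on the upstream's method matching, and keep the paths in one slice so the list is audited in a single place. getHttpsServer starts and ends outside this hunk.

```go
	// these paths should not be exposed outside the cluster; block every
	// method, not just the one the upstream handler is expected to use
	for _, p := range []string{
		"/api/v1/troubleshoot/:appId/:bundleId",
		"/api/v1/troubleshoot/supportbundle/:bundleId/redactions",
		"/api/v1/preflight/app/:appSlug/sequence/:sequence",
		"/license/v1/license",
		"/api/v1/app/custom-metrics",
	} {
		r.Any(p, func(c *gin.Context) {
			c.AbortWithStatus(http.StatusForbidden)
		})
	}
	// … unchanged: dex proxy registration …
```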
@@ -339,6 +339,9 @@ func RegisterTokenAuthRoutes(handler *Handler, debugRouter *mux.Router, loggingR
 }
 
 func RegisterUnauthenticatedRoutes(handler *Handler, kotsStore store.Store, debugRouter *mux.Router, loggingRouter *mux.Router) {
+ // These routes are not authenticated
+ // if the route does not need to be accessed from outside the cluster, it should be blocked in kurl-proxy
+
 debugRouter.HandleFunc("/healthz", handler.Healthz)
 loggingRouter.HandleFunc("/api/v1/login", handler.Login)
 loggingRouter.HandleFunc("/api/v1/login/info", handler.GetLoginInfo)

From 4536345b8a4b9a4269a369936dd52b1f81774c93 Mon Sep 17 00:00:00 2001
From: Andrew Lavery
Date: Fri, 3 Nov 2023 17:38:46 +0200
Subject: [PATCH 2/2] do not block troubleshoot routes

---
 kurl_proxy/cmd/main.go | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/kurl_proxy/cmd/main.go b/kurl_proxy/cmd/main.go
index c97505a667..b0a69d0f59 100644
--- a/kurl_proxy/cmd/main.go
+++ b/kurl_proxy/cmd/main.go
@@ -450,15 +450,6 @@ func getHttpsServer(upstream, dexUpstream *url.URL, tlsSecretName string, secret
 })
 
 // these paths should not be exposed outside the cluster
- r.PUT("/api/v1/troubleshoot/:appId/:bundleId", func(c *gin.Context) {
- c.AbortWithStatus(http.StatusForbidden)
- })
- r.PUT("/api/v1/troubleshoot/supportbundle/:bundleId/redactions", func(c *gin.Context) {
- c.AbortWithStatus(http.StatusForbidden)
- })
- r.POST("/api/v1/preflight/app/:appSlug/sequence/:sequence", func(c *gin.Context) {
- c.AbortWithStatus(http.StatusForbidden)
- })
 r.GET("/license/v1/license", func(c *gin.Context) {
 c.AbortWithStatus(http.StatusForbidden)
 })
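Review bot: The added comment hands the exposure decision to a deny list in a different binary but names neither where that list lives (kurl_proxy/cmd/main.go in this same patch) nor which of the routes registered here are intentionally public, so a route added to this function later has nothing in front of it prompting the matching proxy block. Make the comment actionable by naming the file and the default, e.g. `// These routes are not authenticated. Every route registered here is reachable without credentials unless kurl_proxy/cmd/main.go returns 403 for it; add a block there for any route that is only needed from inside the cluster.` A test that asserts the proxy's block list covers each cluster-internal route registered here would turn this hand-kept invariant into something CI enforces rather than a comment that can drift. RegisterUnauthenticatedRoutes continues past the end of this hunk.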