Improve handling of challenging OAuth clients #1684
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@jcantrill you'll need to add an "X-CSRF-Token" header (any value is allowed, it just has to be set) when making requests to /oauth/authorize with the openshift-challenging-client client_id. |
|
@brenton I think you also made use of the openshift-challenging-client... a custom header is now required when using that client to prevent CSRF browser attacks |
|
@deads2k review |
liggitt
changed the title
|
@TomasTomecek not sure what mechanism you are using to get OAuth tokens, but if you are using something that requires a basic-auth "WWW-Authenticate: Basic" challenge from the OpenShift OAuth server, you may need to start sending a "X-CSRF-Token: 1" header to continue getting the challenges. |
|
@liggitt am using basic auth for testing since I don't have kerberos on my dev instance. On prod it's requestheader provider. Thanks for headsup. |
|
|
||
| var ( | ||
| // http://tools.ietf.org/html/rfc2616#section-14.46 | ||
| warningRegex = regexp.MustCompile(`([0-9]{3}) ([^ ]+) "([^"]+)".*`) |
There was a problem hiding this comment.
I'm just going to trust you on this...
There was a problem hiding this comment.
Oh great, it's used. Three numbers, a space, one or more non-space characters, a space, a non-empty quoted string, and then whatever I want? If you're going to do this, handle the date instead of punting it and have fixed start and end.
Surely this is built into some library.
There was a problem hiding this comment.
Also, my pre-8am mind wants you to write tests for this regex, because they're always broken.
There was a problem hiding this comment.
clarified? commented and tested, anyway...
|
Making me read a regex first thing in the morning makes me grumpy. |
|
@liggitt Thanks. Updated the java client: openshift/openshift-restclient-java#6 |
|
comments addressed |
Before sending a basic-auth challenge, require a custom header.
|
lgtm. Well, I should clarify. That regex makes me want to run and hide, but now that it looks like a standard regex that we definitely can't read, squash and merge at will. |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1544/) (Image: devenv-fedora_1257) |
|
Evaluated for origin up to 7ecd59d |
openshift-bot
pushed a commit
that referenced
this pull request
Apr 10, 2015
Merged by openshift-bot
jpeeler
pushed a commit
to jpeeler/origin
that referenced
this pull request
Mar 1, 2018
…service-catalog/' changes from b758460ba7..c3e3071633 c3e3071633 origin build: add origin tooling 97ddbab chart changes for v0.1.9 (openshift#1776) b5168a7 Add unit tests for class, instance, plan backends in svcat (openshift#1763) 97d11cb prometheus: only return catalog specific metrics (openshift#1774) 0fb00e3 Bump dependency on go-open-service-broker-client to 0.0.4 (openshift#1775) 0a9f1e4 Reset RemovedFromBrokerCatalog when broker re-adds a removed service class (openshift#1770) 28ec5ed Bump dependency on go-open-service-broker-client to 0.0.3 (openshift#1768) ca83d18 handle binding deletion that occurs during async bind (openshift#1760) 858d467 2 of 4 fixes for golang 1.10 (openshift#1764) 656156b Add unit tests for binding and broker backends in svcat ec05486 In svcat verify service instance exists on unbind (openshift#1750) e6315a4 fix indentation from openshift#1725 (openshift#1759) 62284da Publish svcat binaries during build (openshift#1725) 8f986ae also build with golang tip and allow tip to fail (openshift#1734) 127561e use pvc for etcd volume (openshift#1684) 7d155e5 Ensure only href-checker runs on docs only commit (openshift#1693) 4ea44c4 log the version and build date on server startup (openshift#1746) 0db9519 allow getting and describing plans with class/plan name combo in svcat (openshift#1743) b1da783 print schemas when describing plan in svcat (openshift#1740) 7a7fcce Add constraint for go-open-service-broker-client (openshift#1738) 3070003 Increase timeout for broker condition polling in e2e (openshift#1745) b6878f7 Avoid Setting Authentication header twice (openshift#1685) 5317111 wrap "rm -rf" with docker (openshift#1735) d7c0bf2 Allow upper case letters in Plan names (openshift#1668) 6b27ba6 Add a constraint on go-autorest (openshift#1732) b3de6ec Added validation for ServiceBinding spec ParametersFrom REVERT: b758460ba7 origin build: modify hard coded path REVERT: 871582f73a origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: c3e3071633b91541cf9f1000d2d5115cdd31de1b
jpeeler
pushed a commit
to jpeeler/origin
that referenced
this pull request
Mar 1, 2018
…service-catalog/' changes from b758460ba7..c3e3071633 c3e3071633 origin build: add origin tooling 97ddbab chart changes for v0.1.9 (openshift#1776) b5168a7 Add unit tests for class, instance, plan backends in svcat (openshift#1763) 97d11cb prometheus: only return catalog specific metrics (openshift#1774) 0fb00e3 Bump dependency on go-open-service-broker-client to 0.0.4 (openshift#1775) 0a9f1e4 Reset RemovedFromBrokerCatalog when broker re-adds a removed service class (openshift#1770) 28ec5ed Bump dependency on go-open-service-broker-client to 0.0.3 (openshift#1768) ca83d18 handle binding deletion that occurs during async bind (openshift#1760) 858d467 2 of 4 fixes for golang 1.10 (openshift#1764) 656156b Add unit tests for binding and broker backends in svcat ec05486 In svcat verify service instance exists on unbind (openshift#1750) e6315a4 fix indentation from openshift#1725 (openshift#1759) 62284da Publish svcat binaries during build (openshift#1725) 8f986ae also build with golang tip and allow tip to fail (openshift#1734) 127561e use pvc for etcd volume (openshift#1684) 7d155e5 Ensure only href-checker runs on docs only commit (openshift#1693) 4ea44c4 log the version and build date on server startup (openshift#1746) 0db9519 allow getting and describing plans with class/plan name combo in svcat (openshift#1743) b1da783 print schemas when describing plan in svcat (openshift#1740) 7a7fcce Add constraint for go-open-service-broker-client (openshift#1738) 3070003 Increase timeout for broker condition polling in e2e (openshift#1745) b6878f7 Avoid Setting Authentication header twice (openshift#1685) 5317111 wrap "rm -rf" with docker (openshift#1735) d7c0bf2 Allow upper case letters in Plan names (openshift#1668) 6b27ba6 Add a constraint on go-autorest (openshift#1732) b3de6ec Added validation for ServiceBinding spec ParametersFrom REVERT: b758460ba7 origin build: modify hard coded path REVERT: 871582f73a origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: c3e3071633b91541cf9f1000d2d5115cdd31de1b
jpeeler
pushed a commit
to jpeeler/origin
that referenced
this pull request
Mar 8, 2018
…service-catalog/' changes from b758460ba7..c3e3071633 c3e3071633 origin build: add origin tooling 97ddbab chart changes for v0.1.9 (openshift#1776) b5168a7 Add unit tests for class, instance, plan backends in svcat (openshift#1763) 97d11cb prometheus: only return catalog specific metrics (openshift#1774) 0fb00e3 Bump dependency on go-open-service-broker-client to 0.0.4 (openshift#1775) 0a9f1e4 Reset RemovedFromBrokerCatalog when broker re-adds a removed service class (openshift#1770) 28ec5ed Bump dependency on go-open-service-broker-client to 0.0.3 (openshift#1768) ca83d18 handle binding deletion that occurs during async bind (openshift#1760) 858d467 2 of 4 fixes for golang 1.10 (openshift#1764) 656156b Add unit tests for binding and broker backends in svcat ec05486 In svcat verify service instance exists on unbind (openshift#1750) e6315a4 fix indentation from openshift#1725 (openshift#1759) 62284da Publish svcat binaries during build (openshift#1725) 8f986ae also build with golang tip and allow tip to fail (openshift#1734) 127561e use pvc for etcd volume (openshift#1684) 7d155e5 Ensure only href-checker runs on docs only commit (openshift#1693) 4ea44c4 log the version and build date on server startup (openshift#1746) 0db9519 allow getting and describing plans with class/plan name combo in svcat (openshift#1743) b1da783 print schemas when describing plan in svcat (openshift#1740) 7a7fcce Add constraint for go-open-service-broker-client (openshift#1738) 3070003 Increase timeout for broker condition polling in e2e (openshift#1745) b6878f7 Avoid Setting Authentication header twice (openshift#1685) 5317111 wrap "rm -rf" with docker (openshift#1735) d7c0bf2 Allow upper case letters in Plan names (openshift#1668) 6b27ba6 Add a constraint on go-autorest (openshift#1732) b3de6ec Added validation for ServiceBinding spec ParametersFrom REVERT: b758460ba7 origin build: modify hard coded path REVERT: 871582f73a origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: c3e3071633b91541cf9f1000d2d5115cdd31de1b
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
oscsend the custom headeroscwhen login fails (because of bad credentials or because cli login isn't supported)