Bug 1512708

Summary: vague behavior of a "corsAllowedOrigins" parameter in a "master-config.yaml" configuration file
Product: OpenShift Container Platform Reporter: Scott Dodson <sdodson>
Component: InstallerAssignee: Kenny Woodson <kwoodson>
Status: CLOSED ERRATA QA Contact: Johnny Liu <jialiu>
Severity: high Docs Contact:
Priority: high    
Version: 3.7.0CC: aos-bugs, dcaldwel, jokerman, kwoodson, mmccomas, vigoyal, xtian
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: 1482903 Environment:
Last Closed: 2017-11-28 22:22:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1482903    
Bug Blocks:    

Description Scott Dodson 2017-11-13 21:55:41 UTC 
+++ This bug was initially created as a clone of Bug #1482903 +++

Description of problem:

"corsAllowedOrigins" parameter in a "master-config.yaml" configuration file behavior is either not documented well or leads to a possible security leak.
It is possible to set it to "something" and both "something" and "something.hostile.com" in an "Origin:" HTTP header will be matched as valid.
It is also possible to set it to "127.0.0.1" and "127a0b0c1" will be matched as valid.

Version-Release number of selected component (if applicable):

- not applicable

How reproducible:

- see description above

Steps to Reproduce:

- see description above

Actual results:

- see description above

Expected results:

- see description above

Additional info:

https://github.com/openshift/origin/blob/master/vendor/github.com/emicklei/go-restful/cors_filter.go#L195
https://github.com/openshift/origin/blob/master/vendor/github.com/emicklei/go-restful/cors_filter.go#L145
https://github.com/kubernetes/apiserver/blob/master/pkg/server/filters/cors.go#L91
https://github.com/kubernetes/apiserver/blob/master/pkg/server/filters/cors.go#L46
https://golang.org/pkg/regexp/#Compile

--- Additional comment from Jordan Liggitt on 2017-08-18 21:12:38 EDT ---

Correct. It is a regular expression, fully under the control of the config field (i.e. no pinning or escaping is done to the value)

We can update documentation to make that clearer

--- Additional comment from Alexander Zagaynov on 2017-08-30 07:55:31 EDT ---

I've added a PR to `openshift-ansible` repo about that: https://github.com/openshift/openshift-ansible/pull/5264
Comment 1 Scott Dodson 2017-11-13 21:58:24 UTC 
The PR in comment 0 introduced a regression in 3.7 that would break the console when a regex were used so we should treat this as a blocker.
Comment 2 Kenny Woodson 2017-11-13 22:07:45 UTC 
While installing the latest version of openshift (atomic-openshift-3.7.4-1.git.0.472090f.el7.x86_64) I ran into an issue when attempting to access the console.

Here is what the api logs on the master showed:
---
Nov 13 17:37:43 ip-172-31-52-55.ec2.internal atomic-openshift-master-api[55302]: I1113 17:37:43.739788   55302 wrap.go:42] GET /console/error?error=&error_description=&error_uri=: (122.196µs) 304 [[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36] 172.31.50.4:22717]
---

The console stated that it had an error:
---
Error
An error has occurred


Return to the console.

---

Then I was pointed to look at the client side javascript which showed this error:
Failed to load https://api.opstest.openshift.com/apis/apiextensions.k8s.io/v1beta1: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://console.opstest.openshift.com' is therefore not allowed access.

After discussing the issue with Jordan, he stated that the regular expression in this PR wasn't quite correct:
https://github.com/openshift/openshift-ansible/pull/5264/files

It was starting at the beginning of the string with the \A (anchor) and was not including the protocol portion of the string.

It also does not include an optional :port.

The new PR https://github.com/openshift/openshift-ansible/pull/6104
attempts to encompass these.

I tested locally and it appeared to fix the console error.

To reproduce the console problem:
1. Install with changes from master
2. Visit the console of the cluster.  (My console was console.opstest.openshift.com)
3. Verify the console error appears.
Comment 3 Scott Dodson 2017-11-14 13:40:09 UTC 
Picked back into release-3.7 here https://github.com/openshift/openshift-ansible/pull/6107
Comment 5 Johnny Liu 2017-11-15 08:02:25 UTC 
Verified this bug with openshift-ansible-3.7.8-1.git.0.9a3db79.el7.noarch, and PASS.


corsAllowedOrigins:
- (?i)//127\.0\.0\.1(:|\z)
- (?i)//localhost(:|\z)
- (?i)//172\.18\.8\.68(:|\z)
- (?i)//54\.91\.243\.78(:|\z)
- (?i)//openshift\.default\.svc(:|\z)
- (?i)//kubernetes\.default(:|\z)
- (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes(:|\z)
- (?i)//openshift\.default(:|\z)
- (?i)//ec2\-54\-91\-243\-78\.compute\-1\.amazonaws\.com(:|\z)
- (?i)//172\.30\.0\.1(:|\z)
- (?i)//ip\-172\-18\-8\-68\.ec2\.internal(:|\z)
- (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes\.default\.svc(:|\z)
- (?i)//openshift(:|\z)
- (?i)//foo\.example\.com(:|\z)
- (?i)//bar\.example\.com(:|\z)


Because QE can not reproduce this bug in our own cluster, @Kenny, could you keep an eye on it, once it does not fix your issue, pls reopen this bug.
Comment 7 Johnny Liu 2017-11-16 02:32:26 UTC 
According to comment 5, move this bug to "VERIFIED".
Comment 10 errata-xmlrpc 2017-11-28 22:22:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188