fix(sdk): fixes trusted host is the same as index url. Fixes #10743 #10720
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@diegolovison This looks like that tests need to be updated with that change. Can you take a look? |
diegolovison
changed the title
|
Two errors from the test suite. I don't see the relationship with my PR |
|
@connor-mccarthy Hi, could you please help us review the PR? Thanks |
|
@diegolovison: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Hi @chensun, here is the description of the problem. Create a pipeline with the following If you compile the code, the output will be
We believe that the problem is that the --trusted-host parameter value should not start with [https://|https://,/] , as it is supposed to be just hostname. So, the output provided by the SDK should be instead: The workaround is to have a pip server only with protocol:URL ( without any port and path ). Example {{pip_index_urls=['https://my-bastion.node.com']}} It has been tracked internally this is why I forgot to mention the description here. For having a testing like that we need to have a pip server configured with https. Do you believe we should start having this kind of testing? |
Is this documented somewhere? |
|
Hi @gregsheremeta, thanks for asking. If you type: |
Signed-off-by: Diego Lovison <[email protected]>
|
@chensun does the above satisfy your concerns? could we get another look? |
| options.extend( | ||
| f'--extra-index-url {extra_index_url} --trusted-host {extra_index_url}' | ||
| f'--extra-index-url {extra_index_url} --trusted-host {urllib.parse.urlparse(extra_index_url).hostname}' |
There was a problem hiding this comment.
Should we consider the hostname as good enough? No need to specify also the port in case it's present in the original URL? In other words - we trust all apps on that domain in such case, right?
There was a problem hiding this comment.
Should we consider the hostname as good enough?
Yes, it is sufficient.
No need to specify also the port in case it's present in the original URL?
Correct. The fix doesn't involve the port number.
In other words - we trust all apps on that domain in such case, right?
Could you please rephrase your question?
There was a problem hiding this comment.
That all was basically one question only - whether we feel confident and secure enough if we put just the hostname without the port here. IIUC the way it is done now means we trust all the services running on that hostname/domain. If we put also port number we would give our approval to only that one and only service that is listening on that one and only port.
Determining the port may be a bit tricky, though, since it may not be present in the URL explicitly but may need to be determined based on the default port of appropriate protocol in use in that URL. Though, we expect just HTTP(S) here, so it should be easy in the end, I guess.
|
Closed in favor of #11151 |
Description of your changes:
Create a pipeline with the following
If you compile the code, the output will be
We believe that the problem is that the --trusted-host parameter value should not start with [https://|https://,/] , as it is supposed to be just hostname. So, the output provided by the SDK should be instead:
The workaround is to have a pip server only with protocol:URL ( without any port and path ). Example {{pip_index_urls=['https://my-bastion.node.com']}}
Checklist: