-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(sdk): fixes trusted host is the same as index url. Fixes #10743 #10720
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@diegolovison This looks like that tests need to be updated with that change. Can you take a look? |
Two errors from the test suite. I don't see the relationship with my PR
|
@connor-mccarthy Hi, could you please help us review the PR? Thanks |
@diegolovison: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please describe why the change is needed? Is it due to changes from pip side? What kind of testing has been done? (IIRC, I don't think we have automated test covering this)
Hi @chensun, here is the description of the problem. Create a pipeline with the following
If you compile the code, the output will be
We believe that the problem is that the --trusted-host parameter value should not start with [https://|https://,/] , as it is supposed to be just hostname. So, the output provided by the SDK should be instead:
The workaround is to have a pip server only with protocol:URL ( without any port and path ). Example {{pip_index_urls=['https://my-bastion.node.com']}} It has been tracked internally this is why I forgot to mention the description here. For having a testing like that we need to have a pip server configured with https. Do you believe we should start having this kind of testing? |
Is this documented somewhere? |
Hi @gregsheremeta, thanks for asking. If you type:
|
Signed-off-by: Diego Lovison <[email protected]>
@chensun does the above satisfy your concerns? could we get another look? |
options.extend( | ||
f'--extra-index-url {extra_index_url} --trusted-host {extra_index_url}' | ||
f'--extra-index-url {extra_index_url} --trusted-host {urllib.parse.urlparse(extra_index_url).hostname}' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider the hostname
as good enough? No need to specify also the port in case it's present in the original URL? In other words - we trust all apps on that domain in such case, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we consider the hostname as good enough?
Yes, it is sufficient.
No need to specify also the port in case it's present in the original URL?
Correct. The fix doesn't involve the port number.
In other words - we trust all apps on that domain in such case, right?
Could you please rephrase your question?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That all was basically one question only - whether we feel confident and secure enough if we put just the hostname without the port here. IIUC the way it is done now means we trust all the services running on that hostname/domain. If we put also port number we would give our approval to only that one and only service that is listening on that one and only port.
Determining the port may be a bit tricky, though, since it may not be present in the URL explicitly but may need to be determined based on the default port of appropriate protocol in use in that URL. Though, we expect just HTTP(S) here, so it should be easy in the end, I guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Closed in favor of #11151 |
Description of your changes:
Create a pipeline with the following
If you compile the code, the output will be
We believe that the problem is that the --trusted-host parameter value should not start with [https://|https://,/] , as it is supposed to be just hostname. So, the output provided by the SDK should be instead:
The workaround is to have a pip server only with protocol:URL ( without any port and path ). Example {{pip_index_urls=['https://my-bastion.node.com']}}
Checklist: