Listen only on localhost for callbacks (#1125)

Co-authored-by: Marian Steinbach <marian@giantswarm.io>
giantswarm · Oct 16, 2023 · 6d39258 · 6d39258
1 parent b3847ce
commit 6d39258
Show file tree

Hide file tree

Showing 7 changed files with 123 additions and 53 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s
 
 - Make the `--organization` flag visible when templating App CR.
 
+### Fixed
+
+- `kubectl-gs login`: listen only on localhost for callbacks
+
 ## [2.43.0] - 2023-10-11
 
 ### Added

diff --git a/cmd/login/flag.go b/cmd/login/flag.go
@@ -9,10 +9,11 @@ import (
 )
 
 const (
-	flagClusterAdmin   = "cluster-admin"
-	flagInternalAPI    = "internal-api"
-	callbackServerPort = "callback-port"
-	flagKeepContext    = "keep-context"
+	flagClusterAdmin       = "cluster-admin"
+	flagInternalAPI        = "internal-api"
+	flagCallbackServerHost = "callback-host"
+	flagCallbackServerPort = "callback-port"
+	flagKeepContext        = "keep-context"
 
 	flagWCName              = "workload-cluster"
 	flagWCOrganization      = "organization"
@@ -33,6 +34,7 @@ const (
 )
 
 type flag struct {
+	CallbackServerHost string
 	CallbackServerPort int
 	ClusterAdmin       bool
 	InternalAPI        bool
@@ -57,7 +59,8 @@ type flag struct {
 }
 
 func (f *flag) Init(cmd *cobra.Command) {
-	cmd.Flags().IntVar(&f.CallbackServerPort, callbackServerPort, 0, "TCP port to use by the OIDC callback server. If not specified, a free port will be selected randomly.")
+	cmd.Flags().StringVar(&f.CallbackServerHost, flagCallbackServerHost, "localhost", "Address to listen on for the OIDC callback server. If not specified, it only listens on 'localhost'. Use an empty value or '0.0.0.0' to listen on all interfaces. The redirect URL will still contain 'http://localhost' since that is the allowed URL.")
+	cmd.Flags().IntVar(&f.CallbackServerPort, flagCallbackServerPort, 0, "TCP port to use by the OIDC callback server. If not specified, a free port will be selected randomly.")
 	cmd.Flags().BoolVar(&f.ClusterAdmin, flagClusterAdmin, false, "Log in as Giant Swarm staff member.")
 	cmd.Flags().BoolVar(&f.InternalAPI, flagInternalAPI, false, "Use Internal API in the kube config. Please check the documentation for more details.")
 	cmd.Flags().StringVar(&f.SelfContained, flagSelfContained, "", "Create a self-contained kubectl config with embedded credentials and write it to this path.")

diff --git a/cmd/login/login.go b/cmd/login/login.go
@@ -138,8 +138,7 @@ func (r *runner) loginWithInstallation(ctx context.Context, tokenOverride string
 				token:    tokenOverride,
 			}
 		} else {
-
-			authResult, err = handleOIDC(ctx, r.stdout, r.stderr, i, r.flag.ConnectorID, r.flag.ClusterAdmin, r.flag.CallbackServerPort, r.flag.LoginTimeout)
+			authResult, err = handleOIDC(ctx, r.stdout, r.stderr, i, r.flag.ConnectorID, r.flag.ClusterAdmin, r.flag.CallbackServerHost, r.flag.CallbackServerPort, r.flag.LoginTimeout)
 			if err != nil {
 				if errors.Is(err, context.DeadlineExceeded) || IsAuthResponseTimedOut(err) {
 					fmt.Fprintf(r.stderr, "\nYour authentication flow timed out after %s. Please execute the same command again.\n", r.flag.LoginTimeout.String())

diff --git a/cmd/login/oidc.go b/cmd/login/oidc.go
@@ -37,14 +37,15 @@ var (
 )
 
 // handleOIDC executes the OIDC authentication against an installation's authentication provider.
-func handleOIDC(ctx context.Context, out io.Writer, errOut io.Writer, i *installation.Installation, connectorID string, clusterAdmin bool, port int, oidcResultTimeout time.Duration) (authInfo, error) {
+func handleOIDC(ctx context.Context, out io.Writer, errOut io.Writer, i *installation.Installation, connectorID string, clusterAdmin bool, host string, port int, oidcResultTimeout time.Duration) (authInfo, error) {
 	ctx, cancel := context.WithTimeout(ctx, oidcResultTimeout)
 	defer cancel()
 
 	var err error
 	var authProxy *callbackserver.CallbackServer
 	{
 		config := callbackserver.Config{
+			Host:              host,
 			Port:              port,
 			RedirectURI:       oidcCallbackPath,
 			ReadHeaderTimeout: oidcReadHeaderTimeout,

diff --git a/go.mod b/go.mod
@@ -33,7 +33,7 @@ require (
 	github.com/stretchr/testify v1.8.4
 	github.com/xeipuuv/gojsonschema v1.2.0
 	go.mozilla.org/sops/v3 v3.7.3
-	golang.org/x/oauth2 v0.11.0
+	golang.org/x/oauth2 v0.13.0
 	gopkg.in/square/go-jose.v2 v2.6.0
 	gotest.tools/v3 v3.5.0
 	k8s.io/api v0.25.0
@@ -102,10 +102,10 @@ require (
 	github.com/google/go-github/v30 v30.1.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/s2a-go v0.1.4 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.3.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
+	github.com/google/uuid v1.3.1 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.1 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/goware/prefixer v0.0.0-20160118172347-395022866408 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
@@ -165,18 +165,17 @@ require (
 	go.opentelemetry.io/otel/metric v1.16.0 // indirect
 	go.opentelemetry.io/otel/trace v1.16.0 // indirect
 	go.starlark.net v0.0.0-20230807144010-2aa75752d1da // indirect
-	golang.org/x/crypto v0.12.0 // indirect
-	golang.org/x/net v0.15.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
-	golang.org/x/term v0.12.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
-	google.golang.org/api v0.135.0 // indirect
+	google.golang.org/api v0.147.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20230807174057-1744710a1577 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230807174057-1744710a1577 // indirect
-	google.golang.org/grpc v1.57.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231009173412-8bfb1ae86b6c // indirect
+	google.golang.org/grpc v1.58.2 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -205,8 +204,6 @@ replace (
 	github.com/hashicorp/vault/sdk v0.4.1 => github.com/hashicorp/vault/sdk v1.10.0
 	// CVE-2023-27561
 	github.com/opencontainers/runc v1.1.2 => github.com/opencontainers/runc v1.1.5
-	// CVE-2023-3978
-	golang.org/x/net => golang.org/x/net v0.13.0
 	golang.org/x/text => golang.org/x/text v0.11.0
 	helm.sh/helm/v3 => helm.sh/helm/v3 v3.11.1
 	sigs.k8s.io/cluster-api => sigs.k8s.io/cluster-api v1.0.4