From 2d434d2c2a0163b3797664dc41a2621671299c2a Mon Sep 17 00:00:00 2001 From: Christopher Fry Date: Fri, 6 Oct 2023 10:20:48 -0700 Subject: [PATCH 1/2] chore: skip server certificate verification for http requests in e2e tests (#15733) * chore: skip verifying server certificate for http requests in e2e tests Signed-off-by: Chris Fry * chore: skip certificate verification only for remote tests Signed-off-by: Chris Fry --------- Signed-off-by: Chris Fry --- test/e2e/fixture/http.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/test/e2e/fixture/http.go b/test/e2e/fixture/http.go index 58c56046d3858..1e818f5262024 100644 --- a/test/e2e/fixture/http.go +++ b/test/e2e/fixture/http.go @@ -2,6 +2,7 @@ package fixture import ( "bytes" + "crypto/tls" "encoding/json" "io" "net/http" @@ -27,7 +28,14 @@ func DoHttpRequest(method string, path string, data ...byte) (*http.Response, er return nil, err } req.AddCookie(&http.Cookie{Name: common.AuthCookieName, Value: token}) - return http.DefaultClient.Do(req) + + httpClient := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: IsRemote()}, + }, + } + + return httpClient.Do(req) } // DoHttpJsonRequest executes a http request against the Argo CD API server and unmarshals the response body as JSON From 19130538dca7770e9cc775b99a77d6056eefc1c6 Mon Sep 17 00:00:00 2001 From: Alexander Matyushentsev Date: Tue, 16 Jan 2024 10:54:13 -0800 Subject: [PATCH 2/2] fix: enforce content type header for API requests (#16860) Signed-off-by: Alexander Matyushentsev --- cmd/argocd-server/commands/argocd_server.go | 4 ++++ .../server-commands/argocd-server.md | 1 + server/server.go | 18 ++++++++++++++++++ test/e2e/fixture/http.go | 1 + 4 files changed, 24 insertions(+) diff --git a/cmd/argocd-server/commands/argocd_server.go b/cmd/argocd-server/commands/argocd_server.go index eea346eaed03d..57e8c7e043018 100644 --- a/cmd/argocd-server/commands/argocd_server.go +++ b/cmd/argocd-server/commands/argocd_server.go @@ -4,6 +4,7 @@ import ( "context" "fmt" "math" + "strings" "time" "github.com/argoproj/pkg/stats" @@ -58,6 +59,7 @@ func NewCommand() *cobra.Command { repoServerAddress string dexServerAddress string disableAuth bool + contentTypes string enableGZip bool tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error) cacheSrc func() (*servercache.Cache, error) @@ -177,6 +179,7 @@ func NewCommand() *cobra.Command { DexServerAddr: dexServerAddress, DexTLSConfig: dexTlsConfig, DisableAuth: disableAuth, + ContentTypes: strings.Split(contentTypes, ";"), EnableGZip: enableGZip, TLSConfigCustomizer: tlsConfigCustomizer, Cache: cache, @@ -224,6 +227,7 @@ func NewCommand() *cobra.Command { command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_SERVER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address") command.Flags().StringVar(&dexServerAddress, "dex-server", env.StringFromEnv("ARGOCD_SERVER_DEX_SERVER", common.DefaultDexServerAddr), "Dex server address") command.Flags().BoolVar(&disableAuth, "disable-auth", env.ParseBoolFromEnv("ARGOCD_SERVER_DISABLE_AUTH", false), "Disable client authentication") + command.Flags().StringVar(&contentTypes, "api-content-types", "application/json", "Semicolon separated list of allowed content types for non GET api requests. Any content type is allowed if empty.") command.Flags().BoolVar(&enableGZip, "enable-gzip", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_GZIP", true), "Enable GZIP compression") command.AddCommand(cli.NewVersionCmd(cliName)) command.Flags().StringVar(&listenHost, "address", env.StringFromEnv("ARGOCD_SERVER_LISTEN_ADDRESS", common.DefaultAddressAPIServer), "Listen on given address") diff --git a/docs/operator-manual/server-commands/argocd-server.md b/docs/operator-manual/server-commands/argocd-server.md index d39459ad181d6..bae01e493221a 100644 --- a/docs/operator-manual/server-commands/argocd-server.md +++ b/docs/operator-manual/server-commands/argocd-server.md @@ -16,6 +16,7 @@ argocd-server [flags] ``` --address string Listen on given address (default "0.0.0.0") + --api-content-types string Semicolon separated list of allowed content types for non GET api requests. Any content type is allowed if empty. (default "application/json") --app-state-cache-expiration duration Cache expiration for app state (default 1h0m0s) --application-namespaces strings List of additional namespaces where application resources can be managed in --as string Username to impersonate for the operation diff --git a/server/server.go b/server/server.go index d144575e7545a..69c3307066823 100644 --- a/server/server.go +++ b/server/server.go @@ -197,6 +197,7 @@ type ArgoCDServer struct { type ArgoCDServerOpts struct { DisableAuth bool + ContentTypes []string EnableGZip bool Insecure bool StaticAssetsDir string @@ -989,6 +990,9 @@ func (a *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWebHandl if a.EnableGZip { handler = compressHandler(handler) } + if len(a.ContentTypes) > 0 { + handler = enforceContentTypes(handler, a.ContentTypes) + } mux.Handle("/api/", handler) terminal := application.NewHandler(a.appLister, a.Namespace, a.ApplicationNamespaces, a.db, a.enf, a.Cache, appResourceTreeFn, a.settings.ExecShells, *a.sessionMgr). @@ -1055,6 +1059,20 @@ func (a *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWebHandl return &httpS } +func enforceContentTypes(handler http.Handler, types []string) http.Handler { + allowedTypes := map[string]bool{} + for _, t := range types { + allowedTypes[strings.ToLower(t)] = true + } + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.Method == http.MethodGet || allowedTypes[strings.ToLower(r.Header.Get("Content-Type"))] { + handler.ServeHTTP(w, r) + } else { + http.Error(w, "Invalid content type", http.StatusUnsupportedMediaType) + } + }) +} + // registerExtensions will try to register all configured extensions // in the given mux. If any error is returned while registering // extensions handlers, no route will be added in the given mux. diff --git a/test/e2e/fixture/http.go b/test/e2e/fixture/http.go index 1e818f5262024..00c123ab5d893 100644 --- a/test/e2e/fixture/http.go +++ b/test/e2e/fixture/http.go @@ -28,6 +28,7 @@ func DoHttpRequest(method string, path string, data ...byte) (*http.Response, er return nil, err } req.AddCookie(&http.Cookie{Name: common.AuthCookieName, Value: token}) + req.Header.Set("Content-Type", "application/json") httpClient := &http.Client{ Transport: &http.Transport{