From 6d94dd1a05b72b397458b642186864a033885b49 Mon Sep 17 00:00:00 2001
From: Pengcheng Tang
Date: Wed, 11 Nov 2015 11:35:22 +0800
Subject: [PATCH] Change order of CORS and authenticatedHandler for secureHandler.
---
 pkg/master/master.go | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/pkg/master/master.go b/pkg/master/master.go
index 193b1acafd9..d6aa3a9212c 100644
--- a/pkg/master/master.go
+++ b/pkg/master/master.go
@@ -711,21 +711,12 @@ func (m *Master) init(c *Config) {
 	}
 	handler := http.Handler(m.mux.(*http.ServeMux))
+	insecureHandler := handler
 	// TODO: handle CORS and auth using go-restful
 	// See github.com/emicklei/go-restful/blob/master/examples/restful-CORS-filter.go, and
 	// github.com/emicklei/go-restful/blob/master/examples/restful-basic-authentication.go
-	if len(c.CorsAllowedOriginList) > 0 {
-		allowedOriginRegexps, err := util.CompileRegexps(c.CorsAllowedOriginList)
-		if err != nil {
-			glog.Fatalf("Invalid CORS allowed origin, --cors-allowed-origins flag was set to %v - %v", strings.Join(c.CorsAllowedOriginList, ","), err)
-		}
-		handler = apiserver.CORS(handler, allowedOriginRegexps, nil, nil, "true")
-	}
-
-	m.InsecureHandler = handler
-
 	attributeGetter := apiserver.NewRequestAttributeGetter(m.requestContextMapper, m.newRequestInfoResolver())
 	handler = apiserver.WithAuthorizationCheck(handler, attributeGetter, m.authorizer)
@@ -738,6 +729,19 @@ func (m *Master) init(c *Config) {
 		handler = authenticatedHandler
 	}
+	// Since OPTIONS request cannot carry authn headers (by w3c standards), we are doing CORS check
+	// before auth check. Otherwise all the CORS request will be rejected.
+	if len(c.CorsAllowedOriginList) > 0 {
+		allowedOriginRegexps, err := util.CompileRegexps(c.CorsAllowedOriginList)
+		if err != nil {
+			glog.Fatalf("Invalid CORS allowed origin, --cors-allowed-origins flag was set to %v - %v", strings.Join(c.CorsAllowedOriginList, ","), err)
+		}
+		handler = apiserver.CORS(handler, allowedOriginRegexps, nil, nil, "true")
+		insecureHandler = apiserver.CORS(insecureHandler, allowedOriginRegexps, nil, nil, "true")
+	}
+
+	m.InsecureHandler = insecureHandler
+
 	// Install root web services
 	m.handlerContainer.Add(m.rootWebService)
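Review bot: The new comment above the CORS block explains why CORS now wraps the authenticated handler but not the property the reorder depends on: `apiserver.CORS` must answer only preflight (OPTIONS) requests itself and hand every other request down to the authn/authz wrappers, otherwise wrapping outside auth would expose more than preflights to unauthenticated callers; that behaviour is not visible in this hunk, so I would record it as the invariant being relied on, e.g. `// CORS must only short-circuit preflight (OPTIONS) requests; everything else still has to reach the authn/authz wrappers wired above.` Next to the `"true"` argument it is also worth noting that, with credentials allowed, the compiled `--cors-allowed-origins` patterns are now the sole gate on the unauthenticated preflight path, so the flag's regexps need to be anchored and specific (whether `util.CompileRegexps` anchors them is not shown here). Minor wording: `// Preflight (OPTIONS) requests cannot carry authentication headers, so the CORS check runs before the auth check; otherwise every cross-origin request would be rejected.` The enclosing `init` starts and ends outside this hunk.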