Conditionally deny access to web console #4046
Auth is needed for OAuth and CLI login. Only disable the asset bits
@@ -22,6 +22,10 @@ import ( | |||
// then returns an array of strings indicating what endpoints were started | |||
// (these are format strings that will expect to be sent a single string value). | |||
func (c *AssetConfig) InstallAPI(container *restful.Container) []string { | |||
if c.WebConsoleDisabled { |
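Review bot: the early return behind `if c.WebConsoleDisabled {` sits inside InstallAPI, whose doc comment above promises an array of the endpoints it started, so the disabled case needs to say what it returns (an empty slice rather than nil, so callers ranging over the result behave identically). Better still, do not construct an AssetConfig at all when the feature is disabled; then no asset code path has to remember to consult the flag.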
doesn't belong here... just skip building the AssetConfig entirely if web console is disabled
Thanks @liggitt, rework has just started.
Haven't touched the authentication part yet. Need to investigate a bit further. CLI login works with Web Console disabled (tested with default TODO: write some tests. Update: Access to
Looks unfriendly to me.
cli uses the
e.g. https://master.example.com:8443/oauth/token/request, which is needed in order to get a token for the CLI if an identity provider that doesn't support challenge headers is configured
@@ -72,6 +73,7 @@ func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error) { | |||
ret := &AuthConfig{ | |||
Options: *options.OAuthConfig, | |||
|
|||
WebConsoleDisabled: options.DisabledFeatures.Has(configapi.FeatureWebConsole), |
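Review bot: `WebConsoleDisabled: options.DisabledFeatures.Has(configapi.FeatureWebConsole)` puts a second copy of the same feature decision into AuthConfig, next to the one the asset code already carries, so the two can drift. Compute it once (a helper on MasterConfig) and keep AuthConfig free of console state; the only auth-side effect of disabling the console is that the asset public URL list is empty.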
remove this... the only difference the web console being disabled should make to auth is that assetPublicURLs be empty
37b39ab to 05936e2
If the web console component is disabled through `FeatureConfig`, deny all the access to it. Signed-off-by: Michal Minar <miminar@redhat.com>
05936e2 to c8ca2fd
Rebased, reverted auth part and added simple tests. @liggitt, is it any better now?
@@ -253,6 +241,10 @@ oc get services | |||
mv ${HOME}/.kube/config ${HOME}/.kube/non-default-config | |||
echo "config files: ok" | |||
|
|||
# Test access to /console/ | |||
$(which curl) -sfL --max-time 5 "${API_SCHEME}://${API_HOST}:${API_PORT}/console/" | grep '<title>' |
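Review bot: the pipeline `$(which curl) ... | grep '<title>'` reports only grep's exit status, so under plain errexit a curl failure (`-f` on a 4xx, a `--max-time` timeout) is masked unless `set -o pipefail` is active; enable pipefail or check curl's status on its own. As written the command passes no CA or client-cert arguments, so with an https `${API_SCHEME}` the `-f` fails on the server certificate unless the CURL_* variables mentioned in the thread are actually spliced into this line. It also covers only the enabled case; since this PR denies /console/ when the feature is off, add the inverse check (non-2xx, no `<title>`) against a config with the console disabled.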
won't this fail with cert errors?
CURL_* variables are set above.
looks a lot cleaner, a good integration test and we should be ok
update the PR title and description with the updated content
@liggitt Added integration test. I'm concerned about
} | ||
if resp.Header.Get("Location") != masterConfig.AssetConfig.PublicURL { | ||
t.Errorf("Expected %s, got %s", masterConfig.AssetConfig.PublicURL, resp.Header.Get("Location")) | ||
} |
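Review bot: the Location comparison reads the header from `resp`, but the snippet does not show how the request was issued; a default Go http.Client follows the 302, so `resp` would be the final response with no Location header and the check could never match `masterConfig.AssetConfig.PublicURL`. Use a client whose CheckRedirect returns http.ErrUseLastResponse, then add an explicit GET of the public URL asserting 200 so the test proves the UI is served rather than only that a redirect is emitted.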
should also GET the asset public URL to make sure the UI is served
09917a9 to 465193b
@@ -428,6 +428,10 @@ func (c *MasterConfig) RouteAllocatorClients() (*osclient.Client, *kclient.Clien | |||
return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient | |||
} | |||
|
|||
func (c *MasterConfig) WebConsoleEnabled() bool { |
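Review bot: `func (c *MasterConfig) WebConsoleEnabled() bool {` lands without a doc comment; Go convention is a `// WebConsoleEnabled returns true when ...` line that names each condition the body evaluates, otherwise a reader has to open the body to discover that more than the feature flag is involved.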
godoc, since the two conditions aren't obvious from the name of the function
Signed-off-by: Michal Minar <miminar@redhat.com>
Signed-off-by: Michal Minar <miminar@redhat.com>
@liggitt could you take one more look?
Signed-off-by: Michal Minar <miminar@redhat.com>
if resp.StatusCode != expectedStatus { | ||
t.Errorf("Expected status %d for %s, got %d", expectedStatus, url, resp.StatusCode) | ||
} else { | ||
if expectedRedirectLocation != "" { |
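Review bot: nesting `if expectedRedirectLocation != "" {` inside the `else` means a wrong status code silently skips the Location check, and the guard itself means an unexpected Location when "" is expected is never reported. Drop both and compare unconditionally after the status check, e.g. `if got := resp.Header.Get("Location"); got != expectedRedirectLocation { t.Errorf("Expected Location %q for %s, got %q", expectedRedirectLocation, url, got) }`.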
this shouldn't be in an else
actually, the check shouldn't even be conditional... if we expect "", and get "foo", that's an error
Done.
Signed-off-by: Michal Minar <miminar@redhat.com>
}{ | ||
"": {http.StatusFound, masterOptions.AssetConfig.PublicURL}, | ||
"healthz": {http.StatusOK, ""}, | ||
"login": {http.StatusOK, ""}, |
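Review bot: the table lists only paths that must keep working (`""`, `"healthz"`, `"login"`), so a regression in the denial this PR introduces would still pass; add `"console"`, `"console/"` and a path below `console/` expecting the denied status, plus `"oauth/token/request"` expecting a 302 to `oauth/authorize?...` so the OAuth flow the CLI depends on stays covered. Since map iteration order is random, keep the path in every t.Errorf message, as the hunk above already does.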
add "oauth/token/request" expecting a redirect to "oauth/authorize?..." to make sure OAuth is still hooked up
Added, good suggestions.
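The table-driven check the review converges on (a client that does not follow redirects, an unconditional Location comparison, and negative cases for the console paths), as an added Go example that is not the project's own test code. The fake master, its public URL and the oauth/authorize query string are constructed stand-ins for the real server.

```go
package main
import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// expectation is the status code and exact Location header ("" = none) for one path.
type expectation struct{ status int; location string }
// checkEndpoints GETs each path under baseURL and returns one error per mismatch. The client
// must not follow redirects, or a 302 is replaced by the final response and Location is lost.
func checkEndpoints(baseURL string, cases map[string]expectation) []error {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	var errs []error
	for path, want := range cases {
		resp, err := client.Get(baseURL + "/" + path)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s: %v", path, err))
			continue
		}
		resp.Body.Close()
		if resp.StatusCode != want.status {
			errs = append(errs, fmt.Errorf("%s: want status %d, got %d", path, want.status, resp.StatusCode))
		}
		// Checked unconditionally: expecting "" and getting "foo" is an error too.
		if got := resp.Header.Get("Location"); got != want.location {
			errs = append(errs, fmt.Errorf("%s: want Location %q, got %q", path, want.location, got))
		}
	}
	return errs
}
// newFakeMaster is a constructed stand-in, not the project's server: healthz/login and OAuth
// always answer, "/" redirects to publicURL, and /console* is served only when enabled.
func newFakeMaster(publicURL string, consoleEnabled bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch p := r.URL.Path; {
		case p == "/":
			http.Redirect(w, r, publicURL, http.StatusFound)
		case p == "/healthz" || p == "/login":
			w.WriteHeader(http.StatusOK)
		case p == "/oauth/token/request":
			http.Redirect(w, r, "/oauth/authorize?client_id=openshift-browser-client", http.StatusFound)
		case strings.HasPrefix(p, "/console") && consoleEnabled:
			fmt.Fprint(w, "<title>OpenShift Web Console</title>")
		default:
			http.NotFound(w, r)
		}
	}))
}
```

Run checkEndpoints once against a master built with the console disabled and once with it enabled; the disabled table must include the console paths with the denied status, and the enabled one a 200 for the public URL.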
a couple last checks for OAuth, then LGTM
Signed-off-by: Michal Minar <miminar@redhat.com>
@liggitt another ping :)
LGTM, [merge]
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/2940/) (Image: devenv-fedora_2147)
Evaluated for origin merge up to 70af553
[Test]ing while waiting on the merge queue
@liggitt Thanks!
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/4040/)
Evaluated for origin test up to 70af553
Merged by openshift-bot
@stevekuznetsov actually the tests run just fine. The problem is they can't be disabled :-). Adding Update: Looks like you've already taken care of it :-)
@miminar Yes, interestingly enough the logic for running tests did run yours. All is well.
If the web console component is disabled through masterConfig.DisabledFeatures, deny all access to:
$MASTER_URL/console
$MASTER_URL/console/*
And prevent the HTTP server for static assets from running.
Signed-off-by: Michal Minar miminar@redhat.com