Conditionally deny access to web console #4046
Conversation
|
Auth is needed for OAuth and CLI login. Only disable the asset bits |
| @@ -22,6 +22,10 @@ import ( | |||
| // then returns an array of strings indicating what endpoints were started | |||
| // (these are format strings that will expect to be sent a single string value). | |||
| func (c *AssetConfig) InstallAPI(container *restful.Container) []string { | |||
| if c.WebConsoleDisabled { | |||
There was a problem hiding this comment.
doesn't belong here... just skip building the AssetConfig entirely if web console is disabled
|
Thanks @liggitt, rework has just started. |
|
Haven't touched the authentication part yet. Need to investigate a bit further. CLI login works with Web Console disabled (tested with default TODO: write some tests. Update: Access to Looks unfriendly to me. |
|
cli uses the |
|
e.g. https://master.example.com:8443/oauth/token/request, which is needed in order to get a token for the CLI if an identity provider that doesn't support challenge headers is configured |
| @@ -72,6 +73,7 @@ func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error) { | |||
| ret := &AuthConfig{ | |||
| Options: *options.OAuthConfig, | |||
|
|
|||
| WebConsoleDisabled: options.DisabledFeatures.Has(configapi.FeatureWebConsole), | |||
There was a problem hiding this comment.
remove this... the only difference the web console being disabled should make to auth is that assetPublicURLs be empty
miminar
force-pushed
the
disable-web-console
branch
from
37b39ab
to
05936e2
Compare
If the web console component is disabled through `FeatureConfig`, deny all the access to it. Signed-off-by: Michal Minar <miminar@redhat.com>
miminar
force-pushed
the
disable-web-console
branch
from
05936e2
to
c8ca2fd
Compare
|
Rebased, reverted auth part and added simple tests. @liggitt, is it any better now? |
| @@ -253,6 +241,10 @@ oc get services | |||
| mv ${HOME}/.kube/config ${HOME}/.kube/non-default-config | |||
| echo "config files: ok" | |||
|
|
|||
| # Test access to /console/ | |||
| $(which curl) -sfL --max-time 5 "${API_SCHEME}://${API_HOST}:${API_PORT}/console/" | grep '<title>' | |||
There was a problem hiding this comment.
won't this fail with cert errors?
There was a problem hiding this comment.
CURL_* variables are set above.
|
looks a lot cleaner, a good integration test and we should be ok |
|
update the PR title and description with the updated content |
miminar
changed the title
|
@liggitt Added integration test. I'm concerned about |
| } | ||
| if resp.Header.Get("Location") != masterConfig.AssetConfig.PublicURL { | ||
| t.Errorf("Expected %s, got %s", masterConfig.AssetConfig.PublicURL, resp.Header.Get("Location")) | ||
| } |
There was a problem hiding this comment.
should also GET the asset public URL to make sure the UI is served
miminar
force-pushed
the
disable-web-console
branch
from
09917a9
to
465193b
Compare
| @@ -428,6 +428,10 @@ func (c *MasterConfig) RouteAllocatorClients() (*osclient.Client, *kclient.Clien | |||
| return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient | |||
| } | |||
|
|
|||
| func (c *MasterConfig) WebConsoleEnabled() bool { | |||
There was a problem hiding this comment.
godoc, since the two conditions aren't obvious from the name of the function
Signed-off-by: Michal Minar <miminar@redhat.com>
Signed-off-by: Michal Minar <miminar@redhat.com>
|
@liggitt could you take one more look? |
Signed-off-by: Michal Minar <miminar@redhat.com>
| if resp.StatusCode != expectedStatus { | ||
| t.Errorf("Expected status %d for %s, got %d", expectedStatus, url, resp.StatusCode) | ||
| } else { | ||
| if expectedRedirectLocation != "" { |
There was a problem hiding this comment.
this shouldn't be in an else
There was a problem hiding this comment.
actually, the check shouldn't even be conditional... if we expect "", and get "foo", that's an error
Signed-off-by: Michal Minar <miminar@redhat.com>
| }{ | ||
| "": {http.StatusFound, masterOptions.AssetConfig.PublicURL}, | ||
| "healthz": {http.StatusOK, ""}, | ||
| "login": {http.StatusOK, ""}, |
There was a problem hiding this comment.
add "oauth/token/request" expecting a redirect to "oauth/authorize?..." to make sure OAuth is still hooked up
|
a couple last checks for OAuth, then LGTM |
Signed-off-by: Michal Minar <miminar@redhat.com>
|
@liggitt another ping :) |
|
LGTM, [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/2940/) (Image: devenv-fedora_2147) |
|
Evaluated for origin merge up to 70af553 |
|
[Test]ing while waiting on the merge queue |
|
@liggitt Thanks! |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/4040/) |
|
Evaluated for origin test up to 70af553 |
Merged by openshift-bot
|
@stevekuznetsov actually the tests run just fine. The problem is they can't be disabled :-). Adding Update: Looks like you've already taken care of it :-) |
|
@miminar Yes, interestingly enough the logic for running tests did run yours. All is well. |
If the web console component is disabled through
masterConfig.DisabledFeatures, deny all the access to:$MASTER_URL/console$MASTER_URL/console/*And prevent http server for static assets from running.
Signed-off-by: Michal Minar miminar@redhat.com