Conditionally deny access to web console

pkg/cmd/server/origin/auth_config.go

@@ -62,7 +62,10 @@ func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error) {
 	// Build the list of valid redirect_uri prefixes for a login using the openshift-web-console client to redirect to
 	// TODO: allow configuring this
 	// TODO: remove hard-coding of development UI server
-	assetPublicURLs := []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
+	assetPublicURLs := []string{}
+	if !options.DisabledFeatures.Has(configapi.FeatureWebConsole) {
+		assetPublicURLs = []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
+	}
 
 	userStorage := useretcd.NewREST(etcdHelper)
 	userRegistry := userregistry.NewRegistry(userStorage)

pkg/cmd/server/origin/master.go

@@ -170,7 +170,7 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
 		handler = apiserver.CORS(handler, origins, nil, nil, "true")
 	}
 
-	if c.Options.AssetConfig != nil {
+	if c.WebConsoleEnabled() {
 		handler = assetServerRedirect(handler, c.Options.AssetConfig.PublicURL)
 	}
 

pkg/cmd/server/origin/master_config.go

@@ -428,6 +428,11 @@ func (c *MasterConfig) RouteAllocatorClients() (*osclient.Client, *kclient.Clien
 	return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
 }
 
+// WebConsoleEnabled says whether web ui is not a disabled feature and asset service is configured.
+func (c *MasterConfig) WebConsoleEnabled() bool {
+	return c.Options.AssetConfig != nil && !c.Options.DisabledFeatures.Has(configapi.FeatureWebConsole)
+}
+
 // OriginNamespaceControllerClients returns a client for openshift and kubernetes.
 // The openshift client object must have authority to delete openshift content in any namespace
 // The kubernetes client object must have authority to execute a finalize request on a namespace

pkg/cmd/server/start/start_master.go

@@ -358,7 +358,7 @@ func StartMaster(openshiftMasterConfig *configapi.MasterConfig) error {
 	}
 
 	var standaloneAssetConfig *origin.AssetConfig
-	if openshiftMasterConfig.AssetConfig != nil {
+	if openshiftConfig.WebConsoleEnabled() {
 		config, err := origin.BuildAssetConfig(*openshiftMasterConfig.AssetConfig)
 		if err != nil {
 			return err

test/integration/web_console_access_test.go

@@ -0,0 +1,104 @@
+// +build integration,!no-etcd
+
+package integration
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	testutil "github.com/openshift/origin/test/util"
+)
+
+func tryAccessURL(t *testing.T, url string, expectedStatus int, expectedRedirectLocation string) *http.Response {
+	transport := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+
+	req, err := http.NewRequest("GET", url, nil)
+	req.Header.Set("Accept", "text/html")
+	resp, err := transport.RoundTrip(req)
+	if err != nil {
+		t.Errorf("Unexpected error while accessing %q: %v", url, err)
+		return nil
+	}
+	if resp.StatusCode != expectedStatus {
+		t.Errorf("Expected status %d for %q, got %d", expectedStatus, url, resp.StatusCode)
+	}
+	// ignore query parameters
+	location := resp.Header.Get("Location")
+	location = strings.SplitN(location, "?", 2)[0]
+	if location != expectedRedirectLocation {
+		t.Errorf("Expected redirecttion to %q for %q, got %q instead", expectedRedirectLocation, url, location)
+	}
+	return resp
+}
+
+func TestAccessOriginWebConsole(t *testing.T) {
+	masterOptions, err := testutil.DefaultMasterOptions()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if _, err = testutil.StartConfiguredMaster(masterOptions); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	for endpoint, exp := range map[string]struct {
+		statusCode int
+		location   string
+	}{
+		"":                    {http.StatusFound, masterOptions.AssetConfig.PublicURL},
+		"healthz":             {http.StatusOK, ""},
+		"login":               {http.StatusOK, ""},
+		"oauth/token/request": {http.StatusFound, masterOptions.AssetConfig.MasterPublicURL + "/oauth/authorize"},
+		"console":             {http.StatusMovedPermanently, "/console/"},
+		"console/":            {http.StatusOK, ""},
+		"console/java":        {http.StatusOK, ""},
+	} {
+		url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint
+		tryAccessURL(t, url, exp.statusCode, exp.location)
+	}
+}
+
+func TestAccessDisabledWebConsole(t *testing.T) {
+	masterOptions, err := testutil.DefaultMasterOptions()
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	masterOptions.DisabledFeatures.Add(configapi.FeatureWebConsole)
+	if _, err := testutil.StartConfiguredMaster(masterOptions); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	resp := tryAccessURL(t, masterOptions.AssetConfig.MasterPublicURL+"/", http.StatusOK, "")
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Errorf("failed to read reposponse's body: %v", err)
+	} else {
+		var value interface{}
+		if err = json.Unmarshal(body, &value); err != nil {
+			t.Errorf("expected json body which couldn't be parsed: %v, got: %s", err, body)
+		}
+	}
+
+	for endpoint, exp := range map[string]struct {
+		statusCode int
+		location   string
+	}{
+		"healthz":             {http.StatusOK, ""},
+		"login":               {http.StatusOK, ""},
+		"oauth/token/request": {http.StatusFound, masterOptions.AssetConfig.MasterPublicURL + "/oauth/authorize"},
+		"console":             {http.StatusForbidden, ""},
+		"console/":            {http.StatusForbidden, ""},
+		"console/java":        {http.StatusForbidden, ""},
+	} {
+		url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint
+		tryAccessURL(t, url, exp.statusCode, exp.location)
+	}
+}