Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conditionally deny access to web console #4046

Merged
merged 7 commits into from Aug 12, 2015
Merged

Conditionally deny access to web console #4046

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
c8ca2fd
Deny access to Web Console
Jun 10, 2015
465193b
Added integration test for disabling web console
Aug 11, 2015
bbce458
Test improvements
Aug 11, 2015
82692ae
Godoced exported method
Aug 11, 2015
00894c5
Inline test cases
Aug 11, 2015
86a2523
More polishment for integration test
Aug 12, 2015
70af553
Extended tested endpoints
Aug 12, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 4 additions & 1 deletion pkg/cmd/server/origin/auth_config.go
View file
Open in desktop
Expand Up @@ -62,7 +62,10 @@ func BuildAuthConfig(options configapi.MasterConfig) (*AuthConfig, error) {
// Build the list of valid redirect_uri prefixes for a login using the openshift-web-console client to redirect to
// TODO: allow configuring this
// TODO: remove hard-coding of development UI server
assetPublicURLs := []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
assetPublicURLs := []string{}
if !options.DisabledFeatures.Has(configapi.FeatureWebConsole) {
assetPublicURLs = []string{options.OAuthConfig.AssetPublicURL, "http://localhost:9000", "https://localhost:9000"}
}

userStorage := useretcd.NewREST(etcdHelper)
userRegistry := userregistry.NewRegistry(userStorage)
Expand Down
2 changes: 1 addition & 1 deletion pkg/cmd/server/origin/master.go
View file
Open in desktop
Expand Up @@ -170,7 +170,7 @@ func (c *MasterConfig) Run(protected []APIInstaller, unprotected []APIInstaller)
handler = apiserver.CORS(handler, origins, nil, nil, "true")
}

if c.Options.AssetConfig != nil {
if c.WebConsoleEnabled() {
handler = assetServerRedirect(handler, c.Options.AssetConfig.PublicURL)
}

Expand Down
4 changes: 4 additions & 0 deletions pkg/cmd/server/origin/master_config.go
View file
Open in desktop
Expand Up @@ -428,6 +428,10 @@ func (c *MasterConfig) RouteAllocatorClients() (*osclient.Client, *kclient.Clien
return c.PrivilegedLoopbackOpenShiftClient, c.PrivilegedLoopbackKubernetesClient
}

func (c *MasterConfig) WebConsoleEnabled() bool {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

godoc, since the two conditions aren't obvious from the name of the function

return c.Options.AssetConfig != nil && !c.Options.DisabledFeatures.Has(configapi.FeatureWebConsole)
}

// OriginNamespaceControllerClients returns a client for openshift and kubernetes.
// The openshift client object must have authority to delete openshift content in any namespace
// The kubernetes client object must have authority to execute a finalize request on a namespace
Expand Down
2 changes: 1 addition & 1 deletion pkg/cmd/server/start/start_master.go
View file
Open in desktop
Expand Up @@ -358,7 +358,7 @@ func StartMaster(openshiftMasterConfig *configapi.MasterConfig) error {
}

var standaloneAssetConfig *origin.AssetConfig
if openshiftMasterConfig.AssetConfig != nil {
if openshiftConfig.WebConsoleEnabled() {
config, err := origin.BuildAssetConfig(*openshiftMasterConfig.AssetConfig)
if err != nil {
return err
Expand Down
76 changes: 76 additions & 0 deletions test/integration/web_console_access_test.go
View file
Open in desktop
@@ -0,0 +1,76 @@
// +build integration,!no-etcd

package integration

import (
"crypto/tls"
"net/http"
"testing"

configapi "github.com/openshift/origin/pkg/cmd/server/api"
testutil "github.com/openshift/origin/test/util"
)

var (
stableWebConsoleEndpoints = []string{"healthz", "login"}
switchableWebConsoleEndpoints = []string{"console", "console/", "console/java"}
)

func tryAccessURL(t *testing.T, url string, expectedStatus int) {
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
}

req, err := http.NewRequest("GET", url, nil)
req.Header.Set("Accept", "text/html")
resp, err := transport.RoundTrip(req)
if err != nil {
t.Errorf("Unexpected error while accessing %s: %v", url, err)
}
if resp.StatusCode != expectedStatus {
t.Errorf("Expected status %d for %s, got %d", expectedStatus, url, resp.StatusCode)
}
}

func TestAccessOriginWebConsole(t *testing.T) {
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
if _, err = testutil.StartConfiguredMaster(masterOptions); err != nil {
t.Fatalf("unexpected error: %v", err)
}

allEndpoints := append(stableWebConsoleEndpoints, switchableWebConsoleEndpoints...)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this (potentially) mutates the global variable

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would just inline the paths and statuses you expect in the tests

paths := map[string]int {
  "/console": 301,
  "/console/": 200,
  ...
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

access / with console enabled and disabled. With it enabled and an accept of text/html, you should get a redirect to the console URL.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good points. Will do. Inlined. Added tests for /.

for _, endpoint := range allEndpoints {
url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint
expectedStatus := http.StatusOK
if endpoint == "console" {
expectedStatus = http.StatusMovedPermanently
}
tryAccessURL(t, url, expectedStatus)
}
}

func TestAccessDisabledWebConsole(t *testing.T) {
masterOptions, err := testutil.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
masterOptions.DisabledFeatures.Add(configapi.FeatureWebConsole)
if _, err := testutil.StartConfiguredMaster(masterOptions); err != nil {
t.Fatalf("unexpected error: %v", err)
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

access / with console enabled and disabled. With it disabled and an accept of text/html, you should get a JSON listing

for _, endpoint := range stableWebConsoleEndpoints {
url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint
tryAccessURL(t, url, http.StatusOK)
}

for _, endpoint := range switchableWebConsoleEndpoints {
url := masterOptions.AssetConfig.MasterPublicURL + "/" + endpoint
tryAccessURL(t, url, http.StatusForbidden)
}
}