From ca7b24f6fa7fc23932f5db582f4fec9cd482718d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Thu, 11 May 2017 12:04:36 +0300 Subject: [PATCH] MXS-1220: Allow admin interface to be disabled Allowing the admin interface to be disabled completely makes it possible to remove any security concerns that could arise from its use. --- .../Getting-Started/Configuration-Guide.md | 7 ++++++- include/maxscale/config.h | 2 ++ server/core/config.cc | 6 ++++++ server/core/gateway.cc | 21 +++++++++++-------- 4 files changed, 26 insertions(+), 10 deletions(-) diff --git a/Documentation/Getting-Started/Configuration-Guide.md b/Documentation/Getting-Started/Configuration-Guide.md index 086a939dc..dbe271171 100644 --- a/Documentation/Getting-Started/Configuration-Guide.md +++ b/Documentation/Getting-Started/Configuration-Guide.md @@ -542,7 +542,7 @@ The port where the HTTP admin interface listens on. The default value is port Enable HTTP admin interface authentication using HTTP Basic Access authentication. This is not a secure method of authentication but it does add a -small layer of security. This option id disabled by default. +small layer of security. This option is disabled by default. #### `admin_user` @@ -573,6 +573,11 @@ documentation for more details. The path to the TLS CA certificate in PEM format. See `admin_ssl_key` documentation for more details. +#### `admin_enabled` + +Enable or disable the admin interface. This allows the admin interface to +be completely disabled to prevent access to it. + ### Service A service represents the database service that MariaDB MaxScale offers to the diff --git a/include/maxscale/config.h b/include/maxscale/config.h index 2afffa84d..a84d520fd 100644 --- a/include/maxscale/config.h +++ b/include/maxscale/config.h 
@@ -69,6 +69,7 @@ MXS_BEGIN_DECLS
 */
 extern const char CN_ADDRESS[];
 extern const char CN_ADMIN_AUTH[];
+extern const char CN_ADMIN_ENABLED[];
 extern const char CN_ADMIN_HOST[];
 extern const char CN_ADMIN_PASSWORD[];
 extern const char CN_ADMIN_PORT[];
@@ -196,6 +197,7 @@ typedef struct
 char admin_host[MAX_ADMIN_HOST_LEN]; /**< Admin interface host */
 uint16_t admin_port; /**< Admin interface port */
 bool admin_auth; /**< Admin interface authentication */
+ bool admin_enabled; /**< Admin interface is enabled */
 char admin_ssl_key[PATH_MAX]; /**< Admin SSL key */
 char admin_ssl_cert[PATH_MAX]; /**< Admin SSL cert */
 char admin_ssl_ca_cert[PATH_MAX]; /**< Admin SSL CA cert */
diff --git a/server/core/config.cc b/server/core/config.cc
index 58fce45a9..06408c03c 100644
--- a/server/core/config.cc
+++ b/server/core/config.cc
@@ -54,6 +54,7 @@ using std::string;
 const char CN_ADDRESS[] = "address";
 const char CN_ADMIN_AUTH[] = "admin_auth";
+const char CN_ADMIN_ENABLED[] = "admin_enabled";
 const char CN_ADMIN_HOST[] = "admin_host";
 const char CN_ADMIN_PASSWORD[] = "admin_password";
 const char CN_ADMIN_PORT[] = "admin_port";
@@ -1552,6 +1553,10 @@ handle_global_item(const char *name, const char *value)
 {
 gateway.admin_auth = config_truth_value(value);
 }
+ else if (strcmp(name, CN_ADMIN_ENABLED) == 0)
+ {
+ gateway.admin_enabled = config_truth_value(value);
+ }
 else
 {
 for (i = 0; lognames[i].name; i++)
@@ -1774,6 +1779,7 @@ global_defaults()
 gateway.skip_permission_checks = false;
 gateway.admin_port = DEFAULT_ADMIN_HTTP_PORT;
 gateway.admin_auth = false;
+ gateway.admin_enabled = true;
 strcpy(gateway.admin_host, DEFAULT_ADMIN_HOST);
 strcpy(gateway.admin_user, INET_DEFAULT_USERNAME);
 strcpy(gateway.admin_password, INET_DEFAULT_PASSWORD);
diff --git a/server/core/gateway.cc b/server/core/gateway.cc
index 47425c8cd..2cbf3329f 100644
--- a/server/core/gateway.cc
+++ b/server/core/gateway.cc
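Review bot: In the `handle_global_item` hunk of server/core/config.cc, the result of `config_truth_value(value)` is stored straight into the `bool` field `admin_enabled`, so any non-zero result counts as enabled. If that helper reports an unrecognised string with a negative value (its definition is not part of this patch, so this needs confirming), a misspelt value such as `admin_enabled=flase` would leave the interface running without any error, which defeats a switch whose purpose is to turn it off. I would hold the result in an `int` first, e.g. `int enabled = config_truth_value(value);`, and reject the setting with a logged error when `enabled < 0`. The `admin_auth` branch directly above has the same shape, and the function body starts and ends outside the hunk.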
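Review bot: In the `global_defaults` hunk, `gateway.admin_enabled = true;` sits directly under `gateway.admin_auth = false;`, so an instance with no admin settings still starts the interface with authentication off, and nothing in the code or in the new `admin_enabled` guide entry states that default. A comment on the new line such as `/* on by default to keep the previous behaviour; admin_enabled=false turns the interface off */` would record the intent. The Configuration-Guide.md entry added in this patch should also say the option is enabled by default, as the `admin_auth` entry does for its own default.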
@@ -1982,16 +1982,19 @@ int main(int argc, char **argv)
 }
 }
- if (mxs_admin_init())
+ if (cnf->admin_enabled)
 {
- MXS_NOTICE("Started REST API on [%s]:%u", cnf->admin_host, cnf->admin_port);
- }
- else
- {
- const char* logerr = "Failed to initialize admin interface";
- print_log_n_stderr(true, true, logerr, logerr, 0);
- rc = MAXSCALE_INTERNALERROR;
- goto return_main;
+ if (mxs_admin_init())
+ {
+ MXS_NOTICE("Started REST API on [%s]:%u", cnf->admin_host, cnf->admin_port);
+ }
+ else
+ {
+ const char* logerr = "Failed to initialize admin interface";
+ print_log_n_stderr(true, true, logerr, logerr, 0);
+ rc = MAXSCALE_INTERNALERROR;
+ goto return_main;
+ }
 }
 MXS_NOTICE("MaxScale started with %d server threads.", config_threadcount());
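Review bot: When `cnf->admin_enabled` is false, the new outer `if` in `main` skips `mxs_admin_init()` without logging anything, so an operator cannot confirm from the log that the interface is really off. An `else` on the outer `if` with `MXS_NOTICE("Admin interface is disabled");` would make that state auditable alongside the existing "Started REST API" notice. `main` continues past the end of this hunk, so it is also worth checking that any admin-interface teardown reached via `return_main` or normal shutdown tolerates the case where initialisation never ran.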