[SECURITY-360] introduce a system switch to kill CLI

This basically is a convenient version of
https://github.com/jenkinsci-cert/SECURITY-218.

During the course of discussing how to fix SECURITY-360, it was agreed
by the CERT team that we provide this switch.

core/src/main/java/hudson/cli/CLIAction.java

@@ -62,12 +62,11 @@ public class CLIAction implements UnprotectedRootAction, StaplerProxy {
     }
 
     public String getDisplayName() {
-
         return "Jenkins CLI";
     }
 
     public String getUrlName() {
-        return "cli";
+        return jenkins.CLI.DISABLED ? null : "cli";
     }
 
     public void doCommand(StaplerRequest req, StaplerResponse rsp) throws ServletException, IOException {

core/src/main/java/hudson/cli/CliProtocol.java

@@ -32,7 +32,7 @@ public class CliProtocol extends AgentProtocol {
 
     @Override
     public String getName() {
-        return "CLI-connect";
+        return jenkins.CLI.DISABLED ? null : "CLI-connect";
     }
 
     @Override

core/src/main/java/hudson/cli/CliProtocol2.java

@@ -24,7 +24,7 @@ import java.security.Signature;
 public class CliProtocol2 extends CliProtocol {
     @Override
     public String getName() {
-        return "CLI2-connect";
+        return jenkins.CLI.DISABLED ? null : "CLI2-connect";
     }
 
     @Override

core/src/main/java/jenkins/CLI.java

+package jenkins;
+
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Kill switch to disable the entire Jenkins CLI system.
+ *
+ * Marked as no external use because the CLI subsystem is nearing EOL.
+ *
+ * @author Kohsuke Kawaguchi
+ */
+@Restricted(NoExternalUse.class)
+public class CLI {
+    // non-final to allow setting from $JENKINS_HOME/init.groovy.d
+    public static boolean DISABLED = Boolean.getBoolean(CLI.class.getName()+".disabled");
+}

test/src/test/java/jenkins/CLITest.java

+package jenkins;
+
+import hudson.cli.FullDuplexHttpStream;
+import hudson.model.Computer;
+import hudson.model.Failure;
+import hudson.remoting.Channel;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+
+import java.io.FileNotFoundException;
+import java.net.URL;
+
+import static org.junit.Assert.*;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class CLITest {
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    /**
+     * Checks if the kill switch works correctly
+     */
+    @Test
+    public void killSwitch() throws Exception {
+        // this should succeed, as a control case
+        makeHttpCall();
+        makeJnlpCall();
+
+        CLI.DISABLED = true;
+        try {
+            try {
+                makeHttpCall();
+                fail("Should have been rejected");
+            } catch (FileNotFoundException e) {
+                // attempt to make a call should fail
+            }
+            try {
+                makeJnlpCall();
+                fail("Should have been rejected");
+            } catch (Exception e) {
+                // attempt to make a call should fail
+                e.printStackTrace();
+
+                // the current expected failure mode is EOFException, though we don't really care how it fails
+            }
+        } finally {
+            CLI.DISABLED = false;
+        }
+    }
+
+    private void makeHttpCall() throws Exception {
+        FullDuplexHttpStream con = new FullDuplexHttpStream(new URL(j.getURL(), "cli"));
+        Channel ch = new Channel("test connection", Computer.threadPoolForRemoting, con.getInputStream(), con.getOutputStream());
+        ch.close();
+    }
+
+    private void makeJnlpCall() throws Exception {
+        int r = hudson.cli.CLI._main(new String[]{"-s",j.getURL().toString(), "version"});
+        if (r!=0)
+            throw new Failure("CLI failed");
+    }
+}