From 306f064ad96be0e2e014b484c4ec4768a3fd7565 Mon Sep 17 00:00:00 2001 From: Eike Kettner Date: Mon, 4 Jan 2021 14:52:24 +0100 Subject: [PATCH] Create a place for admin routes And move re-creation of fulltext index in this place. --- .../src/main/resources/reference.conf | 12 +++++ .../scala/docspell/restserver/Config.scala | 5 +- .../docspell/restserver/RestServer.scala | 11 +++- .../restserver/http4s/Responses.scala | 5 ++ .../restserver/routes/AdminRoutes.scala | 54 +++++++++++++++++++ .../routes/FullTextIndexRoutes.scala | 14 ++--- 6 files changed, 89 insertions(+), 12 deletions(-) create mode 100644 modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala diff --git a/modules/restserver/src/main/resources/reference.conf b/modules/restserver/src/main/resources/reference.conf index d1c94119..b76082af 100644 --- a/modules/restserver/src/main/resources/reference.conf +++ b/modules/restserver/src/main/resources/reference.conf @@ -111,6 +111,18 @@ docspell.server { } } + # This is a special endpoint that allows some basic administration. + # + # It is intended to be used by admins only, that is users who + # installed the app and have access to the system. Normal users + # should not have access and therefore a secret must be provided in + # order to access it. + admin-endpoint { + # The secret. If empty, the endpoint is disabled. + secret = "" + + } + # Configuration of the full-text search engine. full-text-search { # The full-text search feature can be disabled. It requires an diff --git a/modules/restserver/src/main/scala/docspell/restserver/Config.scala b/modules/restserver/src/main/scala/docspell/restserver/Config.scala index f90616a6..8c9dd7b9 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/Config.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/Config.scala @@ -18,13 +18,16 @@ case class Config( integrationEndpoint: Config.IntegrationEndpoint, maxItemPageSize: Int, maxNoteLength: Int, - fullTextSearch: Config.FullTextSearch + fullTextSearch: Config.FullTextSearch, + adminEndpoint: Config.AdminEndpoint ) object Config { case class Bind(address: String, port: Int) + case class AdminEndpoint(secret: String) + case class IntegrationEndpoint( enabled: Boolean, priority: Priority, diff --git a/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala b/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala index d0f987b6..92754340 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/RestServer.scala @@ -35,6 +35,9 @@ object RestServer { "/api/v1/sec/" -> Authenticate(restApp.backend.login, cfg.auth) { token => securedRoutes(cfg, pools, restApp, token) }, + "/api/v1/admin" -> AdminRoutes(cfg.adminEndpoint) { + adminRoutes(cfg, restApp) + }, "/api/doc" -> templates.doc, "/app/assets" -> WebjarRoutes.appRoutes[F](pools.blocker), "/app" -> templates.app, @@ -95,8 +98,12 @@ object RestServer { "signup" -> RegisterRoutes(restApp.backend, cfg), "upload" -> UploadRoutes.open(restApp.backend, cfg), "checkfile" -> CheckFileRoutes.open(restApp.backend), - "integration" -> IntegrationEndpointRoutes.open(restApp.backend, cfg), - "fts" -> FullTextIndexRoutes.open(cfg, restApp.backend) + "integration" -> IntegrationEndpointRoutes.open(restApp.backend, cfg) + ) + + def adminRoutes[F[_]: Effect](cfg: Config, restApp: RestApp[F]): HttpRoutes[F] = + Router( + "fts" -> FullTextIndexRoutes.admin(cfg, restApp.backend) ) def redirectTo[F[_]: Effect](path: String): HttpRoutes[F] = { diff --git a/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala b/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala index fbd300a3..7a722d44 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/http4s/Responses.scala @@ -1,6 +1,8 @@ package docspell.restserver.http4s import cats.data.NonEmptyList +import cats.data.OptionT +import cats.effect.Sync import fs2.text.utf8Encode import fs2.{Pure, Stream} @@ -36,4 +38,7 @@ object Responses { ) ) + def notFoundRoute[F[_]: Sync]: HttpRoutes[F] = + HttpRoutes(_ => OptionT.pure(Response.notFound[F])) + } diff --git a/modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala b/modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala new file mode 100644 index 00000000..fe3d1f5d --- /dev/null +++ b/modules/restserver/src/main/scala/docspell/restserver/routes/AdminRoutes.scala @@ -0,0 +1,54 @@ +package docspell.restserver.routes + +import cats.data.{Kleisli, OptionT} +import cats.effect._ +import cats.implicits._ + +import docspell.restserver.Config +import docspell.restserver.http4s.Responses + +import org.http4s._ +import org.http4s.circe.CirceEntityEncoder._ +import org.http4s.dsl.Http4sDsl +import org.http4s.server._ +import org.http4s.util.CaseInsensitiveString + +object AdminRoutes { + private val adminHeader = CaseInsensitiveString("Docspell-Admin-Secret") + + def apply[F[_]: Effect](cfg: Config.AdminEndpoint)( + f: HttpRoutes[F] + ): HttpRoutes[F] = { + val dsl: Http4sDsl[F] = new Http4sDsl[F] {} + import dsl._ + + val authUser = checkSecret[F](cfg) + + val onFailure: AuthedRoutes[String, F] = + Kleisli(req => OptionT.liftF(Forbidden(req.context))) + + val middleware: AuthMiddleware[F, Unit] = + AuthMiddleware(authUser, onFailure) + + if (cfg.secret.isEmpty) Responses.notFoundRoute[F] + else middleware(AuthedRoutes(authReq => f.run(authReq.req))) + } + + private def checkSecret[F[_]: Effect]( + cfg: Config.AdminEndpoint + ): Kleisli[F, Request[F], Either[String, Unit]] = + Kleisli(req => + extractSecret[F](req) + .filter(compareSecret(cfg.secret)) + .toRight("Secret invalid") + .map(_ => ()) + .pure[F] + ) + + private def extractSecret[F[_]](req: Request[F]): Option[String] = + req.headers.get(adminHeader).map(_.value) + + private def compareSecret(s1: String)(s2: String): Boolean = + s1.length > 0 && s1.length == s2.length && + s1.zip(s2).forall({ case (a, b) => a == b }) +} diff --git a/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala b/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala index 301e086c..d6d927c4 100644 --- a/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala +++ b/modules/restserver/src/main/scala/docspell/restserver/routes/FullTextIndexRoutes.scala @@ -1,14 +1,13 @@ package docspell.restserver.routes -import cats.data.OptionT import cats.effect._ import cats.implicits._ import docspell.backend.BackendApp import docspell.backend.auth.AuthToken -import docspell.common._ import docspell.restserver.Config import docspell.restserver.conv.Conversions +import docspell.restserver.http4s.Responses import org.http4s._ import org.http4s.circe.CirceEntityEncoder._ @@ -34,23 +33,20 @@ object FullTextIndexRoutes { } } - def open[F[_]: Effect](cfg: Config, backend: BackendApp[F]): HttpRoutes[F] = + def admin[F[_]: Effect](cfg: Config, backend: BackendApp[F]): HttpRoutes[F] = if (!cfg.fullTextSearch.enabled) notFound[F] else { val dsl = Http4sDsl[F] import dsl._ - HttpRoutes.of { case POST -> Root / "reIndexAll" / Ident(id) => + HttpRoutes.of { case POST -> Root / "reIndexAll" => for { - res <- - if (id.nonEmpty && id == cfg.fullTextSearch.recreateKey) - backend.fulltext.reindexAll.attempt - else Left(new Exception("The provided key is invalid.")).pure[F] + res <- backend.fulltext.reindexAll.attempt resp <- Ok(Conversions.basicResult(res, "Full-text index will be re-created.")) } yield resp } } private def notFound[F[_]: Effect]: HttpRoutes[F] = - HttpRoutes(_ => OptionT.pure(Response.notFound[F])) + Responses.notFoundRoute[F] }