add authentication for the metrics endpoint

Author: pietroalbini

src/config.rs

@@ -21,6 +21,7 @@ pub struct Config {
     pub allowed_origins: Vec<String>,
     pub downloads_persist_interval_ms: usize,
     pub ownership_invitations_expiration_days: u64,
+    pub metrics_authorization_token: Option<String>,
 }
 
 impl Default for Config {
@@ -47,8 +48,10 @@ impl Default for Config {
     /// - `DATABASE_URL`: The URL of the postgres database to use.
     /// - `READ_ONLY_REPLICA_URL`: The URL of an optional postgres read-only replica database.
     /// - `BLOCKED_TRAFFIC`: A list of headers and environment variables to use for blocking
-    ///.  traffic. See the `block_traffic` module for more documentation.
+    ///   traffic. See the `block_traffic` module for more documentation.
     /// - `DOWNLOADS_PERSIST_INTERVAL_MS`: how frequent to persist download counts (in ms).
+    /// - `METRICS_AUTHORIZATION_TOKEN`: authorization token needed to query metrics. If missing,
+    ///   querying metrics will be completely disabled.
     fn default() -> Config {
         let api_protocol = String::from("https");
         let mirror = if dotenv::var("MIRROR").is_ok() {
@@ -156,6 +159,7 @@ impl Default for Config {
                 })
                 .unwrap_or(60_000), // 1 minute
             ownership_invitations_expiration_days: 30,
+            metrics_authorization_token: dotenv::var("METRICS_AUTHORIZATION_TOKEN").ok(),
         }
     }
 }

src/controllers/metrics.rs

@@ -1,12 +1,28 @@
 use crate::controllers::frontend_prelude::*;
-use crate::util::errors::not_found;
+use crate::util::errors::{forbidden, not_found, MetricsDisabled};
 use conduit::{Body, Response};
 use prometheus::{Encoder, TextEncoder};
 
 /// Handles the `GET /api/private/metrics/:kind` endpoint.
 pub fn prometheus(req: &mut dyn RequestExt) -> EndpointResult {
     let app = req.app();
 
+    if let Some(expected_token) = &app.config.metrics_authorization_token {
+        let provided_token = req
+            .headers()
+            .get(header::AUTHORIZATION)
+            .and_then(|value| value.to_str().ok())
+            .and_then(|value| value.strip_prefix("Bearer "));
+
+        if provided_token != Some(expected_token.as_str()) {
+            return Err(forbidden());
+        }
+    } else {
+        // To avoid accidentally leaking metrics if the environment variable is not set, prevent
+        // access to any metrics endpoint if the authorization token is not configured.
+        return Err(Box::new(MetricsDisabled));
+    }
+
     let metrics = match req.params()["kind"].as_str() {
         "service" => app.service_metrics.gather(&*req.db_read_only()?)?,
         "instance" => app.instance_metrics.gather(app)?,

src/tests/metrics.rs

@@ -1,16 +1,85 @@
+use crate::util::{MockAnonymousUser, Response};
+use crate::{RequestHelper, TestApp};
 use conduit::StatusCode;
-use crate::{TestApp, RequestHelper};
 
 #[test]
 fn metrics_endpoint_works() {
-    let (_, anon) = TestApp::init().empty();
+    let (_, anon) = TestApp::init()
+        .with_config(|config| config.metrics_authorization_token = Some("foobar".into()))
+        .empty();
 
-    let resp = anon.get::<()>("/api/private/metrics/service");
+    let resp = request_metrics(&anon, "service", Some("foobar"));
     assert_eq!(StatusCode::OK, resp.status());
 
-    let resp = anon.get::<()>("/api/private/metrics/instance");
+    let resp = request_metrics(&anon, "instance", Some("foobar"));
     assert_eq!(StatusCode::OK, resp.status());
 
-    let resp = anon.get::<()>("/api/private/metrics/missing");
+    let resp = request_metrics(&anon, "missing", Some("foobar"));
     assert_eq!(StatusCode::NOT_FOUND, resp.status());
 }
+
+#[test]
+fn metrics_endpoint_wrong_auth() {
+    let (_, anon) = TestApp::init()
+        .with_config(|config| config.metrics_authorization_token = Some("secret".into()))
+        .empty();
+
+    // Wrong secret
+
+    let resp = request_metrics(&anon, "service", Some("foobar"));
+    assert_eq!(StatusCode::FORBIDDEN, resp.status());
+
+    let resp = request_metrics(&anon, "instance", Some("foobar"));
+    assert_eq!(StatusCode::FORBIDDEN, resp.status());
+
+    let resp = request_metrics(&anon, "missing", Some("foobar"));
+    assert_eq!(StatusCode::FORBIDDEN, resp.status());
+
+    // No secret
+
+    let resp = request_metrics(&anon, "service", None);
+    assert_eq!(StatusCode::FORBIDDEN, resp.status());
+
+    let resp = request_metrics(&anon, "instance", None);
+    assert_eq!(StatusCode::FORBIDDEN, resp.status());
+
+    let resp = request_metrics(&anon, "missing", None);
+    assert_eq!(StatusCode::FORBIDDEN, resp.status());
+}
+
+#[test]
+fn metrics_endpoint_auth_disabled() {
+    let (_, anon) = TestApp::init()
+        .with_config(|config| config.metrics_authorization_token = None)
+        .empty();
+
+    // Wrong secret
+
+    let resp = request_metrics(&anon, "service", Some("foobar"));
+    assert_eq!(StatusCode::NOT_FOUND, resp.status());
+
+    let resp = request_metrics(&anon, "instance", Some("foobar"));
+    assert_eq!(StatusCode::NOT_FOUND, resp.status());
+
+    let resp = request_metrics(&anon, "missing", Some("foobar"));
+    assert_eq!(StatusCode::NOT_FOUND, resp.status());
+
+    // No secret
+
+    let resp = request_metrics(&anon, "service", None);
+    assert_eq!(StatusCode::NOT_FOUND, resp.status());
+
+    let resp = request_metrics(&anon, "instance", None);
+    assert_eq!(StatusCode::NOT_FOUND, resp.status());
+
+    let resp = request_metrics(&anon, "missing", None);
+    assert_eq!(StatusCode::NOT_FOUND, resp.status());
+}
+
+fn request_metrics(anon: &MockAnonymousUser, kind: &str, token: Option<&str>) -> Response<()> {
+    let mut req = anon.get_request(&format!("/api/private/metrics/{}", kind));
+    if let Some(token) = token {
+        req.header("Authorization", &format!("Bearer {}", token));
+    }
+    anon.run(req)
+}

src/tests/util/test_app.rs

@@ -317,6 +317,7 @@ fn simple_config() -> Config {
         allowed_origins: Vec::new(),
         downloads_persist_interval_ms: 1000,
         ownership_invitations_expiration_days: 30,
+        metrics_authorization_token: None,
     }
 }
 

src/util/errors.rs

@@ -26,8 +26,8 @@ mod json;
 
 pub use json::TOKEN_FORMAT_ERROR;
 pub(crate) use json::{
-    InsecurelyGeneratedTokenRevoked, NotFound, OwnershipInvitationExpired, ReadOnlyMode,
-    TooManyRequests,
+    InsecurelyGeneratedTokenRevoked, MetricsDisabled, NotFound, OwnershipInvitationExpired,
+    ReadOnlyMode, TooManyRequests,
 };
 
 /// Returns an error with status 200 and the provided description as JSON

src/util/errors/json.rs

@@ -251,3 +251,18 @@ impl fmt::Display for OwnershipInvitationExpired {
         )
     }
 }
+
+#[derive(Debug)]
+pub(crate) struct MetricsDisabled;
+
+impl AppError for MetricsDisabled {
+    fn response(&self) -> Option<AppResponse> {
+        Some(json_error(&self.to_string(), StatusCode::NOT_FOUND))
+    }
+}
+
+impl fmt::Display for MetricsDisabled {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.write_str("Metrics are disabled on this crates.io instance")
+    }
+}