streamlined access info check, especially for insecure_mode

Author: hrissan

internal/api/access.go

@@ -8,6 +8,7 @@ package api
 
 import (
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"strings"
 
@@ -18,7 +19,6 @@ import (
 type accessInfo struct {
 	user              string
 	service           bool
-	insecureMode      bool // full access to everything; can not be obtained from bits
 	protectedPrefixes []string
 	bitAdmin          bool
 	bitDeveloper      bool
@@ -37,19 +37,22 @@ func parseAccessToken(jwtHelper *vkuth.JWTHelper,
 	insecureMode bool) (accessInfo, error) {
 	if localMode || insecureMode {
 		ai := accessInfo{
-			user:              "@local_mode",
+			user:              "@insecure_mode",
 			protectedPrefixes: protectedPrefixes,
 			bitViewDefault:    true,
 			bitEditDefault:    true,
+			bitAdmin:          localMode,
 			bitDeveloper:      localMode,
 			bitViewPrefix:     map[string]bool{},
 			bitEditPrefix:     map[string]bool{},
 			bitViewMetric:     map[string]bool{},
 			bitEditMetric:     map[string]bool{},
-			insecureMode:      insecureMode,
 		}
 		return ai, nil
 	}
+	if accessToken == "" { // For better error text. Validation would return cryptic "invalid number of segments"
+		return accessInfo{}, httpErr(http.StatusUnauthorized, fmt.Errorf("empty access token, auth service (vkuth) is down"))
+	}
 	data, err := jwtHelper.ParseVkuthData(accessToken)
 	if err != nil {
 		return accessInfo{}, httpErr(http.StatusUnauthorized, err)
@@ -62,7 +65,6 @@ func parseAccessToken(jwtHelper *vkuth.JWTHelper,
 		bitEditPrefix:     map[string]bool{},
 		bitViewMetric:     map[string]bool{},
 		bitEditMetric:     map[string]bool{},
-		insecureMode:      insecureMode,
 	}
 
 	bits := data.Bits
@@ -120,9 +122,6 @@ func (ai *accessInfo) protectedMetric(name string) bool {
 }
 
 func (ai *accessInfo) CanViewMetricName(name string) bool {
-	if ai.insecureMode {
-		return true
-	}
 	if format.RemoteConfigMetric(name) && !ai.bitAdmin {
 		return false // remote config can only be viewed by administrators
 	}
@@ -136,7 +135,7 @@ func (ai *accessInfo) CanViewMetric(metric format.MetricMetaValue) bool {
 }
 
 func (ai *accessInfo) canChangeMetricByName(create bool, old format.MetricMetaValue, new_ format.MetricMetaValue) bool {
-	if ai.insecureMode || ai.bitAdmin {
+	if ai.bitAdmin {
 		return true
 	}
 
@@ -152,9 +151,6 @@ func (ai *accessInfo) canChangeMetricByName(create bool, old format.MetricMetaVa
 }
 
 func (ai *accessInfo) CanEditMetric(create bool, old format.MetricMetaValue, new_ format.MetricMetaValue) bool {
-	if ai.insecureMode {
-		return true
-	}
 	if ai.canChangeMetricByName(create, old, new_) {
 		if ai.bitAdmin {
 			return true
@@ -177,13 +173,6 @@ func (ai *accessInfo) CanEditMetric(create bool, old format.MetricMetaValue, new
 	return false
 }
 
-func (ai *accessInfo) isAdmin() bool {
-	if ai.insecureMode {
-		return true
-	}
-	return ai.bitAdmin
-}
-
 func preKey(m format.MetricMetaValue) uint32 {
 	return m.PreKeyFrom
 }

internal/api/handler.go

@@ -159,7 +159,7 @@ const (
 	journalUpdateTimeout = 2 * time.Second
 
 	// healthcheck should query any lightweight metric, this one was chosen randomly
-	healthcheckMetric = "__agg_bucket_receive_delay_sec"
+	healthcheckMetric = "__agg_bucket_receive_delay_sec" // format.BuiltinMetricMetaAggBucketReceiveDelaySec.Name
 	healthcheckQuery  = `{@name="` + healthcheckMetric + `",@what="avg"}`
 )
 
@@ -1172,7 +1172,7 @@ func HandleGetMetric(r *httpRequestHandler) {
 }
 
 func HandleGetPromConfig(h *httpRequestHandler) {
-	if !h.accessInfo.isAdmin() {
+	if !h.accessInfo.bitAdmin {
 		err := httpErr(http.StatusNotFound, fmt.Errorf("config is not found"))
 		respondJSON(h, nil, 0, 0, err)
 		return
@@ -1186,7 +1186,7 @@ func HandleGetPromConfig(h *httpRequestHandler) {
 }
 
 func HandleGetPromConfigGenerated(h *httpRequestHandler) {
-	if !h.accessInfo.isAdmin() {
+	if !h.accessInfo.bitAdmin {
 		err := httpErr(http.StatusNotFound, fmt.Errorf("config is not found"))
 		respondJSON(h, nil, 0, 0, err)
 		return
@@ -1288,7 +1288,7 @@ func HandlePostResetFlood(r *httpRequestHandler) {
 	if r.checkReadOnlyMode() {
 		return
 	}
-	if !r.accessInfo.isAdmin() {
+	if !r.accessInfo.bitAdmin {
 		err := httpErr(http.StatusForbidden, fmt.Errorf("admin access required"))
 		respondJSON(r, nil, 0, 0, err)
 		return
@@ -1316,7 +1316,7 @@ func HandlePostPromConfig(r *httpRequestHandler) {
 	if r.checkReadOnlyMode() {
 		return
 	}
-	if !r.accessInfo.isAdmin() {
+	if !r.accessInfo.bitAdmin {
 		err := httpErr(http.StatusNotFound, fmt.Errorf("config is not found"))
 		respondJSON(r, nil, 0, 0, err)
 		return
@@ -1357,7 +1357,7 @@ func HandlePostKnownTags(r *httpRequestHandler) {
 	if r.checkReadOnlyMode() {
 		return
 	}
-	if !r.accessInfo.isAdmin() {
+	if !r.accessInfo.bitAdmin {
 		err := httpErr(http.StatusNotFound, fmt.Errorf("not found"))
 		respondJSON(r, nil, 0, 0, err)
 		return
@@ -1393,7 +1393,7 @@ func HandlePostKnownTags(r *httpRequestHandler) {
 }
 
 func HandleGetKnownTags(h *httpRequestHandler) {
-	if !h.accessInfo.isAdmin() {
+	if !h.accessInfo.bitAdmin {
 		err := httpErr(http.StatusNotFound, fmt.Errorf("config is not found"))
 		respondJSON(h, nil, 0, 0, err)
 		return
@@ -1621,7 +1621,7 @@ func (h *Handler) handleGetNamespaceList(ai accessInfo, showInvisible bool) (*Ge
 }
 
 func (h *Handler) handlePostNamespace(ctx context.Context, ai accessInfo, namespace format.NamespaceMeta, create bool) (*NamespaceInfo, error) {
-	if !ai.isAdmin() {
+	if !ai.bitAdmin {
 		return nil, httpErr(http.StatusNotFound, fmt.Errorf("namespace %s not found", namespace.Name))
 	}
 	if !create {
@@ -1656,7 +1656,7 @@ func (h *Handler) handlePostNamespace(ctx context.Context, ai accessInfo, namesp
 }
 
 func (h *Handler) handlePostGroup(ctx context.Context, ai accessInfo, group format.MetricsGroup, create bool) (*MetricsGroupInfo, error) {
-	if !ai.isAdmin() {
+	if !ai.bitAdmin {
 		return nil, httpErr(http.StatusNotFound, fmt.Errorf("group %s not found", group.Name))
 	}
 	if !create {
@@ -2177,15 +2177,19 @@ func HandleFrontendStat(r *httpRequestHandler) {
 func (h *requestHandler) queryBadges(ctx context.Context, req seriesRequest, meta *format.MetricMetaValue) (res seriesResponse, cleanup func()) {
 	timeNow := time.Now()
 	badges := requestHandler{
-		Handler:    h.Handler,
-		accessInfo: accessInfo{insecureMode: true},
+		Handler: h.Handler,
+		accessInfo: accessInfo{
+			user:          h.accessInfo.user,
+			service:       h.accessInfo.service,
+			bitViewMetric: map[string]bool{format.BuiltinMetricMetaBadges.Name: true},
+		},
 		endpointStat: endpointStat{
 			timestamp:  timeNow,
 			endpoint:   h.endpointStat.endpoint,
 			protocol:   h.endpointStat.protocol,
 			method:     h.endpointStat.method,
 			dataFormat: h.endpointStat.dataFormat,
-			metric:     "-35", // format.BuiltinMetricIDBadges
+			metric:     "-35", // strconv.Itoa(format.BuiltinMetricIDBadges)
 			tokenName:  h.endpointStat.tokenName,
 			user:       h.endpointStat.user,
 			priority:   h.endpointStat.priority,
@@ -3267,7 +3271,7 @@ func (r *DashboardTimeShifts) UnmarshalJSON(bs []byte) error {
 }
 
 func (r *seriesRequest) validate(h *requestHandler) error {
-	if r.avoidCache && !h.accessInfo.isAdmin() {
+	if r.avoidCache && !h.accessInfo.bitAdmin {
 		return httpErr(404, fmt.Errorf(""))
 	}
 	if r.step == _1M {
@@ -3322,14 +3326,14 @@ func HandleProfTrace(h *httpRequestHandler) {
 }
 
 func pprofAccessAllowed(h *httpRequestHandler) bool {
-	if ok := h.accessInfo.insecureMode || h.accessInfo.bitAdmin; !ok {
+	if !h.accessInfo.bitAdmin {
 		h.Response().WriteHeader(http.StatusForbidden)
 		return false
 	}
 	return true
 }
 
-func defaultAccessInfo(h *requestHandler) (accessInfo, bool) {
+func healthcheckAccessInfo(h *requestHandler) (accessInfo, bool) {
 	switch h.endpointStat.endpoint {
 	// healthcheck endpoint is used by nginx checks directly without token
 	case EndpointHealthcheck:
@@ -3356,7 +3360,7 @@ func (h *requestHandler) init(accessToken, version string) (err error) {
 		return fmt.Errorf("invalid version: %q", version)
 	}
 	if h.accessInfo, err = parseAccessToken(h.jwtHelper, accessToken, h.protectedMetricPrefixes, h.LocalMode, h.insecureMode); err != nil {
-		if ai, ok := defaultAccessInfo(h); !ok {
+		if ai, ok := healthcheckAccessInfo(h); !ok {
 			return err
 		} else {
 			h.accessInfo = ai

internal/api/http_router.go

@@ -162,7 +162,7 @@ func (r *httpRoute) handle(w http.ResponseWriter, req *http.Request) {
 
 func DumpInternalServerErrors(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
@@ -187,7 +187,7 @@ func DumpInternalServerErrors(r *httpRequestHandler) {
 
 func DumpQueryTopMemUsage(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
@@ -220,7 +220,7 @@ func DumpQueryTopMemUsage(r *httpRequestHandler) {
 
 func DumpQueryTopDuration(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}

internal/api/tscache2_debug.go

@@ -17,7 +17,7 @@ type cache2DebugLogMessage struct {
 
 func DebugCacheLog(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
@@ -46,7 +46,7 @@ func DebugCacheLog(r *httpRequestHandler) {
 
 func DebugCacheReset(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
@@ -57,7 +57,7 @@ func DebugCacheReset(r *httpRequestHandler) {
 
 func DebugCacheInfo(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
@@ -110,7 +110,7 @@ func DebugCacheInfo(r *httpRequestHandler) {
 
 func DebugCacheCreateMetrics(r *httpRequestHandler) {
 	w := r.Response()
-	if ok := r.accessInfo.insecureMode || r.accessInfo.bitAdmin; !ok {
+	if !r.accessInfo.bitAdmin {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
@@ -242,7 +242,7 @@ func debugCacheCreateMetric(r *httpRequestHandler, metric format.MetricMetaValue
 		metric.MetricID = v.MetricID
 		metric.Version = v.Version
 	}
-	if _, err := r.handlePostMetric(context.Background(), accessInfo{insecureMode: true}, "", metric); err != nil {
+	if _, err := r.handlePostMetric(context.Background(), r.accessInfo, "", metric); err != nil {
 		w.Write([]byte(err.Error()))
 	} else {
 		w.Write([]byte("OK"))