Add authn for graphql and http admin endpoints

dgraph/cmd/alpha/admin.go

@@ -17,76 +17,98 @@
 package alpha
 
 import (
-	"bytes"
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"strconv"
 
+	"github.com/dgraph-io/dgraph/edgraph"
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/worker"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/golang/glog"
 )
 
-// handlerInit does some standard checks. Returns false if something is wrong.
-func handlerInit(w http.ResponseWriter, r *http.Request, allowedMethods map[string]bool) bool {
-	if _, ok := allowedMethods[r.Method]; !ok {
-		x.SetStatus(w, x.ErrorInvalidMethod, "Invalid method")
-		return false
-	}
+// adminAuthOptions are used by adminAuthHandler
+type adminAuthOptions struct {
+	allowedMethods     map[string]bool
+	skipIpWhitelisting bool
+	skipPoormansAuth   bool
+	skipGuardianAuth   bool
+}
 
-	ip, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil || (!ipInIPWhitelistRanges(ip) && !net.ParseIP(ip).IsLoopback()) {
-		x.SetStatus(w, x.ErrorUnauthorized, fmt.Sprintf("Request from IP: %v", ip))
+// hasPoormansAuth check if poorman's auth is required and if so whether the given http request has
+// poorman's auth in it or not
+func hasPoormansAuth(r *http.Request) bool {
+	if worker.Config.AuthToken != "" && worker.Config.AuthToken != r.Header.Get(
+		"X-Dgraph-AuthToken") {
 		return false
 	}
 	return true
 }
 
-func drainingHandler(w http.ResponseWriter, r *http.Request) {
-	switch r.Method {
-	case http.MethodPut, http.MethodPost:
-		enableStr := r.URL.Query().Get("enable")
+// adminAuthHandler does some standard checks for admin endpoints.
+// It returns if something is wrong. Otherwise, it lets the given handler serve the request.
+func adminAuthHandler(handler http.Handler, options adminAuthOptions) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if _, ok := options.allowedMethods[r.Method]; !ok {
+			x.SetStatus(w, x.ErrorInvalidMethod, "Invalid method")
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
 
-		enable, err := strconv.ParseBool(enableStr)
-		if err != nil {
-			x.SetStatus(w, x.ErrorInvalidRequest,
-				"Found invalid value for the enable parameter")
+		if !options.skipIpWhitelisting {
+			ip, _, err := net.SplitHostPort(r.RemoteAddr)
+			if err != nil || !x.IsIpWhitelisted(ip) {
+				x.SetStatus(w, x.ErrorUnauthorized, fmt.Sprintf("Request from IP: %v", ip))
+				return
+			}
+		}
+
+		if !options.skipPoormansAuth && !hasPoormansAuth(r) {
+			x.SetStatus(w, x.ErrorUnauthorized, "Invalid X-Dgraph-AuthToken")
 			return
 		}
 
-		x.UpdateDrainingMode(enable)
-		_, err = w.Write([]byte(fmt.Sprintf(`{"code": "Success",`+
-			`"message": "draining mode has been set to %v"}`, enable)))
-		if err != nil {
-			glog.Errorf("Failed to write response: %v", err)
+		if !options.skipGuardianAuth {
+			err := edgraph.AuthorizeGuardians(x.AttachAccessJwt(context.Background(), r))
+			if err != nil {
+				x.SetStatus(w, x.ErrorUnauthorized, err.Error())
+				return
+			}
 		}
-	default:
-		w.WriteHeader(http.StatusMethodNotAllowed)
-	}
+
+		handler.ServeHTTP(w, r)
+	})
 }
 
-func shutDownHandler(w http.ResponseWriter, r *http.Request) {
-	if !handlerInit(w, r, map[string]bool{
-		http.MethodGet: true,
-	}) {
+func drainingHandler(w http.ResponseWriter, r *http.Request) {
+	enableStr := r.URL.Query().Get("enable")
+
+	enable, err := strconv.ParseBool(enableStr)
+	if err != nil {
+		x.SetStatus(w, x.ErrorInvalidRequest,
+			"Found invalid value for the enable parameter")
 		return
 	}
 
+	x.UpdateDrainingMode(enable)
+	_, err = w.Write([]byte(fmt.Sprintf(`{"code": "Success",`+
+		`"message": "draining mode has been set to %v"}`, enable)))
+	if err != nil {
+		glog.Errorf("Failed to write response: %v", err)
+	}
+}
+
+func shutDownHandler(w http.ResponseWriter, r *http.Request) {
 	close(worker.ShutdownCh)
 	w.Header().Set("Content-Type", "application/json")
 	x.Check2(w.Write([]byte(`{"code": "Success", "message": "Server is shutting down"}`)))
 }
 
 func exportHandler(w http.ResponseWriter, r *http.Request) {
-	if !handlerInit(w, r, map[string]bool{
-		http.MethodGet: true,
-	}) {
-		return
-	}
 	if err := r.ParseForm(); err != nil {
 		x.SetHttpStatus(w, http.StatusBadRequest, "Parse of export request failed.")
 		return
@@ -119,8 +141,6 @@ func memoryLimitHandler(w http.ResponseWriter, r *http.Request) {
 		memoryLimitGetHandler(w, r)
 	case http.MethodPut:
 		memoryLimitPutHandler(w, r)
-	default:
-		w.WriteHeader(http.StatusMethodNotAllowed)
 	}
 }
 
@@ -153,18 +173,3 @@ func memoryLimitGetHandler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 }
-
-func ipInIPWhitelistRanges(ipString string) bool {
-	ip := net.ParseIP(ipString)
-
-	if ip == nil {
-		return false
-	}
-
-	for _, ipRange := range x.WorkerConfig.WhiteListedIPRanges {
-		if bytes.Compare(ip, ipRange.Lower) >= 0 && bytes.Compare(ip, ipRange.Upper) <= 0 {
-			return true
-		}
-	}
-	return false
-}

dgraph/cmd/alpha/admin_backup.go

@@ -28,17 +28,14 @@ import (
 )
 
 func init() {
-	http.HandleFunc("/admin/backup", backupHandler)
+	http.Handle("/admin/backup", adminAuthHandler(http.HandlerFunc(backupHandler),
+		adminAuthOptions{allowedMethods: map[string]bool{
+			http.MethodPost: true,
+		}}))
 }
 
 // backupHandler handles backup requests coming from the HTTP endpoint.
 func backupHandler(w http.ResponseWriter, r *http.Request) {
-	if !handlerInit(w, r, map[string]bool{
-		http.MethodPost: true,
-	}) {
-		return
-	}
-
 	destination := r.FormValue("destination")
 	accessKey := r.FormValue("access_key")
 	secretKey := r.FormValue("secret_key")

dgraph/cmd/alpha/http.go

@@ -581,6 +581,11 @@ func adminSchemaHandler(w http.ResponseWriter, r *http.Request, adminServer web.
 		return
 	}
 
+	if !hasPoormansAuth(r) {
+		x.SetStatus(w, x.ErrorUnauthorized, "Invalid X-Dgraph-AuthToken")
+		return
+	}
+
 	b := readRequest(w, r)
 	if b == nil {
 		return

dgraph/cmd/alpha/http_test.go

@@ -735,30 +735,21 @@ func TestHealth(t *testing.T) {
 	require.True(t, info[0].Uptime > int64(time.Duration(1)))
 }
 
-func setDrainingMode(t *testing.T, enable bool) {
+func setDrainingMode(t *testing.T, enable bool, accessJwt string) {
 	drainingRequest := `mutation drain($enable: Boolean) {
 		draining(enable: $enable) {
 			response {
 				code
 			}
 		}
 	}`
-	adminUrl := fmt.Sprintf("%s/admin", addr)
-	params := testutil.GraphQLParams{
+	params := &testutil.GraphQLParams{
 		Query:     drainingRequest,
 		Variables: map[string]interface{}{"enable": enable},
 	}
-	b, err := json.Marshal(params)
-	require.NoError(t, err)
-
-	resp, err := http.Post(adminUrl, "application/json", bytes.NewBuffer(b))
-	require.NoError(t, err)
-
-	defer resp.Body.Close()
-	b, err = ioutil.ReadAll(resp.Body)
-	require.NoError(t, err)
-	require.JSONEq(t, `{"data":{"draining":{"response":{"code":"Success"}}}}`,
-		string(b))
+	resp := testutil.MakeGQLRequestWithAccessJwt(t, params, accessJwt)
+	resp.RequireNoGraphQLErrors(t)
+	require.JSONEq(t, `{"draining":{"response":{"code":"Success"}}}`, string(resp.Data))
 }
 
 func TestDrainingMode(t *testing.T) {
@@ -800,10 +791,12 @@ func TestDrainingMode(t *testing.T) {
 
 	}
 
-	setDrainingMode(t, true)
+	grootJwt, _ := testutil.GrootHttpLogin(addr + "/admin")
+
+	setDrainingMode(t, true, grootJwt)
 	runRequests(true)
 
-	setDrainingMode(t, false)
+	setDrainingMode(t, false, grootJwt)
 	runRequests(false)
 }
 

dgraph/cmd/alpha/run.go

@@ -453,10 +453,24 @@ func setupServer(closer *y.Closer) {
 	// TODO: Figure out what this is for?
 	http.HandleFunc("/debug/store", storeStatsHandler)
 
-	http.HandleFunc("/admin/shutdown", shutDownHandler)
-	http.HandleFunc("/admin/draining", drainingHandler)
-	http.HandleFunc("/admin/export", exportHandler)
-	http.HandleFunc("/admin/config/lru_mb", memoryLimitHandler)
+	http.Handle("/admin/shutdown", adminAuthHandler(http.HandlerFunc(shutDownHandler),
+		adminAuthOptions{allowedMethods: map[string]bool{
+			http.MethodGet: true,
+		}}))
+	http.Handle("/admin/draining", adminAuthHandler(http.HandlerFunc(drainingHandler),
+		adminAuthOptions{allowedMethods: map[string]bool{
+			http.MethodPut:  true,
+			http.MethodPost: true,
+		}}))
+	http.Handle("/admin/export", adminAuthHandler(http.HandlerFunc(exportHandler),
+		adminAuthOptions{allowedMethods: map[string]bool{
+			http.MethodGet: true,
+		}}))
+	http.Handle("/admin/config/lru_mb", adminAuthHandler(http.HandlerFunc(memoryLimitHandler),
+		adminAuthOptions{allowedMethods: map[string]bool{
+			http.MethodGet: true,
+			http.MethodPut: true,
+		}}))
 
 	introspection := Alpha.Conf.GetBool("graphql_introspection")
 
@@ -476,20 +490,16 @@ func setupServer(closer *y.Closer) {
 	globalEpoch := uint64(0)
 	mainServer, adminServer := admin.NewServers(introspection, &globalEpoch, closer)
 	http.Handle("/graphql", mainServer.HTTPHandler())
-
-	whitelist := func(h http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if !handlerInit(w, r, map[string]bool{
-				http.MethodPost:    true,
+	http.Handle("/admin", adminAuthHandler(adminServer.HTTPHandler(),
+		adminAuthOptions{
+			allowedMethods: map[string]bool{
 				http.MethodGet:     true,
+				http.MethodPost:    true,
 				http.MethodOptions: true,
-			}) {
-				return
-			}
-			h.ServeHTTP(w, r)
-		})
-	}
-	http.Handle("/admin", whitelist(adminServer.HTTPHandler()))
+			},
+			skipIpWhitelisting: true,
+			skipGuardianAuth:   true,
+		}))
 	http.HandleFunc("/admin/schema", func(w http.ResponseWriter, r *http.Request) {
 		adminSchemaHandler(w, r, adminServer)
 	})

edgraph/access.go

@@ -65,7 +65,7 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 	return nil
 }
 
-func authorizeGuardians(ctx context.Context) error {
+func AuthorizeGuardians(ctx context.Context) error {
 	// always allow access
 	return nil
 }

edgraph/access_ee.go

@@ -794,8 +794,8 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 	return nil
 }
 
-// authorizeGuardians authorizes the operation for users which belong to Guardians group.
-func authorizeGuardians(ctx context.Context) error {
+// AuthorizeGuardians authorizes the operation for users which belong to Guardians group.
+func AuthorizeGuardians(ctx context.Context) error {
 	if len(worker.Config.HmacSecret) == 0 {
 		// the user has not turned on the acl feature
 		return nil

edgraph/server.go

@@ -699,7 +699,7 @@ func (s *Server) Health(ctx context.Context, all bool) (*api.Response, error) {
 
 	var healthAll []pb.HealthInfo
 	if all {
-		if err := authorizeGuardians(ctx); err != nil {
+		if err := AuthorizeGuardians(ctx); err != nil {
 			return nil, err
 		}
 		pool := conn.GetPools().GetAll()
@@ -738,7 +738,7 @@ func (s *Server) State(ctx context.Context) (*api.Response, error) {
 		return nil, ctx.Err()
 	}
 
-	if err := authorizeGuardians(ctx); err != nil {
+	if err := AuthorizeGuardians(ctx); err != nil {
 		return nil, err
 	}