fix: enforce apiAllowedIPs config option

Fixes #385
2025-04-29 22:51:42 +02:00 · 2025-04-28 09:54:22 +02:00 · 2025-04-28 09:54:22 +02:00 · 161f0744aa
commit 161f0744aa
parent 95de9ad3b3
9 changed files with 113 additions and 60 deletions
--- a/ReleaseNotes.md
+++ b/ReleaseNotes.md
@ -6,6 +6,20 @@ This is a bug fix release of `cc-backend`, the API backend and frontend
 implementation of ClusterCockpit.
 For release specific notes visit the [ClusterCockpit Documentation](https://clusterockpit.org/docs/release/).

+## Breaking changes
+
+The option `apiAllowedIPs` is now a required configuration attribute in
+`config.json`. This option restricts access to the admin API.
+
+To retain the previous behavior that the API is per default accessible from
+everywhere set:
+
+```json
+  "apiAllowedIPs": [
+    "*"
+  ]
+```
+
 ## Breaking changes for minor release 1.4.x

 - You need to perform a database migration. Depending on your database size the
--- a/cmd/cc-backend/init.go
+++ b/cmd/cc-backend/init.go
@ -32,6 +32,18 @@ const configString = `
    "jwts": {
        "max-age": "2000h"
    },
+    "apiAllowedIPs": [
+      "*"
+    ],
+    "enable-resampling": {
+      "trigger": 30,
+      "resolutions": [
+        600,
+        300,
+        120,
+        60
+      ]
+    },
    "clusters": [
        {
            "name": "name",
--- a/configs/config-demo.json
+++ b/configs/config-demo.json
@ -17,6 +17,9 @@
      60
    ]
  },
+  "apiAllowedIPs": [
+    "*"
+  ],
  "emission-constant": 317,
  "clusters": [
    {
--- a/configs/config.json
+++ b/configs/config.json
@ -15,7 +15,10 @@
    "kind": "file",
    "path": "./var/job-archive"
  },
-    "validate": true,
+  "validate": false,
+  "apiAllowedIPs": [
+    "*"
+  ],
  "clusters": [
    {
      "name": "test",
@ -46,5 +49,14 @@
    "max-age": "2000h",
    "trustedIssuer": ""
  },
+  "enable-resampling": {
+    "trigger": 30,
+    "resolutions": [
+      600,
+      300,
+      120,
+      60
+    ]
+  },
  "short-running-jobs-duration": 300
 }
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@ -45,6 +45,9 @@ func setup(t *testing.T) *api.RestApi {
    "jwts": {
        "max-age": "2m"
    },
+  "apiAllowedIPs": [
+    "*"
+  ],
 	"clusters": [
 	{
 	   "name": "testcluster",
--- a/internal/importer/importer_test.go
+++ b/internal/importer/importer_test.go
@ -45,6 +45,9 @@ func setup(t *testing.T) *repository.JobRepository {
    "jwts": {
        "max-age": "2m"
    },
+  "apiAllowedIPs": [
+    "*"
+  ],
 	"clusters": [
 	{
 	   "name": "testcluster",
--- a/internal/repository/userConfig_test.go
+++ b/internal/repository/userConfig_test.go
@ -25,6 +25,9 @@ func setupUserTest(t *testing.T) *UserCfgRepo {
    "jwts": {
        "max-age": "2m"
    },
+  "apiAllowedIPs": [
+    "*"
+  ],
 	"clusters": [
 	{
 	   "name": "testcluster",
--- a/pkg/schema/schemas/config.schema.json
+++ b/pkg/schema/schemas/config.schema.json
@ -492,6 +492,7 @@
  },
  "required": [
    "jwts",
-    "clusters"
+    "clusters",
+    "apiAllowedIPs"
  ]
 }
--- a/pkg/schema/validate_test.go
+++ b/pkg/schema/validate_test.go
@ -14,6 +14,9 @@ func TestValidateConfig(t *testing.T) {
    "jwts": {
        "max-age": "2m"
    },
+    "apiAllowedIPs": [
+      "*"
+    ],
    "clusters": [
    {
       "name": "testcluster",
@ -33,7 +36,6 @@ func TestValidateConfig(t *testing.T) {
 }

 func TestValidateJobMeta(t *testing.T) {
-
 }

 func TestValidateCluster(t *testing.T) {