diff --git a/.goreleaser.yaml b/.goreleaser.yaml index a17ce5c..19d29cf 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -101,5 +101,6 @@ release: draft: false footer: | Supports job archive version 1 and database version 6. + Please check out the [Release Notes](https://github.com/ClusterCockpit/cc-backend/blob/master/ReleaseNotes.md) for further details on breaking changes. # vim: set ts=2 sw=2 tw=0 fo=cnqoj diff --git a/Makefile b/Makefile index 3d44172..374d936 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ TARGET = ./cc-backend VAR = ./var CFG = config.json .env FRONTEND = ./web/frontend -VERSION = 1.2.0 +VERSION = 1.2.1 GIT_HASH := $(shell git rev-parse --short HEAD || echo 'development') CURRENT_TIME = $(shell date +"%Y-%m-%d:T%H:%M:%S") LD_FLAGS = '-s -X main.date=${CURRENT_TIME} -X main.version=${VERSION} -X main.commit=${GIT_HASH}' diff --git a/ReleaseNotes.md b/ReleaseNotes.md index c10ecd5..f655b13 100644 --- a/ReleaseNotes.md +++ b/ReleaseNotes.md @@ -1,4 +1,4 @@ -# `cc-backend` version 1.2.0 +# `cc-backend` version 1.2.1 Supports job archive version 1 and database version 6. @@ -25,6 +25,10 @@ is not the number of cores the core hours will be too high by a factor! validity. Some key names have changed, please refer to [config documentation](./configs/README.md) for details. +* The following API endpoints are only accessible from IPs registered using the apiAllowedIPs configuration option: + - `/users/` [GET, POST, DELETE] + - `/user/{id}` [POST] + ** NOTE ** If you are using the sqlite3 backend the `PRAGMA` option `foreign_keys` must be explicitly set to ON. If using the sqlite3 console it is per default set to diff --git a/api/swagger.json b/api/swagger.json index dfc2f75..6c3bc5c 100644 --- a/api/swagger.json +++ b/api/swagger.json @@ -29,7 +29,7 @@ "application/json" ], "tags": [ - "query" + "Job query" ], "summary": "Lists all jobs", "parameters": [ 
@@ -127,7 +127,7 @@ "application/json" ], "tags": [ - "remove" + "Job remove" ], "summary": "Remove a job from the sql database", "parameters": [ @@ -199,7 +199,7 @@ "application/json" ], "tags": [ - "remove" + "Job remove" ], "summary": "Remove a job from the sql database", "parameters": [ @@ -269,7 +269,7 @@ "application/json" ], "tags": [ - "remove" + "Job remove" ], "summary": "Remove a job from the sql database", "parameters": [ @@ -342,7 +342,7 @@ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Adds a new job as \"running\"", "parameters": [ @@ -408,7 +408,7 @@ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Marks job as completed and triggers archiving", "parameters": [ @@ -483,7 +483,7 @@ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Marks job as completed and triggers archiving", "parameters": [ @@ -565,7 +565,7 @@ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Adds one or more tags to a job", "parameters": [ @@ -638,7 +638,7 @@ "application/json" ], "tags": [ - "query" + "Job query" ], "summary": "Get complete job meta and metric data", "parameters": [ @@ -715,7 +715,7 @@ "ApiKeyAuth": [] } ], - "description": "Modifies user defined by username (id) in one of four possible ways.\nIf more than one formValue is set then only the highest priority field is used.", + "description": "Modifies user defined by username (id) in one of four possible ways.\nIf more than one formValue is set then only the highest priority field is used.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "consumes": [ "multipart/form-data" ], @@ -723,7 +723,7 @@ "text/plain" ], "tags": [ - "add and modify" + "User" ], "summary": "Updates an existing user", "parameters": [ 
@@ -820,12 +820,12 @@ "ApiKeyAuth": [] } ], - "description": "Returns a JSON-encoded list of users.\nRequired query-parameter defines if all users or only users with additional special roles are returned.", + "description": "Returns a JSON-encoded list of users.\nRequired query-parameter defines if all users or only users with additional special roles are returned.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "produces": [ "application/json" ], "tags": [ - "query" + "User" ], "summary": "Returns a list of users", "parameters": [ @@ -879,7 +879,7 @@ "ApiKeyAuth": [] } ], - "description": "User specified in form data will be saved to database.", + "description": "User specified in form data will be saved to database.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "consumes": [ "multipart/form-data" ], @@ -887,7 +887,7 @@ "text/plain" ], "tags": [ - "add and modify" + "User" ], "summary": "Adds a new user", "parameters": [ @@ -983,7 +983,7 @@ "ApiKeyAuth": [] } ], - "description": "User defined by username in form data will be deleted from database.", + "description": "User defined by username in form data will be deleted from database.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "consumes": [ "multipart/form-data" ], @@ -991,7 +991,7 @@ "text/plain" ], "tags": [ - "remove" + "User" ], "summary": "Deletes a user", "parameters": [ @@ -1757,10 +1757,5 @@ "name": "X-Auth-Token", "in": "header" } - }, - "tags": [ - { - "name": "Job API" - } - ] + } } \ No newline at end of file diff --git a/api/swagger.yaml b/api/swagger.yaml index 2ba47a0..cf3b3e3 100644 --- a/api/swagger.yaml +++ b/api/swagger.yaml @@ -607,7 +607,7 @@ paths: - ApiKeyAuth: [] summary: Lists all jobs tags: - - query + - Job query /jobs/{id}: post: consumes: 
@@ -665,7 +665,7 @@ paths: - ApiKeyAuth: [] summary: Get complete job meta and metric data tags: - - query + - Job query /jobs/delete_job/: delete: consumes: @@ -715,7 +715,7 @@ paths: - ApiKeyAuth: [] summary: Remove a job from the sql database tags: - - remove + - Job remove /jobs/delete_job/{id}: delete: description: Job to remove is specified by database ID. This will not remove @@ -762,7 +762,7 @@ paths: - ApiKeyAuth: [] summary: Remove a job from the sql database tags: - - remove + - Job remove /jobs/delete_job_before/{ts}: delete: description: Remove all jobs with start time before timestamp. The jobs will @@ -809,7 +809,7 @@ paths: - ApiKeyAuth: [] summary: Remove a job from the sql database tags: - - remove + - Job remove /jobs/start_job/: post: consumes: @@ -856,7 +856,7 @@ paths: - ApiKeyAuth: [] summary: Adds a new job as "running" tags: - - add and modify + - Job add and modify /jobs/stop_job/: post: description: |- @@ -905,7 +905,7 @@ paths: - ApiKeyAuth: [] summary: Marks job as completed and triggers archiving tags: - - add and modify + - Job add and modify /jobs/stop_job/{id}: post: consumes: @@ -961,7 +961,7 @@ paths: - ApiKeyAuth: [] summary: Marks job as completed and triggers archiving tags: - - add and modify + - Job add and modify /jobs/tag_job/{id}: post: consumes: @@ -1010,7 +1010,7 @@ paths: - ApiKeyAuth: [] summary: Adds one or more tags to a job tags: - - add and modify + - Job add and modify /user/{id}: post: consumes: @@ -1018,6 +1018,7 @@ paths: description: |- Modifies user defined by username (id) in one of four possible ways. If more than one formValue is set then only the highest priority field is used. + Only accessible from IPs registered with apiAllowedIPs configuration option. parameters: - description: Database ID of User in: path 
@@ -1083,12 +1084,14 @@ paths: - ApiKeyAuth: [] summary: Updates an existing user tags: - - add and modify + - User /users/: delete: consumes: - multipart/form-data - description: User defined by username in form data will be deleted from database. + description: |- + User defined by username in form data will be deleted from database. + Only accessible from IPs registered with apiAllowedIPs configuration option. parameters: - description: User ID to delete in: formData @@ -1124,11 +1127,12 @@ paths: - ApiKeyAuth: [] summary: Deletes a user tags: - - remove + - User get: description: |- Returns a JSON-encoded list of users. Required query-parameter defines if all users or only users with additional special roles are returned. + Only accessible from IPs registered with apiAllowedIPs configuration option. parameters: - description: If returned list should contain all users or only users with additional special roles @@ -1165,11 +1169,13 @@ paths: - ApiKeyAuth: [] summary: Returns a list of users tags: - - query + - User post: consumes: - multipart/form-data - description: User specified in form data will be saved to database. + description: |- + User specified in form data will be saved to database. + Only accessible from IPs registered with apiAllowedIPs configuration option. parameters: - description: Unique user ID in: formData @@ -1235,12 +1241,10 @@ paths: - ApiKeyAuth: [] summary: Adds a new user tags: - - add and modify + - User securityDefinitions: ApiKeyAuth: in: header name: X-Auth-Token type: apiKey swagger: "2.0" -tags: -- name: Job API diff --git a/configs/README.md b/configs/README.md index 76029d1..1ee8cb8 100644 --- a/configs/README.md +++ b/configs/README.md 
@@ -9,6 +9,7 @@ It is supported to set these by means of a `.env` file in the project root. ## Configuration Options * `addr`: Type string. Address where the http (or https) server will listen on (for example: 'localhost:80'). Default `:8080`. +* `apiAllowedIPs`: Type string array. Addresses from which the secured API endpoints (/users and other auth related endpoints) can be reached * `user`: Type string. Drop root permissions once .env was read and the port was taken. Only applicable if using privileged port. * `group`: Type string. Drop root permissions once .env was read and the port was taken. Only applicable if using privileged port. * `disable-authentication`: Type bool. Disable authentication (for everything: API, Web-UI, ...). Default `false`. diff --git a/configs/config-demo.json b/configs/config-demo.json index 578aa37..8423758 100644 --- a/configs/config-demo.json +++ b/configs/config-demo.json @@ -5,7 +5,7 @@ "path": "./var/job-archive" }, "jwts": { - "max-age": "2m" + "max-age": "2000h" }, "clusters": [ { diff --git a/configs/config.json b/configs/config.json index fbc3343..d5b8ada 100644 --- a/configs/config.json +++ b/configs/config.json @@ -43,7 +43,7 @@ "jwts": { "cookieName": "", "validateUser": false, - "max-age": "2m", + "max-age": "2000h", "trustedIssuer": "" }, "short-running-jobs-duration": 300 diff --git a/internal/api/docs.go b/internal/api/docs.go index f3bcf5e..bf70cdb 100644 --- a/internal/api/docs.go +++ b/internal/api/docs.go @@ -1,4 +1,5 @@ -// Code generated by swaggo/swag. DO NOT EDIT +// Code generated by swaggo/swag. DO NOT EDIT. + package api import "github.com/swaggo/swag" @@ -35,7 +36,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "query" + "Job query" ], "summary": "Lists all jobs", "parameters": [ @@ -133,7 +134,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "remove" + "Job remove" ], "summary": "Remove a job from the sql database", "parameters": [ 
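Review bot: The `config.json` hunk (and the matching `config-demo.json` hunk above it) raises `jwts.max-age` from `2m` to `2000h`, so every JWT issued with the sample configuration stays valid for roughly 83 days, and nothing in this diff adds a revocation path for a leaked token. If the long lifetime is intended for machine clients that cannot re-authenticate, the release notes and `configs/README.md` should say so and recommend a shorter value for interactive use; a sample config is usually copied verbatim into deployments. A one-line comment is not possible in JSON, so the `max-age` entry in `configs/README.md` is the place to state the trade-off.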
@@ -205,7 +206,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "remove" + "Job remove" ], "summary": "Remove a job from the sql database", "parameters": [ @@ -275,7 +276,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "remove" + "Job remove" ], "summary": "Remove a job from the sql database", "parameters": [ @@ -348,7 +349,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Adds a new job as \"running\"", "parameters": [ @@ -414,7 +415,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Marks job as completed and triggers archiving", "parameters": [ @@ -489,7 +490,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Marks job as completed and triggers archiving", "parameters": [ @@ -571,7 +572,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "add and modify" + "Job add and modify" ], "summary": "Adds one or more tags to a job", "parameters": [ @@ -644,7 +645,7 @@ const docTemplate = `{ "application/json" ], "tags": [ - "query" + "Job query" ], "summary": "Get complete job meta and metric data", "parameters": [ @@ -721,7 +722,7 @@ const docTemplate = `{ "ApiKeyAuth": [] } ], - "description": "Modifies user defined by username (id) in one of four possible ways.\nIf more than one formValue is set then only the highest priority field is used.", + "description": "Modifies user defined by username (id) in one of four possible ways.\nIf more than one formValue is set then only the highest priority field is used.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "consumes": [ "multipart/form-data" ], @@ -729,7 +730,7 @@ const docTemplate = `{ "text/plain" ], "tags": [ - "add and modify" + "User" ], "summary": "Updates an existing user", "parameters": [ 
@@ -826,12 +827,12 @@ const docTemplate = `{ "ApiKeyAuth": [] } ], - "description": "Returns a JSON-encoded list of users.\nRequired query-parameter defines if all users or only users with additional special roles are returned.", + "description": "Returns a JSON-encoded list of users.\nRequired query-parameter defines if all users or only users with additional special roles are returned.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "produces": [ "application/json" ], "tags": [ - "query" + "User" ], "summary": "Returns a list of users", "parameters": [ @@ -885,7 +886,7 @@ const docTemplate = `{ "ApiKeyAuth": [] } ], - "description": "User specified in form data will be saved to database.", + "description": "User specified in form data will be saved to database.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "consumes": [ "multipart/form-data" ], @@ -893,7 +894,7 @@ const docTemplate = `{ "text/plain" ], "tags": [ - "add and modify" + "User" ], "summary": "Adds a new user", "parameters": [ @@ -989,7 +990,7 @@ const docTemplate = `{ "ApiKeyAuth": [] } ], - "description": "User defined by username in form data will be deleted from database.", + "description": "User defined by username in form data will be deleted from database.\nOnly accessible from IPs registered with apiAllowedIPs configuration option.", "consumes": [ "multipart/form-data" ], @@ -997,7 +998,7 @@ const docTemplate = `{ "text/plain" ], "tags": [ - "remove" + "User" ], "summary": "Deletes a user", "parameters": [ @@ -1763,12 +1764,7 @@ const docTemplate = `{ "name": "X-Auth-Token", "in": "header" } - }, - "tags": [ - { - "name": "Job API" - } - ] + } }` // SwaggerInfo holds exported Swagger Info so clients can modify it @@ -1781,6 +1777,8 @@ var SwaggerInfo = &swag.Spec{ Description: "API for batch job control.", InfoInstanceName: "swagger", SwaggerTemplate: docTemplate, + LeftDelim: "{{", + RightDelim: "}}", } func init() { 
diff --git a/internal/api/rest.go b/internal/api/rest.go index 0d4ddb4..11682ee 100644 --- a/internal/api/rest.go +++ b/internal/api/rest.go @@ -37,8 +37,6 @@ import ( // @version 1.0.0 // @description API for batch job control. -// @tag.name Job API - // @contact.name ClusterCockpit Project // @contact.url https://github.com/ClusterCockpit // @contact.email support@clustercockpit.org @@ -212,6 +210,10 @@ func securedCheck(r *http.Request) error { IPAddress = r.RemoteAddr } + if strings.Contains(IPAddress, ":") { + IPAddress = strings.Split(IPAddress, ":")[0] + } + // check if IP is allowed if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) { return fmt.Errorf("unknown ip: %v", IPAddress) @@ -223,7 +225,7 @@ func securedCheck(r *http.Request) error { // getJobs godoc // @summary Lists all jobs -// @tags query +// @tags Job query // @description Get a list of all jobs. Filters can be applied using query parameters. // @description Number of results can be limited by page. Results are sorted by descending startTime. // @produce json @@ -369,7 +371,7 @@ func (api *RestApi) getJobs(rw http.ResponseWriter, r *http.Request) { // getJobById godoc // @summary Get complete job meta and metric data -// @tags query +// @tags Job query // @description Job to get is specified by database ID // @description Returns full job resource information according to 'JobMeta' scheme and all metrics according to 'JobData'. // @accept json @@ -464,7 +466,7 @@ func (api *RestApi) getJobById(rw http.ResponseWriter, r *http.Request) { // tagJob godoc // @summary Adds one or more tags to a job -// @tags add and modify +// @tags Job add and modify // @description Adds tag(s) to a job specified by DB ID. Name and Type of Tag(s) can be chosen freely. // @description If tagged job is already finished: Tag will be written directly to respective archive files. // @accept json 
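Review bot: The added `strings.Split(IPAddress, ":")[0]` in the `securedCheck` hunk mishandles IPv6: `r.RemoteAddr` for an IPv6 peer is `[::1]:54321`, so the lookup key becomes `[` (or an empty string for a bare `::1`), and the `util.Contains` check on the next line always fails with `unknown ip`, which also means an `apiAllowedIPs` entry such as `::1` can never match. Use `net.SplitHostPort` to strip the port and brackets and `net.ParseIP(...).String()` to canonicalise the literal before comparing; `net` would have to be added to the import block, which is outside this hunk. The branch that assigns `IPAddress` before the `r.RemoteAddr` fallback is also outside the hunk; if it reads a client-supplied header such as `X-Forwarded-For`, any caller can spoof its way past the allow-list unless that header is only honoured behind a trusted reverse proxy, which is worth confirming. `util.Contains` appears to be a plain string comparison, so the field comment on `ApiAllowedIPs` should state that entries are bare IP literals (no port, no CIDR). `securedCheck` starts and ends outside the hunk.
```go
	// … unchanged: IPAddress selection, r.RemoteAddr fallback …
	if host, _, err := net.SplitHostPort(IPAddress); err == nil {
		IPAddress = host // drops ":port" and the [] around an IPv6 literal
	}
	if ip := net.ParseIP(IPAddress); ip != nil {
		IPAddress = ip.String() // canonical form so "::1" and "0:0:0:0:0:0:0:1" compare equal
	}
	// … unchanged: allow-list check against config.Keys.ApiAllowedIPs …
```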
@@ -531,7 +533,7 @@ func (api *RestApi) tagJob(rw http.ResponseWriter, r *http.Request) {
// startJob godoc
// @summary Adds a new job as "running"
-// @tags add and modify
+// @tags Job add and modify
// @description Job specified in request body will be saved to database as "running" with new DB ID.
// @description Job specifications follow the 'JobMeta' scheme, API will fail to execute if requirements are not met.
// @accept json
@@ -612,7 +614,7 @@ func (api *RestApi) startJob(rw http.ResponseWriter, r *http.Request) {
// stopJobById godoc
// @summary Marks job as completed and triggers archiving
-// @tags add and modify
+// @tags Job add and modify
// @description Job to stop is specified by database ID. Only stopTime and final state are required in request body.
// @description Returns full job resource information according to 'JobMeta' scheme.
// @accept json
@@ -669,7 +671,7 @@ func (api *RestApi) stopJobById(rw http.ResponseWriter, r *http.Request) {
// stopJobByRequest godoc
// @summary Marks job as completed and triggers archiving
-// @tags add and modify
+// @tags Job add and modify
// @description Job to stop is specified by request body. All fields are required in this case.
// @description Returns full job resource information according to 'JobMeta' scheme.
// @produce json
@@ -718,7 +720,7 @@ func (api *RestApi) stopJobByRequest(rw http.ResponseWriter, r *http.Request) {
// deleteJobById godoc
// @summary Remove a job from the sql database
-// @tags remove
+// @tags Job remove
// @description Job to remove is specified by database ID. This will not remove the job from the job archive.
// @produce json
// @param id path int true "Database ID of Job"
@@ -765,7 +767,7 @@ func (api *RestApi) deleteJobById(rw http.ResponseWriter, r *http.Request) {
// deleteJobByRequest godoc
// @summary Remove a job from the sql database
-// @tags remove
+// @tags Job remove
// @description Job to delete is specified by request body. All fields are required in this case.
// @accept json
// @produce json
@@ -823,7 +825,7 @@ func (api *RestApi) deleteJobByRequest(rw http.ResponseWriter, r *http.Request)
// deleteJobBefore godoc
// @summary Remove a job from the sql database
-// @tags remove
+// @tags Job remove
// @description Remove all jobs with start time before timestamp. The jobs will not be removed from the job archive.
// @produce json
// @param ts path int true "Unix epoch timestamp"
@@ -955,8 +957,9 @@ func (api *RestApi) getJobMetrics(rw http.ResponseWriter, r *http.Request) {
// createUser godoc
// @summary Adds a new user
-// @tags add and modify
+// @tags User
// @description User specified in form data will be saved to database.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
// @accept mpfd
// @produce plain
// @param username formData string true "Unique user ID"
@@ -1022,8 +1025,9 @@ func (api *RestApi) createUser(rw http.ResponseWriter, r *http.Request) {
// deleteUser godoc
// @summary Deletes a user
-// @tags remove
+// @tags User
// @description User defined by username in form data will be deleted from database.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
// @accept mpfd
// @produce plain
// @param username formData string true "User ID to delete"
@@ -1058,9 +1062,10 @@ func (api *RestApi) deleteUser(rw http.ResponseWriter, r *http.Request) {
// getUsers godoc
// @summary Returns a list of users
-// @tags query
+// @tags User
// @description Returns a JSON-encoded list of users.
// @description Required query-parameter defines if all users or only users with additional special roles are returned.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
// @produce json
// @param not-just-user query bool true "If returned list should contain all users or only users with additional special roles"
// @success 200 {array} api.ApiReturnedUser "List of users returned successfully"
@@ -1093,9 +1098,10 @@ func (api *RestApi) getUsers(rw http.ResponseWriter, r *http.Request) {
// updateUser godoc
// @summary Updates an existing user
-// @tags add and modify
+// @tags User
// @description Modifies user defined by username (id) in one of four possible ways.
// @description If more than one formValue is set then only the highest priority field is used.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
// @accept mpfd
// @produce plain
// @param id path string true "Database ID of User"
diff --git a/pkg/schema/config.go b/pkg/schema/config.go
index 50260ca..5f43fb7 100644
--- a/pkg/schema/config.go
+++ b/pkg/schema/config.go
@@ -15,7 +15,7 @@ type LdapConfig struct {
SearchDN string `json:"search_dn"`
UserBind string `json:"user_bind"`
UserFilter string `json:"user_filter"`
- UserAttr string `json:"username_attr"`
+ UserAttr string `json:"username_attr"`
SyncInterval string `json:"sync_interval"` // Parsed using time.ParseDuration.
SyncDelOldUsers bool `json:"sync_del_old_users"`
@@ -76,7 +76,7 @@ type ProgramConfig struct {
// Address where the http (or https) server will listen on (for example: 'localhost:80').
Addr string `json:"addr"`
- // Addresses from which the /api/secured/* API endpoints can be reached
+ // Addresses from which secured API endpoints can be reached
ApiAllowedIPs []string `json:"apiAllowedIPs"`
// Drop root permissions once .env was read and the port was taken.