diff --git a/configs/README.md b/configs/README.md
index 76029d1..1ee8cb8 100644
--- a/configs/README.md
+++ b/configs/README.md
@@ -9,6 +9,7 @@ It is supported to set these by means of a `.env` file in the project root.
 ## Configuration Options
 * `addr`: Type string. Address where the http (or https) server will listen on (for example: 'localhost:80'). Default `:8080`.
+* `apiAllowedIPs`: Type string array. Addresses from which the secured API endpoints (/users and other auth related endpoints) can be reached
 * `user`: Type string. Drop root permissions once .env was read and the port was taken. Only applicable if using privileged port.
 * `group`: Type string. Drop root permissions once .env was read and the port was taken. Only applicable if using privileged port.
 * `disable-authentication`: Type bool. Disable authentication (for everything: API, Web-UI, ...). Default `false`.
diff --git a/internal/api/rest.go b/internal/api/rest.go
index 0d4ddb4..a6e33fc 100644
--- a/internal/api/rest.go
+++ b/internal/api/rest.go
@@ -957,6 +957,7 @@ func (api *RestApi) getJobMetrics(rw http.ResponseWriter, r *http.Request) {
 // @summary Adds a new user
 // @tags add and modify
 // @description User specified in form data will be saved to database.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
 // @accept mpfd
 // @produce plain
 // @param username formData string true "Unique user ID"
@@ -1024,6 +1025,7 @@ func (api *RestApi) createUser(rw http.ResponseWriter, r *http.Request) {
 // @summary Deletes a user
 // @tags remove
 // @description User defined by username in form data will be deleted from database.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
 // @accept mpfd
 // @produce plain
 // @param username formData string true "User ID to delete"
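Review bot: The `@description` line added above the "Adds a new user" handler (and the identical line added in the -1024, -1061 and -1096 hunks above the delete, list and modify handlers) documents an IP restriction that nothing in these hunks shows being enforced; the handlers and their route registration lie outside the hunks, so confirm each of the four routes is actually behind the apiAllowedIPs check before the generated API docs promise it. The description also leaves the denial behaviour unstated: add a `// @failure` line giving the status code a client outside apiAllowedIPs receives, so the docs match what the middleware returns. If the server can run behind a reverse proxy, say in the same line which address is compared (the TCP peer or a trusted forwarded header), since an allowlist checked against the wrong one is either ineffective or locks every legitimate client out.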
@@ -1061,6 +1063,7 @@ func (api *RestApi) deleteUser(rw http.ResponseWriter, r *http.Request) {
 // @tags query
 // @description Returns a JSON-encoded list of users.
 // @description Required query-parameter defines if all users or only users with additional special roles are returned.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
 // @produce json
 // @param not-just-user query bool true "If returned list should contain all users or only users with additional special roles"
 // @success 200 {array} api.ApiReturnedUser "List of users returned successfully"
@@ -1096,6 +1099,7 @@ func (api *RestApi) getUsers(rw http.ResponseWriter, r *http.Request) {
 // @tags add and modify
 // @description Modifies user defined by username (id) in one of four possible ways.
 // @description If more than one formValue is set then only the highest priority field is used.
+// @description Only accessible from IPs registered with apiAllowedIPs configuration option.
 // @accept mpfd
 // @produce plain
 // @param id path string true "Database ID of User"
diff --git a/pkg/schema/config.go b/pkg/schema/config.go
index 50260ca..5f43fb7 100644
--- a/pkg/schema/config.go
+++ b/pkg/schema/config.go
@@ -15,7 +15,7 @@ type LdapConfig struct {
 SearchDN string `json:"search_dn"`
 UserBind string `json:"user_bind"`
 UserFilter string `json:"user_filter"`
-UserAttr string `json:"username_attr"`
+UserAttr string `json:"username_attr"`
 SyncInterval string `json:"sync_interval"` // Parsed using time.ParseDuration.
 SyncDelOldUsers bool `json:"sync_del_old_users"`
@@ -76,7 +76,7 @@ type ProgramConfig struct {
 // Address where the http (or https) server will listen on (for example: 'localhost:80').
 Addr string `json:"addr"`
-// Addresses from which the /api/secured/* API endpoints can be reached
+// Addresses from which secured API endpoints can be reached
 ApiAllowedIPs []string `json:"apiAllowedIPs"`
 // Drop root permissions once .env was read and the port was taken.
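Review bot: The rewritten comment on `ApiAllowedIPs` in the -76 hunk of config.go is less precise than the one it replaces: it drops the `/api/secured/*` path without saying which endpoints are now meant, and it still does not say what an entry of the `[]string` looks like. Since this field is an allowlist compared against client addresses, the comment should state the entry format the parser accepts (a single IP, a CIDR, or both — verify against the code that reads the field, which is not in this diff) and name the endpoints it guards, in line with the README entry added in this same commit (`/users and other auth related endpoints`). Something like `// Addresses (one per entry) from which the secured API endpoints (user management and other auth-related routes) can be reached; see configs/README.md for the accepted entry format.` keeps the struct and the README in step.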