Enforce HTTP method required by most API endpoints

[pracucci]

What this PR does:
We had some API endpoints which allowed any HTTP method, while they were clearly only GET and/or POST. This is particularly insidious if someone misconfigure Prometheus and remote writes to / because that POST requests will succeed while they shouldn't.

In this PR I'm fixing it.

Which issue(s) this PR fixes:
Fixes #3227

Checklist

• Tests updated
• Documentation added
• CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

[pstibrany]

Thanks.

I would suggest that we enforce specifying method by changing RegisterRoute signature to have one required method and fixing remaining places.

func (a *API) RegisterRoute(path string, handler http.Handler, auth bool, method string, methods ...string) {

I think the same should be done in RegisterRoutesWithPrefix (used by alertmanager only), but that requires bit more research about which methods are required there. It's not currently clear, as AlertManager acts as a mux itself.

Approving so you can decide the best course of action.

[pstibrany]

/cc @jtlisi

[pracucci]

I would suggest that we enforce specifying method by changing RegisterRoute signature to have one required method and fixing remaining places.

I've enforced it in RegisterRoute() but I think shouldn't be done with RegisterRoutesWithPrefix() because the latter one registers multiple endpoints. WDYT?

[jtlisi]

LGTM

[pstibrany]

Perhaps we should make /flush, /shutdown and push POST-only? It would make flush and shutdown links on index page not working from browser, which may be a good thing (no accidental click from browser, or prefetching, or recursive link-following robots).

[pracucci]

push POST-only

It is POST only but the CHANGELOG was wrong. Fixed, thanks!

Perhaps we should make /flush, /shutdown

I agree would be safer. If do so, we should consider:

1. Change tools/migrate-ingester-statefulsets.sh because calls GET /shutdown, but then we would have to use something different than wget (and curl is not available in Cortex images)
2. We would have to remove these links from the / HTML page because if you click on that they will fail (so there's no point linking them, the https://cortexmetrics.io/docs/api/ will be enough)

Thoughts?

[pstibrany]

1. Change tools/migrate-ingester-statefulsets.sh because calls GET /shutdown, but then we would have to use something different than wget (and curl is not available in Cortex images)

Valid point. What about we include little tool in the image to call those endpoints? We could fix another problems with included wget too -- it doesn't like 204. I'd suggest separate PR for all that.

2. We would have to remove these links from the / HTML page because if you click on that they will fail (so there's no point linking them, the https://cortexmetrics.io/docs/api/ will be enough)

I would keep them in the index page (it's useful to know that given Cortex supports it), but add a note that they are POST-only.

[pracucci]

Valid point. What about we include little tool in the image to call those endpoints? We could fix another problems with included wget too -- it doesn't like 204. I'd suggest separate PR for all that.

I've the feeling it's overkilled. Installing curl in our Docker images could be just easier.

[pstibrany]

curl also doesn't like 204 and returns non-zero exit code. We could simplify our script if we had this.

[gouthamve]

+1 to making them POST only!
+1 to showing them in index page but mention that they only support POST.

Not too familiar with the script though.

[pracucci]

Would you agree if I do it in a separate PR? We need to find a solution for the wget replacement and I would like to avoid blocking this PR because of that.

[pstibrany]

Would you agree if I do it in a separate PR? We need to find a solution for the wget replacement and I would like to avoid blocking this PR because of that.

Absolutely

[pracucci]

Opened an issue for /flush and /shutdown:
#3243

[pracucci]

@gotjosh Do you see problem with this?