Add authn for graphql and http admin endpoints

dgraph/cmd/alpha/admin.go

@@ -25,54 +25,83 @@ import (
 	"net/http"
 	"strconv"
 
+	"github.com/dgraph-io/dgraph/edgraph"
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/worker"
 	"github.com/dgraph-io/dgraph/x"
 	"github.com/golang/glog"
 )
 
+func checkIpIsWhitelisted(w http.ResponseWriter, r *http.Request) bool {
+	ip, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil || (!ipInIPWhitelistRanges(ip) && !net.ParseIP(ip).IsLoopback()) {
+		x.SetStatus(w, x.ErrorUnauthorized, fmt.Sprintf("Request from IP: %v", ip))
+		return false
+	}
+	return true
+}
+
+func checkPoormansAcl(w http.ResponseWriter, r *http.Request) bool {
+	if worker.Config.AuthToken != "" && worker.Config.AuthToken != r.Header.Get(
+		"X-Dgraph-AuthToken") {
+		x.SetStatus(w, x.ErrorUnauthorized, "Invalid X-Dgraph-AuthToken")
+		return false
+	}
+	return true
+}
+
 // handlerInit does some standard checks. Returns false if something is wrong.
-func handlerInit(w http.ResponseWriter, r *http.Request, allowedMethods map[string]bool) bool {
+func handlerInit(w http.ResponseWriter, r *http.Request, allowedMethods map[string]bool,
+	allowOnlyGuardians bool) bool {
 	if _, ok := allowedMethods[r.Method]; !ok {
 		x.SetStatus(w, x.ErrorInvalidMethod, "Invalid method")
+		w.WriteHeader(http.StatusMethodNotAllowed)
 		return false
 	}
 
-	ip, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil || (!ipInIPWhitelistRanges(ip) && !net.ParseIP(ip).IsLoopback()) {
-		x.SetStatus(w, x.ErrorUnauthorized, fmt.Sprintf("Request from IP: %v", ip))
+	if !checkIpIsWhitelisted(w, r) || !checkPoormansAcl(w, r) {
 		return false
 	}
+
+	if allowOnlyGuardians {
+		err := edgraph.AuthorizeGuardians(x.AttachAccessJwt(context.Background(), r))
+		if err != nil {
+			x.SetStatus(w, x.ErrorUnauthorized, err.Error())
+			return false
+		}
+	}
 	return true
 }
 
 func drainingHandler(w http.ResponseWriter, r *http.Request) {
-	switch r.Method {
-	case http.MethodPut, http.MethodPost:
-		enableStr := r.URL.Query().Get("enable")
+	if !handlerInit(w, r, map[string]bool{
+		http.MethodPut:  true,
+		http.MethodPost: true,
+	}, true) {
+		return
+	}
 
-		enable, err := strconv.ParseBool(enableStr)
-		if err != nil {
-			x.SetStatus(w, x.ErrorInvalidRequest,
-				"Found invalid value for the enable parameter")
-			return
-		}
+	enableStr := r.URL.Query().Get("enable")
 
-		x.UpdateDrainingMode(enable)
-		_, err = w.Write([]byte(fmt.Sprintf(`{"code": "Success",`+
-			`"message": "draining mode has been set to %v"}`, enable)))
-		if err != nil {
-			glog.Errorf("Failed to write response: %v", err)
-		}
-	default:
-		w.WriteHeader(http.StatusMethodNotAllowed)
+	enable, err := strconv.ParseBool(enableStr)
+	if err != nil {
+		x.SetStatus(w, x.ErrorInvalidRequest,
+			"Found invalid value for the enable parameter")
+		return
+	}
+
+	x.UpdateDrainingMode(enable)
+	_, err = w.Write([]byte(fmt.Sprintf(`{"code": "Success",`+
+		`"message": "draining mode has been set to %v"}`, enable)))
+	if err != nil {
+		glog.Errorf("Failed to write response: %v", err)
 	}
 }
 
 func shutDownHandler(w http.ResponseWriter, r *http.Request) {
 	if !handlerInit(w, r, map[string]bool{
 		http.MethodGet: true,
-	}) {
+	}, true) {
 		return
 	}
 
@@ -84,7 +113,7 @@ func shutDownHandler(w http.ResponseWriter, r *http.Request) {
 func exportHandler(w http.ResponseWriter, r *http.Request) {
 	if !handlerInit(w, r, map[string]bool{
 		http.MethodGet: true,
-	}) {
+	}, true) {
 		return
 	}
 	if err := r.ParseForm(); err != nil {
@@ -114,13 +143,18 @@ func exportHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func memoryLimitHandler(w http.ResponseWriter, r *http.Request) {
+	if !handlerInit(w, r, map[string]bool{
+		http.MethodGet: true,
+		http.MethodPut: true,
+	}, true) {
+		return
+	}
+
 	switch r.Method {
 	case http.MethodGet:
 		memoryLimitGetHandler(w, r)
 	case http.MethodPut:
 		memoryLimitPutHandler(w, r)
-	default:
-		w.WriteHeader(http.StatusMethodNotAllowed)
 	}
 }
 

dgraph/cmd/alpha/admin_backup.go

@@ -35,7 +35,7 @@ func init() {
 func backupHandler(w http.ResponseWriter, r *http.Request) {
 	if !handlerInit(w, r, map[string]bool{
 		http.MethodPost: true,
-	}) {
+	}, true) {
 		return
 	}
 

dgraph/cmd/alpha/http.go

@@ -581,6 +581,10 @@ func adminSchemaHandler(w http.ResponseWriter, r *http.Request, adminServer web.
 		return
 	}
 
+	if !checkIpIsWhitelisted(w, r) || !checkPoormansAcl(w, r) {
+		return
+	}
+
 	b := readRequest(w, r)
 	if b == nil {
 		return

dgraph/cmd/alpha/http_test.go

@@ -735,28 +735,19 @@ func TestHealth(t *testing.T) {
 	require.True(t, info[0].Uptime > int64(time.Duration(1)))
 }
 
-func setDrainingMode(t *testing.T, enable bool) {
+func setDrainingMode(t *testing.T, enable bool, accessJwt string) {
 	drainingRequest := `mutation drain($enable: Boolean) {
 		draining(enable: $enable) {
 			response {
 				code
 			}
 		}
 	}`
-	adminUrl := fmt.Sprintf("%s/admin", addr)
-	params := testutil.GraphQLParams{
+	params := &testutil.GraphQLParams{
 		Query:     drainingRequest,
 		Variables: map[string]interface{}{"enable": enable},
 	}
-	b, err := json.Marshal(params)
-	require.NoError(t, err)
-
-	resp, err := http.Post(adminUrl, "application/json", bytes.NewBuffer(b))
-	require.NoError(t, err)
-
-	defer resp.Body.Close()
-	b, err = ioutil.ReadAll(resp.Body)
-	require.NoError(t, err)
+	b := testutil.MakeGQLRequestWithAccessJwt(t, params, accessJwt)
 	require.JSONEq(t, `{"data":{"draining":{"response":{"code":"Success"}}}}`,
 		string(b))
 }
@@ -800,10 +791,12 @@ func TestDrainingMode(t *testing.T) {
 
 	}
 
-	setDrainingMode(t, true)
+	grootJwt, _ := testutil.GrootHttpLogin(addr + "/admin")
+
+	setDrainingMode(t, true, grootJwt)
 	runRequests(true)
 
-	setDrainingMode(t, false)
+	setDrainingMode(t, false, grootJwt)
 	runRequests(false)
 }
 

dgraph/cmd/alpha/run.go

@@ -462,7 +462,7 @@ func setupServer(closer *y.Closer) {
 				http.MethodPost:    true,
 				http.MethodGet:     true,
 				http.MethodOptions: true,
-			}) {
+			}, false) {
 				return
 			}
 			h.ServeHTTP(w, r)

edgraph/access.go

@@ -65,7 +65,7 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 	return nil
 }
 
-func authorizeGuardians(ctx context.Context) error {
+func AuthorizeGuardians(ctx context.Context) error {
 	// always allow access
 	return nil
 }

edgraph/access_ee.go

@@ -794,8 +794,8 @@ func authorizeQuery(ctx context.Context, parsedReq *gql.Result, graphql bool) er
 	return nil
 }
 
-// authorizeGuardians authorizes the operation for users which belong to Guardians group.
-func authorizeGuardians(ctx context.Context) error {
+// AuthorizeGuardians authorizes the operation for users which belong to Guardians group.
+func AuthorizeGuardians(ctx context.Context) error {
 	if len(worker.Config.HmacSecret) == 0 {
 		// the user has not turned on the acl feature
 		return nil

edgraph/server.go

@@ -697,7 +697,7 @@ func (s *Server) Health(ctx context.Context, all bool) (*api.Response, error) {
 
 	var healthAll []pb.HealthInfo
 	if all {
-		if err := authorizeGuardians(ctx); err != nil {
+		if err := AuthorizeGuardians(ctx); err != nil {
 			return nil, err
 		}
 		pool := conn.GetPools().GetAll()
@@ -735,7 +735,7 @@ func (s *Server) State(ctx context.Context) (*api.Response, error) {
 		return nil, ctx.Err()
 	}
 
-	if err := authorizeGuardians(ctx); err != nil {
+	if err := AuthorizeGuardians(ctx); err != nil {
 		return nil, err
 	}