feat: /mon/status returns details only for maintainer (#5795)

richardlt · web-flow · commit a4e32e521dd8 · 2021-04-16T15:13:34.000+02:00
diff --git a/engine/api/api_routes.go b/engine/api/api_routes.go
@@ -129,7 +129,7 @@ func (api *API) InitRouter() {
 	r.Handle("/broadcast/{id}/mark", Scope(sdk.AuthConsumerScopeProject), r.POST(api.postMarkAsReadBroadcastHandler))
 
 	// Overall health
-	r.Handle("/mon/status", ScopeNone(), r.GET(api.statusHandler, service.OverrideAuth(service.NoAuthMiddleware)))
+	r.Handle("/mon/status", ScopeNone(), r.GET(api.statusHandler, service.OverrideAuth(api.authOptionalMiddleware)))
 	r.Handle("/mon/version", ScopeNone(), r.GET(service.VersionHandler, service.OverrideAuth(service.NoAuthMiddleware)))
 	r.Handle("/mon/db/migrate", ScopeNone(), r.GET(api.getMonDBStatusMigrateHandler, service.OverrideAuth(api.authAdminMiddleware)))
 	r.Handle("/mon/metrics", ScopeNone(), r.GET(service.GetPrometheustMetricsHandler(api), service.OverrideAuth(service.NoAuthMiddleware)))
diff --git a/engine/api/status.go b/engine/api/status.go
@@ -48,11 +48,18 @@ func (api *API) statusHandler() service.Handler {
 			status = http.StatusServiceUnavailable
 		}
 
+		// Always load services to ensure that database connection is ok.
 		srvs, err := services.LoadAll(ctx, api.mustDB(), services.LoadOptions.WithStatus)
 		if err != nil {
 			return err
 		}
 
+		// If there is a valid session and user is maintainer, allows to get status details.
+		currentConsumer := getAPIConsumer(ctx)
+		if currentConsumer == nil || !isMaintainer(ctx) {
+			return service.WriteJSON(w, nil, status)
+		}
+
 		mStatus := api.computeGlobalStatus(srvs)
 		return service.WriteJSON(w, mStatus, status)
 	}

Original file line number	Diff line number	Diff line change
`@@ -48,11 +48,18 @@ func (api *API) statusHandler() service.Handler {`
`48`	`48`	`status = http.StatusServiceUnavailable`
`49`	`49`	`}`
`50`	`50`
	`51`	`+ // Always load services to ensure that database connection is ok.`
`51`	`52`	`srvs, err := services.LoadAll(ctx, api.mustDB(), services.LoadOptions.WithStatus)`
`52`	`53`	`if err != nil {`
`53`	`54`	`return err`
`54`	`55`	`}`
`55`	`56`
	`57`	`+ // If there is a valid session and user is maintainer, allows to get status details.`
	`58`	`+ currentConsumer := getAPIConsumer(ctx)`
	`59`	`+ if currentConsumer == nil \|\| !isMaintainer(ctx) {`
	`60`	`+ return service.WriteJSON(w, nil, status)`
	`61`	`+ }`
	`62`	`+`
`56`	`63`	`mStatus := api.computeGlobalStatus(srvs)`
`57`	`64`	`return service.WriteJSON(w, mStatus, status)`
`58`	`65`	`}`