1937584094

Committed 18 Jul 2025 02:06PM UTC coverage: 65.472% (-0.05%) from 65.519%

Build # 1937584094

Build Type

push

gitlab-ci

Committed by

web-flow

Commit Message

Merge pull request #769 from alfrunes/MEN-7744

MEN-7744: Rate limits for authenticated requests

Run Details

30 of 72 new or added lines in 6 files covered. (41.67%)

7 existing lines in 2 files now uncovered.

32192 of 49169 relevant lines covered (65.47%)

1.39 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

89.47

/backend/services/deviceauth/api/http/routing.go

// Copyright 2023 Northern.tech AS
//
//        Licensed under the Apache License, Version 2.0 (the "License");
//        you may not use this file except in compliance with the License.
//        You may obtain a copy of the License at
//
//            http://www.apache.org/licenses/LICENSE-2.0
//
//        Unless required by applicable law or agreed to in writing, software
//        distributed under the License is distributed on an "AS IS" BASIS,
//        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//        See the License for the specific language governing permissions and
//        limitations under the License.
package http

import (
        "net/http"
        "strings"

        "github.com/gin-gonic/gin"

        "github.com/mendersoftware/mender-server/pkg/contenttype"
        "github.com/mendersoftware/mender-server/pkg/identity"
        "github.com/mendersoftware/mender-server/pkg/routing"
        dconfig "github.com/mendersoftware/mender-server/services/deviceauth/config"
        "github.com/mendersoftware/mender-server/services/deviceauth/devauth"
        "github.com/mendersoftware/mender-server/services/deviceauth/store"
        "github.com/mendersoftware/mender-server/services/deviceauth/utils"
)

const (
        apiUrlDevicesV1 = "/api/devices/v1/authentication"
        uriAuthReqs     = "/auth_requests"

        // internal API
        apiUrlInternalV1      = "/api/internal/v1/devauth"
        uriAlive              = "/alive"
        uriHealth             = "/health"
        uriTokenVerify        = "/tokens/verify"
        uriTenantLimit        = "/tenant/:id/limits/:name"
        uriTokens             = "/tokens"
        uriTenants            = "/tenants"
        uriTenantDevice       = "/tenants/:tid/devices/:did"
        uriTenantDeviceStatus = "/tenants/:tid/devices/:did/status"
        uriTenantDevices      = "/tenants/:tid/devices"
        uriTenantDevicesCount = "/tenants/:tid/devices/count"

        // management API v2
        apiUrlManagementV2       = "/api/management/v2/devauth"
        v2uriDevices             = "/devices"
        v2uriDevicesCount        = "/devices/count"
        v2uriDevicesSearch       = "/devices/search"
        v2uriDevice              = "/devices/:id"
        v2uriDeviceAuthSet       = "/devices/:id/auth/:aid"
        v2uriDeviceAuthSetStatus = "/devices/:id/auth/:aid/status"
        v2uriToken               = "/tokens/:id"
        v2uriDevicesLimit        = "/limits/:name"

        HdrAuthReqSign = "X-MEN-Signature"
)

type HttpOptionsGenerator func(methods []string) gin.HandlerFunc

func AllowHeaderOptionsGenerator(methods []string) gin.HandlerFunc {
        // return a dummy handler for now
        return func(c *gin.Context) {
                for _, m := range methods {
                        c.Writer.Header().Add("Allow", m)
                }
        }
}

func supportsMethod(method string, methods []string) bool {
        return utils.ContainsString(method, methods)
}

// Automatically add OPTIONS method support for each defined route,
// only if there's no OPTIONS handler for that route yet
func AutogenOptionsRoutes(router *gin.Engine, gen HttpOptionsGenerator) {
        routes := router.Routes()
        methodGroups := make(map[string][]string, len(routes))

        for _, route := range routes {
                if strings.HasPrefix(route.Path, "/api/internal") {
                        continue
                }
                methods, ok := methodGroups[route.Path]
                if !ok {
                        methods = make([]string, 0)
                }

                methodGroups[route.Path] = append(methods, route.Method)
        }

        for route, methods := range methodGroups {
                // skip if there's a handler for OPTIONS already
                if !supportsMethod(http.MethodOptions, methods) {
                        router.OPTIONS(route, gen(methods))
                }
        }
}

type Config struct {
        AuthVerifyRatelimits gin.HandlerFunc
        MaxRequestSize       int64
}

func NewConfig() *Config {
        return &Config{
                MaxRequestSize: dconfig.SettingMaxRequestSizeDefault,
        }
}

type Option func(c *Config)

func SetMaxRequestSize(size int64) Option {
        return func(c *Config) {
                c.MaxRequestSize = size
        }
}

func ConfigAuthVerifyRatelimits(handler gin.HandlerFunc) Option {
        return func(c *Config) {
                c.AuthVerifyRatelimits = handler
        }
}

func NewRouter(app devauth.App, db store.DataStore, options ...Option) http.Handler {
        router := routing.NewGinRouter()
        cfg := new(Config)
        for _, option := range options {
                if option != nil {
                        option(cfg)
                }
        }

        d := NewDevAuthApiHandlers(app, db, options...)

        publicAPIs := router.Group(".")
        publicAPIs.Use(identity.Middleware())

        mgmtAPIV2 := publicAPIs.Group(apiUrlManagementV2)
        devicesAPIs := router.Group(apiUrlDevicesV1)

        // Devices API
        devicesAPIs.Group(".").Use(contenttype.CheckJSON()).
                POST(uriAuthReqs, d.SubmitAuthRequestHandler)

        // API v2
        mgmtAPIV2.GET(v2uriDevicesCount, d.GetDevicesCountHandler)
        mgmtAPIV2.GET(v2uriDevices, d.GetDevicesV2Handler)
        mgmtAPIV2.GET(v2uriDevice, d.GetDeviceV2Handler)
        mgmtAPIV2.GET(v2uriDeviceAuthSetStatus, d.GetAuthSetStatusHandler)
        mgmtAPIV2.GET(v2uriDevicesLimit, d.GetLimitHandler)
        mgmtAPIV2.DELETE(v2uriDevice, d.DecommissionDeviceHandler)
        mgmtAPIV2.DELETE(v2uriDeviceAuthSet, d.DeleteDeviceAuthSetHandler)
        mgmtAPIV2.DELETE(v2uriToken, d.DeleteTokenHandler)
        mgmtAPIV2.Group(".").Use(contenttype.CheckJSON()).
                POST(v2uriDevices, d.PostDevicesV2Handler).
                PUT(v2uriDeviceAuthSetStatus, d.UpdateDeviceStatusHandler).
                POST(v2uriDevicesSearch, d.SearchDevicesV2Handler)

        // automatically add Option routes for public endpoints
        AutogenOptionsRoutes(router, AllowHeaderOptionsGenerator)

        intrnlAPIV1 := router.Group(apiUrlInternalV1)

        intrnlAPIV1.GET(uriAlive, d.AliveHandler)
        intrnlAPIV1.GET(uriHealth, d.HealthCheckHandler)

        intrnlAPIV1.Group(".").
                Use(identity.Middleware()).
                GET(uriTokenVerify, d.VerifyTokenHandler).
                POST(uriTokenVerify, d.VerifyTokenHandler)
        intrnlAPIV1.DELETE(uriTokens, d.DeleteTokensHandler)
        intrnlAPIV1.PUT(uriTenantLimit, d.PutTenantLimitHandler)
        intrnlAPIV1.GET(uriTenantLimit, d.GetTenantLimitHandler)
        intrnlAPIV1.DELETE(uriTenantLimit, d.DeleteTenantLimitHandler)
        intrnlAPIV1.POST(uriTenants, d.ProvisionTenantHandler)
        intrnlAPIV1.GET(uriTenantDeviceStatus, d.GetTenantDeviceStatus)
        intrnlAPIV1.GET(uriTenantDevices, d.GetTenantDevicesHandler)
        intrnlAPIV1.GET(uriTenantDevicesCount, d.GetTenantDevicesCountHandler)
        intrnlAPIV1.DELETE(uriTenantDevice, d.DeleteDeviceHandler)

        return router
}

1	// Copyright 2023 Northern.tech AS
2	//
3	// Licensed under the Apache License, Version 2.0 (the "License");
4	// you may not use this file except in compliance with the License.
5	// You may obtain a copy of the License at
6	//
7	// http://www.apache.org/licenses/LICENSE-2.0
8	//
9	// Unless required by applicable law or agreed to in writing, software
10	// distributed under the License is distributed on an "AS IS" BASIS,
11	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	// See the License for the specific language governing permissions and
13	// limitations under the License.
14	package http
15
16	import (
17	"net/http"
18	"strings"
19
20	"github.com/gin-gonic/gin"
21
22	"github.com/mendersoftware/mender-server/pkg/contenttype"
23	"github.com/mendersoftware/mender-server/pkg/identity"
24	"github.com/mendersoftware/mender-server/pkg/routing"
25	dconfig "github.com/mendersoftware/mender-server/services/deviceauth/config"
26	"github.com/mendersoftware/mender-server/services/deviceauth/devauth"
27	"github.com/mendersoftware/mender-server/services/deviceauth/store"
28	"github.com/mendersoftware/mender-server/services/deviceauth/utils"
29	)
30
31	const (
32	apiUrlDevicesV1 = "/api/devices/v1/authentication"
33	uriAuthReqs = "/auth_requests"
34
35	// internal API
36	apiUrlInternalV1 = "/api/internal/v1/devauth"
37	uriAlive = "/alive"
38	uriHealth = "/health"
39	uriTokenVerify = "/tokens/verify"
40	uriTenantLimit = "/tenant/:id/limits/:name"
41	uriTokens = "/tokens"
42	uriTenants = "/tenants"
43	uriTenantDevice = "/tenants/:tid/devices/:did"
44	uriTenantDeviceStatus = "/tenants/:tid/devices/:did/status"
45	uriTenantDevices = "/tenants/:tid/devices"
46	uriTenantDevicesCount = "/tenants/:tid/devices/count"
47
48	// management API v2
49	apiUrlManagementV2 = "/api/management/v2/devauth"
50	v2uriDevices = "/devices"
51	v2uriDevicesCount = "/devices/count"
52	v2uriDevicesSearch = "/devices/search"
53	v2uriDevice = "/devices/:id"
54	v2uriDeviceAuthSet = "/devices/:id/auth/:aid"
55	v2uriDeviceAuthSetStatus = "/devices/:id/auth/:aid/status"
56	v2uriToken = "/tokens/:id"
57	v2uriDevicesLimit = "/limits/:name"
58
59	HdrAuthReqSign = "X-MEN-Signature"
60	)
61
62	type HttpOptionsGenerator func(methods []string) gin.HandlerFunc
63
64	func AllowHeaderOptionsGenerator(methods []string) gin.HandlerFunc {	3✔
65	// return a dummy handler for now	3✔
66	return func(c *gin.Context) {	4✔
67	for _, m := range methods {	2✔
68	c.Writer.Header().Add("Allow", m)	1✔
69	}	1✔
70	}
71	}
72
73	func supportsMethod(method string, methods []string) bool {	3✔
74	return utils.ContainsString(method, methods)	3✔
75	}	3✔
76
77	// Automatically add OPTIONS method support for each defined route,
78	// only if there's no OPTIONS handler for that route yet
79	func AutogenOptionsRoutes(router *gin.Engine, gen HttpOptionsGenerator) {	3✔
80	routes := router.Routes()	3✔
81	methodGroups := make(map[string][]string, len(routes))	3✔
82		3✔
83	for _, route := range routes {	6✔
84	if strings.HasPrefix(route.Path, "/api/internal") {	3✔
85	continue	×
86	}
87	methods, ok := methodGroups[route.Path]	3✔
88	if !ok {	6✔
89	methods = make([]string, 0)	3✔
90	}	3✔
91
92	methodGroups[route.Path] = append(methods, route.Method)	3✔
93	}
94
95	for route, methods := range methodGroups {	6✔
96	// skip if there's a handler for OPTIONS already	3✔
97	if !supportsMethod(http.MethodOptions, methods) {	6✔
98	router.OPTIONS(route, gen(methods))	3✔
99	}	3✔
100	}
101	}
102
103	type Config struct {
104	AuthVerifyRatelimits gin.HandlerFunc
105	MaxRequestSize int64
106	}
107
UNCOV 108	func NewConfig() *Config {	×
UNCOV 109	return &Config{	×
UNCOV 110	MaxRequestSize: dconfig.SettingMaxRequestSizeDefault,	×
UNCOV 111	}	×
UNCOV 112	}	×
113
114	type Option func(c *Config)
115
116	func SetMaxRequestSize(size int64) Option {	2✔
117	return func(c *Config) {	4✔
118	c.MaxRequestSize = size	2✔
119	}	2✔
120	}
121
NEW 122	func ConfigAuthVerifyRatelimits(handler gin.HandlerFunc) Option {	×
NEW 123	return func(c *Config) {	×
NEW 124	c.AuthVerifyRatelimits = handler	×
NEW 125	}	×
126	}
127
128	func NewRouter(app devauth.App, db store.DataStore, options ...Option) http.Handler {	3✔
129	router := routing.NewGinRouter()	3✔
130	cfg := new(Config)	3✔
131	for _, option := range options {	5✔
132	if option != nil {	4✔
133	option(cfg)	2✔
134	}	2✔
135	}
136
137	d := NewDevAuthApiHandlers(app, db, options...)	3✔
138		3✔
139	publicAPIs := router.Group(".")	3✔
140	publicAPIs.Use(identity.Middleware())	3✔
141		3✔
142	mgmtAPIV2 := publicAPIs.Group(apiUrlManagementV2)	3✔
143	devicesAPIs := router.Group(apiUrlDevicesV1)	3✔
144		3✔
145	// Devices API	3✔
146	devicesAPIs.Group(".").Use(contenttype.CheckJSON()).	3✔
147	POST(uriAuthReqs, d.SubmitAuthRequestHandler)	3✔
148		3✔
149	// API v2	3✔
150	mgmtAPIV2.GET(v2uriDevicesCount, d.GetDevicesCountHandler)	3✔
151	mgmtAPIV2.GET(v2uriDevices, d.GetDevicesV2Handler)	3✔
152	mgmtAPIV2.GET(v2uriDevice, d.GetDeviceV2Handler)	3✔
153	mgmtAPIV2.GET(v2uriDeviceAuthSetStatus, d.GetAuthSetStatusHandler)	3✔
154	mgmtAPIV2.GET(v2uriDevicesLimit, d.GetLimitHandler)	3✔
155	mgmtAPIV2.DELETE(v2uriDevice, d.DecommissionDeviceHandler)	3✔
156	mgmtAPIV2.DELETE(v2uriDeviceAuthSet, d.DeleteDeviceAuthSetHandler)	3✔
157	mgmtAPIV2.DELETE(v2uriToken, d.DeleteTokenHandler)	3✔
158	mgmtAPIV2.Group(".").Use(contenttype.CheckJSON()).	3✔
159	POST(v2uriDevices, d.PostDevicesV2Handler).	3✔
160	PUT(v2uriDeviceAuthSetStatus, d.UpdateDeviceStatusHandler).	3✔
161	POST(v2uriDevicesSearch, d.SearchDevicesV2Handler)	3✔
162		3✔
163	// automatically add Option routes for public endpoints	3✔
164	AutogenOptionsRoutes(router, AllowHeaderOptionsGenerator)	3✔
165		3✔
166	intrnlAPIV1 := router.Group(apiUrlInternalV1)	3✔
167		3✔
168	intrnlAPIV1.GET(uriAlive, d.AliveHandler)	3✔
169	intrnlAPIV1.GET(uriHealth, d.HealthCheckHandler)	3✔
170		3✔
171	intrnlAPIV1.Group(".").	3✔
172	Use(identity.Middleware()).	3✔
173	GET(uriTokenVerify, d.VerifyTokenHandler).	3✔
174	POST(uriTokenVerify, d.VerifyTokenHandler)	3✔
175	intrnlAPIV1.DELETE(uriTokens, d.DeleteTokensHandler)	3✔
176	intrnlAPIV1.PUT(uriTenantLimit, d.PutTenantLimitHandler)	3✔
177	intrnlAPIV1.GET(uriTenantLimit, d.GetTenantLimitHandler)	3✔
178	intrnlAPIV1.DELETE(uriTenantLimit, d.DeleteTenantLimitHandler)	3✔
179	intrnlAPIV1.POST(uriTenants, d.ProvisionTenantHandler)	3✔
180	intrnlAPIV1.GET(uriTenantDeviceStatus, d.GetTenantDeviceStatus)	3✔
181	intrnlAPIV1.GET(uriTenantDevices, d.GetTenantDevicesHandler)	3✔
182	intrnlAPIV1.GET(uriTenantDevicesCount, d.GetTenantDevicesCountHandler)	3✔
183	intrnlAPIV1.DELETE(uriTenantDevice, d.DeleteDeviceHandler)	3✔
184		3✔
185	return router	3✔
186	}

mendersoftware / mender-server / 1937584094

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous