fix: protect ops endpoints requiring admin

cmd/serve.go

@@ -1,6 +1,8 @@
 package cmd
 
 import (
+	"fmt"
+	"net/url"
 	"os"
 	"time"
 
@@ -10,6 +12,7 @@ import (
 	"github.com/nhost/hasura-storage/controller"
 	"github.com/nhost/hasura-storage/image"
 	"github.com/nhost/hasura-storage/metadata"
+	"github.com/nhost/hasura-storage/middleware/auth"
 	"github.com/nhost/hasura-storage/middleware/cdn/fastly"
 	"github.com/nhost/hasura-storage/migrations"
 	"github.com/nhost/hasura-storage/storage"
@@ -88,8 +91,14 @@ func getGin(
 		publicURL, apiRootPrefix, hasuraAdminSecret, metadataStorage, contentStorage, imageTransformer, logger,
 	)
 
+	opsPath, err := url.JoinPath(apiRootPrefix, "ops")
+	if err != nil {
+		return nil, fmt.Errorf("problem trying to compute ops prefix path: %w", err)
+	}
+
 	middlewares := []gin.HandlerFunc{
 		ginLogger(logger),
+		auth.NeedsAdmin(opsPath, hasuraAdminSecret),
 	}
 
 	fastlyService := viper.GetString(fastlyServiceFlag)

controller/openapi.yaml

@@ -1,6 +1,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/OAI/OpenAPI-Specification/main/schemas/v3.0/schema.yaml
 ---
-openapi: 3.0.0
+openapi: 3.0
 info:
   description: Hasura Storage is amazing
   version: 1.0.0
@@ -18,13 +18,19 @@ servers:
         default: '8000'
 security:
   - Authorization: []
+  - X-Hasura-Admin-Secret: []
 components:
   securitySchemes:
     Authorization:
       type: http
       scheme: bearer
       bearerFormat: JWT
       description: API key to authorize requests.
+    X-Hasura-Admin-Secret:
+      type: apiKey
+      name: X-Hasura-Admin-Secret
+      in: header
+      description: Hasura admin secret
   schemas:
     VersionInformation:
       type: object
@@ -120,7 +126,7 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/VersionInformation'
-                
+
   /files/:
     post:
       summary: Upload one or more files
@@ -450,8 +456,8 @@ paths:
           1. Set isUploaded flag to false
           2. Replace contents of the file in the storage backend
           3. Update file metadata (size, mime-type, isUploaded, etc)
-          
-        Each individual state is atomic but if a step fails, previous steps won't be undone 
+
+        Each individual state is atomic but if a step fails, previous steps won't be undone
       tags:
         - storage
       security:
@@ -762,7 +768,7 @@ paths:
       tags:
         - operations
       security:
-        - Authorization: []
+        - X-Hasura-Admin-Secret: []
       responses:
         '200':
           description: Successfully computed orphaned files
@@ -789,7 +795,7 @@ paths:
       tags:
         - operations
       security:
-        - Authorization: []
+        - X-Hasura-Admin-Secret: []
       responses:
         '200':
           description: Successfully deleted orphaned files
@@ -816,7 +822,7 @@ paths:
       tags:
         - operations
       security:
-        - Authorization: []
+        - X-Hasura-Admin-Secret: []
       responses:
         '200':
           description: Successfully computed broken metadata
@@ -835,15 +841,15 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/Error'
-  
+
   /ops/delete-broken-metadata:
     post:
       summary: Delete broken metadata
       description: Broken metadata is defined as metadata that has isUploaded = true but there is no file in the storage matching it
       tags:
         - operations
       security:
-        - Authorization: []
+        - X-Hasura-Admin-Secret: []
       responses:
         '200':
           description: Successfully deleted broken metadata
@@ -870,7 +876,7 @@ paths:
       tags:
         - operations
       security:
-        - Authorization: []
+        - X-Hasura-Admin-Secret: []
       responses:
         '200':
           description: Successfully checked files not uploaded

middleware/auth/needs_admin.go

@@ -0,0 +1,25 @@
+package auth
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+func isAdmin(hasuraAdminSecret string, header http.Header) bool {
+	return header.Get("X-Hasura-Admin-Secret") == hasuraAdminSecret &&
+		(header.Get("X-Hasura-Role") == "admin" ||
+			header.Get("X-Hasura-Role") == "")
+}
+
+func NeedsAdmin(prefixPath, hasuraAdminSecret string) gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		if strings.HasPrefix(ctx.Request.URL.Path, prefixPath) &&
+			!isAdmin(hasuraAdminSecret, ctx.Request.Header) {
+			ctx.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+		ctx.Next()
+	}
+}

middleware/auth/needs_admin_test.go

@@ -0,0 +1,73 @@
+package auth //nolint: testpackage
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestIsAdmin(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name      string
+		reqHeader http.Header
+		isAdmin   bool
+	}{
+		{
+			name: "correct secret and empty role",
+			reqHeader: http.Header{
+				"X-Hasura-Admin-Secret": []string{"secret"},
+			},
+			isAdmin: true,
+		},
+		{
+			name: "correct secret and role",
+			reqHeader: http.Header{
+				"X-Hasura-Admin-Secret": []string{"secret"},
+				"X-Hasura-Role":         []string{"admin"},
+			},
+			isAdmin: true,
+		},
+		{
+			name: "correct secret and wrong role",
+			reqHeader: http.Header{
+				"X-Hasura-Admin-Secret": []string{"secret"},
+				"X-Hasura-Role":         []string{"user"},
+			},
+			isAdmin: false,
+		},
+		{
+			name: "wrong secret and correct role",
+			reqHeader: http.Header{
+				"X-Hasura-Admin-Secret": []string{"woooo"},
+				"X-Hasura-Role":         []string{"admin"},
+			},
+			isAdmin: false,
+		},
+		{
+			name: "wrong secret and no role",
+			reqHeader: http.Header{
+				"X-Hasura-Admin-Secret": []string{"woooo"},
+			},
+			isAdmin: false,
+		},
+		{
+			name:      "no headers",
+			reqHeader: http.Header{},
+			isAdmin:   false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			tc := tc
+
+			got := isAdmin("secret", tc.reqHeader)
+			if got != tc.isAdmin {
+				t.Errorf("isAdmin() = %v, want %v", got, tc.isAdmin)
+			}
+		})
+	}
+}