From eeb7d9a3375b5e70b5ea9ce94cc0415deb6d9dfb Mon Sep 17 00:00:00 2001 From: David Crespo Date: Wed, 6 Jul 2022 16:25:01 -0500 Subject: [PATCH 1/3] serve console assets from /, fix /settings/* too --- nexus/src/external_api/console_api.rs | 11 +++++++++++ nexus/src/external_api/device_auth.rs | 3 +-- nexus/src/external_api/http_entrypoints.rs | 2 ++ nexus/tests/integration_tests/console_api.rs | 19 ++++++++++++++----- openapi/nexus.json | 11 ----------- 5 files changed, 28 insertions(+), 18 deletions(-) diff --git a/nexus/src/external_api/console_api.rs b/nexus/src/external_api/console_api.rs index e68f9b08823..d87e76bcf1f 100644 --- a/nexus/src/external_api/console_api.rs +++ b/nexus/src/external_api/console_api.rs @@ -619,6 +619,17 @@ pub async fn console_settings_page( console_index_or_login_redirect(rqctx).await } +#[endpoint { + method = GET, + path = "/", + unpublished = true, +}] +pub async fn console_root( + rqctx: Arc>>, +) -> Result, HttpError> { + console_index_or_login_redirect(rqctx).await +} + /// Make a new PathBuf with `.gz` on the end fn with_gz_ext(path: &PathBuf) -> PathBuf { let mut new_path = path.clone(); diff --git a/nexus/src/external_api/device_auth.rs b/nexus/src/external_api/device_auth.rs index 00132cc078c..70d67abbc6f 100644 --- a/nexus/src/external_api/device_auth.rs +++ b/nexus/src/external_api/device_auth.rs @@ -15,7 +15,7 @@ use crate::context::OpContext; use crate::db::model::DeviceAccessToken; use crate::ServerContext; use dropshot::{ - endpoint, HttpError, HttpResponseOk, Query, RequestContext, TypedBody, + endpoint, HttpError, HttpResponseOk, RequestContext, TypedBody, }; use http::{header, Response, StatusCode}; use hyper::Body; @@ -125,7 +125,6 @@ pub struct DeviceAuthVerify { }] pub async fn device_auth_verify( rqctx: Arc>>, - _params: Query, ) -> Result, HttpError> { console_index_or_login_redirect(rqctx).await } 
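Review bot: `console_root` is registered with `unpublished = true` and has no doc comment, so neither the source nor the OpenAPI document states that `/` is meant to be session-gated. PATCH 3/3 drops `device_auth_verify` from `uncovered-authz-endpoints.txt` once PATCH 2/3 marks it unpublished, which suggests unpublished endpoints fall outside that coverage listing; if so, this route and `/device/verify` are checked only by `test_console_pages`. I would add `/// Serve the console index at "/"; access control is delegated to console_index_or_login_redirect, which is expected to redirect requests without a valid session to login.` above the attribute. The body of `console_index_or_login_redirect` is outside the hunk, so its behaviour is assumed from its name.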
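Review bot: Dropping the `_params` query extractor from `device_auth_verify` means the server no longer rejects a `/device/verify` request that lacks `user_code`; the OpenAPI entry removed in the same patch marked that parameter `required: true`. The handler now serves the console page for any query string, so checking the code is presumably left to the client and to the confirm step, which deserves a comment such as `// user_code is read client-side from the query string; it is not validated here`. The `DeviceAuthVerify` struct named in the hunk header may now be unused, since this hunk removes the only visible reference to it; if nothing else uses it, remove it or note why it stays. The function's attribute and doc comment are outside the hunk.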
diff --git a/nexus/src/external_api/http_entrypoints.rs b/nexus/src/external_api/http_entrypoints.rs index 5384b9f412a..258bb3dea5c 100644 --- a/nexus/src/external_api/http_entrypoints.rs +++ b/nexus/src/external_api/http_entrypoints.rs @@ -221,6 +221,8 @@ pub fn external_api() -> NexusApiDescription { api.register(console_api::session_me)?; api.register(console_api::logout)?; api.register(console_api::console_page)?; + api.register(console_api::console_root)?; + api.register(console_api::console_settings_page)?; api.register(console_api::asset)?; api.register(console_api::login)?; diff --git a/nexus/tests/integration_tests/console_api.rs b/nexus/tests/integration_tests/console_api.rs index e5a4002d5ae..d727e3fc926 100644 --- a/nexus/tests/integration_tests/console_api.rs +++ b/nexus/tests/integration_tests/console_api.rs @@ -158,10 +158,18 @@ async fn test_console_pages(cptestctx: &ControlPlaneTestContext) { let session_token = log_in_and_extract_token(&testctx).await; - // hit console page with session, should get back HTML response - let console_page = - RequestBuilder::new(&testctx, Method::GET, "/orgs/irrelevant-path") - .header(http::header::COOKIE, session_token) + // hit console pages with session, should get back HTML response + let console_paths = &[ + "/", + "/orgs/irrelevant-path", + "/settings/irrelevant-path", + "/device/success", + "/device/verify", + ]; + + for path in console_paths { + let console_page = RequestBuilder::new(&testctx, Method::GET, path) + .header(http::header::COOKIE, session_token.clone()) .expect_status(Some(StatusCode::OK)) .expect_response_header( http::header::CONTENT_TYPE, @@ -171,7 +179,8 @@ async fn test_console_pages(cptestctx: &ControlPlaneTestContext) { .await .expect("failed to get console index"); - assert_eq!(console_page.body, "".as_bytes()); + assert_eq!(console_page.body, "".as_bytes()); + } } #[nexus_test] diff --git a/openapi/nexus.json b/openapi/nexus.json index 9e354e60d11..ddf06a4b52b 100644 
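Review bot: The new loop in `test_console_pages` exercises every console path only with a valid session cookie, so nothing in this hunk asserts that `/`, `/settings/*` and the `/device/*` pages redirect to login when the cookie is absent. A second pass over `console_paths` without the `COOKIE` header, expecting the login redirect, would pin the access control these unpublished routes rely on. Separately, `.expect("failed to get console index")` does not name the path that failed; `.unwrap_or_else(|e| panic!("failed to get console page {path}: {e:?}"))` would. The start of `test_console_pages` is outside the hunk and may already cover the unauthenticated case for one path.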
--- a/openapi/nexus.json +++ b/openapi/nexus.json @@ -120,17 +120,6 @@ "summary": "Verify an OAuth 2.0 Device Authorization Grant", "description": "This endpoint should be accessed in a full user agent (e.g., a browser). If the user is not logged in, we redirect them to the login page and use the `state` parameter to get them back here on completion. If they are logged in, serve up the console verification page so they can verify the user code.", "operationId": "device_auth_verify", - "parameters": [ - { - "in": "query", - "name": "user_code", - "required": true, - "schema": { - "type": "string" - }, - "style": "form" - } - ], "responses": { "default": { "description": "", From 87371fe06bb240f972d03b50f17b14c6348f83ad Mon Sep 17 00:00:00 2001 From: David Crespo Date: Thu, 7 Jul 2022 00:00:26 -0500 Subject: [PATCH 2/3] unpublish /device/verify --- nexus/src/external_api/device_auth.rs | 2 +- nexus/tests/output/nexus_tags.txt | 1 - openapi/nexus.json | 20 -------------------- 3 files changed, 1 insertion(+), 22 deletions(-) diff --git a/nexus/src/external_api/device_auth.rs b/nexus/src/external_api/device_auth.rs index 70d67abbc6f..746b973716a 100644 --- a/nexus/src/external_api/device_auth.rs +++ b/nexus/src/external_api/device_auth.rs @@ -121,7 +121,7 @@ pub struct DeviceAuthVerify { #[endpoint { method = GET, path = "/device/verify", - tags = ["hidden"], // "token" + unpublished = true, }] pub async fn device_auth_verify( rqctx: Arc>>, diff --git a/nexus/tests/output/nexus_tags.txt b/nexus/tests/output/nexus_tags.txt index 95d99abfe46..6737bbadfb5 100644 --- a/nexus/tests/output/nexus_tags.txt +++ b/nexus/tests/output/nexus_tags.txt @@ -15,7 +15,6 @@ OPERATION ID URL PATH device_access_token /device/token device_auth_confirm /device/confirm device_auth_request /device/auth -device_auth_verify /device/verify logout /logout session_me /session/me spoof_login /login diff --git a/openapi/nexus.json b/openapi/nexus.json index ddf06a4b52b..2893585c08c 100644 
--- a/openapi/nexus.json +++ b/openapi/nexus.json @@ -112,26 +112,6 @@ } } }, - "/device/verify": { - "get": { - "tags": [ - "hidden" - ], - "summary": "Verify an OAuth 2.0 Device Authorization Grant", - "description": "This endpoint should be accessed in a full user agent (e.g., a browser). If the user is not logged in, we redirect them to the login page and use the `state` parameter to get them back here on completion. If they are logged in, serve up the console verification page so they can verify the user code.", - "operationId": "device_auth_verify", - "responses": { - "default": { - "description": "", - "content": { - "*/*": { - "schema": {} - } - } - } - } - } - }, "/hardware/racks": { "get": { "tags": [ From b224b6514033b0da64ee0f7f735de894911292f1 Mon Sep 17 00:00:00 2001 From: David Crespo Date: Thu, 7 Jul 2022 08:42:09 -0500 Subject: [PATCH 3/3] remove unpublished /device/verify from expected uncovered list --- nexus/tests/output/uncovered-authz-endpoints.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/nexus/tests/output/uncovered-authz-endpoints.txt b/nexus/tests/output/uncovered-authz-endpoints.txt index dd197825a47..6a0cae41685 100644 --- a/nexus/tests/output/uncovered-authz-endpoints.txt +++ b/nexus/tests/output/uncovered-authz-endpoints.txt @@ -1,6 +1,5 @@ API endpoints with no coverage in authz tests: session_sshkey_delete (delete "/session/me/sshkeys/{ssh_key_name}") -device_auth_verify (get "/device/verify") login (get "/login/{silo_name}/{provider_name}") session_me (get "/session/me") session_sshkey_list (get "/session/me/sshkeys")