Merge pull request #2686 from JanBerktold/enable-unauthenticated-monitoring

Add DRONE_PROMETHEUS_ANONYMOUS_ACCESS configuration option
Brad Rydzewski 2019-04-25 18:08:56 -07:00 committed by GitHub
commit b7737a4a89
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 56 additions and 25 deletions


@ -10,7 +10,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- endpoint to trigger new build for default branch, by [@bradrydzewski](https://github.com/bradrydzewski). [#2679](https://github.com/drone/drone/issues/2679).
- endpoint to trigger new build for branch, by [@bradrydzewski](https://github.com/bradrydzewski). [#2679](https://github.com/drone/drone/issues/2679).
- endpoint to trigger new build for branch and sha, by [@bradrydzewski](https://github.com/bradrydzewski). [#2679](https://github.com/drone/drone/issues/2679).
- DRONE_PROMETHEUS_ANONYMOUS_ACCESS configuration option, by [@janberktold](https://github.com/janberktold)
-
## [1.1.0] - 2019-04-23
### Added


@ -56,7 +56,7 @@ type (
HTTP HTTP
Jsonnet Jsonnet
Logging Logging
// Prometheus Prometheus
Prometheus Prometheus
Proxy Proxy
Registration Registration
Registries Registries
@ -162,6 +162,11 @@ type (
Text bool `envconfig:"DRONE_LOGS_TEXT"`
}
// Prometheus provides the prometheus configuration.
Prometheus struct {
EnableAnonymousAccess bool `envconfig:"DRONE_PROMETHEUS_ANONYMOUS_ACCESS" default:"false"`
}
// Repository provides the repository configuration.
Repository struct {
Filter []string `envconfig:"DRONE_REPOSITORY_FILTER"`
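Review bot: The new `EnableAnonymousAccess` field in the `Prometheus` struct has no comment of its own, and the struct comment does not say that enabling it removes the authentication requirement on the metrics endpoint. I would add above the field: `// EnableAnonymousAccess, when true, serves the metrics endpoint without a session or role check.` The enclosing `type (` block starts and ends outside this section.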


@ -18,6 +18,7 @@ import (
"net/http"
"github.com/drone/drone/cmd/drone-server/config"
"github.com/drone/drone/core"
"github.com/drone/drone/handler/api"
"github.com/drone/drone/handler/web"
"github.com/drone/drone/metric"
@ -33,9 +34,9 @@ import (
// wire set for loading the server.
var serverSet = wire.NewSet(
manager.New,
metric.NewServer,
api.New,
web.New,
provideMetric,
provideRouter,
provideRPC,
provideServer,
@ -53,6 +54,12 @@ func provideRouter(api api.Server, web web.Server, rpc http.Handler, metrics *me
return r
}
// provideMetric is a Wire provider function that returns the
// metrics server exposing metrics in prometheus format.
func provideMetric(session core.Session, config config.Config) *metric.Server {
return metric.NewServer(session, config.Prometheus.EnableAnonymousAccess)
}
// provideRPC is a Wire provider function that returns an rpc
// handler that exposes the build manager to a remote agent.
func provideRPC(m manager.BuildManager, config config.Config) http.Handler {


@ -10,7 +10,6 @@ import (
"github.com/drone/drone/handler/api"
"github.com/drone/drone/handler/web"
"github.com/drone/drone/livelog"
"github.com/drone/drone/metric"
"github.com/drone/drone/operator/manager"
"github.com/drone/drone/pubsub"
"github.com/drone/drone/service/commit"
@ -93,7 +92,7 @@ func InitializeApplication(config2 config.Config) (application, error) {
options := provideServerOptions(config2)
webServer := web.New(admissionService, buildStore, client, hookParser, coreLicense, licenseService, middleware, repositoryStore, session, syncer, triggerer, userStore, userService, webhookSender, options, system)
handler := provideRPC(buildManager, config2)
metricServer := metric.NewServer(session)
metricServer := provideMetric(session, config2)
mux := provideRouter(server, webServer, handler, metricServer)
serverServer := provideServer(mux, config2)
mainApplication := newApplication(cronScheduler, datadog, runner, serverServer, userStore)


@ -26,13 +26,15 @@ var errAccessDenied = errors.New("Access denied")
type Server struct {
metrics http.Handler
session core.Session
anonymous bool
}
// NewServer returns a new metrics server.
func NewServer(session core.Session) *Server {
func NewServer(session core.Session, anonymous bool) *Server {
return &Server{
metrics: promhttp.Handler(),
session: session,
anonymous: anonymous,
}
}
@ -41,9 +43,9 @@ func NewServer(session core.Session) *Server {
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
user, _ := s.session.Get(r)
switch {
case user == nil:
case !s.anonymous && user == nil:
http.Error(w, errInvalidToken.Error(), 401)
case !user.Admin && !user.Machine:
case !s.anonymous && !user.Admin && !user.Machine:
http.Error(w, errAccessDenied.Error(), 403)
default:
s.metrics.ServeHTTP(w, r)
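Review bot: In `ServeHTTP`, the second arm `!s.anonymous && !user.Admin && !user.Machine` is safe from a nil `user` only because `!s.anonymous` short-circuits first and the previous arm has already caught the nil case; that coupling is easy to break in a later edit. A leading arm `case s.anonymous:` followed by `s.metrics.ServeHTTP(w, r)` would let the other two conditions stay as `user == nil` and `!user.Admin && !user.Machine`, and it makes the bypass explicit. The doc comment on `NewServer` could also say that `anonymous` disables both the 401 and the 403 check. The body of `ServeHTTP` closes outside this section.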


@ -26,7 +26,7 @@ func TestHandleMetrics(t *testing.T) {
session := mock.NewMockSession(controller)
session.EXPECT().Get(r).Return(mockUser, nil)
NewServer(session).ServeHTTP(w, r)
NewServer(session, false).ServeHTTP(w, r)
if got, want := w.Code, 200; got != want {
t.Errorf("Want status code %d, got %d", want, got)
}
@ -46,13 +46,30 @@ func TestHandleMetrics_NoSession(t *testing.T) {
session := mock.NewMockSession(controller)
session.EXPECT().Get(r).Return(nil, nil)
NewServer(session).ServeHTTP(w, r)
NewServer(session, false).ServeHTTP(w, r)
if got, want := w.Code, 401; got != want {
t.Errorf("Want status code %d, got %d", want, got)
}
}
func TestHandleMetrics_NoSessionButAnonymousAccessEnabled(t *testing.T) {
controller := gomock.NewController(t)
defer controller.Finish()
w := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/", nil)
session := mock.NewMockSession(controller)
session.EXPECT().Get(r).Return(nil, nil)
NewServer(session, true).ServeHTTP(w, r)
if got, want := w.Code, 200; got != want {
t.Errorf("Want status code %d, got %d", want, got)
}
}
func TestHandleMetrics_AccessDenied(t *testing.T) {
controller := gomock.NewController(t)
defer controller.Finish()
@ -64,7 +81,7 @@ func TestHandleMetrics_AccessDenied(t *testing.T) {
session := mock.NewMockSession(controller)
session.EXPECT().Get(r).Return(mockUser, nil)
NewServer(session).ServeHTTP(w, r)
NewServer(session, false).ServeHTTP(w, r)
if got, want := w.Code, 403; got != want {
t.Errorf("Want status code %d, got %d", want, got)
}
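Review bot: The added tests cover anonymous access only for a request with no session; nothing exercises `NewServer(session, true)` with a logged-in user that is neither `Admin` nor `Machine`, which is the path where the 403 arm is skipped. A test next to `TestHandleMetrics_NoSessionButAnonymousAccessEnabled` that expects 200 for such a user would pin that behaviour against later changes to the switch. The `mockUser` setup of the existing tests is outside the visible hunks, so the struct literal below is assumed from the `Admin` and `Machine` fields the handler reads.

```go
func TestHandleMetrics_AccessDeniedButAnonymousAccessEnabled(t *testing.T) {
	controller := gomock.NewController(t)
	defer controller.Finish()

	w := httptest.NewRecorder()
	r := httptest.NewRequest("GET", "/", nil)

	// assumed shape: a user that is neither admin nor machine
	mockUser := &core.User{Admin: false, Machine: false}
	session := mock.NewMockSession(controller)
	session.EXPECT().Get(r).Return(mockUser, nil)

	NewServer(session, true).ServeHTTP(w, r)
	if got, want := w.Code, 200; got != want {
		t.Errorf("Want status code %d, got %d", want, got)
	}
}
```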