Stage 10: admin console & dictionary ops (complaint review, hot-reload, broadcasts)
Server-rendered admin console in the backend at /_gm (internal/adminconsole), fronted on the gateway's public listener by Basic-Auth + a verbatim reverse proxy (mounted on the edge mux below the h2c wrap). A same-origin check guards its POSTs; no operator identity is tracked. This supersedes the Stage 6 gateway-fronts- /api/v1/admin model: GATEWAY_ADMIN_ADDR and the backend /api/v1/admin ping are dropped and gateway/internal/admin is repurposed to the verbatim proxy. - Complaints: migration 00008 (+ jetgen) adds disposition/resolution_note/ resolved_at/applied_in_version + the deferred status CHECK; resolution feeds a query-derived pending dictionary-change pipeline (marked applied after a reload). - Dictionary hot-reload: per-version subdir BACKEND_DICT_DIR/<version>/ via the new Registry.LoadAvailable; engine.OpenWithVersions restores resident versions on restart. Partially addresses TODO-2. - Broadcasts: a backend Telegram-connector client (internal/connector, BACKEND_CONNECTOR_ADDR) for SendToUser / SendToGameChannel (discharges the Stage 9 forward-note). - Admin reads: account.ListAccounts/CountAccounts/Identities and game.ListGames/CountGames/GameByID/ListComplaints/GetComplaint/CountComplaints/ ResolveComplaint/DictionaryChanges/MarkChangesApplied. - Tests: adminconsole render, engine reload, same-origin guard, gateway verbatim proxy + h2c console mount, inttest complaint pipeline + list/count + /_gm console. - Docs: PLAN (Stage 10 done + refinements + TODO-2), ARCHITECTURE §1/§5/§6/§12/§13, FUNCTIONAL (+_ru), TESTING, backend/gateway READMEs.
This commit is contained in:
Ilia Denisov
@@ -1,8 +1,11 @@
|
||||
// Package admin is the gateway's admin surface: HTTP Basic-Auth in front of a
|
||||
// reverse proxy to the backend admin API (docs/ARCHITECTURE.md §12). The gateway
|
||||
// validates the operator credential and forwards authenticated requests to
|
||||
// backend /api/v1/admin/*; the backend trusts the gateway on this segment. The
|
||||
// admin API itself is filled in Stage 10.
|
||||
// Package admin is the gateway's admin edge: HTTP Basic-Auth in front of a reverse
|
||||
// proxy that forwards the operator's browser to the backend's server-rendered admin
|
||||
// console under /_gm. The proxy is mounted at /_gm/ on the gateway's public listener
|
||||
// (below the h2c wrap, see internal/connectsrv) and forwards verbatim — an inbound
|
||||
// /_gm/<rest> reaches <backendURL>/_gm/<rest>, preserving the inbound Host so the
|
||||
// backend's same-origin check sees the public origin. The backend trusts the gateway
|
||||
// on this segment and adds the console's same-origin CSRF guard
|
||||
// (docs/ARCHITECTURE.md §12).
|
||||
package admin
|
||||
|
||||
import (
|
||||
@@ -11,17 +14,14 @@ import (
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
// backendAdminPrefix is where the backend mounts its admin API.
|
||||
const backendAdminPrefix = "/api/v1/admin"
|
||||
|
||||
// NewProxy returns a handler that checks Basic-Auth against user/password and
|
||||
// reverse-proxies the request to the backend admin API, mapping an inbound
|
||||
// /admin/<rest> path to <backendURL>/api/v1/admin/<rest>.
|
||||
// reverse-proxies the request verbatim to the backend: the inbound path is
|
||||
// preserved, so /_gm/<rest> reaches <backendURL>/_gm/<rest>. It is mounted at /_gm/
|
||||
// on the gateway's public listener.
|
||||
func NewProxy(backendURL, user, password string, log *zap.Logger) (http.Handler, error) {
|
||||
target, err := url.Parse(backendURL)
|
||||
if err != nil {
|
||||
@@ -32,10 +32,8 @@ func NewProxy(backendURL, user, password string, log *zap.Logger) (http.Handler,
|
||||
}
|
||||
proxy := &httputil.ReverseProxy{
|
||||
Rewrite: func(pr *httputil.ProxyRequest) {
|
||||
pr.SetURL(target)
|
||||
rel := strings.TrimPrefix(pr.In.URL.Path, "/admin")
|
||||
pr.Out.URL.Path = backendAdminPrefix + rel
|
||||
pr.Out.Host = pr.In.Host
|
||||
pr.SetURL(target) // backend scheme+host; the inbound /_gm path is preserved
|
||||
pr.Out.Host = pr.In.Host // keep the public Host for the backend same-origin check
|
||||
},
|
||||
ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
|
||||
log.Warn("admin proxy upstream error", zap.String("path", r.URL.Path), zap.Error(err))
|
||||
|
||||
@@ -9,27 +9,28 @@ import (
|
||||
"scrabble/gateway/internal/admin"
|
||||
)
|
||||
|
||||
func newAdmin(t *testing.T) (*httptest.Server, func()) {
|
||||
// newAdmin fronts a fake backend with the admin proxy. The fake backend records the
|
||||
// path it receives so a test can assert the proxy forwards /_gm verbatim.
|
||||
func newAdmin(t *testing.T) (front *httptest.Server, gotPath *string, cleanup func()) {
|
||||
t.Helper()
|
||||
var path string
|
||||
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Path != "/api/v1/admin/ping" {
|
||||
t.Errorf("backend path = %q, want /api/v1/admin/ping", r.URL.Path)
|
||||
}
|
||||
_, _ = w.Write([]byte("pong"))
|
||||
path = r.URL.Path
|
||||
_, _ = w.Write([]byte("console"))
|
||||
}))
|
||||
proxy, err := admin.NewProxy(backend.URL, "ops", "secret", nil)
|
||||
if err != nil {
|
||||
t.Fatalf("new proxy: %v", err)
|
||||
}
|
||||
front := httptest.NewServer(proxy)
|
||||
return front, func() { front.Close(); backend.Close() }
|
||||
front = httptest.NewServer(proxy)
|
||||
return front, &path, func() { front.Close(); backend.Close() }
|
||||
}
|
||||
|
||||
func TestAdminRejectsMissingCredentials(t *testing.T) {
|
||||
front, cleanup := newAdmin(t)
|
||||
front, _, cleanup := newAdmin(t)
|
||||
defer cleanup()
|
||||
|
||||
resp, err := http.Get(front.URL + "/admin/ping")
|
||||
resp, err := http.Get(front.URL + "/_gm/")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
@@ -37,13 +38,16 @@ func TestAdminRejectsMissingCredentials(t *testing.T) {
|
||||
if resp.StatusCode != http.StatusUnauthorized {
|
||||
t.Fatalf("status = %d, want 401", resp.StatusCode)
|
||||
}
|
||||
if resp.Header.Get("WWW-Authenticate") == "" {
|
||||
t.Error("missing WWW-Authenticate challenge")
|
||||
}
|
||||
}
|
||||
|
||||
func TestAdminProxiesWithCredentials(t *testing.T) {
|
||||
front, cleanup := newAdmin(t)
|
||||
func TestAdminProxiesVerbatimWithCredentials(t *testing.T) {
|
||||
front, gotPath, cleanup := newAdmin(t)
|
||||
defer cleanup()
|
||||
|
||||
req, _ := http.NewRequest(http.MethodGet, front.URL+"/admin/ping", nil)
|
||||
req, _ := http.NewRequest(http.MethodGet, front.URL+"/_gm/complaints", nil)
|
||||
req.SetBasicAuth("ops", "secret")
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
@@ -51,16 +55,19 @@ func TestAdminProxiesWithCredentials(t *testing.T) {
|
||||
}
|
||||
defer func() { _ = resp.Body.Close() }()
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
if resp.StatusCode != http.StatusOK || string(body) != "pong" {
|
||||
t.Fatalf("status = %d body = %q, want 200 pong", resp.StatusCode, body)
|
||||
if resp.StatusCode != http.StatusOK || string(body) != "console" {
|
||||
t.Fatalf("status = %d body = %q, want 200 console", resp.StatusCode, body)
|
||||
}
|
||||
if *gotPath != "/_gm/complaints" {
|
||||
t.Errorf("backend path = %q, want /_gm/complaints (verbatim)", *gotPath)
|
||||
}
|
||||
}
|
||||
|
||||
func TestAdminRejectsWrongPassword(t *testing.T) {
|
||||
front, cleanup := newAdmin(t)
|
||||
front, _, cleanup := newAdmin(t)
|
||||
defer cleanup()
|
||||
|
||||
req, _ := http.NewRequest(http.MethodGet, front.URL+"/admin/ping", nil)
|
||||
req, _ := http.NewRequest(http.MethodGet, front.URL+"/_gm/", nil)
|
||||
req.SetBasicAuth("ops", "wrong")
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
|
||||
@@ -11,11 +11,9 @@ import (
|
||||
|
||||
// Config holds the gateway's runtime configuration.
|
||||
type Config struct {
|
||||
// HTTPAddr is the public Connect/h2c listener address (host:port).
|
||||
// HTTPAddr is the public Connect/h2c listener address (host:port). It also
|
||||
// serves the admin console at /_gm when admin credentials are configured.
|
||||
HTTPAddr string
|
||||
// AdminAddr is the admin reverse-proxy listener address. Admin is enabled only
|
||||
// when AdminUser and AdminPassword are also set.
|
||||
AdminAddr string
|
||||
// LogLevel is the zap log level: "debug", "info", "warn" or "error".
|
||||
LogLevel string
|
||||
// BackendHTTPURL is the base URL of the backend REST API (gateway -> backend).
|
||||
@@ -59,7 +57,6 @@ type RateLimitConfig struct {
|
||||
// Defaults applied when the corresponding environment variable is unset.
|
||||
const (
|
||||
defaultHTTPAddr = ":8081"
|
||||
defaultAdminAddr = ":8082"
|
||||
defaultLogLevel = "info"
|
||||
defaultBackendHTTPURL = "http://localhost:8080"
|
||||
defaultBackendGRPCAddr = "localhost:9090"
|
||||
@@ -85,7 +82,6 @@ func Load() (Config, error) {
|
||||
var err error
|
||||
c := Config{
|
||||
HTTPAddr: envOr("GATEWAY_HTTP_ADDR", defaultHTTPAddr),
|
||||
AdminAddr: envOr("GATEWAY_ADMIN_ADDR", defaultAdminAddr),
|
||||
LogLevel: envOr("GATEWAY_LOG_LEVEL", defaultLogLevel),
|
||||
BackendHTTPURL: envOr("GATEWAY_BACKEND_HTTP_URL", defaultBackendHTTPURL),
|
||||
BackendGRPCAddr: envOr("GATEWAY_BACKEND_GRPC_ADDR", defaultBackendGRPCAddr),
|
||||
@@ -113,10 +109,10 @@ func Load() (Config, error) {
|
||||
return c, nil
|
||||
}
|
||||
|
||||
// AdminEnabled reports whether the admin proxy should be served (an address and
|
||||
// both Basic-Auth credentials are configured).
|
||||
// AdminEnabled reports whether the admin console proxy should be mounted (both
|
||||
// Basic-Auth credentials are configured).
|
||||
func (c Config) AdminEnabled() bool {
|
||||
return c.AdminAddr != "" && c.AdminUser != "" && c.AdminPassword != ""
|
||||
return c.AdminUser != "" && c.AdminPassword != ""
|
||||
}
|
||||
|
||||
// validate reports whether the configuration values are acceptable.
|
||||
|
||||
@@ -0,0 +1,45 @@
|
||||
package connectsrv_test
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"scrabble/gateway/internal/connectsrv"
|
||||
)
|
||||
|
||||
// TestHTTPHandlerMountsAdminConsole verifies the admin proxy is reachable at /_gm/
|
||||
// through the h2c-wrapped edge mux when configured.
|
||||
func TestHTTPHandlerMountsAdminConsole(t *testing.T) {
|
||||
stub := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
|
||||
w.WriteHeader(http.StatusTeapot)
|
||||
})
|
||||
srv := connectsrv.NewServer(connectsrv.Deps{AdminProxy: stub})
|
||||
front := httptest.NewServer(srv.HTTPHandler())
|
||||
defer front.Close()
|
||||
|
||||
resp, err := http.Get(front.URL + "/_gm/")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer func() { _ = resp.Body.Close() }()
|
||||
if resp.StatusCode != http.StatusTeapot {
|
||||
t.Fatalf("/_gm status = %d, want 418 (routed to the admin proxy)", resp.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
// TestHTTPHandlerNoAdminConsole verifies /_gm is not served when no proxy is set.
|
||||
func TestHTTPHandlerNoAdminConsole(t *testing.T) {
|
||||
srv := connectsrv.NewServer(connectsrv.Deps{})
|
||||
front := httptest.NewServer(srv.HTTPHandler())
|
||||
defer front.Close()
|
||||
|
||||
resp, err := http.Get(front.URL + "/_gm/")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
defer func() { _ = resp.Body.Close() }()
|
||||
if resp.StatusCode != http.StatusNotFound {
|
||||
t.Fatalf("/_gm status = %d, want 404 (no admin proxy)", resp.StatusCode)
|
||||
}
|
||||
}
|
||||
@@ -32,12 +32,13 @@ const heartbeatKind = "heartbeat"
|
||||
|
||||
// Server implements edgev1connect.GatewayHandler.
|
||||
type Server struct {
|
||||
registry *transcode.Registry
|
||||
sessions *session.Cache
|
||||
limiter *ratelimit.Limiter
|
||||
hub *push.Hub
|
||||
heartbeat time.Duration
|
||||
log *zap.Logger
|
||||
registry *transcode.Registry
|
||||
sessions *session.Cache
|
||||
limiter *ratelimit.Limiter
|
||||
hub *push.Hub
|
||||
heartbeat time.Duration
|
||||
log *zap.Logger
|
||||
adminProxy http.Handler
|
||||
|
||||
publicPolicy ratelimit.Policy
|
||||
userPolicy ratelimit.Policy
|
||||
@@ -46,13 +47,14 @@ type Server struct {
|
||||
|
||||
// Deps carries the Server's dependencies.
|
||||
type Deps struct {
|
||||
Registry *transcode.Registry
|
||||
Sessions *session.Cache
|
||||
Limiter *ratelimit.Limiter
|
||||
Hub *push.Hub
|
||||
RateLimit config.RateLimitConfig
|
||||
Heartbeat time.Duration
|
||||
Logger *zap.Logger
|
||||
Registry *transcode.Registry
|
||||
Sessions *session.Cache
|
||||
Limiter *ratelimit.Limiter
|
||||
Hub *push.Hub
|
||||
RateLimit config.RateLimitConfig
|
||||
Heartbeat time.Duration
|
||||
Logger *zap.Logger
|
||||
AdminProxy http.Handler
|
||||
}
|
||||
|
||||
// NewServer constructs the edge service.
|
||||
@@ -68,6 +70,7 @@ func NewServer(d Deps) *Server {
|
||||
hub: d.Hub,
|
||||
heartbeat: d.Heartbeat,
|
||||
log: log,
|
||||
adminProxy: d.AdminProxy,
|
||||
publicPolicy: ratelimit.PerMinute(d.RateLimit.PublicPerMinute, d.RateLimit.PublicBurst),
|
||||
userPolicy: ratelimit.PerMinute(d.RateLimit.UserPerMinute, d.RateLimit.UserBurst),
|
||||
emailPolicy: ratelimit.Per(d.RateLimit.EmailPer10Min, 10*time.Minute, d.RateLimit.EmailBurst),
|
||||
@@ -79,6 +82,12 @@ func (s *Server) HTTPHandler() http.Handler {
|
||||
mux := http.NewServeMux()
|
||||
path, h := edgev1connect.NewGatewayHandler(s)
|
||||
mux.Handle(path, h)
|
||||
if s.adminProxy != nil {
|
||||
// The admin console (backend /_gm) is served on the public listener behind
|
||||
// the proxy's Basic-Auth, mounted below the h2c wrap so the Connect edge keeps
|
||||
// working over h2c (docs/ARCHITECTURE.md §12).
|
||||
mux.Handle("/_gm/", s.adminProxy)
|
||||
}
|
||||
return h2c.NewHandler(mux, &http2.Server{})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user