{ "setUDPMultipleMessagesVectorSize", true, "n", "set the size of the vector passed to recvmmsg() to receive UDP messages. Default to 1 which means that the feature is disabled and recvmsg() is used instead" },
{ "setUDPTimeout", true, "n", "set the maximum time dnsdist will wait for a response from a backend over UDP, in seconds" },
{ "setVerboseHealthChecks", true, "bool", "set whether health check errors will be logged" },
- { "setWebserverConfig", true, "password [, apiKey [, customHeaders ]]", "Updates webserver configuration" },
+ { "setWebserverConfig", true, "[{password=string, apiKey=string, customHeaders}]", "Updates webserver configuration" },
{ "show", true, "string", "outputs `string`" },
{ "showACL", true, "", "show our ACL set" },
{ "showBinds", true, "", "show listening addresses (frontends)" },
void setupLuaConfig(bool client)
{
typedef std::unordered_map<std::string, boost::variant<bool, std::string, vector<pair<int, std::string> >, DownstreamState::checkfunc_t > > newserver_t;
-
g_lua.writeFunction("inClientStartup", [client]() {
return client && !g_configurationDone;
});
SBind(sock, local);
SListen(sock, 5);
auto launch=[sock, local, password, apiKey, customHeaders]() {
- setWebserverConfig(password, apiKey, customHeaders);
+ setWebserverPassword(password);
+ setWebserverAPIKey(apiKey);
+ setWebserverCustomHeaders(customHeaders);
thread t(dnsdistWebserverThread, sock, local);
t.detach();
};
});
- g_lua.writeFunction("setWebserverConfig", [](const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders) {
+ typedef std::unordered_map<std::string, boost::variant<std::string, std::map<std::string, std::string>> > webserveropts_t;
+
+ g_lua.writeFunction("setWebserverConfig", [](boost::optional<webserveropts_t> vars) {
setLuaSideEffect();
- setWebserverConfig(password, apiKey, customHeaders);
+
+ if (!vars) {
+ return ;
+ }
+ if(vars->count("password")) {
+ const std::string password = boost::get<std::string>(vars->at("password"));
+
+ setWebserverPassword(password);
+ }
+ if(vars->count("apiKey")) {
+ // allows setting apiKey: nil to disable access with it
+ const std::string apiKey = boost::get<std::string>(vars->at("apiKey"));
+
+ setWebserverAPIKey(apiKey);
+ }
+ if(vars->count("customHeaders")) {
+ const boost::optional<std::map<std::string, std::string> > headers = boost::get<std::map<std::string, std::string> >(vars->at("customHeaders"));
+
+ setWebserverCustomHeaders(headers);
+ }
});
g_lua.writeFunction("controlSocket", [client](const std::string& str) {
close(sock);
}
}
-void setWebserverConfig(const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders)
+
+void setWebserverAPIKey(const boost::optional<std::string> apiKey)
{
std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
- g_webserverConfig.password = password;
if (apiKey) {
g_webserverConfig.apiKey = *apiKey;
} else {
g_webserverConfig.apiKey.clear();
}
+}
+
+void setWebserverPassword(const std::string& password)
+{
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+
+ g_webserverConfig.password = password;
+}
+
+void setWebserverCustomHeaders(const boost::optional<std::map<std::string, std::string> > customHeaders)
+{
+ std::lock_guard<std::mutex> lock(g_webserverConfig.lock);
+
g_webserverConfig.customHeaders = customHeaders;
}
std::mutex lock;
};
-void setWebserverConfig(const std::string& password, const boost::optional<std::string> apiKey, const boost::optional<std::map<std::string, std::string> > customHeaders);
+void setWebserverAPIKey(const boost::optional<std::string> apiKey);
+void setWebserverPassword(const std::string& password);
+void setWebserverCustomHeaders(const boost::optional<std::map<std::string, std::string> > customHeaders);
+
void dnsdistWebserverThread(int sock, const ComboAddress& local);
bool getMsgLen32(int fd, uint32_t* len);
bool putMsgLen32(int fd, uint32_t len);
:param bool allow: Set to true to allow modification through the API
:param str dir: A valid directory where the configuration files will be written by the API.
-.. function:: setWebserverConfig(password[, apikey[, custom_headers]])
+.. function:: setWebserverConfig(options)
.. versionadded:: 1.3.3
Setup webserver configuration. See :func:`webserver`.
- :param str password: The password required to access the webserver
- :param str apikey: The key required to access the API
- :param {[str]=str,...} custom_headers: Allows setting custom headers and removing the defaults
+ :param table options: A table with key: value pairs with webserver options.
+
+ Options:
+
+ * ``password=newPassword``: string - Changes the API password
+ * ``apikey=newKey``: string - Changes the API Key (set to an empty string do disable it)
+ * ``custom_headers={[str]=str,...}``: map of string - Allows setting custom headers and removing the defaults.
Access Control Lists
~~~~~~~~~~~~~~~~~~~~
setACL({"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"})
""")
+class TestAPICustomHeaders(DNSDistTest):
+
+ _webTimeout = 2.0
+ _webServerPort = 8083
+ _webServerBasicAuthPassword = 'secret'
+ _webServerAPIKey = 'apisecret'
+ # paths accessible using the API key only
+ _apiOnlyPath = '/api/v1/servers/localhost/config'
+ # paths accessible using basic auth only (list not exhaustive)
+ _basicOnlyPath = '/'
+ _consoleKey = DNSDistTest.generateConsoleKey()
+ _consoleKeyB64 = base64.b64encode(_consoleKey).decode('ascii')
+ _config_params = ['_consoleKeyB64', '_consolePort', '_testServerPort', '_webServerPort', '_webServerBasicAuthPassword', '_webServerAPIKey']
+ _config_template = """
+ setKey("%s")
+ controlSocket("127.0.0.1:%s")
+ setACL({"127.0.0.1/32", "::1/128"})
+ newServer({address="127.0.0.1:%s"})
+ webserver("127.0.0.1:%s", "%s", "%s", {["X-Frame-Options"]="", ["X-Custom"]="custom"})
+ """
+
+ def testBasicHeaders(self):
+ """
+ API: Basic custom headers
+ """
+
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
+
+ r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+ self.assertEquals(r.headers.get('x-custom'), "custom")
+ self.assertFalse("x-frame-options" in r.headers)
+
+ def testBasicHeadersUpdate(self):
+ """
+ API: Basic update of custom headers
+ """
+
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
+ self.sendConsoleCommand('setWebserverConfig({customHeaders={["x-powered-by"]="dnsdist"}})')
+ r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+ self.assertEquals(r.headers.get('x-powered-by'), "dnsdist")
+ self.assertTrue("x-frame-options" in r.headers)
+
+
class TestAPIAuth(DNSDistTest):
_webTimeout = 2.0
API: Basic Authentication updating credentials
"""
- self.sendConsoleCommand('setWebserverConfig("{}")'.format(self._webServerBasicAuthPasswordNew))
-
url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
+ self.sendConsoleCommand('setWebserverConfig({{password="{}"}})'.format(self._webServerBasicAuthPasswordNew))
+
r = requests.get(url, auth=('whatever', self._webServerBasicAuthPasswordNew), timeout=self._webTimeout)
self.assertTrue(r)
self.assertEquals(r.status_code, 200)
# Make sure the old password is not usable any more
- url = 'http://127.0.0.1:' + str(self._webServerPort) + self._basicOnlyPath
r = requests.get(url, auth=('whatever', self._webServerBasicAuthPassword), timeout=self._webTimeout)
self.assertEquals(r.status_code, 401)
API: X-Api-Key updating credentials
"""
- self.sendConsoleCommand('setWebserverConfig("{}", "{}")'.format(self._webServerBasicAuthPasswordNew, self._webServerAPIKeyNew))
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
+ self.sendConsoleCommand('setWebserverConfig({{apiKey="{}"}})'.format(self._webServerAPIKeyNew))
headers = {'x-api-key': self._webServerAPIKeyNew}
- url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
r = requests.get(url, headers=headers, timeout=self._webTimeout)
self.assertTrue(r)
self.assertEquals(r.status_code, 200)
# Make sure the old password is not usable any more
headers = {'x-api-key': self._webServerAPIKey}
- url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
r = requests.get(url, headers=headers, timeout=self._webTimeout)
self.assertEquals(r.status_code, 401)
API: X-Api-Key updated to none (disabled)
"""
- self.sendConsoleCommand('setWebserverConfig("{}", "{}")'.format(self._webServerBasicAuthPasswordNew, self._webServerAPIKeyNew))
+ url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
+ self.sendConsoleCommand('setWebserverConfig({{apiKey="{}"}})'.format(self._webServerAPIKeyNew))
headers = {'x-api-key': self._webServerAPIKeyNew}
- url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
r = requests.get(url, headers=headers, timeout=self._webTimeout)
self.assertTrue(r)
self.assertEquals(r.status_code, 200)
# now disable apiKey
- self.sendConsoleCommand('setWebserverConfig("{}")'.format(self._webServerBasicAuthPasswordNew))
+ self.sendConsoleCommand('setWebserverConfig({apiKey=""})')
- headers = {'x-api-key': self._webServerAPIKeyNew}
- url = 'http://127.0.0.1:' + str(self._webServerPort) + self._apiOnlyPath
r = requests.get(url, headers=headers, timeout=self._webTimeout)
self.assertEquals(r.status_code, 401)
projects / thirdparty / pdns.git / commitdiff
