dnsdist: Switch Webserver and console to the new configuration

PowerDNS · Jul 5, 2024 · 4f3bd69 · 4f3bd69
1 parent 2f64f13
commit 4f3bd69
Show file tree

Hide file tree

Showing 11 changed files with 273 additions and 300 deletions.
diff --git a/pdns/dnsdistdist/dnsdist-configuration.hh b/pdns/dnsdistdist/dnsdist-configuration.hh
@@ -23,8 +23,11 @@
 
 #include <functional>
 #include <map>
+#include <memory>
+#include <optional>
 #include <string>
 
+#include "credentials.hh"
 #include "dnsdist-query-count.hh"
 #include "dnsdist-rule-chains.hh"
 #include "iputils.hh"
@@ -156,8 +159,6 @@ struct Configuration
 {
   std::set<std::string> d_capabilitiesToRetain;
   std::vector<uint32_t> d_tcpFastOpenKey;
-  ComboAddress d_consoleServerAddress{"127.0.0.1:5199"};
-  std::string d_consoleKey;
 #ifdef __linux__
   // On Linux this gives us 128k pending queries (default is 8192 queries),
   // which should be enough to deal with huge spikes
@@ -193,23 +194,21 @@ struct Configuration
    a RCU-like mechanism */
 struct RuntimeConfiguration
 {
-  // ca tient pas la route: meilleure option: stocker un type plus opaque dans la configuration (dnsdist::rules::RuleChains) et
-  // laisser le soin a dnsdist::rules de le gerer
-  /*  std::vector<rules::RuleAction> d_cacheMissRuleActions;
-  std::vector<rules::ResponseRuleAction> d_respruleactions;
-  std::vector<rules::ResponseRuleAction> d_cachehitrespruleactions;
-  std::vector<rules::ResponseRuleAction> d_selfansweredrespruleactions;
-  std::vector<rules::ResponseRuleAction> d_cacheInsertedRespRuleActions;
-  std::vector<rules::ResponseRuleAction> d_XFRRespRuleActions;
-  */
   rules::RuleChains d_ruleChains;
   servers_t d_backends;
   std::map<std::string, std::shared_ptr<ServerPool>> d_pools;
+  std::shared_ptr<const CredentialsHolder> d_webPassword;
+  std::shared_ptr<const CredentialsHolder> d_webAPIKey;
+  std::optional<std::unordered_map<std::string, std::string>> d_webCustomHeaders;
   std::shared_ptr<ServerPolicy> d_lbPolicy;
   NetmaskGroup d_ACL;
   NetmaskGroup d_proxyProtocolACL;
   NetmaskGroup d_consoleACL;
+  NetmaskGroup d_webServerACL;
+  std::optional<ComboAddress> d_webServerAddress{std::nullopt};
   dnsdist::QueryCount::Configuration d_queryCountConfig;
+  ComboAddress d_consoleServerAddress{"127.0.0.1:5199"};
+  std::string d_consoleKey;
   std::string d_secPollSuffix{"secpoll.powerdns.com."};
   std::string d_apiConfigDirectory;
   uint64_t d_dynBlocksPurgeInterval{60};
@@ -231,6 +230,9 @@ struct RuntimeConfiguration
   uint16_t d_tlsSessionCacheSessionValidity{600};
   uint16_t d_tlsSessionCacheMaxSessionsPerBackend{20};
   DNSAction::Action d_dynBlockAction{DNSAction::Action::Drop};
+  bool d_apiRequiresAuthentication{true};
+  bool d_dashboardRequiresAuthentication{true};
+  bool d_statsRequireAuthentication{true};
   bool d_truncateTC{false};
   bool d_fixupCase{false};
   bool d_queryCountEnabled{false};

diff --git a/pdns/dnsdistdist/dnsdist-console.cc b/pdns/dnsdistdist/dnsdist-console.cc
@@ -178,7 +178,7 @@ static bool putMsgLen32(int fileDesc, uint32_t len)
 
 static ConsoleCommandResult sendMessageToServer(int fileDesc, const std::string& line, dnsdist::crypto::authenticated::Nonce& readingNonce, dnsdist::crypto::authenticated::Nonce& writingNonce, const bool outputEmptyLine)
 {
-  const auto& consoleKey = dnsdist::configuration::getImmutableConfiguration().d_consoleKey;
+  const auto& consoleKey = dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleKey;
   string msg = dnsdist::crypto::authenticated::encryptSym(line, consoleKey, writingNonce);
   const auto msgLen = msg.length();
   if (msgLen > std::numeric_limits<uint32_t>::max()) {
@@ -225,8 +225,8 @@ namespace dnsdist::console
 {
 void doClient(const std::string& command)
 {
-  const auto consoleKey = dnsdist::configuration::getImmutableConfiguration().d_consoleKey;
-  const auto server = dnsdist::configuration::getImmutableConfiguration().d_consoleServerAddress;
+  const auto consoleKey = dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleKey;
+  const auto server = dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleServerAddress;
   if (!dnsdist::crypto::authenticated::isValidKey(consoleKey)) {
     cerr << "The currently configured console key is not valid, please configure a valid key using the setKey() directive" << endl;
     return;
@@ -932,7 +932,7 @@ static void controlClientThread(ConsoleConnection&& conn)
 
     setTCPNoDelay(conn.getFD());
 
-    const auto& consoleKey = dnsdist::configuration::getImmutableConfiguration().d_consoleKey;
+    const auto consoleKey = dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleKey;
     dnsdist::crypto::authenticated::Nonce theirs;
     dnsdist::crypto::authenticated::Nonce ours;
     dnsdist::crypto::authenticated::Nonce readingNonce;
@@ -1065,11 +1065,11 @@ static void controlClientThread(ConsoleConnection&& conn)
   }
 }
 
-// NOLINTNEXTLINE(performance-unnecessary-value-param): this is thread
-void controlThread(std::shared_ptr<Socket>&& acceptFD, ComboAddress local)
+void controlThread(Socket&& acceptFD)
 {
   try {
     setThreadName("dnsdist/control");
+    const ComboAddress local = dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleServerAddress;
     s_connManager.setMaxConcurrentConnections(dnsdist::configuration::getImmutableConfiguration().d_consoleMaxConcurrentConnections);
 
     ComboAddress client;
@@ -1081,8 +1081,8 @@ void controlThread(std::shared_ptr<Socket>&& acceptFD, ComboAddress local)
     int sock{-1};
     infolog("Accepting control connections on %s", local.toStringWithPort());
 
-    while ((sock = SAccept(acceptFD->getHandle(), client)) >= 0) {
-      const auto& consoleKey = dnsdist::configuration::getImmutableConfiguration().d_consoleKey;
+    while ((sock = SAccept(acceptFD.getHandle(), client)) >= 0) {
+      const auto& consoleKey = dnsdist::configuration::getCurrentRuntimeConfiguration().d_consoleKey;
       FDWrapper socket(sock);
       if (!dnsdist::crypto::authenticated::isValidKey(consoleKey)) {
         vinfolog("Control connection from %s dropped because we don't have a valid key configured, please configure one using setKey()", client.toStringWithPort());

diff --git a/pdns/dnsdistdist/dnsdist-console.hh b/pdns/dnsdistdist/dnsdist-console.hh
@@ -32,7 +32,7 @@ namespace dnsdist::console
 const std::vector<std::pair<timeval, std::string>>& getConfigurationDelta();
 void doClient(const std::string& command);
 void doConsole();
-void controlThread(std::shared_ptr<Socket>&& acceptFD, ComboAddress local);
+void controlThread(Socket&& acceptFD);
 void clearHistory();
 
 #ifndef DISABLE_COMPLETION

diff --git a/pdns/dnsdistdist/dnsdist-lua-web.cc b/pdns/dnsdistdist/dnsdist-lua-web.cc
@@ -25,14 +25,17 @@
 #include "dnsdist-lua.hh"
 #include "dnsdist-web.hh"
 
+namespace dnsdist::webserver
+{
 void registerWebHandler(const std::string& endpoint, std::function<void(const YaHTTP::Request&, YaHTTP::Response&)> handler, bool isLua);
+}
 
 void setupLuaWeb(LuaContext& luaCtx)
 {
 #ifndef DISABLE_LUA_WEB_HANDLERS
   luaCtx.writeFunction("registerWebHandler", [](const std::string& path, std::function<void(const YaHTTP::Request*, YaHTTP::Response*)> handler) {
     /* LuaWrapper does a copy for objects passed by reference, so we pass a pointer */
-    registerWebHandler(path, [handler](const YaHTTP::Request& req, YaHTTP::Response& resp) { handler(&req, &resp); }, true);
+    dnsdist::webserver::registerWebHandler(path, [handler](const YaHTTP::Request& req, YaHTTP::Response& resp) { handler(&req, &resp); }, true);
   });
 
   luaCtx.registerMember<std::string(YaHTTP::Request::*)>("path", [](const YaHTTP::Request& req) -> std::string { return req.url.path; }, [](YaHTTP::Request& req, const std::string& path) { (void) path; });