fix(cat-gateway): Add auth to rbac endpoints

stevenj · stevenj · commit 233d1cf649bf · 2024-11-01T22:05:05.000+07:00
diff --git a/catalyst-gateway/bin/src/service/api/cardano/mod.rs b/catalyst-gateway/bin/src/service/api/cardano/mod.rs
@@ -214,6 +214,8 @@ impl CardanoApi {
         &self,
         /// Stake address to get the chain root for.
         Path(stake_address): Path<Cip19StakeAddress>,
+        /// No Authorization required, but Token permitted.
+        _auth: NoneOrRBAC,
     ) -> rbac::chain_root_get::AllResponses {
         rbac::chain_root_get::endpoint(stake_address).await
     }
@@ -231,6 +233,8 @@ impl CardanoApi {
         /// Chain root to get the registrations for.
         #[oai(validator(max_length = 66, min_length = 64, pattern = "0x[0-9a-f]{64}"))]
         Path(chain_root): Path<String>,
+        /// No Authorization required, but Token permitted.
+        _auth: NoneOrRBAC,
     ) -> rbac::registrations_get::AllResponses {
         rbac::registrations_get::endpoint(chain_root).await
     }
@@ -248,6 +252,8 @@ impl CardanoApi {
         /// Role0 key to get the chain root for.
         #[oai(validator(min_length = 34, max_length = 34, pattern = "0x[0-9a-f]{32}"))]
         Path(role0_key): Path<String>,
+        /// No Authorization required, but Token permitted.
+        _auth: NoneOrRBAC,
     ) -> rbac::role0_chain_root_get::AllResponses {
         rbac::role0_chain_root_get::endpoint(role0_key).await
     }
diff --git a/catalyst-gateway/bin/src/service/api/cardano/rbac/chain_root_get.rs b/catalyst-gateway/bin/src/service/api/cardano/rbac/chain_root_get.rs
@@ -1,4 +1,5 @@
 //! Implementation of the GET `/rbac/chain_root` endpoint.
+use anyhow::anyhow;
 use der_parser::asn1_rs::ToDer;
 use futures::StreamExt as _;
 use poem_openapi::{payload::Json, ApiResponse, Object};
@@ -9,7 +10,10 @@ use crate::{
         queries::rbac::get_chain_root::{GetChainRootQuery, GetChainRootQueryParams},
         session::CassandraSession,
     },
-    service::common::{responses::WithErrorResponses, types::cardano::address::Cip19StakeAddress},
+    service::common::{
+        responses::WithErrorResponses,
+        types::{cardano::address::Cip19StakeAddress, headers::retry_after::RetryAfterOption},
+    },
 };
 
 /// GET RBAC chain root response.
@@ -29,9 +33,6 @@ pub(crate) enum Responses {
     /// No chain root found for the given stake address.
     #[oai(status = 404)]
     NotFound,
-    /// Internal server error.
-    #[oai(status = 500)]
-    InternalServerError,
 }
 
 pub(crate) type AllResponses = WithErrorResponses<Responses>;
@@ -40,12 +41,14 @@ pub(crate) type AllResponses = WithErrorResponses<Responses>;
 pub(crate) async fn endpoint(stake_address: Cip19StakeAddress) -> AllResponses {
     let Some(session) = CassandraSession::get(true) else {
         error!("Failed to acquire db session");
-        return Responses::InternalServerError.into();
+        let err = anyhow::anyhow!("Failed to acquire db session");
+        return AllResponses::service_unavailable(&err, RetryAfterOption::Default);
     };
 
     let Ok(stake_address) = stake_address.to_der_vec() else {
         error!("Failed to create stake address vec");
-        return Responses::InternalServerError.into();
+        let err = anyhow!("Failed to create stake address vec");
+        return AllResponses::internal_error(&err);
     };
 
     let query_res =
@@ -58,7 +61,8 @@ pub(crate) async fn endpoint(stake_address: Cip19StakeAddress) -> AllResponses {
                     Ok(row) => row,
                     Err(err) => {
                         error!(error = ?err, "Failed to parse get chain root by stake address query row");
-                        return Responses::InternalServerError.into();
+                        let err = anyhow!(err);
+                        return AllResponses::internal_error(&err);
                     },
                 };
 
@@ -73,7 +77,8 @@ pub(crate) async fn endpoint(stake_address: Cip19StakeAddress) -> AllResponses {
         },
         Err(err) => {
             error!(error = ?err, "Failed to execute get chain root by stake address query");
-            Responses::InternalServerError.into()
+            let err = anyhow!(err);
+            AllResponses::internal_error(&err)
         },
     }
 }
diff --git a/catalyst-gateway/bin/src/service/api/cardano/rbac/registrations_get.rs b/catalyst-gateway/bin/src/service/api/cardano/rbac/registrations_get.rs
@@ -1,4 +1,5 @@
 //! Implementation of the GET `/rbac/registrations` endpoint.
+use anyhow::anyhow;
 use futures::StreamExt as _;
 use poem_openapi::{payload::Json, ApiResponse, Object};
 use tracing::error;
@@ -10,7 +11,10 @@ use crate::{
         },
         session::CassandraSession,
     },
-    service::common::{objects::cardano::hash::Hash, responses::WithErrorResponses},
+    service::common::{
+        objects::cardano::hash::Hash, responses::WithErrorResponses,
+        types::headers::retry_after::RetryAfterOption,
+    },
 };
 
 /// GET RBAC registrations by chain root response list item.
@@ -37,9 +41,6 @@ pub(crate) enum Responses {
     /// Response for bad requests.
     #[oai(status = 400)]
     BadRequest,
-    /// Internal server error.
-    #[oai(status = 500)]
-    InternalServerError,
 }
 
 pub(crate) type AllResponses = WithErrorResponses<Responses>;
@@ -48,7 +49,8 @@ pub(crate) type AllResponses = WithErrorResponses<Responses>;
 pub(crate) async fn endpoint(chain_root: String) -> AllResponses {
     let Some(session) = CassandraSession::get(true) else {
         error!("Failed to acquire db session");
-        return Responses::InternalServerError.into();
+        let err = anyhow::anyhow!("Failed to acquire db session");
+        return AllResponses::service_unavailable(&err, RetryAfterOption::Default);
     };
 
     let Ok(decoded_chain_root) = hex::decode(chain_root) else {
@@ -70,7 +72,7 @@ pub(crate) async fn endpoint(chain_root: String) -> AllResponses {
                 error = ?err,
                 "Failed to execute get registrations by chain root query"
             );
-            return Responses::InternalServerError.into();
+            return AllResponses::internal_error(&err);
         },
     };
 
@@ -80,7 +82,8 @@ pub(crate) async fn endpoint(chain_root: String) -> AllResponses {
             Ok(row) => row,
             Err(err) => {
                 error!(error = ?err, "Failed to parse get registrations by chain root query row");
-                return Responses::InternalServerError.into();
+                let err = anyhow!(err);
+                return AllResponses::internal_error(&err);
             },
         };
 
diff --git a/catalyst-gateway/bin/src/service/api/cardano/rbac/role0_chain_root_get.rs b/catalyst-gateway/bin/src/service/api/cardano/rbac/role0_chain_root_get.rs
@@ -1,4 +1,5 @@
 //! Implementation of the GET `/rbac/role0_chain_root` endpoint.
+use anyhow::anyhow;
 use futures::StreamExt as _;
 use poem_openapi::{payload::Json, ApiResponse, Object};
 use tracing::error;
@@ -10,7 +11,9 @@ use crate::{
         },
         session::CassandraSession,
     },
-    service::common::responses::WithErrorResponses,
+    service::common::{
+        responses::WithErrorResponses, types::headers::retry_after::RetryAfterOption,
+    },
 };
 
 /// GET RBAC chain root response.
@@ -33,9 +36,6 @@ pub(crate) enum Responses {
     /// Response for bad requests.
     #[oai(status = 400)]
     BadRequest,
-    /// Internal server error.
-    #[oai(status = 500)]
-    InternalServerError,
 }
 
 pub(crate) type AllResponses = WithErrorResponses<Responses>;
@@ -44,7 +44,8 @@ pub(crate) type AllResponses = WithErrorResponses<Responses>;
 pub(crate) async fn endpoint(role0_key: String) -> AllResponses {
     let Some(session) = CassandraSession::get(true) else {
         error!("Failed to acquire db session");
-        return Responses::InternalServerError.into();
+        let err = anyhow::anyhow!("Failed to acquire db session");
+        return AllResponses::service_unavailable(&err, RetryAfterOption::Default);
     };
 
     let Ok(decoded_role0_key) = hex::decode(role0_key) else {
@@ -63,7 +64,8 @@ pub(crate) async fn endpoint(role0_key: String) -> AllResponses {
                     Ok(row) => row,
                     Err(err) => {
                         error!(error = ?err, "Failed to parse get chain root by role0 key query row");
-                        return Responses::InternalServerError.into();
+                        let err = anyhow!(err);
+                        return AllResponses::internal_error(&err);
                     },
                 };
 
@@ -78,7 +80,7 @@ pub(crate) async fn endpoint(role0_key: String) -> AllResponses {
         },
         Err(err) => {
             error!(error = ?err, "Failed to execute get chain root by role0 key query");
-            Responses::InternalServerError.into()
+            AllResponses::internal_error(&err)
         },
     }
 }
diff --git a/catalyst-gateway/bin/src/service/common/responses/code_503_service_unavailable.rs b/catalyst-gateway/bin/src/service/common/responses/code_503_service_unavailable.rs
@@ -26,6 +26,11 @@ impl ServiceUnavailable {
 
         Self { id, msg }
     }
+
+    /// Get the id of this Server Error.
+    pub(crate) fn id(&self) -> Uuid {
+        self.id
+    }
 }
 
 impl Example for ServiceUnavailable {
diff --git a/catalyst-gateway/bin/src/service/common/responses/mod.rs b/catalyst-gateway/bin/src/service/common/responses/mod.rs
@@ -28,8 +28,9 @@ mod code_503_service_unavailable;
 use code_500_internal_server_error::InternalServerError;
 
 use super::types::headers::{
-    access_control_allow_origin::AccessControlAllowOriginHeader, ratelimit::RateLimitHeader,
-    retry_after::RetryAfterHeader,
+    access_control_allow_origin::AccessControlAllowOriginHeader,
+    ratelimit::RateLimitHeader,
+    retry_after::{RetryAfterHeader, RetryAfterOption},
 };
 
 /// Default error responses
@@ -121,20 +122,35 @@ impl<T> WithErrorResponses<T> {
     pub(crate) fn handle_error(err: &anyhow::Error) -> Self {
         match err {
             err if err.is::<bb8::RunError<tokio_postgres::Error>>() => {
-                let error = ServiceUnavailable::new(None);
-                WithErrorResponses::Error(ErrorResponses::ServiceUnavailable(
-                    Json(error),
-                    Some(RetryAfterHeader::default()),
-                ))
-            },
-            err => {
-                let error = InternalServerError::new(None);
-                error!(id=%error.id(), error=?err);
-                WithErrorResponses::Error(ErrorResponses::ServerError(Json(error)))
+                Self::service_unavailable(err, RetryAfterOption::Default)
             },
+            err => Self::internal_error(err),
         }
     }
 
+    /// Handle a 503 service unavailable error response.
+    ///
+    /// Returns a 503 Service unavailable Error response.
+    pub(crate) fn service_unavailable(err: &anyhow::Error, retry: RetryAfterOption) -> Self {
+        let error = ServiceUnavailable::new(None);
+        error!(id=%error.id(), error=?err, retry_after=?retry);
+        let retry = match retry {
+            RetryAfterOption::Default => Some(RetryAfterHeader::default()),
+            RetryAfterOption::None => None,
+            RetryAfterOption::Some(value) => Some(value),
+        };
+        WithErrorResponses::Error(ErrorResponses::ServiceUnavailable(Json(error), retry))
+    }
+
+    /// Handle a 500 internal error response.
+    ///
+    /// Returns a 500 Internal Error response.
+    pub(crate) fn internal_error(err: &anyhow::Error) -> Self {
+        let error = InternalServerError::new(None);
+        error!(id=%error.id(), error=?err);
+        WithErrorResponses::Error(ErrorResponses::ServerError(Json(error)))
+    }
+
     /// Handle a 401 unauthorized response.
     ///
     /// Returns a 401 Unauthorized response.
diff --git a/catalyst-gateway/bin/src/service/common/types/headers/retry_after.rs b/catalyst-gateway/bin/src/service/common/types/headers/retry_after.rs
@@ -13,6 +13,7 @@ use poem_openapi::{
 use serde_json::Value;
 
 /// Parameter which describes the possible choices for a Retry-After header field.
+#[derive(Debug)]
 #[allow(dead_code)] // Its OK if all these variants are not used.
 pub(crate) enum RetryAfterHeader {
     /// Http Date
@@ -21,6 +22,20 @@ pub(crate) enum RetryAfterHeader {
     Seconds(u64),
 }
 
+/// Parameter which lets us set the retry header, or use some default.
+/// Needed, because its valid to exclude the retry header specifically.
+/// This is also due to the way Poem handles optional headers.
+#[derive(Debug)]
+#[allow(dead_code)] // Its OK if all these variants are not used.
+pub(crate) enum RetryAfterOption {
+    /// Use a default Retry After header value
+    Default,
+    /// Don't include the Retry After header value in the response.
+    None,
+    /// Use a specific Retry After header value
+    Some(RetryAfterHeader),
+}
+
 impl Display for RetryAfterHeader {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,11 @@ impl ServiceUnavailable {`
`26`	`26`
`27`	`27`	`Self { id, msg }`
`28`	`28`	`}`
	`29`	`+`
	`30`	`+ /// Get the id of this Server Error.`
	`31`	`+ pub(crate) fn id(&self) -> Uuid {`
	`32`	`+ self.id`
	`33`	`+ }`
`29`	`34`	`}`
`30`	`35`
`31`	`36`	`impl Example for ServiceUnavailable {`