diff --git a/mithril-aggregator/src/configuration.rs b/mithril-aggregator/src/configuration.rs index 94837c4117..653d808322 100644 --- a/mithril-aggregator/src/configuration.rs +++ b/mithril-aggregator/src/configuration.rs @@ -186,6 +186,9 @@ pub struct Configuration { /// Time interval at which usage metrics are persisted in event database (in seconds). pub persist_usage_report_interval_in_seconds: u64, + + /// If set to true, the HTTP server can serve static directories. + pub allow_http_serve_directory: bool, } /// Uploader needed to copy the snapshot once computed. @@ -270,6 +273,7 @@ impl Configuration { metrics_server_ip: "0.0.0.0".to_string(), metrics_server_port: 9090, persist_usage_report_interval_in_seconds: 10, + allow_http_serve_directory: false, } } @@ -411,6 +415,9 @@ pub struct DefaultConfiguration { /// Time interval at which metrics are persisted in event database (in seconds). pub persist_usage_report_interval_in_seconds: u64, + + /// If set to true, the HTTP server can serve static directories. + pub allow_http_serve_directory: bool, } impl Default for DefaultConfiguration { @@ -443,6 +450,7 @@ impl Default for DefaultConfiguration { metrics_server_ip: "0.0.0.0".to_string(), metrics_server_port: 9090, persist_usage_report_interval_in_seconds: 10, + allow_http_serve_directory: false, } } } @@ -530,6 +538,7 @@ impl Source for DefaultConfiguration { ), ])), ); + insert_default_configuration!(result, myself.allow_http_serve_directory); Ok(result) } } diff --git a/mithril-aggregator/src/dependency_injection/builder.rs b/mithril-aggregator/src/dependency_injection/builder.rs index bc55d2a199..2243416a8c 100644 --- a/mithril-aggregator/src/dependency_injection/builder.rs +++ b/mithril-aggregator/src/dependency_injection/builder.rs @@ -1556,6 +1556,7 @@ impl DependenciesBuilder { .clone(), snapshot_directory: self.configuration.get_snapshot_dir()?, cardano_node_version: self.configuration.cardano_node_version.clone(), + allow_http_serve_directory: self.configuration.allow_http_serve_directory, }, ); diff --git a/mithril-aggregator/src/http_server/routes/artifact_routes/cardano_database.rs b/mithril-aggregator/src/http_server/routes/artifact_routes/cardano_database.rs index fe84f6cb71..48749c0621 100644 --- a/mithril-aggregator/src/http_server/routes/artifact_routes/cardano_database.rs +++ b/mithril-aggregator/src/http_server/routes/artifact_routes/cardano_database.rs @@ -41,6 +41,9 @@ fn serve_cardano_database_dir( router_state.configuration.snapshot_directory.clone(), )) .and(middlewares::with_logger(router_state)) + .and(middlewares::extract_config(router_state, |config| { + config.allow_http_serve_directory + })) .and_then(handlers::ensure_downloaded_file_is_a_cardano_database) } @@ -103,6 +106,7 @@ mod handlers { pub async fn ensure_downloaded_file_is_a_cardano_database( reply: warp::fs::File, logger: Logger, + allow_http_serve_directory: bool, ) -> Result { let filepath = reply.path().to_path_buf(); debug!( @@ -111,6 +115,11 @@ mod handlers { filepath.display() ); + if !allow_http_serve_directory { + warn!(logger, "ensure_downloaded_file_is_a_cardano_database::error"; "error" => "http serve directory is disabled"); + return Ok(reply::empty(StatusCode::FORBIDDEN)); + } + // TODO: enhance this check with a regular expression once the file naming convention is defined let file_is_a_cardano_database_archive = filepath.to_string_lossy().contains("ancillary") || filepath.to_string_lossy().contains("immutable"); diff --git a/mithril-aggregator/src/http_server/routes/artifact_routes/snapshot.rs b/mithril-aggregator/src/http_server/routes/artifact_routes/snapshot.rs index 7e0962338a..1305df6d6e 100644 --- a/mithril-aggregator/src/http_server/routes/artifact_routes/snapshot.rs +++ b/mithril-aggregator/src/http_server/routes/artifact_routes/snapshot.rs @@ -61,6 +61,9 @@ fn serve_snapshots_dir( )) .and(middlewares::with_logger(router_state)) .and(middlewares::with_signed_entity_service(router_state)) + .and(middlewares::extract_config(router_state, |config| { + config.allow_http_serve_directory + })) .and_then(handlers::ensure_downloaded_file_is_a_snapshot) } @@ -155,6 +158,7 @@ mod handlers { reply: warp::fs::File, logger: Logger, signed_entity_service: Arc, + allow_http_serve_directory: bool, ) -> Result { let filepath = reply.path().to_path_buf(); debug!( @@ -163,6 +167,11 @@ mod handlers { filepath.display() ); + if !allow_http_serve_directory { + warn!(logger, "ensure_downloaded_file_is_a_cardano_database::error"; "error" => "http serve directory is disabled"); + return Ok(reply::empty(StatusCode::FORBIDDEN)); + } + match crate::tools::extract_digest_from_path(&filepath) { Ok(digest) => match signed_entity_service .get_signed_snapshot_by_id(&digest) diff --git a/mithril-aggregator/src/http_server/routes/router.rs b/mithril-aggregator/src/http_server/routes/router.rs index 4f79c9dc39..7bcc362da1 100644 --- a/mithril-aggregator/src/http_server/routes/router.rs +++ b/mithril-aggregator/src/http_server/routes/router.rs @@ -39,6 +39,7 @@ pub struct RouterConfig { pub cardano_transactions_signing_config: CardanoTransactionsSigningConfig, pub snapshot_directory: PathBuf, pub cardano_node_version: String, + pub allow_http_serve_directory: bool, } #[cfg(test)] @@ -55,6 +56,7 @@ impl RouterConfig { cardano_transactions_signing_config: CardanoTransactionsSigningConfig::dummy(), snapshot_directory: PathBuf::from("/dummy/snapshot/directory"), cardano_node_version: "1.2.3".to_string(), + allow_http_serve_directory: false, } } } diff --git a/mithril-test-lab/mithril-end-to-end/src/mithril/aggregator.rs b/mithril-test-lab/mithril-end-to-end/src/mithril/aggregator.rs index 989da98c31..ab90912680 100644 --- a/mithril-test-lab/mithril-end-to-end/src/mithril/aggregator.rs +++ b/mithril-test-lab/mithril-end-to-end/src/mithril/aggregator.rs @@ -99,6 +99,7 @@ impl Aggregator { ), ("CARDANO_TRANSACTIONS_SIGNING_CONFIG__STEP", "15"), ("PERSIST_USAGE_REPORT_INTERVAL_IN_SECONDS", "3"), + ("ALLOW_HTTP_SERVE_DIRECTORY", "true"), ]); let args = vec![ "--db-directory",