Restrict access to metrics from the public network

Due to security reasons, access to the `/metrics` endpoint is restricted by basic HTTP Bearer Token authentication. If you make a request without the correct token, the server will respond with "Unauthorized Access". Close #43
tarantool · Apr 4, 2024 · 9db0cd3 · 9db0cd3
1 parent b16fd7a
commit 9db0cd3
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -42,7 +42,12 @@ docker build -t docbot .
 Then run it like this:
 
 ```sh
-docker run -d -p5000:5000 -e GITHUB_TOKEN=<token> -e GITHUB_SIGN_KEY=<sign_key> --name docbot docbot
+docker run \
+    -d -p5000:5000 \
+    -e GITHUB_TOKEN=<token> \
+    -e GITHUB_SIGN_KEY=<sign_key> \
+    -e PROMETHEUS_TOKEN=<token> \
+    --name docbot docbot
 ```
 
 To check that it works try to get `localhost:5000` - it will print the

diff --git a/docbot/app.py b/docbot/app.py
@@ -3,10 +3,11 @@
 from elasticapm.contrib.flask import ElasticAPM
 from prometheus_flask_exporter import PrometheusMetrics
 from flask import Flask, Response, request
+from flask_httpauth import HTTPTokenAuth
 
 from .handlers import webhook_handler, list_events_handler
 from .logging_config import LOGGING_CONFIG
-from .utils import is_verified_signature
+from .utils import is_verified_signature, is_verified_prometheus_token
 
 
 logging.config.dictConfig(LOGGING_CONFIG)
@@ -15,13 +16,19 @@
 
 
 app = Flask(__name__)
+auth = HTTPTokenAuth()
 
 app.config['ELASTIC_APM'] = {
     'SERVICE_NAME': 'docbot',
 }
 apm = ElasticAPM(app, logging=True)
 
-metrics = PrometheusMetrics(app, group_by='endpoint')
+metrics = PrometheusMetrics(app, group_by='endpoint', metrics_decorator=auth.login_required)
+
+
+@auth.verify_token
+def verify_token(token):
+    return is_verified_prometheus_token(token)
 
 @app.route("/", methods=['GET'])
 @metrics.do_not_track()

diff --git a/docbot/settings.py b/docbot/settings.py
@@ -2,8 +2,10 @@
 
 token = os.environ.get('GITHUB_TOKEN')
 github_signature = os.environ.get('GITHUB_SIGN_KEY')
+prometheus_token = os.environ.get('PROMETHEUS_TOKEN')
 assert token is not None
 assert github_signature is not None
+assert prometheus_token is not None
 doc_requests = [' document\r\n', ' document\n']
 bot_name = '@TarantoolBot'
 title_header = 'Title:'

diff --git a/docbot/utils.py b/docbot/utils.py
@@ -39,3 +39,15 @@ def is_verified_signature(body, signature):
     if not hmac.compare_digest(expected_signature, signature):
         return False
     return True
+
+def is_verified_prometheus_token(token):
+    """Verify that the payload was sent from Prometheus via Bearer token.
+
+    Returns True if the request is authorized, otherwise False.
+
+    Args:
+        token: original request token to verify
+    """
+    if token == settings.prometheus_token:
+        return True
+    return False
diff --git a/requirements.txt b/requirements.txt
@@ -5,6 +5,7 @@ click==8.1.3
 ecs-logging==2.0.0
 elastic-apm==6.9.1
 Flask==2.2.5
+Flask-HTTPAuth==4.8.0
 gunicorn==20.1.0
 idna==3.3
 itsdangerous==2.1.2