ryyst
377af163f0
Add API endpoints to manage ResourceMetadata (ownership, groups, permissions)
for KV resources. This enables administrators to configure granular access
control for stored data.
Changes:
- Add GetResourceMetadataResponse and UpdateResourceMetadataRequest types
- Add GetResourceMetadata and SetResourceMetadata methods to AuthService
- Add GET /kv/{path}/metadata endpoint (requires admin:users:read)
- Add PUT /kv/{path}/metadata endpoint (requires admin:users:update)
- Both endpoints protected by JWT authentication
- Metadata routes registered before general KV routes to prevent pattern conflicts
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
145 lines
6.2 KiB
Go
145 lines
6.2 KiB
Go
package server
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/gorilla/mux"
|
|
)
|
|
|
|
// setupRoutes configures all HTTP routes and their handlers
|
|
func (s *Server) setupRoutes() *mux.Router {
|
|
router := mux.NewRouter()
|
|
|
|
// Health endpoint (always available)
|
|
router.HandleFunc("/health", s.healthHandler).Methods("GET")
|
|
|
|
// Resource Metadata Management endpoints (Issue #12) - Must come BEFORE general KV routes
|
|
// These need to be registered first to prevent /kv/{path:.+} from matching metadata paths
|
|
if s.config.AuthEnabled {
|
|
router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
|
|
[]string{"admin:users:read"}, nil, "",
|
|
)(s.getResourceMetadataHandler)).Methods("GET")
|
|
|
|
router.Handle("/kv/{path:.+}/metadata", s.authService.Middleware(
|
|
[]string{"admin:users:update"}, nil, "",
|
|
)(s.updateResourceMetadataHandler)).Methods("PUT")
|
|
}
|
|
|
|
// KV endpoints (with conditional authentication based on anonymous access settings)
|
|
// GET endpoint - require auth if anonymous read is disabled
|
|
if s.config.AuthEnabled && !s.config.AllowAnonymousRead {
|
|
router.Handle("/kv/{path:.+}", s.authService.Middleware(
|
|
[]string{"read"}, nil, "",
|
|
)(s.getKVHandler)).Methods("GET")
|
|
} else {
|
|
router.HandleFunc("/kv/{path:.+}", s.getKVHandler).Methods("GET")
|
|
}
|
|
|
|
// PUT endpoint - require auth if anonymous write is disabled
|
|
if s.config.AuthEnabled && !s.config.AllowAnonymousWrite {
|
|
router.Handle("/kv/{path:.+}", s.authService.Middleware(
|
|
[]string{"write"}, nil, "",
|
|
)(s.putKVHandler)).Methods("PUT")
|
|
} else {
|
|
router.HandleFunc("/kv/{path:.+}", s.putKVHandler).Methods("PUT")
|
|
}
|
|
|
|
// DELETE endpoint - always require authentication (no anonymous delete)
|
|
if s.config.AuthEnabled {
|
|
router.Handle("/kv/{path:.+}", s.authService.Middleware(
|
|
[]string{"delete"}, nil, "",
|
|
)(s.deleteKVHandler)).Methods("DELETE")
|
|
} else {
|
|
router.HandleFunc("/kv/{path:.+}", s.deleteKVHandler).Methods("DELETE")
|
|
}
|
|
|
|
// Member endpoints (available when clustering is enabled)
|
|
if s.config.ClusteringEnabled {
|
|
// GET /members/ is unprotected for monitoring/inspection
|
|
router.HandleFunc("/members/", s.getMembersHandler).Methods("GET")
|
|
|
|
// Apply cluster authentication middleware to all cluster communication endpoints
|
|
if s.clusterAuthService != nil {
|
|
router.Handle("/members/join", s.clusterAuthService.Middleware(http.HandlerFunc(s.joinMemberHandler))).Methods("POST")
|
|
router.Handle("/members/leave", s.clusterAuthService.Middleware(http.HandlerFunc(s.leaveMemberHandler))).Methods("DELETE")
|
|
router.Handle("/members/gossip", s.clusterAuthService.Middleware(http.HandlerFunc(s.gossipHandler))).Methods("POST")
|
|
router.Handle("/members/pairs_by_time", s.clusterAuthService.Middleware(http.HandlerFunc(s.pairsByTimeHandler))).Methods("POST")
|
|
|
|
// Merkle Tree endpoints (clustering feature)
|
|
router.Handle("/merkle_tree/root", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleRootHandler))).Methods("GET")
|
|
router.Handle("/merkle_tree/diff", s.clusterAuthService.Middleware(http.HandlerFunc(s.getMerkleDiffHandler))).Methods("POST")
|
|
router.Handle("/kv_range", s.clusterAuthService.Middleware(http.HandlerFunc(s.getKVRangeHandler))).Methods("POST")
|
|
} else {
|
|
// Fallback to unprotected endpoints (for backwards compatibility)
|
|
router.HandleFunc("/members/join", s.joinMemberHandler).Methods("POST")
|
|
router.HandleFunc("/members/leave", s.leaveMemberHandler).Methods("DELETE")
|
|
router.HandleFunc("/members/gossip", s.gossipHandler).Methods("POST")
|
|
router.HandleFunc("/members/pairs_by_time", s.pairsByTimeHandler).Methods("POST")
|
|
|
|
// Merkle Tree endpoints (clustering feature)
|
|
router.HandleFunc("/merkle_tree/root", s.getMerkleRootHandler).Methods("GET")
|
|
router.HandleFunc("/merkle_tree/diff", s.getMerkleDiffHandler).Methods("POST")
|
|
router.HandleFunc("/kv_range", s.getKVRangeHandler).Methods("POST")
|
|
}
|
|
}
|
|
|
|
// Authentication and user management endpoints (available when auth is enabled)
|
|
if s.config.AuthEnabled {
|
|
// User Management endpoints (with authentication middleware)
|
|
router.Handle("/api/users", s.authService.Middleware(
|
|
[]string{"admin:users:create"}, nil, "",
|
|
)(s.createUserHandler)).Methods("POST")
|
|
|
|
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
|
[]string{"admin:users:read"}, nil, "",
|
|
)(s.getUserHandler)).Methods("GET")
|
|
|
|
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
|
[]string{"admin:users:update"}, nil, "",
|
|
)(s.updateUserHandler)).Methods("PUT")
|
|
|
|
router.Handle("/api/users/{uuid}", s.authService.Middleware(
|
|
[]string{"admin:users:delete"}, nil, "",
|
|
)(s.deleteUserHandler)).Methods("DELETE")
|
|
|
|
// Group Management endpoints (with authentication middleware)
|
|
router.Handle("/api/groups", s.authService.Middleware(
|
|
[]string{"admin:groups:create"}, nil, "",
|
|
)(s.createGroupHandler)).Methods("POST")
|
|
|
|
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
|
[]string{"admin:groups:read"}, nil, "",
|
|
)(s.getGroupHandler)).Methods("GET")
|
|
|
|
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
|
[]string{"admin:groups:update"}, nil, "",
|
|
)(s.updateGroupHandler)).Methods("PUT")
|
|
|
|
router.Handle("/api/groups/{uuid}", s.authService.Middleware(
|
|
[]string{"admin:groups:delete"}, nil, "",
|
|
)(s.deleteGroupHandler)).Methods("DELETE")
|
|
|
|
// Token Management endpoints (with authentication middleware)
|
|
router.Handle("/api/tokens", s.authService.Middleware(
|
|
[]string{"admin:tokens:create"}, nil, "",
|
|
)(s.createTokenHandler)).Methods("POST")
|
|
|
|
// Cluster Bootstrap endpoint (Issue #13) - Protected by JWT authentication
|
|
// Allows authenticated administrators to retrieve the cluster secret for new nodes
|
|
router.Handle("/auth/cluster-bootstrap", s.authService.Middleware(
|
|
[]string{"admin:tokens:create"}, nil, "",
|
|
)(s.clusterBootstrapHandler)).Methods("GET")
|
|
}
|
|
|
|
// Revision History endpoints (available when revision history is enabled)
|
|
if s.config.RevisionHistoryEnabled {
|
|
router.HandleFunc("/api/data/{key}/history", s.getRevisionHistoryHandler).Methods("GET")
|
|
router.HandleFunc("/api/data/{key}/history/{revision}", s.getSpecificRevisionHandler).Methods("GET")
|
|
}
|
|
|
|
// Backup Status endpoint (always available if backup is enabled)
|
|
router.HandleFunc("/api/backup/status", s.getBackupStatusHandler).Methods("GET")
|
|
|
|
return router
|
|
}
|