Hide extended health check information behind superuser permission or a session property

Also adds an endpoint that (when specified with the proper secret), sets the session property
This commit is contained in:
Joseph Schorr 2017-05-24 18:26:22 -04:00
parent 4ad3682b9c
commit b7d6bb12fa
3 changed files with 37 additions and 6 deletions

View file

@ -471,3 +471,6 @@ class DefaultConfig(ImmutableConfig):
# Feature Flag: Whether users can view and change their tag expiration. # Feature Flag: Whether users can view and change their tag expiration.
FEATURE_CHANGE_TAG_EXPIRATION = True FEATURE_CHANGE_TAG_EXPIRATION = True
# Defines a secret for enabling the health-check endpoint's debug information.
ENABLE_HEALTH_DEBUG_SECRET = None

View file

@ -6,7 +6,7 @@ from datetime import timedelta, datetime
from cachetools import lru_cache from cachetools import lru_cache
from flask import (abort, redirect, request, url_for, make_response, Response, render_template, from flask import (abort, redirect, request, url_for, make_response, Response, render_template,
Blueprint, jsonify, send_file) Blueprint, jsonify, send_file, session)
from flask_login import current_user from flask_login import current_user
import features import features
@ -260,6 +260,7 @@ def privacy():
# TODO(jschorr): Remove this mirrored endpoint once we migrate ELB. # TODO(jschorr): Remove this mirrored endpoint once we migrate ELB.
@web.route('/health', methods=['GET']) @web.route('/health', methods=['GET'])
@web.route('/health/instance', methods=['GET']) @web.route('/health/instance', methods=['GET'])
@process_auth_or_cookie
@no_cache @no_cache
def instance_health(): def instance_health():
checker = get_healthchecker(app, config_provider, instance_keys) checker = get_healthchecker(app, config_provider, instance_keys)
@ -272,6 +273,7 @@ def instance_health():
# TODO(jschorr): Remove this mirrored endpoint once we migrate pingdom. # TODO(jschorr): Remove this mirrored endpoint once we migrate pingdom.
@web.route('/status', methods=['GET']) @web.route('/status', methods=['GET'])
@web.route('/health/endtoend', methods=['GET']) @web.route('/health/endtoend', methods=['GET'])
@process_auth_or_cookie
@no_cache @no_cache
def endtoend_health(): def endtoend_health():
checker = get_healthchecker(app, config_provider, instance_keys) checker = get_healthchecker(app, config_provider, instance_keys)
@ -283,6 +285,7 @@ def endtoend_health():
@web.route('/health/dbrevision', methods=['GET']) @web.route('/health/dbrevision', methods=['GET'])
@route_show_if(features.BILLING) # Since this is only used in production. @route_show_if(features.BILLING) # Since this is only used in production.
@process_auth_or_cookie
@no_cache @no_cache
def dbrevision_health(): def dbrevision_health():
# Find the revision from the database. # Find the revision from the database.
@ -305,6 +308,23 @@ def dbrevision_health():
return response return response
@web.route('/health/enabledebug/<secret>', methods=['GET'])
@no_cache
def enable_health_debug(secret):
if not secret:
abort(404)
if not app.config.get('ENABLE_HEALTH_DEBUG_SECRET'):
abort(404)
if app.config.get('ENABLE_HEALTH_DEBUG_SECRET') != secret:
abort(404)
session['health_debug'] = True
return make_response('Health check debug information enabled')
@web.route('/robots.txt', methods=['GET']) @web.route('/robots.txt', methods=['GET'])
def robots(): def robots():
robots_txt = make_response(render_template('robots.txt', baseurl=get_app_url())) robots_txt = make_response(render_template('robots.txt', baseurl=get_app_url()))

View file

@ -1,5 +1,8 @@
import boto.rds2 import boto.rds2
import logging import logging
from auth.permissions import SuperUserPermission
from flask import session
from health.services import check_all_services from health.services import check_all_services
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
@ -68,12 +71,17 @@ class HealthCheck(object):
data = { data = {
'services': service_statuses_bools, 'services': service_statuses_bools,
}
add_debug_information = SuperUserPermission().can() or session.get('health_debug', False)
if add_debug_information:
data.update({
'services_expanded': service_status_expanded, 'services_expanded': service_status_expanded,
'notes': notes, 'notes': notes,
'is_testing': self.app.config['TESTING'], 'is_testing': self.app.config['TESTING'],
'config_provider': self.config_provider.provider_id, 'config_provider': self.config_provider.provider_id,
'local_service_key_id': self.instance_keys.local_key_id, 'local_service_key_id': self.instance_keys.local_key_id,
} })
return (data, 200 if is_healthy else 503) return (data, 200 if is_healthy else 503)