From 2010de73f5cb8bf092b9b47bf3b0f8a89a3d99d8 Mon Sep 17 00:00:00 2001
From: oddgrd <29732646+oddgrd@users.noreply.github.com>
Date: Wed, 26 Apr 2023 11:58:37 +0200
Subject: [PATCH 1/3] fix: apply admin layer to admin routes only

---
 gateway/src/api/latest.rs | 41 ++++++++++++---------------------------
 1 file changed, 12 insertions(+), 29 deletions(-)

diff --git a/gateway/src/api/latest.rs b/gateway/src/api/latest.rs
index 8aebff559..71f4254b7 100644
--- a/gateway/src/api/latest.rs
+++ b/gateway/src/api/latest.rs
@@ -765,6 +765,16 @@ impl ApiBuilder {
     }
 
     pub fn with_default_routes(mut self) -> Self {
+        let admin_routes = Router::new()
+            .route("/projects", get(get_projects))
+            .route("/revive", post(revive_projects))
+            .route("/destroy", post(destroy_projects))
+            .route("/stats/load", get(get_load_admin).delete(delete_load_admin))
+            // TODO: The `/swagger-ui` responds with a 303 See Other response which is followed in
+            // browsers but leads to 404 Not Found. This must be investigated.
+            .merge(SwaggerUi::new("/swagger-ui").url("/api-docs/openapi.json", ApiDoc::openapi()))
+            .layer(ScopedLayer::new(vec![Scope::Admin]));
+
         self.router = self
             .router
             .route("/", get(get_status))
@@ -772,10 +782,6 @@ impl ApiBuilder {
                 "/projects",
                 get(get_projects_list.layer(ScopedLayer::new(vec![Scope::Project]))),
             )
-            // .route(
-            //     "/projects/:state",
-            //     get(get_projects_list_with_filter.layer(ScopedLayer::new(vec![Scope::Project]))),
-            // )
             .route(
                 "/projects/:project_name",
                 get(get_project.layer(ScopedLayer::new(vec![Scope::Project])))
@@ -784,31 +790,8 @@ impl ApiBuilder {
             )
             .route("/projects/:project_name/*any", any(route_project))
             .route("/stats/load", post(post_load).delete(delete_load))
-            .route(
-                "/admin/projects",
-                get(get_projects.layer(ScopedLayer::new(vec![Scope::Admin]))),
-            )
-            .route(
-                "/admin/revive",
-                post(revive_projects.layer(ScopedLayer::new(vec![Scope::Admin]))),
-            )
-            .route(
-                "/admin/destroy",
-                post(destroy_projects.layer(ScopedLayer::new(vec![Scope::Admin]))),
-            )
-            .route(
-                "/admin/stats/load",
-                get(get_load_admin)
-                    .delete(delete_load_admin)
-                    .layer(ScopedLayer::new(vec![Scope::Admin])),
-            )
-            // TODO: The `/admin/swagger-ui` responds with a 303 See Other response which is followed in
-            // browsers but leads to 404 Not Found. This must be investigated.
-            .merge(
-                SwaggerUi::new("/admin/swagger-ui")
-                    .url("/admin/api-docs/openapi.json", ApiDoc::openapi()),
-            )
-            .layer(ScopedLayer::new(vec![Scope::Admin]));
+            .nest("/admin", admin_routes);
+
         self
     }
 

From 864fd6110d12dad7da6850c7cc30ceb7f4a00030 Mon Sep 17 00:00:00 2001
From: oddgrd <29732646+oddgrd@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:52:31 +0200
Subject: [PATCH 2/3] test: add some asserts to check admin route

---
 gateway/src/api/latest.rs | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/gateway/src/api/latest.rs b/gateway/src/api/latest.rs
index 71f4254b7..4c02c5ac1 100644
--- a/gateway/src/api/latest.rs
+++ b/gateway/src/api/latest.rs
@@ -974,6 +974,38 @@ pub mod tests {
             .await
             .unwrap();
 
+        let get_load = || {
+            Request::builder()
+                .method("GET")
+                .uri(format!("/admin/stats/load"))
+                .body(Body::empty())
+                .unwrap()
+        };
+
+        // Non-admin user cannot access admin routes
+        router
+            .call(get_load().with_header(&authorization))
+            .map_ok(|resp| {
+                assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+            })
+            .await
+            .unwrap();
+
+        // Create new admin user
+        let admin_neo_key = world.create_user("admin-neo");
+        world.set_super_user("admin-neo");
+
+        let authorization = Authorization::bearer(&admin_neo_key).unwrap();
+
+        // Admin user can access admin routes
+        router
+            .call(get_load().with_header(&authorization))
+            .map_ok(|resp| {
+                assert_eq!(resp.status(), StatusCode::OK);
+            })
+            .await
+            .unwrap();
+
         // TODO: setting the user to admin here doesn't update the cached token, so the
         // commands will still fail. We need to add functionality for this or modify the test.
         // world.set_super_user("trinity");

From c84490fb40812fa6260c19679c9394db2d435bc2 Mon Sep 17 00:00:00 2001
From: oddgrd <29732646+oddgrd@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:53:24 +0200
Subject: [PATCH 3/3] fix: clippy

---
 gateway/src/api/latest.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gateway/src/api/latest.rs b/gateway/src/api/latest.rs
index 4c02c5ac1..1118e4077 100644
--- a/gateway/src/api/latest.rs
+++ b/gateway/src/api/latest.rs
@@ -977,7 +977,7 @@ pub mod tests {
         let get_load = || {
             Request::builder()
                 .method("GET")
-                .uri(format!("/admin/stats/load"))
+                .uri("/admin/stats/load")
                 .body(Body::empty())
                 .unwrap()
         };