Handle debug endpoints in extra http.ServeMux

jrauh01 · julianbrost · commit c479cfd14a0e · 2025-04-23T14:49:18.000+02:00
diff --git a/doc/20-HTTP-API.md b/doc/20-HTTP-API.md
@@ -43,28 +43,29 @@ EOF
 ## Debugging Endpoints
 
 There are multiple endpoints for dumping specific configurations.
+All of them are prefixed by `/debug`.
 To use those, the `debug-password` must be set and supplied via HTTP Basic Authentication next to an arbitrary username.
 
 ### Dump Config
 
 The database-stored configuration from Icinga Notifications current viewpoint can be dumped as JSON.
 
 ```
-curl -v -u ':debug-password' 'http://localhost:5680/dump-config'
+curl -v -u ':debug-password' 'http://localhost:5680/debug/dump-config'
 ```
 
 ### Dump Incidents
 
 The current incidents can be dumped as JSON.
 
 ```
-curl -v -u ':debug-password' 'http://localhost:5680/dump-incidents'
+curl -v -u ':debug-password' 'http://localhost:5680/debug/dump-incidents'
 ```
 
 ### Dump Schedules
 
 All schedules with their assignee can be dumped in a human-readable form.
 
 ```
-curl -v -u ':debug-password' 'http://localhost:5680/dump-schedules'
+curl -v -u ':debug-password' 'http://localhost:5680/debug/dump-schedules'
 ```
diff --git a/internal/listener/listener.go b/internal/listener/listener.go
@@ -34,10 +34,14 @@ func NewListener(db *database.DB, runtimeConfig *config.RuntimeConfig, logs *log
 		logs:          logs,
 		runtimeConfig: runtimeConfig,
 	}
+
+	debugMux := http.NewServeMux()
+	debugMux.HandleFunc("/dump-config", l.DumpConfig)
+	debugMux.HandleFunc("/dump-incidents", l.DumpIncidents)
+	debugMux.HandleFunc("/dump-schedules", l.DumpSchedules)
+
+	l.mux.Handle("/debug/", http.StripPrefix("/debug", l.requireDebugAuth(debugMux)))
 	l.mux.HandleFunc("/process-event", l.ProcessEvent)
-	l.mux.HandleFunc("/dump-config", l.DumpConfig)
-	l.mux.HandleFunc("/dump-incidents", l.DumpIncidents)
-	l.mux.HandleFunc("/dump-schedules", l.DumpSchedules)
 	return l
 }
 
@@ -150,57 +154,54 @@ func (l *Listener) ProcessEvent(w http.ResponseWriter, req *http.Request) {
 	_, _ = fmt.Fprintln(w)
 }
 
-// checkDebugPassword checks if the valid debug password was provided. If there is no password configured or the
-// supplied password is incorrect, it sends an error code and returns false. True is returned if access is allowed.
-func (l *Listener) checkDebugPassword(w http.ResponseWriter, r *http.Request) bool {
-	expectedPassword := daemon.Config().DebugPassword
-	if expectedPassword == "" {
-		w.WriteHeader(http.StatusForbidden)
-		_, _ = fmt.Fprintln(w, "config dump disables, no debug-password set in config")
+// requireDebugAuth is a middleware that checks if the valid debug password was provided. If there is no password
+// configured or the supplied password is incorrect, it sends an error code and does not redirect the request.
+func (l *Listener) requireDebugAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		expectedPassword := daemon.Config().DebugPassword
+		if expectedPassword == "" {
+			w.WriteHeader(http.StatusForbidden)
+			_, _ = fmt.Fprintln(w, "config dump disabled, no debug-password set in config")
 
-		return false
-	}
+			return
+		}
 
-	_, providedPassword, _ := r.BasicAuth()
-	if subtle.ConstantTimeCompare([]byte(expectedPassword), []byte(providedPassword)) != 1 {
-		l.logger.Warnw("Unauthorized request", zap.String("url", r.RequestURI))
+		_, providedPassword, _ := r.BasicAuth()
+		if subtle.ConstantTimeCompare([]byte(expectedPassword), []byte(providedPassword)) != 1 {
+			l.logger.Warnw("Unauthorized request", zap.String("url", r.RequestURI))
 
-		w.Header().Set("WWW-Authenticate", `Basic realm="debug"`)
-		w.WriteHeader(http.StatusUnauthorized)
-		_, _ = fmt.Fprintln(w, "please provide the debug-password as basic auth credentials (user is ignored)")
-		return false
-	}
+			w.Header().Set("WWW-Authenticate", `Basic realm="debug"`)
+			w.WriteHeader(http.StatusUnauthorized)
+			_, _ = fmt.Fprintln(w, "please provide the debug-password as basic auth credentials (user is ignored)")
+			return
+		}
 
-	return true
+		next.ServeHTTP(w, r)
+	})
 }
 
+// DumpConfig is used as /debug prefixed endpoint to dump the current live configuration of the daemon.
+// The authorization has to be done beforehand.
 func (l *Listener) DumpConfig(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		w.WriteHeader(http.StatusMethodNotAllowed)
 		_, _ = fmt.Fprintln(w, "GET required")
 		return
 	}
 
-	if !l.checkDebugPassword(w, r) {
-		return
-	}
-
 	enc := json.NewEncoder(w)
 	enc.SetIndent("", "  ")
 	_ = enc.Encode(&l.runtimeConfig.ConfigSet)
 }
 
+// DumpIncidents is used as /debug prefixed endpoint to dump all incidents. The authorization has to be done beforehand.
 func (l *Listener) DumpIncidents(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		w.WriteHeader(http.StatusMethodNotAllowed)
 		_, _ = fmt.Fprintln(w, "GET required")
 		return
 	}
 
-	if !l.checkDebugPassword(w, r) {
-		return
-	}
-
 	incidents := incident.GetCurrentIncidents()
 	encodedIncidents := make(map[int64]json.RawMessage)
 
@@ -230,17 +231,14 @@ func (l *Listener) DumpIncidents(w http.ResponseWriter, r *http.Request) {
 	_ = enc.Encode(encodedIncidents)
 }
 
+// DumpSchedules is used as /debug prefixed endpoint to dump all schedules. The authorization has to be done beforehand.
 func (l *Listener) DumpSchedules(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		w.WriteHeader(http.StatusMethodNotAllowed)
 		_, _ = fmt.Fprintln(w, "GET required")
 		return
 	}
 
-	if !l.checkDebugPassword(w, r) {
-		return
-	}
-
 	l.runtimeConfig.RLock()
 	defer l.runtimeConfig.RUnlock()
 
