Make HTTP Server header configurable (patroni#3384)

Introduce `restapi.server_tokens` configuration parameter.
Valid values of the `restapi.server_tokens` parameter are:
* "Original" : will execute the original behaviour and print the "BaseHTTP/$version Python/$version" string
* "ProductOnly" : prints merely "Patroni"
* "Minimal" : prints "Patroni/$version"

An invalid or no value will result in the original behavior being applied.

Close patroni#3379

Author: dgrierso

docs/ENVIRONMENT.rst

@@ -208,6 +208,7 @@ REST API
 -  **PATRONI\_RESTAPI\_HTTP\_EXTRA\_HEADERS**: (optional) HTTP headers let the REST API server pass additional information with an HTTP response.
 -  **PATRONI\_RESTAPI\_HTTPS\_EXTRA\_HEADERS**: (optional) HTTPS headers let the REST API server pass additional information with an HTTP response when TLS is enabled. This will also pass additional information set in ``http_extra_headers``.
 -  **PATRONI\_RESTAPI\_REQUEST\_QUEUE\_SIZE**: (optional): Sets request queue size for TCP socket used by Patroni REST API.  Once the queue is full, further requests get a "Connection denied" error. The default value is 5.
+-  **PATRONI\_RESTAPI\_SERVER\_TOKENS**: (optional) Configures the value of the ``Server`` HTTP header.  ``Original`` (default) will expose the original behaviour and display the BaseHTTP and Python versions, e.g. ``BaseHTTP/0.6 Python/3.12.3``. ``Minimal``: The header will contain only the Patroni version, e.g. ``Patroni/4.0.0``. ``ProductOnly``: The header will contain only the product name, e.g. ``Patroni``.
 
 .. warning::
 

docs/yaml_configuration.rst

@@ -349,6 +349,10 @@ REST API
    -  **http\_extra\_headers**: (optional): HTTP headers let the REST API server pass additional information with an HTTP response.
    -  **https\_extra\_headers**: (optional): HTTPS headers let the REST API server pass additional information with an HTTP response when TLS is enabled. This will also pass additional information set in ``http_extra_headers``.
    -  **request_queue_size**: (optional): Sets request queue size for TCP socket used by Patroni REST API.  Once the queue is full, further requests get a "Connection denied" error. The default value is 5.
+   -  **server_tokens**: (optional): Configures the value of the ``Server`` HTTP header.
+      - ``Minimal``: The header will contain only the Patroni version, e.g. ``Patroni/4.0.0``.
+      - ``ProductOnly``: The header will contain only the product name, e.g. ``Patroni``.
+      - ``Original`` (default): The header will expose the original behaviour and display the BaseHTTP and Python versions, e.g. ``BaseHTTP/0.6 Python/3.12.3``.
 
 Here is an example of both **http_extra_headers** and **https_extra_headers**:
 

patroni/api.py

@@ -119,6 +119,16 @@ def __init__(self, request: Any,
         self.__start_time: float = 0.0
         self.path_query: Dict[str, List[str]] = {}
 
+    def version_string(self) -> str:
+        """Override the default version string to return the server header as specified in the configuration.
+
+        If the server header is not set, then it returns the default version string of the HTTP server.
+
+        :return: ``Server`` version string, which is either the server header or the default version string
+            from the :class:`BaseHTTPRequestHandler`.
+        """
+        return self.server.server_header or super().version_string()
+
     def _write_status_code_only(self, status_code: int) -> None:
         """Write a response that is composed only of the HTTP status.
 
@@ -1480,6 +1490,33 @@ def __init__(self, patroni: Patroni, config: Dict[str, Any]) -> None:
         self.reload_config(config)
         self.daemon = True
 
+    def construct_server_tokens(self, token_config: str) -> str:
+        """Construct the value for the ``Server`` HTTP header based on *server_tokens*.
+
+        :param server_tokens: the value of ``restapi.server_tokens`` configuration option.
+
+        :returns: a string to be used as the value of ``Server`` HTTP header.
+        """
+        token = token_config.lower()
+        logger.debug('restapi.server_tokens is set to "%s".', token_config)
+
+        # If 'original' is set, we do not modify the Server header.
+        # This is useful for compatibility with existing setups that expect the original header.
+        if token == 'original':
+            return ""
+
+        # If 'productonly', or 'minimal' is set, we construct the header accordingly.
+        if token == 'productonly':  # Show only the product name, without versions.
+            return 'Patroni'
+        elif token == 'minimal':    # Show only the product name and version, without PostgreSQL version.
+            return f'Patroni/{self.patroni.version}'
+        else:
+            # Token is not valid (one of 'original', 'productonly', 'minimal') so report a warning and
+            # return an empty string.
+            logger.warning('restapi.server_tokens is set to "%s". Patroni will not modify the Server header. '
+                           'Valid values are: "Minimal", "ProductOnly".', token_config)
+            return ""
+
     def query(self, sql: str, *params: Any) -> List[Tuple[Any, ...]]:
         """Execute *sql* query with *params* and optionally return results.
 
@@ -1858,6 +1895,9 @@ def reload_config(self, config: Dict[str, Any]) -> None:
             assert isinstance(self.__listen, str)
         self.connection_string = uri(self.__protocol, config.get('connect_address') or self.__listen, 'patroni')
 
+        # Define the Server header response using the server_tokens option.
+        self.server_header = self.construct_server_tokens(config.get('server_tokens', 'original'))
+
     def handle_error(self, request: Union[socket.socket, Tuple[bytes, socket.socket]],
                      client_address: Tuple[str, int]) -> None:
         """Handle any exception that is thrown while handling a request to the REST API.

patroni/config.py

@@ -536,7 +536,7 @@ def _set_section_values(section: str, params: List[str]) -> None:
         _set_section_values('restapi', ['listen', 'connect_address', 'certfile', 'keyfile', 'keyfile_password',
                                         'cafile', 'ciphers', 'verify_client', 'http_extra_headers',
                                         'https_extra_headers', 'allowlist', 'allowlist_include_members',
-                                        'request_queue_size'])
+                                        'request_queue_size', 'server_tokens'])
         _set_section_values('ctl', ['insecure', 'cacert', 'certfile', 'keyfile', 'keyfile_password'])
         _set_section_values('postgresql', ['listen', 'connect_address', 'proxy_address',
                                            'config_dir', 'data_dir', 'pgpass', 'bin_dir'])

patroni/validator.py

@@ -1032,7 +1032,9 @@ def validate_watchdog_mode(value: Any) -> None:
         Optional("allowlist_include_members"): bool,
         Optional("http_extra_headers"): dict,
         Optional("https_extra_headers"): dict,
-        Optional("request_queue_size"): IntValidator(min=0, max=4096, expected_type=int, raise_assert=True)
+        Optional("request_queue_size"): IntValidator(min=0, max=4096, expected_type=int, raise_assert=True),
+        Optional("server_tokens"): EnumValidator(('minimal', 'productonly', 'original'),
+                                                 case_sensitive=False, raise_assert=True)
     },
     Optional("bootstrap"): {
         "dcs": {

tests/test_api.py

@@ -811,3 +811,21 @@ def test_query(self):
                 patch.object(MockConnection, 'query') as mock_query:
             self.srv.query('SELECT 1')
             mock_query.assert_called_once_with('SELECT 1')
+
+    def test_construct_server_tokens(self):
+        #
+        # Test cases (case insensitive values):
+        # 1. 'original' server token - should return empty string
+        self.assertEqual(self.srv.construct_server_tokens('original'), '')
+        self.assertEqual(self.srv.construct_server_tokens('oriGINal'), '')
+
+        # 2. 'productonly' server token - should return 'Patroni'
+        self.assertEqual(self.srv.construct_server_tokens('productonly'), 'Patroni')
+        self.assertEqual(self.srv.construct_server_tokens('prodUCTOnly'), 'Patroni')
+
+        # 3. 'minimal' server token - should return 'Patroni/$version'
+        self.assertEqual(self.srv.construct_server_tokens('minimal'), 'Patroni/0.00')
+        self.assertEqual(self.srv.construct_server_tokens('miNIMal'), 'Patroni/0.00')
+
+        # 4. Invalid server token - should exhibit 'original' behaviour and return an empty string.
+        self.assertEqual(self.srv.construct_server_tokens('foobar'), '')