Show admin access status information in Service settings page
andris9 committed Sep 9, 2024
1 parent 7b64009 commit 2e99e66
Showing 3 changed files with 48 additions and 2 deletions.
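--- a/lib/routes-ui.js
+++ b/lib/routes-ui.js
@@ -21,7 +21,8 @@ const {
 getByteSize,
 getDuration,
 parseSignedFormData,
-updatePublicInterfaces
+updatePublicInterfaces,
+hasEnvValue
 } = require('./tools');
 const packageData = require('../package.json');
 const he = require('he');
@@ -93,6 +94,13 @@ config.api = config.api || {
 const MAX_BODY_SIZE = getByteSize(readEnvValue('EENGINE_MAX_BODY_SIZE') || config.api.maxBodySize) || DEFAULT_MAX_BODY_SIZE;
 const MAX_PAYLOAD_TIMEOUT = getDuration(readEnvValue('EENGINE_MAX_PAYLOAD_TIMEOUT') || config.api.maxPayloadTimeout) || DEFAULT_MAX_PAYLOAD_TIMEOUT;
 
+const ADMIN_ACCESS_ADDRESSES = hasEnvValue('EENGINE_ADMIN_ACCESS_ADDRESSES')
+? readEnvValue('EENGINE_ADMIN_ACCESS_ADDRESSES')
+.split(',')
+.map(v => v.trim())
+.filter(v => v)
+: null;
+
 const { fetch: fetchCmd, Agent } = require('undici');
 const fetchAgent = new Agent({ connect: { timeout: FETCH_TIMEOUT } });
 
@@ -1283,6 +1291,8 @@ function applyRoutes(server, call) {
 selected: entry.tzCode === values.timezone
 })),
 
+adminAccessLimit: ADMIN_ACCESS_ADDRESSES && ADMIN_ACCESS_ADDRESSES.length,
+
 values
 },
 {
@@ -1343,7 +1353,9 @@ function applyRoutes(server, call) {
 name: entry.label,
 timezone: entry.tzCode,
 selected: entry.tzCode === request.payload.timezone
-}))
+})),
+
+adminAccessLimit: ADMIN_ACCESS_ADDRESSES && ADMIN_ACCESS_ADDRESSES.length
 },
 {
 layout: 'app'
@@ -1389,6 +1401,8 @@ function applyRoutes(server, call) {
 selected: entry.tzCode === request.payload.timezone
 })),
 
+adminAccessLimit: ADMIN_ACCESS_ADDRESSES && ADMIN_ACCESS_ADDRESSES.length,
+
 errors
 },
 {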
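Review bot: The settings page derives its enabled/disabled status from a second, independent parse of `EENGINE_ADMIN_ACCESS_ADDRESSES` at the top of this file, while the enforcement in workers/api.js uses its own `ADMIN_ACCESS_ADDRESSES` (defined outside the visible hunks, so presumably parsed separately). If the two ever diverge, the page would report a restriction that is not the one enforced; exporting one parsed list (or one boolean) from `./tools` and using it in both places keeps the indicator truthful. The expression `ADMIN_ACCESS_ADDRESSES && ADMIN_ACCESS_ADDRESSES.length` is also repeated in three view contexts and yields `null`, `0` or a count rather than a boolean; a single `const ADMIN_ACCESS_LIMITED = Boolean(ADMIN_ACCESS_ADDRESSES && ADMIN_ACCESS_ADDRESSES.length);` next to the parse would state the intent. applyRoutes continues outside these hunks.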
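--- a/views/config/service.hbs
+++ b/views/config/service.hbs
@@ -159,6 +159,26 @@
 referrerpolicy="no-referrer">documentation</a>.</small>
 </div>
 
+
+<div class="form-group form-check">
+
+<div class="text-muted float-right code-link">[EENGINE_ADMIN_ACCESS_ADDRESSES]</div>
+
+<input type="checkbox" class="form-check-input" id="adminAccessLimit" {{#if
+adminAccessLimit}}checked{{/if}} disabled />
+<label class="form-check-label" for="adminAccessLimit">Limit Access to Admin Interface
+
+<span class="badge badge-{{#if adminAccessLimit}}success{{else}}danger{{/if}}">{{#if
+adminAccessLimit}}enabled{{else}}disabled{{/if}}</span>
+
+</label>
+<small class="form-text text-muted">Access to the Admin interface cannot be modified at runtime. To
+restrict access to EmailEngine’s Admin interface while keeping other parts of the app open, set the
+<code>EENGINE_ADMIN_ACCESS_ADDRESSES</code> environment variable when starting EmailEngine. Provide
+a comma-separated list of IP addresses that are permitted to access the Admin interface.</small>
+</div>
+
+
 <div class="form-group form-check">
 <div class="text-muted float-right code-link">[<em>Web UI only</em>]</div>
 <input type="checkbox" class="form-check-input {{#if errors.enableOAuthTokensApi}}is-invalid{{/if}}"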
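Review bot: The help text does not say which address the list is compared against, and that is the detail an operator needs to get the restriction right. The check in workers/api.js matches `request.app.ip`; if EmailEngine runs behind a reverse proxy, whether that value is the proxy's address or the forwarded client address depends on configuration not visible in this commit, so a sentence such as `Addresses are matched against the client IP as seen by EmailEngine; behind a reverse proxy, make sure the real client address is reported.` would help. It would also be worth stating whether entries may be CIDR ranges or only single addresses, which depends on what `matchIp` accepts (not shown here).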
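--- a/workers/api.js
+++ b/workers/api.js
@@ -701,6 +701,18 @@ const init = async () => {
 
 if (ADMIN_ACCESS_ADDRESSES && ADMIN_ACCESS_ADDRESSES.length) {
 if (/^\/admin\b/i.test(request.path) && !matchIp(request.app.ip, ADMIN_ACCESS_ADDRESSES)) {
+logger.info({
+msg: 'Blocked access from unlisted IP address',
+remoteAddress: request.app.ip,
+allowedAddresses: ADMIN_ACCESS_ADDRESSES,
+component: 'api',
+req: {
+method: request.method,
+url: request.path,
+query: request.query
+}
+});
+
 return h
 .view(
 'error',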
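Review bot: The new `logger.info` entry records `request.query` verbatim for a request that has already been classed as untrusted, so whatever an unlisted client puts in the query string, including tokens or other credentials that happen to be passed as parameters, ends up in the logs. I would drop the `query` field or log only the parameter names, e.g. `query: Object.keys(request.query || {})`. Each blocked request also repeats the full `allowedAddresses` list; logging it once at startup and only `remoteAddress` here would keep entries small when /admin is hit repeatedly from unlisted addresses. As a blocked access attempt is a security event, `logger.warn` may suit alerting better than `info`, if the logger in use has that level. The handler continues outside the hunk.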
