Admin changes

[Ulincsys]

Description

• Add admin dashboard
• Add admin API routes
• Add admin_required decorator to protect admin routes

Notes for Reviewers

• There's a lot more work to do on this interface, but I'd like to get it into main so it stays up to date instead of lagging behind again.
• Admin users cannot be created via the frontend, and must be added via the augur user add command with the --admin flag

Signed commits

• Yes, I signed my commits.

[github-actions]

[pylint] _{reported by reviewdog 🐶}
W0611: Unused current_app imported from flask (unused-import)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
E0602: Undefined variable 'render_message' (undefined-variable)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
E0602: Undefined variable 'render_message' (undefined-variable)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
E0602: Undefined variable 'render_message' (undefined-variable)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
W0621: Redefining name 'request' from outer scope (line 1) (redefined-outer-name)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
W0611: Unused wraps imported from functools (unused-import)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
E0602: Undefined variable 'render_module' (undefined-variable)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
E0602: Undefined variable 'render_module' (undefined-variable)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
E0602: Undefined variable 'render_module' (undefined-variable)

[github-actions]

[pylint] _{reported by reviewdog 🐶}
W0621: Redefining name 'session' from outer scope (line 8) (redefined-outer-name)

[shlokgilda]

Defaults to GET requests. Shouldn't this be POST only? Would prevent CSRF.

[shlokgilda]

Same as admin/shudown. I think this should also be POST only.

[shlokgilda]

Can we use absolute path derived from __file__ or the project root instead of relative path?

[MoralCode]

also is this script going to work for docker installs?

[shlokgilda]

Why are we allowing POST here?

[shlokgilda]

Similar to above. Config mutations via GET are a CSRF risk and leak values into server logs, browser history, and referer headers. This should be POST-only with a JSON body.

[shlokgilda]

update_config is missing @admin_required. The new set_config_item above it has admin protection, but this existing endpoint that can overwrite the entire config is unprotected. Should be:

Suggested change

	@app.route(f"/{AUGUR_API_VERSION}/config/update", methods=['POST'])
	@app.route(f"/{AUGUR_API_VERSION}/config/update", methods=['POST'])
	@ssl_required
	@admin_required
	def update_config():

[shlokgilda]

The admin_required decorator has a subtle ordering issue. @login_required is applied to inner_function after @wraps(func), but login_required returns its own wrapper that doesn't preserve the metadata set by @wraps. This means the final returned function loses func's __name__ and __module__. Maybe we can use this approach:

Suggested change

	def admin_required(func):
	@login_required
	@wraps(func)
	def inner_function(*args, **kwargs):
	if current_user.admin:
	return func(*args, **kwargs)
	else:
	abort(403)
	return inner_function
	def admin_required(func):
	@wraps(func)
	def inner_function(*args, **kwargs):
	if not current_user.is_authenticated:
	return current_app.login_manager.unauthorized()
	if current_user.admin:
	return func(*args, **kwargs)
	else:
	abort(403)
	return inner_function

[shlokgilda]

raise e inside the 500 error handler will crash the handler itself, meaning the user never sees the friendly error page. Is that the intended idea?

[shlokgilda]

session here shadows Flask's session import at the top of the file. Not a bug right now but could cause confusion. Consider db_session or db_sess instead?

[shlokgilda]

The IDs stats-section is reused on three different <h1> elements (Stats, User List, Config). Should be stats-section, user-section, and config-section to avoid issues down the line?

[shlokgilda]

The fetch() calls for restart/shutdown don't specify { method: 'POST' }. They default to GET. If the backend endpoints get fixed to POST-only (as suggested above), these need updating too:

fetch(url, { method: 'POST' }).then(response => { ... });

[MoralCode]

@shlokgilda some context: i think the point of this PR is mainly to bring the admin page back (it used to be merged but somehow got unmerged)

definitely agree with a lot of the feedback though

im very hesitant about including "start and stop your instance" controls in our mixed manual/docker setup environment

[sgoggins]

@Ulincsys : Sorry I missed this earlier in the stack of PRs. Since all of this is really only code that Admin touches, or affects admin, and I don't see any of the general API changes as problematic, LGTM.

[MoralCode]

As discussed in the March 10 maintainers meeting:

Most of these API endpoints, especially for restarting the Instance, assume a non-docker install. Thus this restarting only works on bare metal
This also relies on the jumpstart part if the code still existing (consider removing if exists as its only useful outside docker)

Many of these endpoints are likely disabled anyway and Augur’s core functionality has changed since this was merged

Id like to avoid merging endpoints that are disabled and dont have a future so we dont need a followup PR to remove them later

[sgoggins]

As discussed in the March 10 maintainers meeting:

Most of these API endpoints, especially for restarting the Instance, assume a non-docker install. Thus this restarting only works on bare metal This also relies on the jumpstart part if the code still existing (consider removing if exists as its only useful outside docker)

Many of these endpoints are likely disabled anyway and Augur’s core functionality has changed since this was merged

Id like to avoid merging endpoints that are disabled and dont have a future so we dont need a followup PR to remove them later

I will wait for @Ulincsys to address these points. Have we verified the restart does not work on Docker? I may have missed that discussion point at the last meeting.

[Ulincsys]

@sgoggins I'm planning to address the comments on this tonight after I get home.

We did discuss the restart endpoints during the last meeting. They make the assumption that they are not running in Docker, and so should are not suitable for attempting a restart from within Docker

[MoralCode]

I see potentially two forward paths:

1. if jumpstart is still present in the code and we intend to keep it, then we can potentially set these routes up to only be present on the wbe server/in the admin UI when we are not running in docker.

2. if jumpstart isnt present/these routes arent enabled anyway, we should remove them and their UI elements since they wont be functional and wont work.

It seems like the benefit of this UI was for admin convenience when augur was not yet dockerized and startup/shutdown was a special sequence of commands that needed remembering/referring to. with docker, it can be as simple as running docker compose stop from the same folder as augurs containerfile, or docker stop <one or more container names> to stop pieces of augur.

I worry that, if we have endpoints that allow instances to be restarted in the UI, that could present a much larger DoS attack surface, or general user inconvenience in multi-admin/multi-tenancy scenarios, than the convenience it provides.

I can see a benefit to controlling augur tasks within the admin dashboard, but im not sure we need shutdown and restart endpoints

[MoralCode]

Jumpstart does appear to still be in the repo. last touched 2 years ago.

Im very tempted to exclude it from the docker builds. maybe we can have the code check if jumpstart is available before trying to use it and make these endpoints no-ops on docker?