feat: config & statistics routes

Author: rwxd

README.md

@@ -254,6 +254,38 @@ environments:
           cryptokeys: true
 ```
 
+#### Global Config
+
+Global configuration access can be defined under an `environment`.
+
+For this the `environment` must have the option `global_config: true`.
+
+This allows the token to read PowerDNS server configuration via:
+- `GET /api/v1/servers/:server_id/config` - Returns all ConfigSettings
+- `GET /api/v1/servers/:server_id/config/:config_setting_name` - Retrieve a single setting
+
+```yaml
+...
+environments:
+    - name: "Test1"
+      global_config: true
+```
+
+#### Global Statistics
+
+Global statistics access can be defined under an `environment`.
+
+For this the `environment` must have the option `global_statistics: true`.
+
+This allows the token to read PowerDNS server statistics.
+
+```yaml
+...
+environments:
+    - name: "Test1"
+      global_statistics: true
+```
+
 ### Metrics of the proxy
 
 The proxy exposes metrics on the `/metrics` endpoint.

powerdns_api_proxy/config.py

@@ -212,6 +212,14 @@ def check_pdns_tsigkeys_allowed(environment: ProxyConfigEnvironment) -> bool:
     return False
 
 
+def check_pdns_config_allowed(environment: ProxyConfigEnvironment) -> bool:
+    return environment.global_config
+
+
+def check_pdns_statistics_allowed(environment: ProxyConfigEnvironment) -> bool:
+    return environment.global_statistics
+
+
 def ensure_rrsets_request_allowed(zone: ProxyConfigZone, request: RRSETRequest) -> bool:
     """Raises HTTPException if RRSET is not allowed"""
     if zone.read_only:

powerdns_api_proxy/models.py

@@ -60,6 +60,8 @@ class ProxyConfigEnvironment(BaseModel):
     global_search: bool = False
     global_cryptokeys: bool = False
     global_tsigkeys: bool = False
+    global_config: bool = False
+    global_statistics: bool = False
     _zones_lookup: dict[str, ProxyConfigZone] = {}
     metrics_proxy: bool = False
 

powerdns_api_proxy/proxy.py

@@ -19,6 +19,8 @@
     check_pdns_search_allowed,
     check_pdns_cryptokeys_allowed,
     check_pdns_tsigkeys_allowed,
+    check_pdns_config_allowed,
+    check_pdns_statistics_allowed,
     check_pdns_zone_admin,
     check_pdns_zone_allowed,
     dependency_check_token_defined,
@@ -216,31 +218,64 @@ async def get_server(server_id: str):
 
 
 @router_pdns.get(
-    "/servers/{server_id}/configuration",
+    "/servers/{server_id}/config",
 )
-async def get_configuration(server_id: str):
+async def get_configuration(server_id: str, X_API_Key: str = Header()):
     """
     Retrieve a list of configuration items for the server.
-    Currently returns empty, as we don't want to expose the global backend configuration.
+
+    Requires global_config permission.
     """
-    _ = server_id
-    raise RessourceNotAllowedException()
+    environment = get_environment_for_token(config, X_API_Key)
+    if not check_pdns_config_allowed(environment):
+        raise RessourceNotAllowedException()
+
+    resp = await pdns.get(f"/api/v1/servers/{server_id}/config")
+    pdns_response = await handle_pdns_response(resp)
+    status_code = pdns_response.raise_for_error()
+    return JSONResponse(content=pdns_response.data, status_code=status_code)
 
 
 @router_pdns.get(
-    "/servers/{server_id}/statistics",
+    "/servers/{server_id}/config/{config_setting_name}",
 )
-async def get_statistics(
-    server_id: str,
+async def get_configuration_setting(
+    server_id: str, config_setting_name: str, X_API_Key: str = Header()
 ):
+    """
+    Retrieve a single configuration setting.
+
+    Requires global_config permission.
+    """
+    environment = get_environment_for_token(config, X_API_Key)
+    if not check_pdns_config_allowed(environment):
+        raise RessourceNotAllowedException()
+
+    resp = await pdns.get(f"/api/v1/servers/{server_id}/config/{config_setting_name}")
+    pdns_response = await handle_pdns_response(resp)
+    status_code = pdns_response.raise_for_error()
+    return JSONResponse(content=pdns_response.data, status_code=status_code)
+
+
+@router_pdns.get(
+    "/servers/{server_id}/statistics",
+)
+async def get_statistics(server_id: str, X_API_Key: str = Header()):
     """
     Retrieve a list of statistics about the server.
-    Currently returns empty, as we don't want to expose the global backend statistics.
+
+    Requires global_statistics permission.
 
     <https://doc.powerdns.com/authoritative/http-api/statistics.html#get--servers-server_id-statistics>
     """
-    _ = server_id
-    raise RessourceNotAllowedException()
+    environment = get_environment_for_token(config, X_API_Key)
+    if not check_pdns_statistics_allowed(environment):
+        raise RessourceNotAllowedException()
+
+    resp = await pdns.get(f"/api/v1/servers/{server_id}/statistics")
+    pdns_response = await handle_pdns_response(resp)
+    status_code = pdns_response.raise_for_error()
+    return JSONResponse(content=pdns_response.data, status_code=status_code)
 
 
 @router_pdns.get(

tests/unit/config_test.py

@@ -9,6 +9,8 @@
     check_pdns_search_allowed,
     check_pdns_cryptokeys_allowed,
     check_pdns_tsigkeys_allowed,
+    check_pdns_config_allowed,
+    check_pdns_statistics_allowed,
     check_pdns_zone_admin,
     check_pdns_zone_allowed,
     check_rrset_allowed,
@@ -684,6 +686,30 @@ def test_tsigkeys_allowed_globally():
     assert check_pdns_tsigkeys_allowed(environment) is True
 
 
+def test_config_not_allowed():
+    environment = deepcopy(dummy_proxy_environment)
+    environment.global_config = False
+    assert check_pdns_config_allowed(environment) is False
+
+
+def test_config_allowed_globally():
+    environment = deepcopy(dummy_proxy_environment)
+    environment.global_config = True
+    assert check_pdns_config_allowed(environment) is True
+
+
+def test_statistics_not_allowed():
+    environment = deepcopy(dummy_proxy_environment)
+    environment.global_statistics = False
+    assert check_pdns_statistics_allowed(environment) is False
+
+
+def test_statistics_allowed_globally():
+    environment = deepcopy(dummy_proxy_environment)
+    environment.global_statistics = True
+    assert check_pdns_statistics_allowed(environment) is True
+
+
 def test_global_read_only_without_zones():
     """Test that global_read_only=True allows empty zones list"""
     env = ProxyConfigEnvironment(

tests/unit/proxy_test.py

@@ -120,7 +120,8 @@ def _token_missing_request(client: TestClient, method: str, path: str):
     "/api",
     "/api/v1/servers",
     "/api/v1/servers/localhost",
-    "/api/v1/servers/localhost/configuration",
+    "/api/v1/servers/localhost/config",
+    "/api/v1/servers/localhost/config/api-key",
     "/api/v1/servers/localhost/statistics",
     "/api/v1/servers/localhost/zones",
     "/api/v1/servers/localhost/zones/test.example.com.",