Add flag --no-access-check to ServerMain (#2436)

When calling `ServerMain` with this new flag, privileged operations (like updates), can be issued without access token. This is useful for scenarios where security is not an issue or where access control is guaranteed by other means. In particular, this solves #2402

Author: tobiasschweizer

src/ServerMain.cpp

@@ -46,6 +46,7 @@ int main(int argc, char** argv) {
 
   std::string indexBasename;
   std::string accessToken;
+  bool noAccessCheck = false;
   bool text = false;
   unsigned short port;
   NonNegative numSimultaneousQueries = 1;
@@ -70,6 +71,10 @@ int main(int argc, char** argv) {
       "The port on which HTTP requests are served (required).");
   add("access-token,a", po::value<std::string>(&accessToken)->default_value(""),
       "Access token for restricted API calls (default: no access).");
+  add("no-access-check,n",
+      po::bool_switch(&noAccessCheck)->default_value(false),
+      "If set to true, no access-token check is performed for restricted API "
+      "calls (default: false).");
   add("num-simultaneous-queries,j",
       po::value<NonNegative>(&numSimultaneousQueries)->default_value(1),
       "The number of queries that can be processed simultaneously.");
@@ -186,7 +191,7 @@ int main(int argc, char** argv) {
 
   try {
     Server server(port, numSimultaneousQueries, memoryMaxSize,
-                  std::move(accessToken), !noPatterns);
+                  std::move(accessToken), noAccessCheck, !noPatterns);
     server.run(indexBasename, text, !noPatterns, !onlyPsoAndPosPermutations,
                persistUpdates);
   } catch (const std::exception& e) {

src/engine/Server.cpp

@@ -47,10 +47,11 @@ using ad_utility::MediaType;
 // __________________________________________________________________________
 Server::Server(unsigned short port, size_t numThreads,
                ad_utility::MemorySize maxMem, std::string accessToken,
-               bool usePatternTrick)
+               bool noAccessCheck, bool usePatternTrick)
     : numThreads_(numThreads),
       port_(port),
       accessToken_(std::move(accessToken)),
+      noAccessCheck_(noAccessCheck),
       allocator_{ad_utility::makeAllocationMemoryLeftThreadsafeObject(maxMem),
                  [this](ad_utility::MemorySize numMemoryToAllocate) {
                    cache_.makeRoomAsMuchAsPossible(MAKE_ROOM_SLACK_FACTOR *
@@ -92,8 +93,13 @@ void Server::initialize(const std::string& indexBaseName, bool useText,
       allocator_, index_.numTriples().normalAndInternal_() *
                       PERCENTAGE_OF_TRIPLES_FOR_SORT_ESTIMATE / 100);
 
-  AD_LOG_INFO << "Access token for restricted API calls is \"" << accessToken_
-              << "\"" << std::endl;
+  if (noAccessCheck_) {
+    AD_LOG_INFO << "No access token required for restricted API calls"
+                << std::endl;
+  } else {
+    AD_LOG_INFO << "Access token for restricted API calls is \"" << accessToken_
+                << "\"" << std::endl;
+  }
 }
 
 // _____________________________________________________________________________
@@ -1227,6 +1233,10 @@ CPP_template_def(typename Function,
 // _____________________________________________________________________________
 bool Server::checkAccessToken(
     std::optional<std::string_view> accessToken) const {
+  if (noAccessCheck_) {
+    AD_LOG_DEBUG << "Skipping access check" << std::endl;
+    return true;
+  }
   if (!accessToken) {
     return false;
   }

src/engine/Server.h

@@ -46,7 +46,7 @@ class Server {
  public:
   explicit Server(unsigned short port, size_t numThreads,
                   ad_utility::MemorySize maxMem, std::string accessToken,
-                  bool usePatternTrick = true);
+                  bool noAccessCheck = false, bool usePatternTrick = true);
 
   virtual ~Server() = default;
 
@@ -80,6 +80,7 @@ class Server {
   const size_t numThreads_;
   unsigned short port_;
   std::string accessToken_;
+  bool noAccessCheck_;
   QueryResultCache cache_;
   NamedResultCache namedResultCache_;
   ad_utility::AllocatorWithLimit<Id> allocator_;
@@ -299,6 +300,7 @@ class Server {
   /// formulated towards end users, it can be sent directly as the text of an
   /// HTTP error response.
   bool checkAccessToken(std::optional<std::string_view> accessToken) const;
+  FRIEND_TEST(ServerTest, checkAccessToken);
 
   /// Check if user-provided timeout is authorized with a valid access-token or
   /// lower than the server default. Return an empty optional and send a 403

test/ServerTest.cpp

@@ -346,3 +346,15 @@ TEST(ServerTest, configurePinnedResultWithName) {
   // Verify qec was not modified when exception was thrown
   EXPECT_FALSE(qec->pinResultWithName().has_value());
 }
+
+TEST(ServerTest, checkAccessToken) {
+  Server server{4321, 1, ad_utility::MemorySize::megabytes(1), "accessToken"};
+  EXPECT_TRUE(server.checkAccessToken("accessToken"));
+
+  AD_EXPECT_THROW_WITH_MESSAGE(
+      server.checkAccessToken("invalidAccessToken"),
+      testing::HasSubstr("Access token was provided but it was invalid"));
+
+  Server server2{1234, 1, ad_utility::MemorySize::megabytes(1), "", true};
+  EXPECT_TRUE(server2.checkAccessToken(std::nullopt));
+}