Prometheus: keep auth by default

Restore the previous behaviour where the Prometheus /metrics endpoint
required auth if auth was enabled.

A new -prometheus-no-auth flag allows you to override this and disable
auth for that specific endpoint.

cmd/rest-server/main.go

@@ -50,6 +50,7 @@ func init() {
 	flags.BoolVar(&server.AppendOnly, "append-only", server.AppendOnly, "enable append only mode")
 	flags.BoolVar(&server.PrivateRepos, "private-repos", server.PrivateRepos, "users can only access their private repo")
 	flags.BoolVar(&server.Prometheus, "prometheus", server.Prometheus, "enable Prometheus metrics")
+	flags.BoolVar(&server.Prometheus, "prometheus-no-auth", server.PrometheusNoAuth, "disable auth for Prometheus /metrics endpoint")
 	flags.BoolVarP(&showVersion, "version", "V", showVersion, "output version and exit")
 }
 

handlers.go

@@ -25,6 +25,7 @@ type Server struct {
 	AppendOnly       bool
 	PrivateRepos     bool
 	Prometheus       bool
+	PrometheusNoAuth bool
 	Debug            bool
 	MaxRepoSize      int64
 	PanicOnError     bool

mux.go

@@ -45,6 +45,16 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 	return username, true
 }
 
+func (s *Server) wrapAuth(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if _, ok := s.checkAuth(r); !ok {
+			httpDefaultError(w, http.StatusUnauthorized)
+			return
+		}
+		f(w, r)
+	}
+}
+
 // NewHandler returns the master HTTP multiplexer/router.
 func NewHandler(server *Server) (http.Handler, error) {
 	if !server.NoAuth {
@@ -67,8 +77,11 @@ func NewHandler(server *Server) (http.Handler, error) {
 
 	mux := http.NewServeMux()
 	if server.Prometheus {
-		// FIXME: need auth like in previous version?
+		if server.PrometheusNoAuth {
 			mux.Handle("/metrics", promhttp.Handler())
+		} else {
+			mux.HandleFunc("/metrics", server.wrapAuth(promhttp.Handler().ServeHTTP))
+		}
 	}
 	mux.Handle("/", server)