(#965) Disable access to Swagger by default

.env

@@ -32,3 +32,5 @@ IAM_COMMUNITY_ROLE_READER=
 IAM_ISSUER=
 IAM_URL=
 SECRET_KEY_BASE=[secret key string for signed cookies]
+
+SWAGGER_ENABLED=

app/api/v1/root.rb

@@ -30,17 +30,30 @@ def metadata_communities
 
       desc 'Gives general info about the api node'
       get :info do
-        {
+        swagger_enabled = ActiveRecord::Type::Boolean.new.deserialize(
+          ENV.fetch('SWAGGER_ENABLED', nil)
+        )
+
+        info = {
           metadata_communities: metadata_communities,
           postman: 'https://www.getpostman.com/collections/bc38edc491333b643e23',
-          swagger: url(:swagger, 'index.html'),
           readme: 'https://github.com/CredentialEngine/CredentialRegistry/blob/master/README.md',
           docs: 'https://github.com/CredentialEngine/CredentialRegistry/tree/master/docs'
         }
+
+        info[:swagger] = url(:swagger, 'index.html') if swagger_enabled
+
+        info
       end
 
       desc 'Render `swagger.json`'
       get ':swagger_json', requirements: { swagger_json: 'swagger.json' } do
+        swagger_enabled = ActiveRecord::Type::Boolean.new.deserialize(
+          ENV.fetch('SWAGGER_ENABLED', nil)
+        )
+
+        error!('Swagger is disabled', 403) unless swagger_enabled
+
         swagger_json = Swagger::Blocks.build_root_json [MR::SwaggerDocs]
         present swagger_json.merge(host: request.host_with_port)
       end

spec/api/v1/root_spec.rb

@@ -1,83 +1,164 @@
 RSpec.describe API::V1::Revisions do # rubocop:todo RSpec/SpecFilePathFormat
   before do
     ENV['AUTHENTICATION_REQUIRED'] = auth_required
+    ENV['SWAGGER_ENABLED'] = swagger_enabled
 
     create(:envelope)
     create(:envelope, :from_cer)
   end
 
   after do
     ENV.delete('AUTHENTICATION_REQUIRED')
+    ENV.delete('SWAGGER_ENABLED')
   end
 
   context 'with no authentication required' do
     let(:auth_required) { '' }
 
-    context 'GET' do # rubocop:todo RSpec/ContextWording
-      before { get '/' }
+    context 'with swagger enabled' do
+      let(:swagger_enabled) { 'true' }
 
-      it 'retrieves api info' do
-        expect_status(:ok)
+      context 'GET' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/' }
 
-        expect_json_keys(%i[api_version total_envelopes info
-                            metadata_communities])
+        it 'retrieves api info' do
+          expect_status(:ok)
 
-        data = JSON.parse(response.body)
-        expect(data['metadata_communities'].keys).to match_array(
-          %w[learning_registry ce_registry]
-        )
+          expect_json_keys(%i[api_version total_envelopes info
+                              metadata_communities])
 
-        expect_json(total_envelopes: 2)
+          data = JSON.parse(response.body)
+          expect(data['metadata_communities'].keys).to match_array(
+            %w[learning_registry ce_registry]
+          )
+
+          expect_json(total_envelopes: 2)
+        end
       end
-    end
 
-    context 'GET /info' do # rubocop:todo RSpec/ContextWording
-      before { get '/info' }
+      context 'GET /info' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/info' }
 
-      it 'retrieves info about the node' do
-        expect_status(:ok)
+        it 'retrieves info about the node including swagger' do
+          expect_status(:ok)
 
-        expect_json_keys(%i[postman swagger readme docs
-                            metadata_communities])
+          expect_json_keys(%i[postman swagger readme docs
+                              metadata_communities])
 
-        data = JSON.parse(response.body)
-        expect(data['metadata_communities'].keys).to match_array(
-          %w[learning_registry ce_registry]
-        )
+          data = JSON.parse(response.body)
+          expect(data['metadata_communities'].keys).to match_array(
+            %w[learning_registry ce_registry]
+          )
+        end
+      end
+
+      context 'GET /swagger.json' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/swagger.json' }
+
+        it 'retrieves the swagger.json' do
+          expect_status(:ok)
+          expect_json('swagger', '2.0')
+        end
       end
     end
 
-    context 'GET /swagger.json' do # rubocop:todo RSpec/ContextWording
-      before { get '/swagger.json' }
+    context 'with swagger disabled' do
+      let(:swagger_enabled) { '' }
+
+      context 'GET' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/' }
+
+        it 'retrieves api info' do
+          expect_status(:ok)
+
+          expect_json_keys(%i[api_version total_envelopes info
+                              metadata_communities])
+
+          data = JSON.parse(response.body)
+          expect(data['metadata_communities'].keys).to match_array(
+            %w[learning_registry ce_registry]
+          )
+
+          expect_json(total_envelopes: 2)
+        end
+      end
+
+      context 'GET /info' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/info' }
+
+        it 'retrieves info about the node without swagger' do
+          expect_status(:ok)
+
+          data = JSON.parse(response.body)
+          expect(data.keys).to match_array(
+            %w[postman readme docs metadata_communities]
+          )
+          expect(data).not_to have_key('swagger')
+          expect(data['metadata_communities'].keys).to match_array(
+            %w[learning_registry ce_registry]
+          )
+        end
+      end
+
+      context 'GET /swagger.json' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/swagger.json' }
 
-      it 'retrieves the swagger.json' do
-        expect_status(:ok)
-        expect_json('swagger', '2.0')
+        it 'returns forbidden' do
+          expect_status(:forbidden)
+        end
       end
     end
   end
 
   context 'with authentication required' do
     let(:auth_required) { 'true' }
 
-    context 'GET' do # rubocop:todo RSpec/ContextWording
-      before { get '/' }
+    context 'with swagger enabled' do
+      let(:swagger_enabled) { 'true' }
 
-      it { expect_status(:unauthorized) }
-    end
+      context 'GET' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/' }
+
+        it { expect_status(:unauthorized) }
+      end
 
-    context 'GET /info' do # rubocop:todo RSpec/ContextWording
-      before { get '/info' }
+      context 'GET /info' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/info' }
 
-      it { expect_status(:unauthorized) }
+        it { expect_status(:unauthorized) }
+      end
+
+      context 'GET /swagger.json' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/swagger.json' }
+
+        it 'retrieves the swagger.json when not protected by auth' do
+          expect_status(:ok)
+          expect_json('swagger', '2.0')
+        end
+      end
     end
 
-    context 'GET /swagger.json' do # rubocop:todo RSpec/ContextWording
-      before { get '/swagger.json' }
+    context 'with swagger disabled' do
+      let(:swagger_enabled) { '' }
+
+      context 'GET' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/' }
+
+        it { expect_status(:unauthorized) }
+      end
+
+      context 'GET /info' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/info' }
+
+        it { expect_status(:unauthorized) }
+      end
+
+      context 'GET /swagger.json' do # rubocop:todo RSpec/ContextWording, RSpec/NestedGroups
+        before { get '/swagger.json' }
 
-      it 'retrieves the swagger.json' do
-        expect_status(:ok)
-        expect_json('swagger', '2.0')
+        it 'returns forbidden due to swagger being disabled' do
+          expect_status(:forbidden)
+        end
       end
     end
   end