WithCacheShardLevelPaths enforces that shard-level URLs (see pkg/authorization/shardpaths) are not reachable via a shard- or workspace-scoped cache server URL such as services/cache/shards/{shard}/clusters/{cluster}/metrics. The data exposed at these paths is process-wide and has no per-shard or per-workspace […]
(handler http.Handler)
// WithCacheShardLevelPaths wraps handler so that a request whose URL path is
// listed in shardpaths.Paths is served only when its context carries neither
// a shard scope nor a named cluster. Scoped requests for such a path are
// answered with 501 Not Implemented and recorded in the audit log under the
// "shardpaths.kcp.io/rejected" annotation. Every other request is passed
// through to handler unchanged.
//
// Must run AFTER WithClusterScope and WithShardScope so the request context
// reflects whether either prefix was present in the original URL.
//
// NOTE(review): the lookup uses req.URL.Path exactly as it arrives here.
// Whether non-canonical spellings of a shard-level path (trailing slash,
// duplicate slashes) are also caught depends on shardpaths.Paths.Has and on
// any path cleaning done by earlier filters — confirm against those.
func WithCacheShardLevelPaths(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		ctx := req.Context()
		path := req.URL.Path

		if shardpaths.Paths.Has(path) {
			// Scope is read from the context populated by the earlier
			// scope filters, not re-derived from the URL.
			shardScope := request.ShardFrom(ctx)
			cluster := request.ClusterFrom(ctx)

			scoped := !shardScope.Empty()
			if !scoped && cluster != nil {
				scoped = !cluster.Name.Empty()
			}

			if scoped {
				// Leave an audit trail for the refusal before answering.
				audit.AddAuditAnnotation(ctx, "shardpaths.kcp.io/rejected", path)
				http.Error(w, "shard-level endpoint not available at shard or workspace scope", http.StatusNotImplemented)
				return
			}
		}

		// Either not a shard-level path, or requested without any scope.
		handler.ServeHTTP(w, req)
	})
}
| 176 | |
| 177 | // WithSyntheticDelay injects a synthetic delay to calls, to exacerbate timing issues and expose inconsistent client behavior. |
| 178 | func WithSyntheticDelay(handler http.Handler, delay time.Duration) http.Handler { |