From cd9e75143a3b060b21b0dc298818e58c89ec7a28 Mon Sep 17 00:00:00 2001 From: koetsier Date: Mon, 27 Apr 2026 21:51:13 +0100 Subject: [PATCH 1/3] Deprecate post "/commit" endpoint This route is no longer in use # Conflicts: # spec/integration/app/deprecated_endpoints_spec.rb --- lib/rummager/app.rb | 10 +--------- spec/integration/app/authorization_spec.rb | 2 +- spec/integration/app/deprecated_endpoints_spec.rb | 1 + spec/integration/indexer/commit_spec.rb | 8 -------- 4 files changed, 3 insertions(+), 18 deletions(-) delete mode 100644 spec/integration/indexer/commit_spec.rb diff --git a/lib/rummager/app.rb b/lib/rummager/app.rb index 04210c4d9..2dd241529 100644 --- a/lib/rummager/app.rb +++ b/lib/rummager/app.rb @@ -63,12 +63,6 @@ def require_authentication(permission) halt(403, "You do not have permission to access this endpoint") unless u["permissions"].include? permission end - def prevent_access_to_govuk_and_detailed - if %w[govuk detailed].include?(index_name) - halt(403, "Actions to the govuk or detailed indices are not allowed via this endpoint.") - end - end - def deprecated_endpoint GovukError.notify("Deprecated endpoint accessed", extras: { source_ip: request.ip, path: request.fullpath }) halt(403, "This endpoint has been deprecated.") @@ -183,9 +177,7 @@ def json_only end post "/:index/commit" do - require_authentication "manage_search_indices" - prevent_access_to_govuk_and_detailed - simple_json_result(current_index.commit) + deprecated_endpoint end delete "/:index/documents/*" do diff --git a/spec/integration/app/authorization_spec.rb b/spec/integration/app/authorization_spec.rb index 7d9547e03..4b8f7ffca 100644 --- a/spec/integration/app/authorization_spec.rb +++ b/spec/integration/app/authorization_spec.rb @@ -23,7 +23,7 @@ end it "prevents access to a route that requires authentication when no authentication is provided" do - response = post "/government_test/commit", {}.to_json + response = post "/v2/metasearch/documents", {}.to_json expect(response.status).to eq(401) end diff --git a/spec/integration/app/deprecated_endpoints_spec.rb b/spec/integration/app/deprecated_endpoints_spec.rb index f90b83c55..051b16e92 100644 --- a/spec/integration/app/deprecated_endpoints_spec.rb +++ b/spec/integration/app/deprecated_endpoints_spec.rb @@ -20,4 +20,5 @@ include_examples "forbidden request", :get, "/content" include_examples "forbidden request", :delete, "/content" include_examples "forbidden request", :delete, "/govuk_test/documents" + include_examples "forbidden request", :post, "/:index/commit" end diff --git a/spec/integration/indexer/commit_spec.rb b/spec/integration/indexer/commit_spec.rb deleted file mode 100644 index d4ddcc85d..000000000 --- a/spec/integration/indexer/commit_spec.rb +++ /dev/null @@ -1,8 +0,0 @@ -require "spec_helper" - -RSpec.describe "Commit" do - describe "post /:index/commit" do - it_behaves_like "govuk and detailed index protection", "/:index/commit", method: :post - it_behaves_like "rejects unknown index", "/unknown_index/commit", method: :post - end -end From a53795a68ac4fa9263f19fdc7c1df8a58086db35 Mon Sep 17 00:00:00 2001 From: koetsier Date: Tue, 28 Apr 2026 12:00:16 +0100 Subject: [PATCH 2/3] Remove old deprecated routes. These were deprecated 2018 and an error message was raised when accessing to alert us if they were still used. We can now be confident they are no longer used and the routes can be removed --- lib/rummager/app.rb | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/lib/rummager/app.rb b/lib/rummager/app.rb index 2dd241529..9d8e19bb1 100644 --- a/lib/rummager/app.rb +++ b/lib/rummager/app.rb @@ -14,8 +14,6 @@ require "healthcheck/elasticsearch_connectivity_check" class Rummager < Sinatra::Application - class AttemptToUseDefaultMainstreamIndex < StandardError; end - Warden::Strategies.add :bearer_token, Warden::OAuth2::Strategies::Bearer Warden::OAuth2.configure { |config| config.token_model = Auth::GdsSso } Warden::Strategies.add :mock_bearer_token, Auth::MockStrategy @@ -122,16 +120,6 @@ def json_only halt(404, env["sinatra.error"].message) end - error Rummager::AttemptToUseDefaultMainstreamIndex do - GovukError.notify( - env["sinatra.error"], - extra: { - params:, - }, - ) - halt(500, env["sinatra.error"].message) - end - # Return results for the GOV.UK site search # # For details, see docs/search-api.md @@ -256,28 +244,6 @@ def serve_from_s3(key) halt(404, "No such object") end - # these endpoints are used to capture any usage of old endpoints which relied on a default index. - # They can be removed once we are happy they are not being accessed. - delete "/documents" do - raise AttemptToUseDefaultMainstreamIndex - end - - post "/documents/*" do - raise AttemptToUseDefaultMainstreamIndex - end - - delete "/documents/*" do - raise AttemptToUseDefaultMainstreamIndex - end - - post "/commit" do - raise AttemptToUseDefaultMainstreamIndex - end - - post "/documents" do - raise AttemptToUseDefaultMainstreamIndex - end - post "/unauthenticated/?" do if env["HTTP_AUTHORIZATION"].to_s.start_with?("Bearer ") message = "Bearer token does not appear to be valid" From 706d0babb298797b905a25f975a39c65d6f7995e Mon Sep 17 00:00:00 2001 From: koetsier Date: Tue, 28 Apr 2026 12:15:58 +0100 Subject: [PATCH 3/3] Group deprecated enpoints and add a message So when we feel confident the endpoints are not accessed anymore we can delete them --- lib/rummager/app.rb | 61 +++++++++++---------- spec/integration/app/error_handling_spec.rb | 28 ---------- 2 files changed, 31 insertions(+), 58 deletions(-) diff --git a/lib/rummager/app.rb b/lib/rummager/app.rb index 9d8e19bb1..139cbef42 100644 --- a/lib/rummager/app.rb +++ b/lib/rummager/app.rb @@ -141,19 +141,6 @@ def json_only end end - get "/content" do - deprecated_endpoint - end - - delete "/content" do - deprecated_endpoint - end - - # Insert (or overwrite) a document - post "/:index/documents" do - deprecated_endpoint - end - post "/v2/metasearch/documents" do require_authentication "manage_search_indices" document = JSON.parse(request.body.read) @@ -164,14 +151,6 @@ def json_only json_result 200, "Success" end - post "/:index/commit" do - deprecated_endpoint - end - - delete "/:index/documents/*" do - deprecated_endpoint - end - delete "/v2/metasearch/documents/*" do require_authentication "manage_search_indices" id = params["splat"].first @@ -182,15 +161,6 @@ def json_only json_result 200, "Success" end - # Update an existing document - post "/:index/documents/*" do - deprecated_endpoint - end - - delete "/:index/documents" do - deprecated_endpoint - end - get "/_status" do status = {} status["queues"] = {} @@ -257,4 +227,35 @@ def serve_from_s3(key) body = { message: }.to_json halt(401, headers, body) end + + # Deprecated routes (since April 2026). + # Accessing these routes raises an error so we can detect any remaining usage. + # They can be removed once we’re confident they are no longer in use. + get "/content" do + deprecated_endpoint + end + + delete "/content" do + deprecated_endpoint + end + + post "/:index/documents" do + deprecated_endpoint + end + + post "/:index/documents/*" do + deprecated_endpoint + end + + delete "/:index/documents" do + deprecated_endpoint + end + + post "/:index/commit" do + deprecated_endpoint + end + + delete "/:index/documents/*" do + deprecated_endpoint + end end diff --git a/spec/integration/app/error_handling_spec.rb b/spec/integration/app/error_handling_spec.rb index eaa251472..7f6e284a2 100644 --- a/spec/integration/app/error_handling_spec.rb +++ b/spec/integration/app/error_handling_spec.rb @@ -18,20 +18,6 @@ end end - RSpec.shared_examples "blocks default mainstream index usage" do |http_method:, path:| - it "#{http_method.upcase} #{path} raises AttemptToUseDefaultMainstreamIndex" do - expect(GovukError).to receive(:notify) - .with( - instance_of(Rummager::AttemptToUseDefaultMainstreamIndex), - extra: hash_including(:params), - ) - - send(http_method, path) - expect(last_response.status).to eq(500) - expect(last_response.body).to be_present - end - end - include_examples( "a sinatra error handler", exception_class: Index::ResponseValidator::NotFound, @@ -67,20 +53,6 @@ body: ->(msg) { msg }, ) - [ - [:delete, "/documents"], - [:post, "/documents/123"], - [:delete, "/documents/123"], - [:post, "/commit"], - [:post, "/documents"], - ].each do |http_method, path| - include_examples( - "blocks default mainstream index usage", - http_method:, - path:, - ) - end - it "notifies GovukError with the exception and params" do error = Index::ResponseValidator::ElasticsearchError.new("error")