feat: add admin dashboard for key & upload status monitoring

Lightweight web UI served at /admin (disabled by default, enable with
S3PROXY_ADMIN_UI=true) showing KEK fingerprint, active multipart uploads,
memory/concurrency health, and request statistics. Server-rendered HTML
with auto-refresh via fetch() every 10s, protected by HTTP Basic Auth.

Closes #19

Author: ServerSideHannes

pyproject.toml

@@ -70,6 +70,9 @@ target-version = "py314"
 [tool.ruff.lint]
 select = ["E", "F", "I", "N", "W", "UP", "B", "C4", "SIM"]
 
+[tool.ruff.lint.per-file-ignores]
+"s3proxy/admin/templates.py" = ["E501"]
+
 [tool.pytest.ini_options]
 asyncio_mode = "auto"
 testpaths = ["tests"]

s3proxy/admin/__init__.py

@@ -0,0 +1,5 @@
+"""Admin dashboard for S3Proxy."""
+
+from .router import create_admin_router
+
+__all__ = ["create_admin_router"]

s3proxy/admin/auth.py

@@ -0,0 +1,35 @@
+"""Basic auth for admin dashboard."""
+
+import secrets
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBasic, HTTPBasicCredentials
+
+security = HTTPBasic(realm="S3Proxy Admin")
+
+_security_dep = Depends(security)
+
+
+def create_auth_dependency(settings, credentials_store: dict[str, str]):
+    """Create a Basic Auth dependency for the admin router."""
+    if settings.admin_username and settings.admin_password:
+        valid_username = settings.admin_username
+        valid_password = settings.admin_password
+    else:
+        if not credentials_store:
+            raise RuntimeError("No credentials configured for admin auth")
+        valid_username = next(iter(credentials_store.keys()))
+        valid_password = credentials_store[valid_username]
+
+    async def verify(credentials: HTTPBasicCredentials = _security_dep):
+        username_ok = secrets.compare_digest(credentials.username.encode(), valid_username.encode())
+        password_ok = secrets.compare_digest(credentials.password.encode(), valid_password.encode())
+        if not (username_ok and password_ok):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid credentials",
+                headers={"WWW-Authenticate": 'Basic realm="S3Proxy Admin"'},
+            )
+        return credentials
+
+    return verify

s3proxy/admin/collectors.py

@@ -0,0 +1,143 @@
+"""Data collectors for admin dashboard."""
+
+from __future__ import annotations
+
+import hashlib
+import time
+from typing import TYPE_CHECKING
+
+from .. import metrics
+from ..state.redis import is_using_redis
+
+if TYPE_CHECKING:
+    from ..config import Settings
+    from ..handlers import S3ProxyHandler
+
+
+def collect_key_status(settings: Settings) -> dict:
+    """Collect encryption key status. Never exposes raw key material."""
+    return {
+        "kek_fingerprint": hashlib.sha256(settings.kek).hexdigest()[:16],
+        "algorithm": "AES-256-GCM + AES-KWP",
+        "dek_tag_name": settings.dektag_name,
+    }
+
+
+async def collect_upload_status(handler: S3ProxyHandler) -> dict:
+    """Collect active multipart upload status."""
+    uploads = await handler.multipart_manager.list_active_uploads()
+    return {
+        "active_count": len(uploads),
+        "uploads": uploads,
+    }
+
+
+def _read_gauge(gauge) -> float:
+    """Read current value from a Prometheus Gauge."""
+    return gauge._value.get()
+
+
+def _read_counter(counter) -> float:
+    """Read current value from a Prometheus Counter."""
+    return counter._value.get()
+
+
+def _read_labeled_counter_sum(counter) -> float:
+    """Sum all label combinations for a labeled counter."""
+    total = 0.0
+    for sample in counter.collect()[0].samples:
+        if sample.name.endswith("_total"):
+            total += sample.value
+    return total
+
+
+def _read_labeled_gauge_sum(gauge) -> float:
+    """Sum all label combinations for a labeled gauge."""
+    total = 0.0
+    for sample in gauge.collect()[0].samples:
+        total += sample.value
+    return total
+
+
+def collect_system_health(start_time: float) -> dict:
+    """Collect system health metrics."""
+    memory_reserved = _read_gauge(metrics.MEMORY_RESERVED_BYTES)
+    memory_limit = _read_gauge(metrics.MEMORY_LIMIT_BYTES)
+    usage_pct = round(memory_reserved / memory_limit * 100, 1) if memory_limit > 0 else 0
+
+    return {
+        "memory_reserved_bytes": int(memory_reserved),
+        "memory_limit_bytes": int(memory_limit),
+        "memory_usage_pct": usage_pct,
+        "requests_in_flight": int(_read_labeled_gauge_sum(metrics.REQUESTS_IN_FLIGHT)),
+        "memory_rejections": int(_read_counter(metrics.MEMORY_REJECTIONS)),
+        "uptime_seconds": int(time.monotonic() - start_time),
+        "storage_backend": ("Redis (HA)" if is_using_redis() else "In-memory"),
+    }
+
+
+def collect_request_stats() -> dict:
+    """Collect request statistics."""
+    encrypt_ops = 0.0
+    decrypt_ops = 0.0
+    for sample in metrics.ENCRYPTION_OPERATIONS.collect()[0].samples:
+        if sample.name.endswith("_total"):
+            if sample.labels.get("operation") == "encrypt":
+                encrypt_ops = sample.value
+            elif sample.labels.get("operation") == "decrypt":
+                decrypt_ops = sample.value
+
+    return {
+        "total_requests": int(_read_labeled_counter_sum(metrics.REQUEST_COUNT)),
+        "encrypt_ops": int(encrypt_ops),
+        "decrypt_ops": int(decrypt_ops),
+        "bytes_encrypted": int(_read_counter(metrics.BYTES_ENCRYPTED)),
+        "bytes_decrypted": int(_read_counter(metrics.BYTES_DECRYPTED)),
+    }
+
+
+def _format_bytes(n: int) -> str:
+    """Format bytes to human-readable string."""
+    for unit in ("B", "KB", "MB", "GB", "TB"):
+        if abs(n) < 1024:
+            return f"{n:.1f} {unit}" if unit != "B" else f"{n} {unit}"
+        n /= 1024
+    return f"{n:.1f} PB"
+
+
+def _format_uptime(seconds: int) -> str:
+    """Format seconds to human-readable uptime string."""
+    days, remainder = divmod(seconds, 86400)
+    hours, remainder = divmod(remainder, 3600)
+    minutes, _ = divmod(remainder, 60)
+    parts = []
+    if days:
+        parts.append(f"{days}d")
+    if hours:
+        parts.append(f"{hours}h")
+    parts.append(f"{minutes}m")
+    return " ".join(parts)
+
+
+async def collect_all(
+    settings: Settings,
+    handler: S3ProxyHandler,
+    start_time: float,
+) -> dict:
+    """Collect all dashboard data."""
+    upload_status = await collect_upload_status(handler)
+    health = collect_system_health(start_time)
+    stats = collect_request_stats()
+    return {
+        "key_status": collect_key_status(settings),
+        "upload_status": upload_status,
+        "system_health": health,
+        "request_stats": stats,
+        "formatted": {
+            "memory_reserved": _format_bytes(health["memory_reserved_bytes"]),
+            "memory_limit": _format_bytes(health["memory_limit_bytes"]),
+            "uptime": _format_uptime(health["uptime_seconds"]),
+            "bytes_encrypted": _format_bytes(stats["bytes_encrypted"]),
+            "bytes_decrypted": _format_bytes(stats["bytes_decrypted"]),
+        },
+    }

s3proxy/admin/router.py

@@ -0,0 +1,36 @@
+"""Admin dashboard router."""
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+
+from fastapi import APIRouter, Depends, Request
+from fastapi.responses import HTMLResponse, JSONResponse
+
+from .auth import create_auth_dependency
+from .collectors import collect_all
+from .templates import DASHBOARD_HTML
+
+if TYPE_CHECKING:
+    from ..config import Settings
+
+
+def create_admin_router(settings: Settings, credentials_store: dict[str, str]) -> APIRouter:
+    """Create the admin dashboard router with auth."""
+    verify_admin = create_auth_dependency(settings, credentials_store)
+    router = APIRouter(dependencies=[Depends(verify_admin)])
+
+    @router.get("/", response_class=HTMLResponse)
+    async def dashboard():
+        return HTMLResponse(DASHBOARD_HTML)
+
+    @router.get("/api/status")
+    async def status(request: Request):
+        data = await collect_all(
+            request.app.state.settings,
+            request.app.state.handler,
+            request.app.state.start_time,
+        )
+        return JSONResponse(data)
+
+    return router

s3proxy/admin/templates.py

@@ -0,0 +1,116 @@
+"""HTML template for admin dashboard."""
+
+DASHBOARD_HTML = """\
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>S3Proxy Admin</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{background:#0f1117;color:#c9d1d9;font-family:'SF Mono',Menlo,Consolas,monospace;font-size:14px;padding:24px;max-width:900px;margin:0 auto}
+h1{font-size:18px;color:#f0f6fc;margin-bottom:4px}
+.subtitle{color:#8b949e;font-size:12px;margin-bottom:24px}
+.refresh-badge{display:inline-block;background:#1c2128;border:1px solid #30363d;border-radius:4px;padding:2px 8px;font-size:11px;color:#8b949e}
+.section{background:#161b22;border:1px solid #30363d;border-radius:8px;padding:16px;margin-bottom:16px}
+.section-title{font-size:13px;color:#8b949e;text-transform:uppercase;letter-spacing:1px;margin-bottom:12px;font-weight:600}
+.row{display:flex;justify-content:space-between;padding:6px 0;border-bottom:1px solid #21262d}
+.row:last-child{border-bottom:none}
+.label{color:#8b949e}
+.value{color:#f0f6fc;font-weight:500}
+.bar-container{width:120px;height:8px;background:#21262d;border-radius:4px;display:inline-block;vertical-align:middle;margin-left:8px}
+.bar-fill{height:100%;border-radius:4px;transition:width 0.3s}
+.bar-green{background:#3fb950}
+.bar-yellow{background:#d29922}
+.bar-red{background:#f85149}
+table{width:100%;border-collapse:collapse;margin-top:8px}
+th{text-align:left;color:#8b949e;font-weight:500;padding:6px 8px;border-bottom:1px solid #30363d;font-size:12px}
+td{padding:6px 8px;border-bottom:1px solid #21262d;color:#c9d1d9}
+.empty{color:#484f58;font-style:italic;padding:12px 0}
+.num{font-variant-numeric:tabular-nums}
+#status-dot{display:inline-block;width:6px;height:6px;border-radius:50%;background:#3fb950;margin-right:6px}
+</style>
+</head>
+<body>
+<div style="display:flex;justify-content:space-between;align-items:flex-start;margin-bottom:24px">
+<div><h1><span id="status-dot"></span>S3Proxy Admin</h1><div class="subtitle">Encryption proxy dashboard</div></div>
+<div class="refresh-badge">auto-refresh: 10s</div>
+</div>
+
+<div class="section">
+<div class="section-title">Key Status</div>
+<div class="row"><span class="label">KEK Fingerprint</span><span class="value" id="kek-fp"></span></div>
+<div class="row"><span class="label">Algorithm</span><span class="value" id="algo"></span></div>
+<div class="row"><span class="label">DEK Tag Name</span><span class="value" id="dek-tag"></span></div>
+</div>
+
+<div class="section">
+<div class="section-title">Active Uploads</div>
+<div class="row"><span class="label">Count</span><span class="value num" id="upload-count"></span></div>
+<div id="uploads-table"></div>
+</div>
+
+<div class="section">
+<div class="section-title">System Health</div>
+<div class="row"><span class="label">Memory</span><span class="value" id="memory"></span></div>
+<div class="row"><span class="label">In-Flight Requests</span><span class="value num" id="in-flight"></span></div>
+<div class="row"><span class="label">503 Rejections</span><span class="value num" id="rejections"></span></div>
+<div class="row"><span class="label">Uptime</span><span class="value" id="uptime"></span></div>
+<div class="row"><span class="label">Storage Backend</span><span class="value" id="storage"></span></div>
+</div>
+
+<div class="section">
+<div class="section-title">Request Stats</div>
+<div class="row"><span class="label">Total Requests</span><span class="value num" id="total-req"></span></div>
+<div class="row"><span class="label">Encrypt Ops</span><span class="value num" id="encrypt-ops"></span></div>
+<div class="row"><span class="label">Decrypt Ops</span><span class="value num" id="decrypt-ops"></span></div>
+<div class="row"><span class="label">Bytes Encrypted</span><span class="value" id="bytes-enc"></span></div>
+<div class="row"><span class="label">Bytes Decrypted</span><span class="value" id="bytes-dec"></span></div>
+</div>
+
+<script>
+function fmt(n){return n.toLocaleString()}
+function barClass(pct){return pct>80?'bar-red':pct>50?'bar-yellow':'bar-green'}
+function bar(pct){return '<div class="bar-container"><div class="bar-fill '+barClass(pct)+'" style="width:'+Math.min(pct,100)+'%"></div></div>'}
+function age(iso){
+  var s=Math.floor((Date.now()-new Date(iso+'Z'))/1000);
+  if(s<60)return s+'s';
+  if(s<3600)return Math.floor(s/60)+'m';
+  if(s<86400)return Math.floor(s/3600)+'h '+Math.floor((s%3600)/60)+'m';
+  return Math.floor(s/86400)+'d '+Math.floor((s%86400)/3600)+'h';
+}
+function update(d){
+  var k=d.key_status,u=d.upload_status,h=d.system_health,r=d.request_stats,f=d.formatted;
+  document.getElementById('kek-fp').textContent=k.kek_fingerprint;
+  document.getElementById('algo').textContent=k.algorithm;
+  document.getElementById('dek-tag').textContent=k.dek_tag_name;
+  document.getElementById('upload-count').textContent=u.active_count;
+  var ut=document.getElementById('uploads-table');
+  if(u.uploads.length===0){ut.innerHTML='<div class="empty">No active uploads</div>';}
+  else{var h2='<table><tr><th>Bucket</th><th>Key</th><th>Parts</th><th>Size</th><th>Age</th></tr>';
+    u.uploads.forEach(function(up){h2+='<tr><td>'+up.bucket+'</td><td>'+up.key+'</td><td class="num">'+up.parts_count+'</td><td class="num">'+up.total_plaintext_size+'</td><td>'+age(up.created_at)+'</td></tr>';});
+    h2+='</table>';ut.innerHTML=h2;}
+  document.getElementById('memory').innerHTML=f.memory_reserved+' / '+f.memory_limit+' ('+h.memory_usage_pct+'%)'+bar(h.memory_usage_pct);
+  document.getElementById('in-flight').textContent=fmt(h.requests_in_flight);
+  document.getElementById('rejections').textContent=fmt(h.memory_rejections);
+  document.getElementById('uptime').textContent=f.uptime;
+  document.getElementById('storage').textContent=h.storage_backend;
+  document.getElementById('total-req').textContent=fmt(r.total_requests);
+  document.getElementById('encrypt-ops').textContent=fmt(r.encrypt_ops);
+  document.getElementById('decrypt-ops').textContent=fmt(r.decrypt_ops);
+  document.getElementById('bytes-enc').textContent=f.bytes_encrypted;
+  document.getElementById('bytes-dec').textContent=f.bytes_decrypted;
+}
+function refresh(){
+  fetch('api/status',{credentials:'same-origin'})
+    .then(function(r){return r.json()})
+    .then(update)
+    .catch(function(){});
+}
+refresh();
+setInterval(refresh,10000);
+</script>
+</body>
+</html>
+"""