Documentation update for current code

Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>

Author: nuclearcat

README.md

@@ -4,6 +4,7 @@ This is a simple storage server that supports file upload and download, with tok
 It supports multiple backends, currently only Azure Blob is supported, to provide user transparent storage.
 It caches the files in a local directory and serves them from there.
 Range requests are supported, but only for start offset, end limit is not implemented yet.
+Files are protected by upload locking to prevent concurrent uploads to the same path.
 
 ## Configuration
 
@@ -16,6 +17,11 @@ account=""
 key=""
 container=""
 sastoken=""
+
+# User upload permissions (optional)
+[[users]]
+name = "user@email.com"
+prefixes = ["/allowed/path"]
 ```
 
 ## Creating user tokens
@@ -24,23 +30,53 @@ The server uses JWT token based authentication. The token is passed in the `Auth
 JWT secret is configured in the `config.toml` file.
 
 ```bash
-./kernelci-storage -generate_jwt_token user@email.com
+# Generate JWT secret
+./kernelci-storage --generate-jwt-secret
+
+# Generate JWT token for a user
+./kernelci-storage --generate-jwt-token user@email.com
 ```
-This will generate a JWT token for the user.
+The first command generates a JWT secret for your configuration, the second generates a token for the specified user.
 
 ### Testing Token Validity
 
 You can verify if a token is valid using the `/v1/checkauth` endpoint:
 
 ```bash
-curl -X GET http://localhost:3000/v1/checkauth \
+curl -X GET https://localhost:3000/v1/checkauth \
     -H "Authorization: Bearer <JWT_TOKEN>"
 ```
 
 **Responses:**
 - `200 OK` with body `Authorized: user@email.com` - Token is valid
 - `401 Unauthorized` with body `Unauthorized` - Token is invalid or missing
 
+## Environment Variables
+
+- `KCI_STORAGE_CONFIG` - Override config file path (defaults to config.toml)
+- `STORAGE_DEBUG` - Enable debug logging
+
 ## API
 
-See [docs](docs/) for the API documentation.
+### Endpoints
+
+- `GET /` - Server status
+- `POST /v1/file` or `POST /upload` - File upload (requires JWT)
+- `GET /*filepath` - File download (public, supports range requests)
+- `GET /v1/checkauth` - Validate JWT token
+- `GET /v1/list` - List all files (public)
+- `GET /metrics` - Prometheus metrics endpoint
+
+The server supports large file uploads up to 4GB and includes upload conflict protection to prevent concurrent uploads to the same file path. Downloads have a 30-second timeout for acquiring file locks.
+
+### Metrics
+
+The `/metrics` endpoint provides Prometheus-compatible metrics including:
+- `storage_free_space` - Available disk space
+- `storage_total_space` - Total disk space
+
+Both metrics include hostname, diskname, and mount_point labels.
+
+## API Documentation
+
+See [docs](docs/) for detailed API documentation.

docs/_index.md

@@ -4,47 +4,101 @@ date: 2025-08-06
 description: KernelCI's Storage API documentation
 ---
 
-We have simple storage server that supports file upload and download, with JWT token based authentication.
+We have a simple Proxy server that supports file upload and download, with JWT token-based authentication. The server supports multiple storage backends, file caching, range requests, and provides Prometheus metrics.
 
 ## API Endpoints
 
-The API is quite simple with upload through a `/upload` endpoint and download through a GET to the file url.
-
 ### Upload
 
-`POST /upload`
+**`POST /upload`** or **`POST /v1/file`**
 
-Upload a file to the server.
+Upload a file to the server. Requires JWT authentication.
 
-field path: the path to store the file in the server.
-field file0: the file to upload.
+**Form fields:**
+- `path`: The path to store the file in the server
+- `file0`: The file to upload
 
 ### Download
 
-`GET /path/to/file`
+**`GET /*filepath`**
+
+Download a file from the server. Supports range requests for partial downloads.
+
+### Authentication Check
+
+**`GET /v1/checkauth`**
+
+Validate a JWT token. Returns the authenticated user's email if valid.
+
+### List Files
+
+**`GET /v1/list`**
+
+List all files in the storage (public endpoint).
 
-Download a file from the server.
+### Server Status
+
+**`GET /`**
+
+Returns server status: "KernelCI Proxy Server"
+
+### Metrics
+
+**`GET /metrics`**
+
+Prometheus metrics endpoint showing storage space and system information.
 
 ### Request a token
 
 Ask the kernelci-sysadmin team for a token.
 
-### Testing upload and download using curl
+### Testing with curl
 
 ```bash
-# Upload
-curl -X POST http://files.kernelci.org/upload \
+# Upload a file
+curl -X POST https://files.kernelci.org/upload \
+    -H "Authorization: Bearer <JWT_TOKEN>" \
+    -F "path=testfolder" \
+    -F "file0=@local_folder/local_file"
+
+# Alternative upload endpoint
+curl -X POST https://files.kernelci.org/v1/file \
     -H "Authorization: Bearer <JWT_TOKEN>" \
     -F "path=testfolder" \
     -F "file0=@local_folder/local_file"
 
-# File will be uploaded to Azure Blob Storage as testfolder/local_folder/local_file
+# File will be uploaded as testfolder/local_folder/local_file
+
+# Download a file
+curl https://files.kernelci.org/testfolder/local_folder/local_file
+
+# Download with range request (partial content)
+curl -H "Range: bytes=0-1023" https://files.kernelci.org/testfolder/local_folder/local_file
+
+# Check authentication
+curl -X GET https://files.kernelci.org/v1/checkauth \
+    -H "Authorization: Bearer <JWT_TOKEN>"
 
-# Download
-curl http://files.kernelci.org/testfolder/local_folder/local_file
+# List all files
+curl https://files.kernelci.org/v1/list
+
+# Get metrics
+curl https://files.kernelci.org/metrics
 ```
 
-## Principle of operation
+## Features
+
+- **JWT Authentication**: Secure token-based authentication for uploads
+- **Multiple Storage Backends**: Currently supports Azure Blob Storage with extensible driver architecture
+- **Local Caching**: Files are cached locally with automatic cleanup when disk space is low
+- **Range Request Support**: Partial content downloads using HTTP range requests
+- **File Locking**: Prevents concurrent uploads to the same file path
+- **Prometheus Metrics**: System monitoring and metrics collection
+- **User Access Control**: Configurable path-based upload permissions per user
+- **Content-Type Detection**: Automatic MIME type detection based on file extensions
+- **HTTP Caching Headers**: ETag and Last-Modified support for efficient caching
+
+## Architecture
 
 ```mermaid
 sequenceDiagram
@@ -54,21 +108,56 @@ sequenceDiagram
     participant Azure Blob Storage
 
     %% Upload Flow
-    User->>Proxy Server: Upload File (POST Request)
-    Proxy Server->>Azure Blob Storage: Store File in Cloud
-    Azure Blob Storage-->>Proxy Server: Confirmation
-    Proxy Server-->>User: Upload Successful
+    User->>Proxy Server: Upload File (POST /upload or /v1/file)
+    Note over Proxy Server: JWT Authentication & Path Permissions Check
+    Proxy Server->>Proxy Server: Acquire File Lock
+    Proxy Server->>Azure Blob Storage: Store File with Chunked Upload
+    Proxy Server->>Local Cache: Cache File Locally
+    Azure Blob Storage-->>Proxy Server: Upload Confirmation
+    Proxy Server-->>User: Upload Successful (200 OK)
 
     %% Download Flow
-    User->>Proxy Server: Request File (GET Request)
+    User->>Proxy Server: Request File (GET /*filepath)
+    Proxy Server->>Proxy Server: Acquire File Lock (with timeout)
     Proxy Server->>Local Cache: Check if File Exists
     alt File Found in Cache
         Local Cache-->>Proxy Server: Return Cached File
-        Proxy Server-->>User: Send File
+        Proxy Server-->>User: Send File (with Range Support)
     else File Not in Cache
         Proxy Server->>Azure Blob Storage: Fetch File from Cloud
         Azure Blob Storage-->>Proxy Server: Send File Data
-        Proxy Server->>Local Cache: Save File Locally
-        Proxy Server-->>User: Send File
+        Proxy Server->>Local Cache: Save File Locally (SHA-512 based filename)
+        Proxy Server-->>User: Send File (with Range Support)
     end
 ```
+
+## Configuration
+
+The server supports configuration through a `config.toml` file with the following structure:
+
+```toml
+# Storage backend driver (defaults to "azure")
+driver = "azure"
+jwt_secret = "your-jwt-secret-here"
+
+# Azure Blob Storage configuration
+[azure]
+account = "your-storage-account"
+key = "your-storage-key"
+container = "your-container-name"
+sastoken = "?sv=2022-11-02&ss=b..."
+
+# User access control
+[[users]]
+name = "user@example.com"
+prefixes = ["/allowed/path1", "/allowed/path2"]
+
+[[users]]
+name = "admin@example.com"
+prefixes = [""]  # Empty prefix allows access to all paths
+```
+
+## Environment Variables
+
+- `STORAGE_DEBUG`: Enable debug logging
+- `KCI_STORAGE_CONFIG`: Override default config file path