Fix gitaly-backup TLS connections

Omnibus configures OpenSSL to use custom cert directories, but since gitaly-backup is written in go which does not use OpenSSL we need to pass these defaults through. Changelog: fixed

Fix gitaly-backup TLS connections
Omnibus configures OpenSSL to use custom cert directories, but since gitaly-backup is written in go which does not use OpenSSL we need to pass these defaults through. Changelog: fixed
e36cf16a · James Fargher · e00b70fc · e36cf16a · e36cf16a
Commit e36cf16a authored Sep 22, 2021 by James Fargher
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 7 deletions

lib/backup/gitaly_backup.rb lib/backup/gitaly_backup.rb +8 -1

spec/lib/backup/gitaly_backup_spec.rb spec/lib/backup/gitaly_backup_spec.rb +34 -6

No files found.
--- a/lib/backup/gitaly_backup.rb
+++ b/lib/backup/gitaly_backup.rb
@@ -25,7 +25,7 @@ module Backup
      args += ['-parallel', @parallel.to_s] if @parallel
      args += ['-parallel-storage', @parallel_storage.to_s] if @parallel_storage

-      @stdin, stdout, @thread = Open3.popen2(ENV, bin_path, command, '-path', backup_repos_path, *args)
+      @stdin, stdout, @thread = Open3.popen2(build_env, bin_path, command, '-path', backup_repos_path, *args)

      @out_reader = Thread.new do
        IO.copy_stream(stdout, @progress)
@@ -63,6 +63,13 @@ module Backup

    private

+    def build_env
+      {
+        'SSL_CERT_FILE' => OpenSSL::X509::DEFAULT_CERT_FILE,
+        'SSL_CERT_DIR'  => OpenSSL::X509::DEFAULT_CERT_DIR
+      }.merge(ENV)
+    end
+
    def started?
      @thread.present?
    end

--- a/spec/lib/backup/gitaly_backup_spec.rb
+++ b/spec/lib/backup/gitaly_backup_spec.rb
@@ -5,12 +5,20 @@ require 'spec_helper'
 RSpec.describe Backup::GitalyBackup do
  let(:parallel) { nil }
  let(:parallel_storage) { nil }
+
  let(:progress) do
    Tempfile.new('progress').tap do |progress|
      progress.unlink
    end
  end

+  let(:expected_env) do
+    {
+      'SSL_CERT_FILE' => OpenSSL::X509::DEFAULT_CERT_FILE,
+      'SSL_CERT_DIR'  => OpenSSL::X509::DEFAULT_CERT_DIR
+    }.merge(ENV)
+  end
+
  after do
    progress.close
  end
@@ -32,7 +40,7 @@ RSpec.describe Backup::GitalyBackup do
        project_snippet = create(:project_snippet, :repository, project: project)
        personal_snippet = create(:personal_snippet, :repository, author: project.owner)

-        expect(Open3).to receive(:popen2).with(ENV, anything, 'create', '-path', anything).and_call_original
+        expect(Open3).to receive(:popen2).with(expected_env, anything, 'create', '-path', anything).and_call_original

        subject.start(:create)
        subject.enqueue(project, Gitlab::GlRepository::PROJECT)
@@ -53,7 +61,7 @@ RSpec.describe Backup::GitalyBackup do
        let(:parallel) { 3 }

        it 'passes parallel option through' do
-          expect(Open3).to receive(:popen2).with(ENV, anything, 'create', '-path', anything, '-parallel', '3').and_call_original
+          expect(Open3).to receive(:popen2).with(expected_env, anything, 'create', '-path', anything, '-parallel', '3').and_call_original

          subject.start(:create)
          subject.wait
@@ -64,7 +72,7 @@ RSpec.describe Backup::GitalyBackup do
        let(:parallel_storage) { 3 }

        it 'passes parallel option through' do
-          expect(Open3).to receive(:popen2).with(ENV, anything, 'create', '-path', anything, '-parallel-storage', '3').and_call_original
+          expect(Open3).to receive(:popen2).with(expected_env, anything, 'create', '-path', anything, '-parallel-storage', '3').and_call_original

          subject.start(:create)
          subject.wait
@@ -90,6 +98,26 @@ RSpec.describe Backup::GitalyBackup do

      it_behaves_like 'creates a repository backup'
    end
+
+    context 'custom SSL envs set' do
+      let(:ssl_env) do
+        {
+          'SSL_CERT_FILE' => '/some/cert/file',
+          'SSL_CERT_DIR'  => '/some/cert'
+        }
+      end
+
+      before do
+        stub_const('ENV', ssl_env)
+      end
+
+      it 'passes through SSL envs' do
+        expect(Open3).to receive(:popen2).with(ssl_env, anything, 'create', '-path', anything).and_call_original
+
+        subject.start(:create)
+        subject.wait
+      end
+    end
  end

  context 'restore' do
@@ -109,7 +137,7 @@ RSpec.describe Backup::GitalyBackup do
      copy_bundle_to_backup_path('personal_snippet_repo.bundle', personal_snippet.disk_path + '.bundle')
      copy_bundle_to_backup_path('project_snippet_repo.bundle', project_snippet.disk_path + '.bundle')

-      expect(Open3).to receive(:popen2).with(ENV, anything, 'restore', '-path', anything).and_call_original
+      expect(Open3).to receive(:popen2).with(expected_env, anything, 'restore', '-path', anything).and_call_original

      subject.start(:restore)
      subject.enqueue(project, Gitlab::GlRepository::PROJECT)
@@ -132,7 +160,7 @@ RSpec.describe Backup::GitalyBackup do
      let(:parallel) { 3 }

      it 'passes parallel option through' do
-        expect(Open3).to receive(:popen2).with(ENV, anything, 'restore', '-path', anything, '-parallel', '3').and_call_original
+        expect(Open3).to receive(:popen2).with(expected_env, anything, 'restore', '-path', anything, '-parallel', '3').and_call_original

        subject.start(:restore)
        subject.wait
@@ -143,7 +171,7 @@ RSpec.describe Backup::GitalyBackup do
      let(:parallel_storage) { 3 }

      it 'passes parallel option through' do
-        expect(Open3).to receive(:popen2).with(ENV, anything, 'restore', '-path', anything, '-parallel-storage', '3').and_call_original
+        expect(Open3).to receive(:popen2).with(expected_env, anything, 'restore', '-path', anything, '-parallel-storage', '3').and_call_original

        subject.start(:restore)
        subject.wait