Merge branch 'gitaly-auth' into 'master'

Gitaly token auth See merge request !171

Merge branch 'gitaly-auth' into 'master'
Gitaly token auth See merge request !171
7c1918c8 · Nick Thomas · 49803070 · c303f246 · 7c1918c8 · 7c1918c8
Commit 7c1918c8 authored Jun 22, 2017 by Nick Thomas
10 changed files
--- a/gitaly_test.go
+++ b/gitaly_test.go
@@ -14,6 +14,7 @@ import (
 	"time"
 	"gitlab.com/gitlab-org/gitlab-workhorse/internal/api"
+	"gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly"
 	"gitlab.com/gitlab-org/gitlab-workhorse/internal/testhelper"
 	pb "gitlab.com/gitlab-org/gitaly-proto/go"
@@ -32,7 +33,7 @@ func TestFailedCloneNoGitaly(t *testing.T) {
 		GL_ID:    "user-123",
 		RepoPath: repoPath(t),
 		// This will create a failure to connect to Gitaly
-		GitalyAddress: "unix:/nonexistent",
+		GitalyServer: gitaly.Server{Address: "unix:/nonexistent"},
 	}
 	// Prepare test server and backend
@@ -49,24 +50,31 @@ func TestFailedCloneNoGitaly(t *testing.T) {
 }
 func TestGetInfoRefsProxiedToGitalySuccessfully(t *testing.T) {
-	apiResponse := gitOkBody(t)
 	gitalyServer, socketPath := startGitalyServer(t, codes.OK)
 	defer gitalyServer.Stop()
 	gitalyAddress := "unix://" + socketPath
-	apiResponse.GitalyAddress = gitalyAddress
-	ts := testAuthServer(nil, 200, apiResponse)
+	apiResponseOld := gitOkBody(t)
-	defer ts.Close()
+	apiResponseOld.GitalyServer = gitaly.Server{}
+	apiResponseOld.GitalyAddress = gitalyAddress
-	ws := startWorkhorseServer(ts.URL)
+	apiResponse := gitOkBody(t)
-	defer ws.Close()
+	apiResponse.GitalyServer.Address = gitalyAddress
-	resource := "/gitlab-org/gitlab-test.git/info/refs?service=git-upload-pack"
+	for _, a := range []*api.Response{apiResponseOld, apiResponse} {
-	_, body := httpGet(t, ws.URL+resource)
+		ts := testAuthServer(nil, 200, a)
+		defer ts.Close()
+		ws := startWorkhorseServer(ts.URL)
+		defer ws.Close()
-	expectedContent := string(testhelper.GitalyInfoRefsResponseMock)
+		resource := "/gitlab-org/gitlab-test.git/info/refs?service=git-upload-pack"
-	assert.Equal(t, expectedContent, body, "GET %q: response body", resource)
+		_, body := httpGet(t, ws.URL+resource)
+		expectedContent := string(testhelper.GitalyInfoRefsResponseMock)
+		assert.Equal(t, expectedContent, body, "GET %q: response body", resource)
+	}
 }
 func TestGetInfoRefsProxiedToGitalyInterruptedStream(t *testing.T) {
@@ -75,7 +83,7 @@ func TestGetInfoRefsProxiedToGitalyInterruptedStream(t *testing.T) {
 	defer gitalyServer.Stop()
 	gitalyAddress := "unix://" + socketPath
-	apiResponse.GitalyAddress = gitalyAddress
+	apiResponse.GitalyServer.Address = gitalyAddress
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()
@@ -110,7 +118,7 @@ func TestPostReceivePackProxiedToGitalySuccessfully(t *testing.T) {
 	gitalyServer, socketPath := startGitalyServer(t, codes.OK)
 	defer gitalyServer.Stop()
-	apiResponse.GitalyAddress = "unix://" + socketPath
+	apiResponse.GitalyServer.Address = "unix://" + socketPath
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()
@@ -143,7 +151,7 @@ func TestPostReceivePackProxiedToGitalyInterrupted(t *testing.T) {
 	gitalyServer, socketPath := startGitalyServer(t, codes.OK)
 	defer gitalyServer.Stop()
-	apiResponse.GitalyAddress = "unix://" + socketPath
+	apiResponse.GitalyServer.Address = "unix://" + socketPath
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()
@@ -184,7 +192,7 @@ func TestPostUploadPackProxiedToGitalySuccessfully(t *testing.T) {
 			gitalyServer, socketPath := startGitalyServer(t, code)
 			defer gitalyServer.Stop()
-			apiResponse.GitalyAddress = "unix://" + socketPath
+			apiResponse.GitalyServer.Address = "unix://" + socketPath
 			ts := testAuthServer(nil, 200, apiResponse)
 			defer ts.Close()
@@ -218,7 +226,7 @@ func TestPostUploadPackProxiedToGitalyInterrupted(t *testing.T) {
 	gitalyServer, socketPath := startGitalyServer(t, codes.OK)
 	defer gitalyServer.Stop()
-	apiResponse.GitalyAddress = "unix://" + socketPath
+	apiResponse.GitalyServer.Address = "unix://" + socketPath
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()
@@ -257,6 +265,7 @@ func TestGetInfoRefsHandledLocallyDueToEmptyGitalySocketPath(t *testing.T) {
 	apiResponse := gitOkBody(t)
 	apiResponse.GitalyAddress = ""
+	apiResponse.GitalyServer.Address = ""
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()
@@ -277,6 +286,7 @@ func TestPostReceivePackHandledLocallyDueToEmptyGitalySocketPath(t *testing.T) {
 	apiResponse := gitOkBody(t)
 	apiResponse.GitalyAddress = ""
+	apiResponse.GitalyServer.Address = ""
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()
@@ -298,6 +308,7 @@ func TestPostUploadPackHandledLocallyDueToEmptyGitalySocketPath(t *testing.T) {
 	apiResponse := gitOkBody(t)
 	apiResponse.GitalyAddress = ""
+	apiResponse.GitalyServer.Address = ""
 	ts := testAuthServer(nil, 200, apiResponse)
 	defer ts.Close()

--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -15,6 +15,7 @@ import (
 	pb "gitlab.com/gitlab-org/gitaly-proto/go"
 	"gitlab.com/gitlab-org/gitlab-workhorse/internal/badgateway"
+	"gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly"
 	"gitlab.com/gitlab-org/gitlab-workhorse/internal/helper"
 	"gitlab.com/gitlab-org/gitlab-workhorse/internal/secret"
 )
@@ -104,8 +105,10 @@ type Response struct {
 	Entry string `json:"entry"`
 	// Used to communicate terminal session details
 	Terminal *TerminalSettings
-	// GitalyAddress is a unix:// or tcp:// address to reach a Gitaly service on
+	// DEPRECATED. GitalyAddress is a unix:// or tcp:// address to reach a Gitaly service on
 	GitalyAddress string
+	// GitalyServer specifies an address and authentication token for a gitaly server we should connect to.
+	GitalyServer gitaly.Server
 	// Repository object for making gRPC requests to Gitaly. This will
 	// eventually replace the RepoPath field.
 	Repository pb.Repository
@@ -228,6 +231,11 @@ func (api *API) PreAuthorize(suffix string, r *http.Request) (httpResponse *http
 		return httpResponse, nil, fmt.Errorf("preAuthorizeHandler: decode authorization response: %v", err)
 	}
+	if authResponse.GitalyServer.Address == "" {
+		authResponse.GitalyServer.Address = authResponse.GitalyAddress
+	}
+	authResponse.GitalyAddress = ""
 	return httpResponse, authResponse, nil
 }

--- a/internal/git/info-refs.go
+++ b/internal/git/info-refs.go
@@ -31,7 +31,7 @@ func handleGetInfoRefs(rw http.ResponseWriter, r *http.Request, a *api.Response)
 	w.Header().Set("Cache-Control", "no-cache")
 	var err error
-	if a.GitalyAddress == "" {
+	if a.GitalyServer.Address == "" {
 		err = handleGetInfoRefsLocally(w, a, rpc)
 	} else {
 		err = handleGetInfoRefsWithGitaly(w, a, rpc)
@@ -64,7 +64,7 @@ func handleGetInfoRefsLocally(w http.ResponseWriter, a *api.Response, rpc string
 }
 func handleGetInfoRefsWithGitaly(w http.ResponseWriter, a *api.Response, rpc string) error {
-	smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyAddress)
+	smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyServer)
 	if err != nil {
 		return fmt.Errorf("GetInfoRefsHandler: %v", err)
 	}

--- a/internal/git/receive-pack.go
+++ b/internal/git/receive-pack.go
@@ -20,7 +20,7 @@ func handleReceivePack(w *GitHttpResponseWriter, r *http.Request, a *api.Respons
 	defer cw.Flush()
 	var err error
-	if a.GitalyAddress == "" {
+	if a.GitalyServer.Address == "" {
 		err = handleReceivePackLocally(a, r, cr, cw, action)
 	} else {
 		err = handleReceivePackWithGitaly(a, cr, cw)
@@ -46,7 +46,7 @@ func handleReceivePackLocally(a *api.Response, r *http.Request, stdin io.Reader,
 }
 func handleReceivePackWithGitaly(a *api.Response, clientRequest io.Reader, clientResponse io.Writer) error {
-	smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyAddress)
+	smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyServer)
 	if err != nil {
 		return fmt.Errorf("smarthttp.ReceivePack: %v", err)
 	}

--- a/internal/git/upload-pack.go
+++ b/internal/git/upload-pack.go
@@ -27,7 +27,7 @@ func handleUploadPack(w *GitHttpResponseWriter, r *http.Request, a *api.Response
 	action := getService(r)
 	writePostRPCHeader(w, action)
-	if a.GitalyAddress == "" {
+	if a.GitalyServer.Address == "" {
 		err = handleUploadPackLocally(a, r, buffer, w, action)
 	} else {
 		err = handleUploadPackWithGitaly(a, buffer, w)
@@ -58,7 +58,7 @@ func handleUploadPackLocally(a *api.Response, r *http.Request, stdin *os.File, s
 }
 func handleUploadPackWithGitaly(a *api.Response, clientRequest io.Reader, clientResponse io.Writer) error {
-	smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyAddress)
+	smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyServer)
 	if err != nil {
 		return fmt.Errorf("smarthttp.UploadPack: %v", err)
 	}

--- a/internal/gitaly/gitaly.go
+++ b/internal/gitaly/gitaly.go
@@ -9,20 +9,26 @@ import (
 	"time"
 	pb "gitlab.com/gitlab-org/gitaly-proto/go"
+	"gitlab.com/gitlab-org/gitaly/auth"
 	"google.golang.org/grpc"
 )
+type Server struct {
+	Address string `json:"address"`
+	Token   string `json:"token"`
+}
 type connectionsCache struct {
 	sync.RWMutex
-	connections map[string]*grpc.ClientConn
+	connections map[Server]*grpc.ClientConn
 }
 var cache = connectionsCache{
-	connections: make(map[string]*grpc.ClientConn),
+	connections: make(map[Server]*grpc.ClientConn),
 }
-func NewSmartHTTPClient(address string) (*SmartHTTPClient, error) {
+func NewSmartHTTPClient(server Server) (*SmartHTTPClient, error) {
-	conn, err := getOrCreateConnection(address)
+	conn, err := getOrCreateConnection(server)
 	if err != nil {
 		return nil, err
 	}
@@ -30,20 +36,20 @@ func NewSmartHTTPClient(address string) (*SmartHTTPClient, error) {
 	return &SmartHTTPClient{grpcClient}, nil
 }
-func getOrCreateConnection(address string) (*grpc.ClientConn, error) {
+func getOrCreateConnection(server Server) (*grpc.ClientConn, error) {
 	cache.Lock()
 	defer cache.Unlock()
-	if conn := cache.connections[address]; conn != nil {
+	if conn := cache.connections[server]; conn != nil {
 		return conn, nil
 	}
-	conn, err := newConnection(address)
+	conn, err := newConnection(server)
 	if err != nil {
 		return nil, err
 	}
-	cache.connections[address] = conn
+	cache.connections[server] = conn
 	return conn, nil
 }
@@ -57,8 +63,8 @@ func CloseConnections() {
 	}
 }
-func newConnection(rawAddress string) (*grpc.ClientConn, error) {
+func newConnection(server Server) (*grpc.ClientConn, error) {
-	network, addr, err := parseAddress(rawAddress)
+	network, addr, err := parseAddress(server.Address)
 	if err != nil {
 		return nil, err
 	}
@@ -68,6 +74,7 @@ func newConnection(rawAddress string) (*grpc.ClientConn, error) {
 		grpc.WithDialer(func(a string, _ time.Duration) (net.Conn, error) {
 			return net.Dial(network, a)
 		}),
+		grpc.WithPerRPCCredentials(gitalyauth.RPCCredentials(server.Token)),
 	}
 	conn, err := grpc.Dial(addr, connOpts...)
 	if err != nil {

--- a/vendor/gitlab.com/gitlab-org/gitaly/LICENSE
+++ b/vendor/gitlab.com/gitlab-org/gitaly/LICENSE
+The MIT License (MIT)
+Copyright (c) 2016-2017 GitLab B.V.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
--- a/vendor/gitlab.com/gitlab-org/gitaly/NOTICE
+++ b/vendor/gitlab.com/gitlab-org/gitaly/NOTICE
--- a/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go
+++ b/vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go
+package gitalyauth
+import (
+	"encoding/base64"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc/credentials"
+)
+// RPCCredentials can be used with grpc.WithPerRPCCredentials to create a
+// grpc.DialOption that inserts the supplied token for authentication
+// with a Gitaly server.
+func RPCCredentials(token string) credentials.PerRPCCredentials {
+	return &rpcCredentials{token: base64.StdEncoding.EncodeToString([]byte(token))}
+}
+type rpcCredentials struct {
+	token string
+}
+func (*rpcCredentials) RequireTransportSecurity() bool { return false }
+func (rc *rpcCredentials) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
+	return map[string]string{"authorization": "Bearer " + rc.token}, nil
+}
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -143,6 +143,14 @@
 			"version": "v0.9.0",
 			"versionExact": "v0.9.0"
 		},
+		{
+			"checksumSHA1": "dUHJbKas746n5fLzlwxHb6FOCxs=",
+			"path": "gitlab.com/gitlab-org/gitaly/auth",
+			"revision": "b933e5ce4843ec6c332a0184afb8e69820cc9050",
+			"revisionTime": "2017-06-22T09:36:09Z",
+			"version": "v0.13.0",
+			"versionExact": "v0.13.0"
+		},
 		{
 			"checksumSHA1": "9jjO5GjLa0XF/nfWihF02RoH4qc=",
 			"path": "golang.org/x/net/context",