Commit 7c1918c8 authored by Nick Thomas's avatar Nick Thomas

Merge branch 'gitaly-auth' into 'master'

Gitaly token auth

See merge request !171
parents 49803070 c303f246
......@@ -14,6 +14,7 @@ import (
"time"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/api"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/testhelper"
pb "gitlab.com/gitlab-org/gitaly-proto/go"
......@@ -32,7 +33,7 @@ func TestFailedCloneNoGitaly(t *testing.T) {
GL_ID: "user-123",
RepoPath: repoPath(t),
// This will create a failure to connect to Gitaly
GitalyAddress: "unix:/nonexistent",
GitalyServer: gitaly.Server{Address: "unix:/nonexistent"},
}
// Prepare test server and backend
......@@ -49,14 +50,20 @@ func TestFailedCloneNoGitaly(t *testing.T) {
}
func TestGetInfoRefsProxiedToGitalySuccessfully(t *testing.T) {
apiResponse := gitOkBody(t)
gitalyServer, socketPath := startGitalyServer(t, codes.OK)
defer gitalyServer.Stop()
gitalyAddress := "unix://" + socketPath
apiResponse.GitalyAddress = gitalyAddress
ts := testAuthServer(nil, 200, apiResponse)
apiResponseOld := gitOkBody(t)
apiResponseOld.GitalyServer = gitaly.Server{}
apiResponseOld.GitalyAddress = gitalyAddress
apiResponse := gitOkBody(t)
apiResponse.GitalyServer.Address = gitalyAddress
for _, a := range []*api.Response{apiResponseOld, apiResponse} {
ts := testAuthServer(nil, 200, a)
defer ts.Close()
ws := startWorkhorseServer(ts.URL)
......@@ -67,6 +74,7 @@ func TestGetInfoRefsProxiedToGitalySuccessfully(t *testing.T) {
expectedContent := string(testhelper.GitalyInfoRefsResponseMock)
assert.Equal(t, expectedContent, body, "GET %q: response body", resource)
}
}
func TestGetInfoRefsProxiedToGitalyInterruptedStream(t *testing.T) {
......@@ -75,7 +83,7 @@ func TestGetInfoRefsProxiedToGitalyInterruptedStream(t *testing.T) {
defer gitalyServer.Stop()
gitalyAddress := "unix://" + socketPath
apiResponse.GitalyAddress = gitalyAddress
apiResponse.GitalyServer.Address = gitalyAddress
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -110,7 +118,7 @@ func TestPostReceivePackProxiedToGitalySuccessfully(t *testing.T) {
gitalyServer, socketPath := startGitalyServer(t, codes.OK)
defer gitalyServer.Stop()
apiResponse.GitalyAddress = "unix://" + socketPath
apiResponse.GitalyServer.Address = "unix://" + socketPath
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -143,7 +151,7 @@ func TestPostReceivePackProxiedToGitalyInterrupted(t *testing.T) {
gitalyServer, socketPath := startGitalyServer(t, codes.OK)
defer gitalyServer.Stop()
apiResponse.GitalyAddress = "unix://" + socketPath
apiResponse.GitalyServer.Address = "unix://" + socketPath
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -184,7 +192,7 @@ func TestPostUploadPackProxiedToGitalySuccessfully(t *testing.T) {
gitalyServer, socketPath := startGitalyServer(t, code)
defer gitalyServer.Stop()
apiResponse.GitalyAddress = "unix://" + socketPath
apiResponse.GitalyServer.Address = "unix://" + socketPath
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -218,7 +226,7 @@ func TestPostUploadPackProxiedToGitalyInterrupted(t *testing.T) {
gitalyServer, socketPath := startGitalyServer(t, codes.OK)
defer gitalyServer.Stop()
apiResponse.GitalyAddress = "unix://" + socketPath
apiResponse.GitalyServer.Address = "unix://" + socketPath
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -257,6 +265,7 @@ func TestGetInfoRefsHandledLocallyDueToEmptyGitalySocketPath(t *testing.T) {
apiResponse := gitOkBody(t)
apiResponse.GitalyAddress = ""
apiResponse.GitalyServer.Address = ""
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -277,6 +286,7 @@ func TestPostReceivePackHandledLocallyDueToEmptyGitalySocketPath(t *testing.T) {
apiResponse := gitOkBody(t)
apiResponse.GitalyAddress = ""
apiResponse.GitalyServer.Address = ""
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......@@ -298,6 +308,7 @@ func TestPostUploadPackHandledLocallyDueToEmptyGitalySocketPath(t *testing.T) {
apiResponse := gitOkBody(t)
apiResponse.GitalyAddress = ""
apiResponse.GitalyServer.Address = ""
ts := testAuthServer(nil, 200, apiResponse)
defer ts.Close()
......
......@@ -15,6 +15,7 @@ import (
pb "gitlab.com/gitlab-org/gitaly-proto/go"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/badgateway"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/gitaly"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/helper"
"gitlab.com/gitlab-org/gitlab-workhorse/internal/secret"
)
......@@ -104,8 +105,10 @@ type Response struct {
Entry string `json:"entry"`
// Used to communicate terminal session details
Terminal *TerminalSettings
// GitalyAddress is a unix:// or tcp:// address to reach a Gitaly service on
// DEPRECATED. GitalyAddress is a unix:// or tcp:// address to reach a Gitaly service on
GitalyAddress string
// GitalyServer specifies an address and authentication token for a gitaly server we should connect to.
GitalyServer gitaly.Server
// Repository object for making gRPC requests to Gitaly. This will
// eventually replace the RepoPath field.
Repository pb.Repository
......@@ -228,6 +231,11 @@ func (api *API) PreAuthorize(suffix string, r *http.Request) (httpResponse *http
return httpResponse, nil, fmt.Errorf("preAuthorizeHandler: decode authorization response: %v", err)
}
if authResponse.GitalyServer.Address == "" {
authResponse.GitalyServer.Address = authResponse.GitalyAddress
}
authResponse.GitalyAddress = ""
return httpResponse, authResponse, nil
}
......
......@@ -31,7 +31,7 @@ func handleGetInfoRefs(rw http.ResponseWriter, r *http.Request, a *api.Response)
w.Header().Set("Cache-Control", "no-cache")
var err error
if a.GitalyAddress == "" {
if a.GitalyServer.Address == "" {
err = handleGetInfoRefsLocally(w, a, rpc)
} else {
err = handleGetInfoRefsWithGitaly(w, a, rpc)
......@@ -64,7 +64,7 @@ func handleGetInfoRefsLocally(w http.ResponseWriter, a *api.Response, rpc string
}
func handleGetInfoRefsWithGitaly(w http.ResponseWriter, a *api.Response, rpc string) error {
smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyAddress)
smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyServer)
if err != nil {
return fmt.Errorf("GetInfoRefsHandler: %v", err)
}
......
......@@ -20,7 +20,7 @@ func handleReceivePack(w *GitHttpResponseWriter, r *http.Request, a *api.Respons
defer cw.Flush()
var err error
if a.GitalyAddress == "" {
if a.GitalyServer.Address == "" {
err = handleReceivePackLocally(a, r, cr, cw, action)
} else {
err = handleReceivePackWithGitaly(a, cr, cw)
......@@ -46,7 +46,7 @@ func handleReceivePackLocally(a *api.Response, r *http.Request, stdin io.Reader,
}
func handleReceivePackWithGitaly(a *api.Response, clientRequest io.Reader, clientResponse io.Writer) error {
smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyAddress)
smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyServer)
if err != nil {
return fmt.Errorf("smarthttp.ReceivePack: %v", err)
}
......
......@@ -27,7 +27,7 @@ func handleUploadPack(w *GitHttpResponseWriter, r *http.Request, a *api.Response
action := getService(r)
writePostRPCHeader(w, action)
if a.GitalyAddress == "" {
if a.GitalyServer.Address == "" {
err = handleUploadPackLocally(a, r, buffer, w, action)
} else {
err = handleUploadPackWithGitaly(a, buffer, w)
......@@ -58,7 +58,7 @@ func handleUploadPackLocally(a *api.Response, r *http.Request, stdin *os.File, s
}
func handleUploadPackWithGitaly(a *api.Response, clientRequest io.Reader, clientResponse io.Writer) error {
smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyAddress)
smarthttp, err := gitaly.NewSmartHTTPClient(a.GitalyServer)
if err != nil {
return fmt.Errorf("smarthttp.UploadPack: %v", err)
}
......
......@@ -9,20 +9,26 @@ import (
"time"
pb "gitlab.com/gitlab-org/gitaly-proto/go"
"gitlab.com/gitlab-org/gitaly/auth"
"google.golang.org/grpc"
)
type Server struct {
Address string `json:"address"`
Token string `json:"token"`
}
type connectionsCache struct {
sync.RWMutex
connections map[string]*grpc.ClientConn
connections map[Server]*grpc.ClientConn
}
var cache = connectionsCache{
connections: make(map[string]*grpc.ClientConn),
connections: make(map[Server]*grpc.ClientConn),
}
func NewSmartHTTPClient(address string) (*SmartHTTPClient, error) {
conn, err := getOrCreateConnection(address)
func NewSmartHTTPClient(server Server) (*SmartHTTPClient, error) {
conn, err := getOrCreateConnection(server)
if err != nil {
return nil, err
}
......@@ -30,20 +36,20 @@ func NewSmartHTTPClient(address string) (*SmartHTTPClient, error) {
return &SmartHTTPClient{grpcClient}, nil
}
func getOrCreateConnection(address string) (*grpc.ClientConn, error) {
func getOrCreateConnection(server Server) (*grpc.ClientConn, error) {
cache.Lock()
defer cache.Unlock()
if conn := cache.connections[address]; conn != nil {
if conn := cache.connections[server]; conn != nil {
return conn, nil
}
conn, err := newConnection(address)
conn, err := newConnection(server)
if err != nil {
return nil, err
}
cache.connections[address] = conn
cache.connections[server] = conn
return conn, nil
}
......@@ -57,8 +63,8 @@ func CloseConnections() {
}
}
func newConnection(rawAddress string) (*grpc.ClientConn, error) {
network, addr, err := parseAddress(rawAddress)
func newConnection(server Server) (*grpc.ClientConn, error) {
network, addr, err := parseAddress(server.Address)
if err != nil {
return nil, err
}
......@@ -68,6 +74,7 @@ func newConnection(rawAddress string) (*grpc.ClientConn, error) {
grpc.WithDialer(func(a string, _ time.Duration) (net.Conn, error) {
return net.Dial(network, a)
}),
grpc.WithPerRPCCredentials(gitalyauth.RPCCredentials(server.Token)),
}
conn, err := grpc.Dial(addr, connOpts...)
if err != nil {
......
The MIT License (MIT)
Copyright (c) 2016-2017 GitLab B.V.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
This source diff could not be displayed because it is too large. You can view the blob instead.
package gitalyauth
import (
"encoding/base64"
"golang.org/x/net/context"
"google.golang.org/grpc/credentials"
)
// RPCCredentials can be used with grpc.WithPerRPCCredentials to create a
// grpc.DialOption that inserts the supplied token for authentication
// with a Gitaly server.
func RPCCredentials(token string) credentials.PerRPCCredentials {
return &rpcCredentials{token: base64.StdEncoding.EncodeToString([]byte(token))}
}
type rpcCredentials struct {
token string
}
func (*rpcCredentials) RequireTransportSecurity() bool { return false }
func (rc *rpcCredentials) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
return map[string]string{"authorization": "Bearer " + rc.token}, nil
}
......@@ -143,6 +143,14 @@
"version": "v0.9.0",
"versionExact": "v0.9.0"
},
{
"checksumSHA1": "dUHJbKas746n5fLzlwxHb6FOCxs=",
"path": "gitlab.com/gitlab-org/gitaly/auth",
"revision": "b933e5ce4843ec6c332a0184afb8e69820cc9050",
"revisionTime": "2017-06-22T09:36:09Z",
"version": "v0.13.0",
"versionExact": "v0.13.0"
},
{
"checksumSHA1": "9jjO5GjLa0XF/nfWihF02RoH4qc=",
"path": "golang.org/x/net/context",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment