From 65e68790b6f61cb7cec3f9275c9a23e24cab0552 Mon Sep 17 00:00:00 2001
From: Christian Weichel
Date: Wed, 24 Nov 2021 08:44:54 +0000
Subject: [PATCH 1/2] [image-builder] Don't re-use authentication across requests

---
 components/image-builder-bob/cmd/proxy.go | 2 +-
 .../image-builder-bob/pkg/proxy/proxy.go | 24 ++++++++++++++-----
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/components/image-builder-bob/cmd/proxy.go b/components/image-builder-bob/cmd/proxy.go
index 6ce2fe45ab5c4c..c6d9c5c1984f3f 100644
--- a/components/image-builder-bob/cmd/proxy.go
+++ b/components/image-builder-bob/cmd/proxy.go
@@ -52,7 +52,7 @@ var proxyCmd = &cobra.Command{
 targettag = r.Tag()
 }
 
- auth := docker.NewDockerAuthorizer(docker.WithAuthCreds(authP.Authorize))
+ auth := func() docker.Authorizer { return docker.NewDockerAuthorizer(docker.WithAuthCreds(authP.Authorize)) }
 prx, err := proxy.NewProxy(&url.URL{Host: "localhost:8080", Scheme: "http"}, map[string]proxy.Repo{
 "base": {
 Host: reference.Domain(baseref),
diff --git a/components/image-builder-bob/pkg/proxy/proxy.go b/components/image-builder-bob/pkg/proxy/proxy.go
index c781244838ffde..dc43ad0c03809a 100644
--- a/components/image-builder-bob/pkg/proxy/proxy.go
+++ b/components/image-builder-bob/pkg/proxy/proxy.go
@@ -18,6 +18,8 @@ import (
 "github.com/hashicorp/go-retryablehttp"
 )
 
+const authKey = "authKey"
+
 func NewProxy(host *url.URL, aliases map[string]Repo) (*Proxy, error) {
 if host.Host == "" || host.Scheme == "" {
 return nil, fmt.Errorf("host Host or Scheme are missing")
@@ -47,7 +49,7 @@ type Repo struct {
 Host string
 Repo string
 Tag string
- Auth docker.Authorizer
+ Auth func() docker.Authorizer
 }
 
 func rewriteURL(u *url.URL, fromRepo, toRepo, host, tag string) {
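Review bot: The new closure on the `auth :=` line deserves a one-line comment saying why a factory replaces the single shared authorizer, because today that reasoning lives only in the commit subject: `// Build a fresh authorizer per request so state obtained for one request is never re-used by another.`. The enclosing cobra Run function starts and ends outside the hunk.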
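Review bot: `const authKey = "authKey"` is a plain string used as a `context.WithValue` key, which staticcheck (SA1029) flags and which can collide with any other package that stores a string key of the same value in the same context. Declare an unexported key type instead, `type ctxKey string` and `const authKey ctxKey = "authKey"`; the lookups in the later hunks (`ctx.Value(authKey).(docker.Authorizer)`) keep working unchanged.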
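Review bot: The exported `Auth` field changes from a value to a factory without a comment, so callers cannot tell that the function is invoked once per proxied request or that it must not be nil (a later hunk calls `repo.Auth()` directly in ServeHTTP). Add `// Auth returns a fresh Authorizer for each proxied request; it must not be nil.` above the field so the contract is visible at the type rather than only in the commit message.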
@@ -100,15 +102,17 @@ func (proxy *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 rewriteURL(r.URL, alias, repo.Repo, repo.Host, repo.Tag)
 r.Host = r.URL.Host
 
- err := repo.Auth.Authorize(ctx, r)
+ auth := repo.Auth()
+ r = r.WithContext(context.WithValue(ctx, authKey, auth))
+
+ err := auth.Authorize(ctx, r)
 if err != nil {
 log.WithError(err).Error("cannot authorize request")
 http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 return
 }
 
- reqdbg, _ := httputil.DumpRequest(r, false)
- log.WithField("req", string(reqdbg)).Info("serving request")
+ log.WithField("req", r.URL.Path).Info("serving request")
 
 r.RequestURI = ""
 proxy.reverse(alias).ServeHTTP(w, r)
@@ -138,8 +142,12 @@ func (proxy *Proxy) reverse(alias string) *httputil.ReverseProxy {
 log.WithError(err).Warn("saw error during CheckRetry")
 return false, err
 }
+ auth, ok := ctx.Value(authKey).(docker.Authorizer)
+ if !ok || auth == nil {
+ return false, nil
+ }
 if resp.StatusCode == http.StatusUnauthorized {
- err := repo.Auth.AddResponses(context.Background(), []*http.Response{resp})
+ err := auth.AddResponses(context.Background(), []*http.Response{resp})
 if err != nil {
 log.WithError(err).WithField("URL", resp.Request.URL.String()).Warn("cannot add responses although response was Unauthorized")
 return false, nil
@@ -164,7 +172,11 @@ func (proxy *Proxy) reverse(alias string) *httputil.ReverseProxy {
 // @link https://golang.org/src/net/http/httputil/reverseproxy.go
 r.Header.Set("X-Forwarded-For", "127.0.0.1")
 
- _ = repo.Auth.Authorize(r.Context(), r)
+ auth, ok := r.Context().Value(authKey).(docker.Authorizer)
+ if !ok || auth == nil {
+ return
+ }
+ _ = auth.Authorize(r.Context(), r)
 }
 
 client.ResponseLogHook = func(l retryablehttp.Logger, r *http.Response) {}

From b14a584a3460256b1d9d0030a09a169ce7848593 Mon Sep 17 00:00:00 2001
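Review bot: `auth := repo.Auth()` panics with a nil-function call if a Repo was registered with a nil `Auth`, and the new field type makes nil its zero value; either guard it here with `if repo.Auth == nil { http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError); return }` or, better, validate `Auth != nil` for every alias in NewProxy so a misconfigured alias fails at start-up rather than on the first request. The switch from `httputil.DumpRequest` to `r.URL.Path` also stops logging request headers, presumably including the credentials `auth.Authorize` attaches just above; a comment on that line, `// Log only the path: after Authorize the request carries credentials in its headers.`, records that the narrower log is deliberate. ServeHTTP starts and ends outside the hunk, and `ctx` is defined above it.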
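Review bot: The new guard `if !ok || auth == nil { return false, nil }` sits before the `StatusUnauthorized` branch, so when no authorizer is in the context the hook now refuses to retry anything, including any retry conditions handled further down in CheckRetry (outside the hunk) that do not need an authorizer; if such conditions exist, the lookup belongs inside the 401 branch. Separately, `auth == nil` can never be true once the two-value assertion returned `ok`, here and in the next hunk, so `if !ok` is sufficient. `reverse` continues outside the hunk.
```go
if resp.StatusCode == http.StatusUnauthorized {
	auth, ok := ctx.Value(authKey).(docker.Authorizer)
	if !ok {
		return false, nil
	}
	err := auth.AddResponses(context.Background(), []*http.Response{resp})
	// … unchanged: AddResponses error handling …
```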
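Review bot: `_ = auth.Authorize(r.Context(), r)` still discards the error, so a retry whose re-authorization fails is sent without fresh credentials and nothing in the logs explains the 401 that follows; `if err := auth.Authorize(r.Context(), r); err != nil { log.WithError(err).Warn("cannot authorize retried request") }` keeps the hook best-effort while making the failure visible. The request hook and `reverse` continue outside the hunk.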
From: Christian Weichel
Date: Wed, 24 Nov 2021 09:23:24 +0000
Subject: [PATCH 2/2] [image-builder] Add missing owners files

---
 components/image-builder-bob/OWNERS | 9 +++++++++
 components/image-builder-mk3/OWNERS | 9 +++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 components/image-builder-bob/OWNERS
 create mode 100644 components/image-builder-mk3/OWNERS

diff --git a/components/image-builder-bob/OWNERS b/components/image-builder-bob/OWNERS
new file mode 100644
index 00000000000000..cd8b31399c625f
--- /dev/null
+++ b/components/image-builder-bob/OWNERS
@@ -0,0 +1,9 @@
+
+options:
+ no_parent_owners: true
+
+approvers:
+ - engineering-workspace
+
+labels:
+ - "team: workspace"
\ No newline at end of file
diff --git a/components/image-builder-mk3/OWNERS b/components/image-builder-mk3/OWNERS
new file mode 100644
index 00000000000000..cd8b31399c625f
--- /dev/null
+++ b/components/image-builder-mk3/OWNERS
@@ -0,0 +1,9 @@
+
+options:
+ no_parent_owners: true
+
+approvers:
+ - engineering-workspace
+
+labels:
+ - "team: workspace"
\ No newline at end of file