From f74db93b942e4b36e2c6671634f24e41723c9501 Mon Sep 17 00:00:00 2001
From: Tim Holm
Date: Fri, 31 May 2024 08:53:58 +1000
Subject: [PATCH] fix: Ensure GCP gateway timeouts match target service timeout. (#617)
Co-Authored-By: Andy Warns <96792092+awarns-impower@users.noreply.github.com>
---
 cloud/common/deploy/image/image.go | 4 ++--
 cloud/gcp/deploy/api.go | 38 ++++++++++++++++++++----------
 2 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/cloud/common/deploy/image/image.go b/cloud/common/deploy/image/image.go
index adfe8135b..8e366ffc5 100644
--- a/cloud/common/deploy/image/image.go
+++ b/cloud/common/deploy/image/image.go
@@ -83,8 +83,8 @@ func NewImage(ctx *pulumi.Context, name string, args *ImageArgs, opts ...pulumi.
 }
 buildContext := fmt.Sprintf("%s/build-%s", os.TempDir(), name)
- //#nosec G301 - Patch to remove exec perms
- err = os.MkdirAll(buildContext, os.ModePerm)
+ // Set Read/Write/Execute permissions for owner and group in compliance with https://securego.io/docs/rules/g301.html
+ err = os.MkdirAll(buildContext, 0o750)
 if err != nil {
 return nil, err
 }
diff --git a/cloud/gcp/deploy/api.go b/cloud/gcp/deploy/api.go
index 59a97b92a..24576dad8 100644
--- a/cloud/gcp/deploy/api.go
+++ b/cloud/gcp/deploy/api.go
@@ -39,8 +39,9 @@ import (
 )
 type nameUrlPair struct {
- name string
- invokeUrl string
+ name string
+ invokeUrl string
+ timeoutSeconds int
 }
 func (p *NitricGcpPulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resource, name string, apiConfig *deploymentspb.Api) error {
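Review bot: The build directory in the image.go hunk is still a predictable path under the shared `os.TempDir()`, and `os.MkdirAll` returns nil without changing owner or mode when that directory already exists, so `0o750` only takes effect the first time the path is created. On a multi-user build host the directory used as the build context can therefore be one this process did not create; consider `os.MkdirTemp("", "build-"+name+"-")`, which creates a fresh directory with mode 0700, or check the existing directory's owner and mode before writing into it. The new comment also overstates the mode: `0o750` gives the group read and execute but not write, so it should read `// rwx for owner, r-x for group, nothing for others (gosec G301)`. NewImage continues outside the hunk, so whether later code depends on the fixed path is not visible here.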
@@ -124,17 +125,25 @@ func (p *NitricGcpPulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resourc
 // collect name arn pairs for output iteration
 for k, v := range services {
- nameUrlPairs = append(nameUrlPairs, pulumi.All(k, v.Url).ApplyT(func(args []interface{}) (nameUrlPair, error) {
+ nameUrlPairs = append(nameUrlPairs, pulumi.All(k, v.Url, v.Service.Template.Spec().TimeoutSeconds()).ApplyT(func(args []interface{}) (nameUrlPair, error) {
 name, nameOk := args[0].(string)
 url, urlOk := args[1].(string)
+ timeoutPtr, timeoutOk := args[2].(*int)
+
+ timeout := 15
+
+ if timeoutOk && timeoutPtr != nil {
+ timeout = *timeoutPtr
+ }
 if !nameOk || !urlOk {
 return nameUrlPair{}, fmt.Errorf("invalid data %T %v", args, args)
 }
 return nameUrlPair{
- name: name,
- invokeUrl: url,
+ name: name,
+ invokeUrl: url,
+ timeoutSeconds: timeout,
 }, nil
 }))
 }
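Review bot: A failed `args[2].(*int)` assertion is silently swallowed: `timeoutOk` never enters the error check, so a value of an unexpected type leaves `timeout` at the literal 15 and the gateway deadline quietly stops tracking the service timeout, which is the mismatch this commit sets out to remove. Treat a wrong type like the other two arguments, e.g. `if !nameOk || !urlOk || (args[2] != nil && !timeoutOk) {`, and keep the fallback only for a nil pointer. The 15 deserves a named constant with a comment saying where it comes from (it appears to be the gateway's own default deadline; confirm), and a zero or negative `*timeoutPtr` is passed through unchecked. The closure sits inside Api, whose body starts and ends outside the hunk.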
@@ -144,22 +153,24 @@ func (p *NitricGcpPulumiProvider) Api(ctx *pulumi.Context, parent pulumi.Resourc
 // Replace Nitric API Extensions with google api gateway extensions
 doc := pulumi.All(nameUrlPairs...).ApplyT(func(pairs []interface{}) (string, error) {
 naps := make(map[string]string)
+ timeouts := make(map[string]int)
 for _, p := range pairs {
 if pair, ok := p.(nameUrlPair); ok {
 naps[pair.name] = pair.invokeUrl
+ timeouts[pair.name] = pair.timeoutSeconds
 } else {
 return "", fmt.Errorf("failed to resolve Cloud Run container URL for api %s, invalid name URL pair value %T %v, %s", name, p, p, help.BugInNitricHelpText())
 }
 }
 for k, p := range v2doc.Paths {
- p.Get = gcpOperation(name, p.Get, naps)
- p.Post = gcpOperation(name, p.Post, naps)
- p.Patch = gcpOperation(name, p.Patch, naps)
- p.Put = gcpOperation(name, p.Put, naps)
- p.Delete = gcpOperation(name, p.Delete, naps)
- p.Options = gcpOperation(name, p.Options, naps)
+ p.Get = gcpOperation(name, p.Get, naps, timeouts)
+ p.Post = gcpOperation(name, p.Post, naps, timeouts)
+ p.Patch = gcpOperation(name, p.Patch, naps, timeouts)
+ p.Put = gcpOperation(name, p.Put, naps, timeouts)
+ p.Delete = gcpOperation(name, p.Delete, naps, timeouts)
+ p.Options = gcpOperation(name, p.Options, naps, timeouts)
 v2doc.Paths[k] = p
 }
@@ -266,7 +277,7 @@ func keepOperation(opExt map[string]interface{}) (string, bool) {
 return name, true
 }
-func gcpOperation(apiName string, op *openapi2.Operation, urls map[string]string) *openapi2.Operation {
+func gcpOperation(apiName string, op *openapi2.Operation, urls map[string]string, timeouts map[string]int) *openapi2.Operation {
 if op == nil {
 return nil
 }
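Review bot: `naps` and `timeouts` are two maps filled from the same `nameUrlPair` under the same key, and every `gcpOperation` call now has to carry both. A single `map[string]nameUrlPair` filled with `targets[pair.name] = pair` would keep URL and timeout together, so a later change cannot populate one without the other and the callee needs only one lookup. The same applies to the signature changed in the `@@ -266,7 +277,7 @@` hunk. Api's body extends beyond this hunk.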
@@ -298,10 +309,11 @@ func gcpOperation(apiName string, op *openapi2.Operation, urls map[string]string
 }
 }
- op.Extensions["x-google-backend"] = map[string]string{
+ op.Extensions["x-google-backend"] = map[string]any{
 // Append the name of the target origin api gateway to the target address
 "address": fmt.Sprintf("%s/x-nitric-api/%s", urls[name], apiName),
 "path_translation": "APPEND_PATH_TO_ADDRESS",
+ "deadline": timeouts[name],
 }
 return op
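Review bot: `timeouts[name]` and `urls[name]` are plain map reads, so a `name` with no entry yields a deadline of 0 and an address with an empty host instead of a visible failure. How `name` is checked earlier in gcpOperation is outside the hunk; if nothing guarantees the key exists, use the two-value form, e.g. `deadline, ok := timeouts[name]`, and leave `"deadline"` out (or report the missing target) when `!ok`. The switch to `map[string]any` is needed for the int value, though the other lines visible in this patch spell it `interface{}`; pick one spelling.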