1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
// Package gob manages request proxies to GitLab Observability Backend
package gob
import (
"fmt"
"net/http"
"regexp"
"time"
"gitlab.com/gitlab-org/gitlab/workhorse/internal/api"
"gitlab.com/gitlab-org/gitlab/workhorse/internal/config"
"gitlab.com/gitlab-org/gitlab/workhorse/internal/helper/fail"
proxypkg "gitlab.com/gitlab-org/gitlab/workhorse/internal/proxy"
"gitlab.com/gitlab-org/gitlab/workhorse/internal/secret"
"gitlab.com/gitlab-org/gitlab/workhorse/internal/upstream/roundtripper"
)
// Internal endpoint namespace for observability authorization
const gobInternalProjectAuthPath = "/api/v4/internal/observability/project/"
var projectPathRegex = regexp.MustCompile(`^/api/v4/projects/([^/]+)`)
// Proxy manages the authorization and upstream connection to
// GitLab Observability Backend
type Proxy struct {
version string
api *api.API
proxyHeadersTimeout time.Duration
developmentMode bool
}
// NewProxy returns a new Proxy for connecting to GitLab Observability Backend
func NewProxy(
api *api.API,
version string,
proxyHeadersTimeout time.Duration,
cfg config.Config) *Proxy {
return &Proxy{
api: api,
version: version,
proxyHeadersTimeout: proxyHeadersTimeout,
developmentMode: cfg.DevelopmentMode,
}
}
// WithProjectAuth configures the proxy to use a Rails API path for authorization
func (p *Proxy) WithProjectAuth(path string) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if p.api.URL == nil {
fail.Request(w, r, fmt.Errorf("api URL has not been set"))
return
}
authURL := *p.api.URL
projectID, err := extractProjectID(r)
if err != nil {
fail.Request(w, r, err)
return
}
authURL.Path = gobInternalProjectAuthPath + projectID + path
authReq := &http.Request{
Method: r.Method,
URL: &authURL,
Header: r.Header.Clone(),
}
authReq = authReq.WithContext(r.Context())
authorizer := p.api.PreAuthorizeHandler(func(_ http.ResponseWriter, _ *http.Request, a *api.Response) {
// Successful authorization
p.serveHTTP(w, r, a)
}, "")
authorizer.ServeHTTP(w, authReq)
})
}
func (p *Proxy) serveHTTP(w http.ResponseWriter, r *http.Request, a *api.Response) {
backend, err := a.Gob.Upstream()
if err != nil {
fail.Request(w, r, err)
return
}
// Remove prefix from path so it matches the cloud.gitlab.com/observability/ routing layer.
// https://gitlab.com/gitlab-com/gl-infra/production-engineering/-/issues/25077
outReq := r.Clone(r.Context())
outReq.URL.Path = projectPathRegex.ReplaceAllLiteralString(r.URL.EscapedPath(), "")
rt := secret.NewRoundTripper(
roundtripper.NewBackendRoundTripper(
backend,
"",
p.proxyHeadersTimeout,
p.developmentMode,
), p.version)
pxy := proxypkg.NewProxy(
backend,
p.version,
rt,
proxypkg.WithCustomHeaders(a.Gob.Headers),
proxypkg.WithForcedTargetHostHeader(),
)
pxy.ServeHTTP(w, outReq)
}
func extractProjectID(r *http.Request) (string, error) {
matches := projectPathRegex.FindStringSubmatch(r.URL.EscapedPath())
if len(matches) != 2 {
return "", fmt.Errorf("%s does not match expected %s", r.URL.EscapedPath(), projectPathRegex.String())
}
return matches[1], nil
}
|
