[image-builder-bob] Introduced transparent-proxy and extended MapAuthorizer

geropl · geropl · commit cc7a0d91caea · 2025-01-30T17:08:24.000Z
Details
  - proxy.go: make the core request-handling logic reusable
  - transparent_proxy.go: re-used the proxy logic to setup a simple forwarding proxy without any mappings
  - auth.go: fixed multiple bugs,  added tests and introduced handling of GITPOD_IMAGE_AUTH format

Tool: gitpod/catfood.gitpod.cloud
diff --git a/components/image-builder-bob/BUILD.yaml b/components/image-builder-bob/BUILD.yaml
@@ -16,6 +16,19 @@ packages:
   - ["go", "mod", "tidy"]
   config:
     packaging: app
+- name: lib
+  type: go
+  deps:
+    - components/common-go:lib
+  srcs:
+  - "cmd/*.go"
+  - "pkg/**/*.go"
+  - "main.go"
+  - "go.mod"
+  - "go.sum"
+  config:
+    packaging: library
+    dontTest: false
 - name: runc-facade
   type: go
   srcs:
diff --git a/components/image-builder-bob/cmd/proxy.go b/components/image-builder-bob/cmd/proxy.go
@@ -37,7 +37,7 @@ var proxyCmd = &cobra.Command{
 		}
 		authA, err := proxy.NewAuthorizerFromEnvVar(proxyOpts.AdditionalAuth)
 		if err != nil {
-			log.WithError(err).WithField("auth", proxyOpts.Auth).Fatal("cannot unmarshal auth")
+			log.WithError(err).WithField("additionalAuth", proxyOpts.AdditionalAuth).Fatal("cannot unmarshal additionalAuth")
 		}
 		authP = authP.AddIfNotExists(authA)
 
diff --git a/components/image-builder-bob/pkg/proxy/auth.go b/components/image-builder-bob/pkg/proxy/auth.go
@@ -52,10 +52,27 @@ func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 		}).Info("authorizing registry access")
 	}()
 
+	// Strip any port from the host if present
+	host = strings.Split(host, ":")[0]
+
 	explicitHostMatcher := func() (authConfig, bool) {
 		res, ok := a[host]
 		return res, ok
 	}
+	suffixHostMatcher := func() (authConfig, bool) {
+		var match *authConfig
+		for k, v := range a {
+			if strings.HasSuffix(host, k) {
+				if match == nil || len(k) > len(host) {
+					match = &v
+				}
+			}
+		}
+		if match == nil {
+			return authConfig{}, false
+		}
+		return *match, true
+	}
 	ecrHostMatcher := func() (authConfig, bool) {
 		if isECRRegistry(host) {
 			res, ok := a[DummyECRRegistryDomain]
@@ -71,7 +88,7 @@ func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 		return authConfig{}, false
 	}
 
-	matchers := []func() (authConfig, bool){explicitHostMatcher, ecrHostMatcher, dockerHubHostMatcher}
+	matchers := []func() (authConfig, bool){explicitHostMatcher, suffixHostMatcher, ecrHostMatcher, dockerHubHostMatcher}
 	res, ok := authConfig{}, false
 	for _, matcher := range matchers {
 		res, ok = matcher()
@@ -86,12 +103,13 @@ func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 
 	user, pass = res.Username, res.Password
 	if res.Auth != "" {
-		var auth []byte
-		auth, err = base64.StdEncoding.DecodeString(res.Auth)
+		var authBytes []byte
+		authBytes, err = base64.StdEncoding.DecodeString(res.Auth)
 		if err != nil {
 			return
 		}
-		segs := strings.Split(string(auth), ":")
+		auth := strings.TrimSpace(string(authBytes))
+		segs := strings.Split(auth, ":")
 		if len(segs) < 2 {
 			return
 		}
@@ -145,3 +163,23 @@ func NewAuthorizerFromEnvVar(content string) (auth MapAuthorizer, err error) {
 	}
 	return MapAuthorizer(res), nil
 }
+
+func NewAuthorizerFromGitpodImageAuth(content string) (auth MapAuthorizer, err error) {
+	if content == "" {
+		return nil, nil
+	}
+
+	res := map[string]authConfig{}
+	hostsCredentials := strings.Split(content, ",")
+	for _, hostCredentials := range hostsCredentials {
+		parts := strings.SplitN(hostCredentials, ":", 2)
+		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+			log.Debug("Error parsing host credential for authorizer, skipping.")
+			continue
+		}
+		res[parts[0]] = authConfig{
+			Auth: parts[1],
+		}
+	}
+	return MapAuthorizer(res), nil
+}
diff --git a/components/image-builder-bob/pkg/proxy/auth_test.go b/components/image-builder-bob/pkg/proxy/auth_test.go
@@ -0,0 +1,149 @@
+// Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package proxy
+
+import (
+	"testing"
+)
+
+func TestAuthorize(t *testing.T) {
+	type expectation struct {
+		user string
+		pass string
+		err  string
+	}
+	tests := []struct {
+		name        string
+		constructor func(string) (MapAuthorizer, error)
+		input       string
+		testHost    string
+		expected    expectation
+	}{
+		{
+			name:        "docker auth format - valid credentials",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}`, // base64(user:pass)
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "docker auth format - valid credentials - host with port",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}`, // base64(user:pass)
+			testHost:    "registry.example.com:443",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "docker auth format - invalid host",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}`,
+			testHost:    "wrong.registry.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "env var format - valid credentials",
+			constructor: NewAuthorizerFromEnvVar,
+			input:       `{"registry.example.com": {"auth": "dXNlcjpwYXNz"}}`,
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "env var format - empty input",
+			constructor: NewAuthorizerFromEnvVar,
+			input:       "",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "gitpod format - valid credentials",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "registry.example.com:dXNlcjpwYXNz",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "gitpod format - multiple hosts",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "registry1.example.com:dXNlcjE6cGFzczEK,registry2.example.com:dXNlcjI6cGFzczIK",
+			testHost:    "registry2.example.com",
+			expected: expectation{
+				user: "user2",
+				pass: "pass2",
+			},
+		},
+		{
+			name:        "gitpod format - invalid format",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "invalid:format:with:toomany:colons",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "gitpod format - empty input",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "gitpod format - suffix match",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"docker.io": {"auth": "dXNlcjpwYXNz"}}}`,
+			testHost:    "registry.docker.io",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth, err := tt.constructor(tt.input)
+			if err != nil {
+				if tt.expected.err == "" {
+					t.Errorf("Constructor failed: %s", err)
+				}
+				return
+			}
+
+			actualUser, actualPassword, err := auth.Authorize(tt.testHost)
+			if (err != nil) != (tt.expected.err != "") {
+				t.Errorf("Authorize() error = %v, wantErr %v", err, tt.expected.err)
+				return
+			}
+			if actualUser != tt.expected.user {
+				t.Errorf("Authorize() actual user = %v, want %v", actualUser, tt.expected.user)
+			}
+			if actualPassword != tt.expected.pass {
+				t.Errorf("Authorize() actual password = %v, want %v", actualPassword, tt.expected.pass)
+			}
+		})
+	}
+}
diff --git a/components/image-builder-bob/pkg/proxy/proxy.go b/components/image-builder-bob/pkg/proxy/proxy.go
@@ -19,7 +19,7 @@ import (
 	"github.com/hashicorp/go-retryablehttp"
 )
 
-const authKey = "authKey"
+const CONTEXT_KEY_AUTHORIZER = "authKey"
 
 func NewProxy(host *url.URL, aliases map[string]Repo, mirrorAuth func() docker.Authorizer) (*Proxy, error) {
 	if host.Host == "" || host.Scheme == "" {
@@ -146,7 +146,7 @@ func (proxy *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		r.Host = host
 
 		auth := proxy.mirrorAuth()
-		r = r.WithContext(context.WithValue(ctx, authKey, auth))
+		r = r.WithContext(context.WithValue(ctx, CONTEXT_KEY_AUTHORIZER, auth))
 
 		r.RequestURI = ""
 		proxy.mirror(host).ServeHTTP(w, r)
@@ -161,7 +161,7 @@ func (proxy *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	r.Host = r.URL.Host
 
 	auth := repo.Auth()
-	r = r.WithContext(context.WithValue(ctx, authKey, auth))
+	r = r.WithContext(context.WithValue(ctx, CONTEXT_KEY_AUTHORIZER, auth))
 
 	err := auth.Authorize(ctx, r)
 	if err != nil {
@@ -200,7 +200,7 @@ func (proxy *Proxy) reverse(alias string) *httputil.ReverseProxy {
 			log.WithError(err).Warn("saw error during CheckRetry")
 			return false, err
 		}
-		auth, ok := ctx.Value(authKey).(docker.Authorizer)
+		auth, ok := ctx.Value(CONTEXT_KEY_AUTHORIZER).(docker.Authorizer)
 		if !ok || auth == nil {
 			return false, nil
 		}
@@ -256,7 +256,7 @@ func (proxy *Proxy) reverse(alias string) *httputil.ReverseProxy {
 		// 			   @link https://golang.org/src/net/http/httputil/reverseproxy.go
 		r.Header.Set("X-Forwarded-For", "127.0.0.1")
 
-		auth, ok := r.Context().Value(authKey).(docker.Authorizer)
+		auth, ok := r.Context().Value(CONTEXT_KEY_AUTHORIZER).(docker.Authorizer)
 		if !ok || auth == nil {
 			return
 		}
@@ -315,20 +315,47 @@ func (proxy *Proxy) mirror(host string) *httputil.ReverseProxy {
 		return rp
 	}
 
+	rp := createAuthenticatingReverseProxy(host)
+	proxy.proxies[host] = rp
+	return rp
+}
+
+func createAuthenticatingReverseProxy(host string) *httputil.ReverseProxy {
 	rp := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "https", Host: host})
 
+	client := CreateAuthenticatingDockerClient()
+	rp.Transport = &retryablehttp.RoundTripper{
+		Client: client,
+	}
+	rp.ModifyResponse = func(r *http.Response) error {
+		if r.StatusCode == http.StatusBadGateway {
+			// BadGateway makes containerd retry - we don't want that because we retry the upstream
+			// requests internally.
+			r.StatusCode = http.StatusInternalServerError
+			r.Status = http.StatusText(http.StatusInternalServerError)
+		}
+
+		return nil
+	}
+	return rp
+}
+
+// CreateAuthenticatingDockerClient creates a retryable http client that can authenticate against a docker registry, incl. handling it's idiosyncracies
+func CreateAuthenticatingDockerClient() *retryablehttp.Client {
 	client := retryablehttp.NewClient()
 	client.RetryMax = 3
 	client.CheckRetry = func(ctx context.Context, resp *http.Response, err error) (bool, error) {
 		if err != nil {
 			log.WithError(err).Warn("saw error during CheckRetry")
 			return false, err
 		}
-		auth, ok := ctx.Value(authKey).(docker.Authorizer)
+		auth, ok := ctx.Value(CONTEXT_KEY_AUTHORIZER).(docker.Authorizer)
 		if !ok || auth == nil {
+			log.Warn("no authorizer found in context, won't retry.")
 			return false, nil
 		}
 		if resp.StatusCode == http.StatusUnauthorized {
+			log.Debug("employing authorizer workaround for 401")
 			// the docker authorizer only refreshes OAuth tokens after two
 			// successive 401 errors for the same URL. Rather than issue the same
 			// request multiple times to tickle the token-refreshing logic, just
@@ -352,6 +379,7 @@ func (proxy *Proxy) mirror(host string) *httputil.ReverseProxy {
 			}
 			return true, nil
 		}
+
 		if resp.StatusCode == http.StatusBadRequest {
 			log.WithField("URL", resp.Request.URL.String()).Warn("bad request")
 			return true, nil
@@ -374,27 +402,13 @@ func (proxy *Proxy) mirror(host string) *httputil.ReverseProxy {
 		// 			   @link https://golang.org/src/net/http/httputil/reverseproxy.go
 		r.Header.Set("X-Forwarded-For", "127.0.0.1")
 
-		auth, ok := r.Context().Value(authKey).(docker.Authorizer)
+		auth, ok := r.Context().Value(CONTEXT_KEY_AUTHORIZER).(docker.Authorizer)
 		if !ok || auth == nil {
 			return
 		}
 		_ = auth.Authorize(r.Context(), r)
 	}
 	client.ResponseLogHook = func(l retryablehttp.Logger, r *http.Response) {}
 
-	rp.Transport = &retryablehttp.RoundTripper{
-		Client: client,
-	}
-	rp.ModifyResponse = func(r *http.Response) error {
-		if r.StatusCode == http.StatusBadGateway {
-			// BadGateway makes containerd retry - we don't want that because we retry the upstream
-			// requests internally.
-			r.StatusCode = http.StatusInternalServerError
-			r.Status = http.StatusText(http.StatusInternalServerError)
-		}
-
-		return nil
-	}
-	proxy.proxies[host] = rp
-	return rp
+	return client
 }
diff --git a/components/image-builder-bob/pkg/proxy/transparent_proxy.go b/components/image-builder-bob/pkg/proxy/transparent_proxy.go

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ var proxyCmd = &cobra.Command{`
`37`	`37`	`}`
`38`	`38`	`authA, err := proxy.NewAuthorizerFromEnvVar(proxyOpts.AdditionalAuth)`
`39`	`39`	`if err != nil {`
`40`		`- log.WithError(err).WithField("auth", proxyOpts.Auth).Fatal("cannot unmarshal auth")`
	`40`	`+ log.WithError(err).WithField("additionalAuth", proxyOpts.AdditionalAuth).Fatal("cannot unmarshal additionalAuth")`
`41`	`41`	`}`
`42`	`42`	`authP = authP.AddIfNotExists(authA)`
`43`	`43`