[image-builder-bob] Introduced forward-proxy and extended MapAuthorizer

geropl · geropl · commit cffb23c4d6a2 · 2025-01-30T19:04:12.000Z
Details
  - proxy.go: make the core request-handling logic reusable
  - forward_proxy.go: re-used the proxy logic to setup a simple forwarding proxy without any mappings
  - auth.go: fixed multiple bugs,  added tests and introduced handling of GITPOD_IMAGE_AUTH format

Tool: gitpod/catfood.gitpod.cloud
diff --git a/components/image-builder-bob/BUILD.yaml b/components/image-builder-bob/BUILD.yaml
@@ -16,6 +16,19 @@ packages:
   - ["go", "mod", "tidy"]
   config:
     packaging: app
+- name: lib
+  type: go
+  deps:
+    - components/common-go:lib
+  srcs:
+  - "cmd/*.go"
+  - "pkg/**/*.go"
+  - "main.go"
+  - "go.mod"
+  - "go.sum"
+  config:
+    packaging: library
+    dontTest: false
 - name: runc-facade
   type: go
   srcs:
diff --git a/components/image-builder-bob/cmd/proxy.go b/components/image-builder-bob/cmd/proxy.go
@@ -37,7 +37,7 @@ var proxyCmd = &cobra.Command{
 		}
 		authA, err := proxy.NewAuthorizerFromEnvVar(proxyOpts.AdditionalAuth)
 		if err != nil {
-			log.WithError(err).WithField("auth", proxyOpts.Auth).Fatal("cannot unmarshal auth")
+			log.WithError(err).WithField("additionalAuth", proxyOpts.AdditionalAuth).Fatal("cannot unmarshal additionalAuth")
 		}
 		authP = authP.AddIfNotExists(authA)
 
diff --git a/components/image-builder-bob/pkg/proxy/auth.go b/components/image-builder-bob/pkg/proxy/auth.go
@@ -52,10 +52,27 @@ func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 		}).Info("authorizing registry access")
 	}()
 
+	// Strip any port from the host if present
+	host = strings.Split(host, ":")[0]
+
 	explicitHostMatcher := func() (authConfig, bool) {
 		res, ok := a[host]
 		return res, ok
 	}
+	suffixHostMatcher := func() (authConfig, bool) {
+		var match *authConfig
+		for k, v := range a {
+			if strings.HasSuffix(host, k) {
+				if match == nil || len(k) > len(host) {
+					match = &v
+				}
+			}
+		}
+		if match == nil {
+			return authConfig{}, false
+		}
+		return *match, true
+	}
 	ecrHostMatcher := func() (authConfig, bool) {
 		if isECRRegistry(host) {
 			res, ok := a[DummyECRRegistryDomain]
@@ -71,7 +88,7 @@ func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 		return authConfig{}, false
 	}
 
-	matchers := []func() (authConfig, bool){explicitHostMatcher, ecrHostMatcher, dockerHubHostMatcher}
+	matchers := []func() (authConfig, bool){explicitHostMatcher, suffixHostMatcher, ecrHostMatcher, dockerHubHostMatcher}
 	res, ok := authConfig{}, false
 	for _, matcher := range matchers {
 		res, ok = matcher()
@@ -86,12 +103,13 @@ func (a MapAuthorizer) Authorize(host string) (user, pass string, err error) {
 
 	user, pass = res.Username, res.Password
 	if res.Auth != "" {
-		var auth []byte
-		auth, err = base64.StdEncoding.DecodeString(res.Auth)
+		var authBytes []byte
+		authBytes, err = base64.StdEncoding.DecodeString(res.Auth)
 		if err != nil {
 			return
 		}
-		segs := strings.Split(string(auth), ":")
+		auth := strings.TrimSpace(string(authBytes))
+		segs := strings.Split(auth, ":")
 		if len(segs) < 2 {
 			return
 		}
@@ -145,3 +163,23 @@ func NewAuthorizerFromEnvVar(content string) (auth MapAuthorizer, err error) {
 	}
 	return MapAuthorizer(res), nil
 }
+
+func NewAuthorizerFromGitpodImageAuth(content string) (auth MapAuthorizer, err error) {
+	if content == "" {
+		return nil, nil
+	}
+
+	res := map[string]authConfig{}
+	hostsCredentials := strings.Split(content, ",")
+	for _, hostCredentials := range hostsCredentials {
+		parts := strings.SplitN(hostCredentials, ":", 2)
+		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+			log.Debug("Error parsing host credential for authorizer, skipping.")
+			continue
+		}
+		res[parts[0]] = authConfig{
+			Auth: parts[1],
+		}
+	}
+	return MapAuthorizer(res), nil
+}
diff --git a/components/image-builder-bob/pkg/proxy/auth_test.go b/components/image-builder-bob/pkg/proxy/auth_test.go
@@ -0,0 +1,149 @@
+// Copyright (c) 2025 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package proxy
+
+import (
+	"testing"
+)
+
+func TestAuthorize(t *testing.T) {
+	type expectation struct {
+		user string
+		pass string
+		err  string
+	}
+	tests := []struct {
+		name        string
+		constructor func(string) (MapAuthorizer, error)
+		input       string
+		testHost    string
+		expected    expectation
+	}{
+		{
+			name:        "docker auth format - valid credentials",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}`, // base64(user:pass)
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "docker auth format - valid credentials - host with port",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}`, // base64(user:pass)
+			testHost:    "registry.example.com:443",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "docker auth format - invalid host",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}`,
+			testHost:    "wrong.registry.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "env var format - valid credentials",
+			constructor: NewAuthorizerFromEnvVar,
+			input:       `{"registry.example.com": {"auth": "dXNlcjpwYXNz"}}`,
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "env var format - empty input",
+			constructor: NewAuthorizerFromEnvVar,
+			input:       "",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "gitpod format - valid credentials",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "registry.example.com:dXNlcjpwYXNz",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+		{
+			name:        "gitpod format - multiple hosts",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "registry1.example.com:dXNlcjE6cGFzczEK,registry2.example.com:dXNlcjI6cGFzczIK",
+			testHost:    "registry2.example.com",
+			expected: expectation{
+				user: "user2",
+				pass: "pass2",
+			},
+		},
+		{
+			name:        "gitpod format - invalid format",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "invalid:format:with:toomany:colons",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "gitpod format - empty input",
+			constructor: NewAuthorizerFromGitpodImageAuth,
+			input:       "",
+			testHost:    "registry.example.com",
+			expected: expectation{
+				user: "",
+				pass: "",
+			},
+		},
+		{
+			name:        "gitpod format - suffix match",
+			constructor: NewAuthorizerFromDockerEnvVar,
+			input:       `{"auths": {"docker.io": {"auth": "dXNlcjpwYXNz"}}}`,
+			testHost:    "registry.docker.io",
+			expected: expectation{
+				user: "user",
+				pass: "pass",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth, err := tt.constructor(tt.input)
+			if err != nil {
+				if tt.expected.err == "" {
+					t.Errorf("Constructor failed: %s", err)
+				}
+				return
+			}
+
+			actualUser, actualPassword, err := auth.Authorize(tt.testHost)
+			if (err != nil) != (tt.expected.err != "") {
+				t.Errorf("Authorize() error = %v, wantErr %v", err, tt.expected.err)
+				return
+			}
+			if actualUser != tt.expected.user {
+				t.Errorf("Authorize() actual user = %v, want %v", actualUser, tt.expected.user)
+			}
+			if actualPassword != tt.expected.pass {
+				t.Errorf("Authorize() actual password = %v, want %v", actualPassword, tt.expected.pass)
+			}
+		})
+	}
+}
diff --git a/components/image-builder-bob/pkg/proxy/forward_proxy.go b/components/image-builder-bob/pkg/proxy/forward_proxy.go
@@ -0,0 +1,92 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package proxy
+
+import (
+	"context"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+	"sync"
+
+	"github.com/containerd/containerd/remotes/docker"
+	"github.com/gitpod-io/gitpod/common-go/log"
+)
+
+func NewForwardProxy(authorizer func() docker.Authorizer, scheme string) (*ForwardProxy, error) {
+	return &ForwardProxy{
+		authorizer: authorizer,
+		scheme:     scheme,
+		proxies:    make(map[string]*httputil.ReverseProxy),
+	}, nil
+}
+
+// ForwardProxy acts as forward proxy, injecting authentication to requests
+// It uses the same docker-specific retry-and-authenticate logic as the reverse/mirror proxy in proxy.go
+type ForwardProxy struct {
+	authorizer func() docker.Authorizer
+	scheme     string
+
+	mu      sync.Mutex
+	proxies map[string]*httputil.ReverseProxy
+}
+
+// ServeHTTP serves the proxy
+func (p *ForwardProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	// Prepare for forwarding
+	r.RequestURI = ""
+
+	auth := p.authorizer()
+	r = r.WithContext(context.WithValue(ctx, CONTEXT_KEY_AUTHORIZER, auth)) // auth might be used in the forward proxy below
+
+	err := auth.Authorize(ctx, r)
+	if err != nil {
+		log.WithError(err).Error("cannot authorize request")
+		http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+		return
+	}
+
+	// Construct target URL
+	targetUrl, err := parseTargetURL(r.Host, p.scheme)
+	if err != nil {
+		log.WithError(err).Error("cannot parse host to determine target URL")
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
+	p.authenticatingProxy(targetUrl).ServeHTTP(w, r)
+}
+
+func parseTargetURL(targetHost string, scheme string) (*url.URL, error) {
+	// to safely parse the URL, we need to make sure it has a scheme
+	parts := strings.Split(targetHost, "://")
+	if len(parts) == 1 {
+		targetHost = scheme + "://" + parts[0]
+	} else if len(parts) == 2 {
+		targetHost = scheme + "://" + parts[1]
+	} else {
+		targetHost = scheme + "://" + parts[len(parts)-1]
+	}
+	targetUrl, err := url.Parse(targetHost)
+	if err != nil {
+		return nil, err
+	}
+
+	return targetUrl, nil
+}
+
+func (p *ForwardProxy) authenticatingProxy(targetUrl *url.URL) *httputil.ReverseProxy {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if rp, ok := p.proxies[targetUrl.Host]; ok {
+		return rp
+	}
+	rp := createAuthenticatingReverseProxy(targetUrl)
+	p.proxies[targetUrl.Host] = rp
+	return rp
+}
diff --git a/components/image-builder-bob/pkg/proxy/proxy.go b/components/image-builder-bob/pkg/proxy/proxy.go

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ var proxyCmd = &cobra.Command{`
`37`	`37`	`}`
`38`	`38`	`authA, err := proxy.NewAuthorizerFromEnvVar(proxyOpts.AdditionalAuth)`
`39`	`39`	`if err != nil {`
`40`		`- log.WithError(err).WithField("auth", proxyOpts.Auth).Fatal("cannot unmarshal auth")`
	`40`	`+ log.WithError(err).WithField("additionalAuth", proxyOpts.AdditionalAuth).Fatal("cannot unmarshal additionalAuth")`
`41`	`41`	`}`
`42`	`42`	`authP = authP.AddIfNotExists(authA)`
`43`	`43`