archive-gh-me/gitpod
1
0
Fork 0
mirror of https://github.com/gitpod-io/gitpod.git synced 2025-12-08 17:36:30 +00:00
Code Issues Projects Releases Wiki Activity
gitpod/components/public-api-server/pkg/server/server.go
Milan Pavlik 0dc46c5bcc
[public-api] Measure incoming JWT Sessions - WEB-102 (#17345) 
* retest

* retest

* [installer] Add cookie name to config

* Fix

* retest

* [installer] Add cookie name to config

* [public-api] Measure incoming JWT Sessions

* fix

* Fix

* Fix

* fix

* retest
2023-04-24 21:34:45 +08:00

233 lines
8.1 KiB
Go
Raw Blame History

// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package server
import (
"context"
"fmt"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
"time"
"github.com/bufbuild/connect-go"
"github.com/gitpod-io/gitpod/common-go/experiments"
"github.com/gitpod-io/gitpod/common-go/log"
"github.com/go-chi/chi/v5"
chi_middleware "github.com/go-chi/chi/v5/middleware"
"github.com/redis/go-redis/v9"
"gorm.io/gorm"
"github.com/gitpod-io/gitpod/components/public-api/go/config"
"github.com/gitpod-io/gitpod/components/public-api/go/experimental/v1/v1connect"
"github.com/gorilla/handlers"
"github.com/gitpod-io/gitpod/common-go/baseserver"
db "github.com/gitpod-io/gitpod/components/gitpod-db/go"
"github.com/gitpod-io/gitpod/public-api-server/middleware"
"github.com/gitpod-io/gitpod/public-api-server/pkg/apiv1"
"github.com/gitpod-io/gitpod/public-api-server/pkg/auth"
"github.com/gitpod-io/gitpod/public-api-server/pkg/billingservice"
"github.com/gitpod-io/gitpod/public-api-server/pkg/identityprovider"
"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
"github.com/gitpod-io/gitpod/public-api-server/pkg/oidc"
"github.com/gitpod-io/gitpod/public-api-server/pkg/origin"
"github.com/gitpod-io/gitpod/public-api-server/pkg/proxy"
"github.com/gitpod-io/gitpod/public-api-server/pkg/webhooks"
"github.com/sirupsen/logrus"
)
func Start(logger *logrus.Entry, version string, cfg *config.Configuration) error {
logger.WithField("config", cfg).Info("Starting public-api.")
gitpodAPI, err := url.Parse(cfg.GitpodServiceURL)
if err != nil {
return fmt.Errorf("failed to parse Gitpod API URL: %w", err)
}
connPool, err := proxy.NewConnectionPool(gitpodAPI, 500)
if err != nil {
return fmt.Errorf("failed to setup connection pool: %w", err)
}
dbConn, err := db.Connect(db.ConnectionParamsFromEnv())
if err != nil {
return fmt.Errorf("failed to establish database connection: %w", err)
}
cipherSet, err := db.NewCipherSetFromKeysInFile(filepath.Join(cfg.DatabaseConfigPath, "encryptionKeys"))
if err != nil {
return fmt.Errorf("failed to read cipherset from file: %w", err)
}
redisClient := redis.NewClient(&redis.Options{
Addr: cfg.Redis.Address,
})
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
err = redisClient.Ping(ctx).Err()
if err != nil {
return fmt.Errorf("redis is unavailable at %s", cfg.Redis.Address)
}
expClient := experiments.NewClient()
srv, err := baseserver.New("public_api_server",
baseserver.WithLogger(logger),
baseserver.WithConfig(cfg.Server),
baseserver.WithVersion(version),
)
if err != nil {
return fmt.Errorf("failed to initialize public api server: %w", err)
}
var billingService billingservice.Interface = &billingservice.NoOpClient{}
if cfg.BillingServiceAddress != "" {
billingService, err = billingservice.New(cfg.BillingServiceAddress)
if err != nil {
return fmt.Errorf("failed to initialize billing service client: %w", err)
}
}
keyset, err := jws.NewKeySetFromAuthPKI(cfg.Auth.PKI)
if err != nil {
return fmt.Errorf("failed to setup JWS Keyset: %w", err)
}
rsa256, err := jws.NewRSA256(keyset)
if err != nil {
return fmt.Errorf("failed to setup jws.RSA256: %w", err)
}
hs256 := jws.NewHS256FromKeySet(keyset)
var stripeWebhookHandler http.Handler = webhooks.NewNoopWebhookHandler()
if cfg.StripeWebhookSigningSecretPath != "" {
stripeWebhookSecret, err := readSecretFromFile(cfg.StripeWebhookSigningSecretPath)
if err != nil {
return fmt.Errorf("failed to read stripe secret: %w", err)
}
stripeWebhookHandler = webhooks.NewStripeWebhookHandler(billingService, stripeWebhookSecret)
} else {
log.Info("No stripe webhook secret is configured, endpoints will return NotImplemented")
}
var signer auth.Signer
if cfg.PersonalAccessTokenSigningKeyPath != "" {
personalACcessTokenSigningKey, err := readSecretFromFile(cfg.PersonalAccessTokenSigningKeyPath)
if err != nil {
return fmt.Errorf("failed to read personal access token signing key: %w", err)
}
signer = auth.NewHS256Signer([]byte(personalACcessTokenSigningKey))
} else {
log.Info("No Personal Access Token signign key specified, PersonalAccessToken service will be disabled.")
}
srv.HTTPMux().Handle("/stripe/invoices/webhook", handlers.ContentTypeHandler(stripeWebhookHandler, "application/json"))
oidcService := oidc.NewService(cfg.SessionServiceAddress, dbConn, cipherSet, hs256, 5*time.Minute)
if redisClient == nil {
return fmt.Errorf("no Redis configiured")
}
idpService, err := identityprovider.NewService(strings.TrimSuffix(cfg.PublicURL, "/")+"/idp", identityprovider.NewRedisCache(redisClient))
if err != nil {
return err
}
if registerErr := register(srv, &registerDependencies{
connPool: connPool,
expClient: expClient,
dbConn: dbConn,
signer: signer,
cipher: cipherSet,
oidcService: oidcService,
idpService: idpService,
authCfg: cfg.Auth,
sessionVerifier: rsa256,
}); registerErr != nil {
return fmt.Errorf("failed to register services: %w", registerErr)
}
if listenErr := srv.ListenAndServe(); listenErr != nil {
return fmt.Errorf("failed to serve public api server: %w", listenErr)
}
return nil
}
type registerDependencies struct {
connPool proxy.ServerConnectionPool
expClient experiments.Client
dbConn *gorm.DB
signer auth.Signer
cipher db.Cipher
oidcService *oidc.Service
idpService *identityprovider.Service
sessionVerifier jws.SignerVerifier
authCfg config.AuthConfiguration
}
func register(srv *baseserver.Server, deps *registerDependencies) error {
proxy.RegisterMetrics(srv.MetricsRegistry())
auth.RegisterMetrics(srv.MetricsRegistry())
connectMetrics := NewConnectMetrics()
err := connectMetrics.Register(srv.MetricsRegistry())
if err != nil {
return err
}
rootHandler := chi.NewRouter()
rootHandler.Use(chi_middleware.Recoverer)
rootHandler.Use(middleware.NewLoggingMiddleware())
handlerOptions := []connect.HandlerOption{
connect.WithInterceptors(
NewMetricsInterceptor(connectMetrics),
NewLogInterceptor(log.Log),
auth.NewServerInterceptor(),
origin.NewInterceptor(),
auth.NewJWTCookieInterceptor(deps.expClient, deps.authCfg.Session.Cookie.Name, deps.authCfg.Session.Issuer, deps.sessionVerifier),
),
}
rootHandler.Mount(v1connect.NewWorkspacesServiceHandler(apiv1.NewWorkspaceService(deps.connPool), handlerOptions...))
rootHandler.Mount(v1connect.NewTeamsServiceHandler(apiv1.NewTeamsService(deps.connPool), handlerOptions...))
rootHandler.Mount(v1connect.NewUserServiceHandler(apiv1.NewUserService(deps.connPool), handlerOptions...))
rootHandler.Mount(v1connect.NewIDEClientServiceHandler(apiv1.NewIDEClientService(deps.connPool), handlerOptions...))
rootHandler.Mount(v1connect.NewProjectsServiceHandler(apiv1.NewProjectsService(deps.connPool), handlerOptions...))
rootHandler.Mount(v1connect.NewOIDCServiceHandler(apiv1.NewOIDCService(deps.connPool, deps.expClient, deps.dbConn, deps.cipher), handlerOptions...))
rootHandler.Mount(v1connect.NewIdentityProviderServiceHandler(apiv1.NewIdentityProviderService(deps.connPool, deps.idpService), handlerOptions...))
if deps.signer != nil {
rootHandler.Mount(v1connect.NewTokensServiceHandler(apiv1.NewTokensService(deps.connPool, deps.expClient, deps.dbConn, deps.signer), handlerOptions...))
}
// OIDC sign-in handlers
rootHandler.Mount("/oidc", oidc.Router(deps.oidcService))
// The OIDC spec dictates how the identity provider endpoint needs to look like,
// hence the extra endpoint rather than making this part of the proto API.
// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
rootHandler.Mount("/idp", deps.idpService.Router())
// All requests are handled by our root router
srv.HTTPMux().Handle("/", rootHandler)
return nil
}
func readSecretFromFile(path string) (string, error) {
b, err := os.ReadFile(path)
if err != nil {
return "", fmt.Errorf("failed to read secret from file: %w", err)
}
return strings.TrimSpace(string(b)), nil
}
Reference in New Issue View Git Blame Copy Permalink