From 4cabef5e1ef3b6ee1cb9da58c0f5775d26dcee53 Mon Sep 17 00:00:00 2001
From: Claudia Beresford
Date: Tue, 26 Apr 2022 14:56:38 +0100
Subject: [PATCH] feat: Set vars when TLS disabled or Dev enabled

This is so that the UI can query what has been set on the server and display appropriate warning messages. It will also be logged on each request whether TLS is enabled or not.
---
 cmd/gitops-server/cmd/cmd.go | 10 ++-
 pkg/server/handler.go | 10 ++-
 pkg/server/middleware/middleware.go | 4 +-
 pkg/server/server.go | 12 +--
 pkg/server/server_test.go | 110 ++++++++++++++++++++--------
 5 files changed, 104 insertions(+), 42 deletions(-)

diff --git a/cmd/gitops-server/cmd/cmd.go b/cmd/gitops-server/cmd/cmd.go
index 127544e0b4..2f2be959c8 100644
--- a/cmd/gitops-server/cmd/cmd.go
+++ b/cmd/gitops-server/cmd/cmd.go
@@ -100,7 +100,7 @@ func NewCommand() *cobra.Command {
 }
 func runCmd(cmd *cobra.Command, args []string) error {
- log, err := logger.New(options.LogLevel, options.Insecure)
+ log, err := logger.New(options.LogLevel, options.DevMode)
 if err != nil {
 return err
 }
@@ -181,7 +181,8 @@ func runCmd(cmd *cobra.Command, args []string) error {
 }
 if options.DevMode {
- log.Info("WARNING: dev mode enabled. This should be used for local work only")
+ log.Info("WARNING: dev mode enabled. Authentication will be bypassed in some instances. This should be used for LOCAL WORK ONLY.")
+ os.Setenv(server.DevModeFeatureFlag, "true")
 tsv.SetDevMode(options.DevUser)
 }
@@ -286,7 +287,10 @@ func runCmd(cmd *cobra.Command, args []string) error {
 func listenAndServe(log logr.Logger, srv *http.Server, options Options) error {
 if options.Insecure {
- log.Info("TLS connections disabled")
+ log.Info(
+ "WARNING: TLS connections disabled by the `--insecure` flag. All data INCLUDING AUTH TOKENS will be transmitted without encryption.")
+ os.Setenv(server.TlsDisabledFeatureFlag, "true")
+
 return srv.ListenAndServe()
 }
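Review bot: `os.Setenv(server.TlsDisabledFeatureFlag, "true")` is placed inside listenAndServe, but pkg/server/handler.go's NewHandlers calls `TlsEnabled()` once while building the handler, which from the layout of runCmd appears to happen before listenAndServe runs; if so, the `tls-secured` value the middleware logs will read true even under `--insecure`, and only GetFeatureFlags, which reads the environment per request, will see the flag. The simplest fix is to set the flag in runCmd next to the dev-mode one, before the handlers are built, e.g. `if options.Insecure { os.Setenv(server.TlsDisabledFeatureFlag, "true") }`, leaving listenAndServe with the log line alone. Passing `options.Insecure` through server.Config instead of the process environment would remove the ordering dependency entirely and keep the flag from being inherited by any child process. Both os.Setenv calls also discard their error; errcheck will flag them, so either check it or write `_ = os.Setenv(...)` with a short reason. runCmd's body lies mostly outside these hunks, so the call order should be confirmed there.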
diff --git a/pkg/server/handler.go b/pkg/server/handler.go
index 467982ef5b..718630f13e 100644
--- a/pkg/server/handler.go
+++ b/pkg/server/handler.go
@@ -19,6 +19,10 @@ import (
 const (
 AuthEnabledFeatureFlag = "WEAVE_GITOPS_AUTH_ENABLED"
+ TlsDisabledFeatureFlag = "WEAVE_GITOPS_TLS_DISABLED"
+ DevModeFeatureFlag = "WEAVE_GITOPS_DEV_MODE_ENABLED"
+ ClusterUserAuthFlag = "CLUSTER_USER_AUTH"
+ OidcAuthFlag = "OIDC_AUTH"
 )
 var (
@@ -31,6 +35,10 @@ func AuthEnabled() bool {
 return os.Getenv(AuthEnabledFeatureFlag) == "true"
 }
+func TlsEnabled() bool {
+ return os.Getenv(TlsDisabledFeatureFlag) != "true"
+}
+
 type Config struct {
 AppConfig *ApplicationsConfig
 AppOptions []ApplicationsOption
@@ -41,7 +49,7 @@ type Config struct {
 func NewHandlers(ctx context.Context, log logr.Logger, cfg *Config) (http.Handler, error) {
 mux := runtime.NewServeMux(middleware.WithGrpcErrorLogging(log))
- httpHandler := middleware.WithLogging(log, mux)
+ httpHandler := middleware.WithLogging(log, mux, TlsEnabled())
 if AuthEnabled() {
 clustersFetcher, err := fetcher.NewSingleClusterFetcher(cfg.CoreServerConfig.RestCfg)
diff --git a/pkg/server/middleware/middleware.go b/pkg/server/middleware/middleware.go
index ebb6b667b0..f363462d6c 100644
--- a/pkg/server/middleware/middleware.go
+++ b/pkg/server/middleware/middleware.go
@@ -44,7 +44,7 @@ func WithGrpcErrorLogging(log logr.Logger) runtime.ServeMuxOption {
 // WithLogging adds basic logging for HTTP requests.
 // Note that this accepts a grpc-gateway ServeMux instead of an http.Handler.
-func WithLogging(log logr.Logger, mux *runtime.ServeMux) http.Handler {
+func WithLogging(log logr.Logger, mux *runtime.ServeMux, secure bool) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 recorder := &statusRecorder{
 ResponseWriter: w,
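Review bot: The new exported identifiers `TlsDisabledFeatureFlag`, `OidcAuthFlag` and, in the next hunk, `TlsEnabled` spell their initialisms in mixed case, where Go convention and the usual linters expect `TLSDisabledFeatureFlag`, `OIDCAuthFlag` and `TLSEnabled`; since these are exported from pkg/server, renaming later costs more than doing it now. None of the new constants nor TlsEnabled carries a doc comment, and the const block now mixes two kinds of key: the WEAVE_GITOPS_* names are environment variables the binary sets for itself at startup, while CLUSTER_USER_AUTH and OIDC_AUTH are only response keys that GetFeatureFlags in pkg/server/server.go fills from its secret lookups. A comment on each group saying so, plus `// TlsEnabled reports whether the server is serving TLS; it is false only when WEAVE_GITOPS_TLS_DISABLED is exactly "true".` on the function, would document the strict string comparison that callers otherwise have to read from the body.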
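Review bot: The doc comment on WithLogging was not updated for the new `secure` parameter, so a reader of the signature cannot tell what it expresses or that it is fixed for the handler's lifetime rather than derived per request. Suggest adding `// secure reports whether the listener serves TLS; the caller evaluates it once and it is logged as "tls-secured" on every request.` beneath the existing two comment lines. The body of WithLogging continues in the next hunk, where the value is attached to the log entry.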
@@ -52,7 +52,7 @@ func WithLogging(log logr.Logger, mux *runtime.ServeMux) http.Handler {
 }
 mux.ServeHTTP(recorder, r)
- l := log.WithValues("uri", r.RequestURI, "status", recorder.Status)
+ l := log.WithValues("uri", r.RequestURI, "status", recorder.Status, "tls-secured", secure)
 if recorder.Status < 400 {
 l.V(logger.LogLevelDebug).Info(RequestOkText)
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 36bd1ca503..2ec12a4b13 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -227,7 +227,9 @@ func (s *applicationServer) ValidateProviderToken(ctx context.Context, msg *pb.V
 func (s *applicationServer) GetFeatureFlags(ctx context.Context, msg *pb.GetFeatureFlagsRequest) (*pb.GetFeatureFlagsResponse, error) {
 flags := make(map[string]string)
- flags["WEAVE_GITOPS_AUTH_ENABLED"] = os.Getenv("WEAVE_GITOPS_AUTH_ENABLED")
+ flags[AuthEnabledFeatureFlag] = os.Getenv(AuthEnabledFeatureFlag)
+ flags[TlsDisabledFeatureFlag] = os.Getenv(TlsDisabledFeatureFlag)
+ flags[DevModeFeatureFlag] = os.Getenv(DevModeFeatureFlag)
 cl, err := s.clientGetter.Client(ctx)
 if err != nil {
@@ -242,12 +244,12 @@ func (s *applicationServer) GetFeatureFlags(ctx context.Context, msg *pb.GetFeat
 if err != nil {
 if apierrors.IsNotFound(err) {
- flags["CLUSTER_USER_AUTH"] = "false"
+ flags[ClusterUserAuthFlag] = "false"
 } else {
 s.log.Error(err, "could not get secret for cluster user")
 }
 } else {
- flags["CLUSTER_USER_AUTH"] = "true"
+ flags[ClusterUserAuthFlag] = "true"
 }
 err = cl.Get(ctx, client.ObjectKey{
@@ -257,12 +259,12 @@ func (s *applicationServer) GetFeatureFlags(ctx context.Context, msg *pb.GetFeat
 if err != nil {
 if apierrors.IsNotFound(err) {
- flags["OIDC_AUTH"] = "false"
+ flags[OidcAuthFlag] = "false"
 } else {
 s.log.Error(err, "could not get secret for oidc")
 }
 } else {
- flags["OIDC_AUTH"] = "true"
+ flags[OidcAuthFlag] = "true"
 }
 return &pb.GetFeatureFlagsResponse{
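Review bot: GetFeatureFlags now returns the raw `WEAVE_GITOPS_TLS_DISABLED` and `WEAVE_GITOPS_DEV_MODE_ENABLED` values to whoever calls it, and the cmd.go hunk states that dev mode bypasses authentication; whether this RPC itself sits behind the auth middleware is not visible here, so it is worth confirming before shipping, since "plaintext transport and auth bypass are on" is configuration a server should disclose only to clients it already trusts. The shape of the values is also inconsistent: CLUSTER_USER_AUTH and OIDC_AUTH are always "true" or "false", while the two new keys are "" when unset, so the UI has to special-case the empty string. Normalising at the source, e.g. `flags[TlsDisabledFeatureFlag] = strconv.FormatBool(!TlsEnabled())`, gives every key one shape, though the expectations in server_test.go would have to change with it.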
diff --git a/pkg/server/server_test.go b/pkg/server/server_test.go
index d971c73cf4..48c200f9ea 100644
--- a/pkg/server/server_test.go
+++ b/pkg/server/server_test.go
@@ -318,7 +318,7 @@ var _ = Describe("ApplicationsServer", func() {
 fakeClientGetter := kubefakes.NewFakeClientGetter(k8s)
 appsSrv := server.NewApplicationsServer(&cfg, server.WithClientGetter(fakeClientGetter))
 mux = runtime.NewServeMux(middleware.WithGrpcErrorLogging(log))
- httpHandler := middleware.WithLogging(log, mux)
+ httpHandler := middleware.WithLogging(log, mux, true)
 err := pb.RegisterApplicationsHandlerServer(context.Background(), mux, appsSrv)
 Expect(err).NotTo(HaveOccurred())
@@ -458,10 +458,6 @@ func contextWithAuth(ctx context.Context) context.Context {
 }
 func TestGetFeatureFlags(t *testing.T) {
- type Data struct {
- Flags map[string]string
- }
-
 tests := []struct {
 name string
 envSet func()
@@ -472,31 +468,35 @@ func TestGetFeatureFlags(t *testing.T) {
 {
 name: "Auth enabled",
 envSet: func() {
- os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "true")
+ os.Setenv(server.AuthEnabledFeatureFlag, "true")
 },
 envUnset: func() {
- os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+ os.Unsetenv(server.AuthEnabledFeatureFlag)
 },
 state: []client.Object{},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "true",
- "CLUSTER_USER_AUTH": "false",
- "OIDC_AUTH": "false",
+ server.AuthEnabledFeatureFlag: "true",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
 },
 },
 {
 name: "Auth disabled",
 envSet: func() {
- os.Setenv("WEAVE_GITOPS_AUTH_ENABLED", "false")
+ os.Setenv(server.AuthEnabledFeatureFlag, "false")
 },
 envUnset: func() {
- os.Unsetenv("WEAVE_GITOPS_AUTH_ENABLED")
+ os.Unsetenv(server.AuthEnabledFeatureFlag)
 },
 state: []client.Object{},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "false",
- "CLUSTER_USER_AUTH": "false",
- "OIDC_AUTH": "false",
+ server.AuthEnabledFeatureFlag: "false",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
 },
 },
 {
@@ -505,9 +505,11 @@ func TestGetFeatureFlags(t *testing.T) {
 envUnset: func() {},
 state: []client.Object{},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "",
- "CLUSTER_USER_AUTH": "false",
- "OIDC_AUTH": "false",
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
 },
 },
 {
@@ -516,9 +518,11 @@ func TestGetFeatureFlags(t *testing.T) {
 envUnset: func() {},
 state: []client.Object{&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "flux-system", Name: "cluster-user-auth"}}},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "",
- "CLUSTER_USER_AUTH": "true",
- "OIDC_AUTH": "false",
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "true",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
 },
 },
 {
@@ -527,9 +531,11 @@ func TestGetFeatureFlags(t *testing.T) {
 envUnset: func() {},
 state: []client.Object{},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "",
- "CLUSTER_USER_AUTH": "false",
- "OIDC_AUTH": "false",
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
 },
 },
 {
@@ -538,9 +544,11 @@ func TestGetFeatureFlags(t *testing.T) {
 envUnset: func() {},
 state: []client.Object{&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Namespace: "flux-system", Name: "oidc-auth"}}},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "",
- "CLUSTER_USER_AUTH": "false",
- "OIDC_AUTH": "true",
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "true",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
 },
 },
 {
@@ -549,11 +557,51 @@ func TestGetFeatureFlags(t *testing.T) {
 envUnset: func() {},
 state: []client.Object{},
 result: map[string]string{
- "WEAVE_GITOPS_AUTH_ENABLED": "",
- "CLUSTER_USER_AUTH": "false",
- "OIDC_AUTH": "false",
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "",
+ },
+ },
+ {
+ name: "TLS disabled",
+ envSet: func() {
+ os.Setenv(server.TlsDisabledFeatureFlag, "true")
+ },
+ envUnset: func() {
+ os.Unsetenv(server.TlsDisabledFeatureFlag)
+ },
+ state: []client.Object{},
+ result: map[string]string{
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "true",
+ server.DevModeFeatureFlag: "",
 },
 },
+ {
+ name: "dev mode enabled",
+ envSet: func() {
+ os.Setenv(server.DevModeFeatureFlag, "true")
+ },
+ envUnset: func() {
+ os.Unsetenv(server.DevModeFeatureFlag)
+ },
+ state: []client.Object{},
+ result: map[string]string{
+ server.AuthEnabledFeatureFlag: "",
+ server.ClusterUserAuthFlag: "false",
+ server.OidcAuthFlag: "false",
+ server.TlsDisabledFeatureFlag: "",
+ server.DevModeFeatureFlag: "true",
+ },
+ },
+ }
+
+ type Data struct {
+ Flags map[string]string
 }
 for _, tt := range tests {
@@ -571,7 +619,7 @@ func TestGetFeatureFlags(t *testing.T) {
 err := pb.RegisterApplicationsHandlerServer(context.Background(), mux, appSrv)
 Expect(err).NotTo(HaveOccurred())
- httpHandler := middleware.WithLogging(log, mux)
+ httpHandler := middleware.WithLogging(log, mux, true)
 ts := httptest.NewServer(httpHandler)
 defer ts.Close()
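Review bot: The new "TLS disabled" and "dev mode enabled" cases set process-wide environment in envSet and rely on a matching envUnset to clean up, so one forgotten Unsetenv leaks into every later case; if the module targets Go 1.17 or later, calling `t.Setenv(server.TlsDisabledFeatureFlag, "true")` from the loop body restores the previous value automatically and makes the envUnset funcs redundant (the loop that invokes envSet and envUnset is outside this hunk). Separately, neither case exercises `TlsEnabled()` or the `tls-secured` value WithLogging now logs, and every WithLogging call in this file passes a constant `true`, so the `--insecure` path has no coverage. A case that sets the variable and asserts `server.TlsEnabled() == false` would close that gap cheaply.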