mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-12-23 08:56:29 +00:00
enable grpc auth
This commit is contained in:
parent
1a6920e822
commit
a625f06c1a
3 changed files with 71 additions and 10 deletions
|
@ -21,15 +21,10 @@ import (
|
|||
|
||||
"github.com/tevino/abool"
|
||||
"github.com/urfave/cli"
|
||||
oldcontext "golang.org/x/net/context"
|
||||
)
|
||||
|
||||
func loop(c *cli.Context) error {
|
||||
// endpoint, err := url.Parse(
|
||||
// c.String("drone-server"),
|
||||
// )
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
filter := rpc.Filter{
|
||||
Labels: map[string]string{
|
||||
"platform": c.String("platform"),
|
||||
|
@ -39,9 +34,15 @@ func loop(c *cli.Context) error {
|
|||
// TODO pass version information to grpc server
|
||||
// TODO authenticate to grpc server
|
||||
|
||||
// grpc.Dial(target, ))
|
||||
|
||||
conn, err := grpc.Dial(
|
||||
c.String("server"),
|
||||
grpc.WithInsecure(),
|
||||
grpc.WithPerRPCCredentials(&credentials{
|
||||
username: c.String("username"),
|
||||
password: c.String("password"),
|
||||
}),
|
||||
)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -282,3 +283,19 @@ func run(ctx context.Context, client rpc.Peer, filter rpc.Filter) error {
|
|||
|
||||
return nil
|
||||
}
|
||||
|
||||
type credentials struct {
|
||||
username string
|
||||
password string
|
||||
}
|
||||
|
||||
func (c *credentials) GetRequestMetadata(oldcontext.Context, ...string) (map[string]string, error) {
|
||||
return map[string]string{
|
||||
"username": c.username,
|
||||
"password": c.password,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (c *credentials) RequireTransportSecurity() bool {
|
||||
return false
|
||||
}
|
||||
|
|
|
@ -24,9 +24,15 @@ func main() {
|
|||
Value: "localhost:9000",
|
||||
},
|
||||
cli.StringFlag{
|
||||
EnvVar: "DRONE_SECRET",
|
||||
Name: "secret",
|
||||
Usage: "drone agent secret",
|
||||
EnvVar: "DRONE_USERNAME",
|
||||
Name: "username",
|
||||
Usage: "drone auth username",
|
||||
Value: "x-oauth-basic",
|
||||
},
|
||||
cli.StringFlag{
|
||||
EnvVar: "DRONE_PASSWORD,DRONE_SECRET",
|
||||
Name: "password",
|
||||
Usage: "drone auth password",
|
||||
},
|
||||
cli.BoolFlag{
|
||||
EnvVar: "DRONE_DEBUG",
|
||||
|
|
|
@ -2,6 +2,7 @@ package main
|
|||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
@ -9,6 +10,7 @@ import (
|
|||
"time"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/metadata"
|
||||
|
||||
"golang.org/x/crypto/acme/autocert"
|
||||
"golang.org/x/sync/errgroup"
|
||||
|
@ -28,6 +30,7 @@ import (
|
|||
"github.com/Sirupsen/logrus"
|
||||
"github.com/gin-gonic/contrib/ginrus"
|
||||
"github.com/urfave/cli"
|
||||
oldcontext "golang.org/x/net/context"
|
||||
)
|
||||
|
||||
var flags = []cli.Flag{
|
||||
|
@ -422,7 +425,13 @@ func server(c *cli.Context) error {
|
|||
logrus.Error(err)
|
||||
return err
|
||||
}
|
||||
s := grpc.NewServer()
|
||||
auther := &authorizer{
|
||||
password: c.String("agent-secret"),
|
||||
}
|
||||
s := grpc.NewServer(
|
||||
grpc.StreamInterceptor(auther.streamInterceptor),
|
||||
grpc.UnaryInterceptor(auther.unaryIntercaptor),
|
||||
)
|
||||
ss := new(droneserver.DroneServer)
|
||||
ss.Queue = droneserver.Config.Services.Queue
|
||||
ss.Logger = droneserver.Config.Services.Logs
|
||||
|
@ -527,3 +536,32 @@ func setupEvilGlobals(c *cli.Context, v store.Store, r remote.Remote) {
|
|||
// droneserver.Config.Server.Orgs = sliceToMap(cli.StringSlice("orgs"))
|
||||
// droneserver.Config.Server.Admins = sliceToMap(cli.StringSlice("admin"))
|
||||
}
|
||||
|
||||
type authorizer struct {
|
||||
username string
|
||||
password string
|
||||
}
|
||||
|
||||
func (a *authorizer) streamInterceptor(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
||||
if err := a.authorize(stream.Context()); err != nil {
|
||||
return err
|
||||
}
|
||||
return handler(srv, stream)
|
||||
}
|
||||
|
||||
func (a *authorizer) unaryIntercaptor(ctx oldcontext.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
|
||||
if err := a.authorize(ctx); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return handler(ctx, req)
|
||||
}
|
||||
|
||||
func (a *authorizer) authorize(ctx context.Context) error {
|
||||
if md, ok := metadata.FromContext(ctx); ok {
|
||||
if len(md["password"]) > 0 && md["password"][0] == a.password {
|
||||
return nil
|
||||
}
|
||||
return errors.New("invalid agent token")
|
||||
}
|
||||
return errors.New("missing agent token")
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue