cmd/coordinator: fix authentication to not require a user token
Buildlets have regular builder tokens, not "user-" prefixed ones. So
don't use the auth helper function. Just inline what we need in the
proxy handler.
Fix from testing CL 165779.
Updates golang/go#14594
Change-Id: Ie2d8d7a21f5660d24e929c932571b8df61895374
Reviewed-on: https://go-review.googlesource.com/c/build/+/165780
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
diff --git a/cmd/coordinator/coordinator.go b/cmd/coordinator/coordinator.go
index db2161c..f0f00d3 100644
--- a/cmd/coordinator/coordinator.go
+++ b/cmd/coordinator/coordinator.go
@@ -224,7 +224,7 @@
return
}
if r.Header.Get("X-Proxy-Service") == "module-cache" {
- requireBuildletProxyAuth(http.HandlerFunc(proxyModuleCache)).ServeHTTP(w, r)
+ proxyModuleCache(w, r)
return
}
http.DefaultServeMux.ServeHTTP(w, r)
diff --git a/cmd/coordinator/modproxy.go b/cmd/coordinator/modproxy.go
index a3c2743..59cebbb 100644
--- a/cmd/coordinator/modproxy.go
+++ b/cmd/coordinator/modproxy.go
@@ -11,17 +11,17 @@
"strings"
)
-// proxyModuleCache proxies from https://farmer.golang.org (with Auth
-// & a magic header, as handled by coordinator.go's httpRouter type)
-// to Go's private module proxy server running on GKE. The module proxy protocol
-// does not define authentication, so we do it ourselves.
+// proxyModuleCache proxies from https://farmer.golang.org (with a
+// magic header, as handled by coordinator.go's httpRouter type) to
+// Go's private module proxy server running on GKE. The module proxy
+// protocol does not define authentication, so we do it ourselves.
//
// The complete path is the buildlet listens on localhost:3000 to run
// an unauthenticated module proxy server for the cmd/go binary to use
// via GOPROXY=http://localhost:3000. That localhost:3000 server
// proxies it to https://farmer.golang.org with auth headers and a
// sentinel X-Proxy-Service:module-cache header. Then coordinator.go's
-// httpRouter sends it here after the auth has been checked.
+// httpRouter sends it here.
//
// This code then does the final reverse proxy, sent without auth.
//
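Review bot: The rewritten comment at the `httpRouter sends it here.` line drops any mention of where the buildlet's credentials are now verified, so a reader of this paragraph alone cannot tell that this function performs the check itself. Since the auth moved into this handler, `// httpRouter sends it here, where the buildlet's basic-auth credentials are checked.` would keep the end-to-end description accurate. The "sent without auth" sentence two lines below is still correct and can stay.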
@@ -29,14 +29,28 @@
//
// cmd/go -> localhost:3000 -> buildlet -> coordinator --> GKE server
func proxyModuleCache(w http.ResponseWriter, r *http.Request) {
+ if r.TLS == nil {
+ http.Error(w, "https required", http.StatusBadRequest)
+ return
+ }
+ builder, pass, ok := r.BasicAuth()
+ if !ok {
+ http.Error(w, "missing required authentication", http.StatusBadRequest)
+ return
+ }
+ if !strings.Contains(builder, "-") || builderKey(builder) != pass {
+ http.Error(w, "bad username or password", http.StatusUnauthorized)
+ return
+ }
+
target := moduleProxy()
if !strings.HasPrefix(target, "http") {
- http.Error(w, "module proxy not configured", 500)
+ http.Error(w, "module proxy not configured", http.StatusInternalServerError)
return
}
backend, err := url.Parse(target)
if err != nil {
- http.Error(w, "module proxy misconfigured", 500)
+ http.Error(w, "module proxy misconfigured", http.StatusInternalServerError)
return
}
// TODO: maybe only create this once early. But probably doesn't matter.
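Review bot: The credential check `builderKey(builder) != pass` is a plain string comparison, which leaks via timing how many leading bytes of the supplied password match the key; use `crypto/subtle` (needs importing in this file) and reject an empty key: `if key := builderKey(builder); !strings.Contains(builder, "-") || key == "" || subtle.ConstantTimeCompare([]byte(key), []byte(pass)) != 1 {`. The empty-key guard matters only if builderKey returns "" for an unknown builder name — its definition is not in this diff, so I cannot confirm, but without it an empty password would be accepted for any hyphenated name in that case. The `strings.Contains(builder, "-")` test is unexplained; a short comment such as `// builder names look like "os-arch"; reject anything else before deriving a key` would help. proxyModuleCache's body continues past the end of the hunk.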