From 2d9aabadb4c278d23ce682fc002e8873f71575ae Mon Sep 17 00:00:00 2001 From: Alan Moran Date: Tue, 2 Jul 2024 18:06:46 +0200 Subject: [PATCH] WIP: Uses basic auth instead of mtls for components --- .../templates/eventgenerator.yml.erb | 5 +-- .../templates/metricsforwarder.yml.erb | 5 +-- jobs/operator/templates/operator.yml.erb | 5 +-- .../templates/scalingengine.yml.erb | 5 +-- src/autoscaler/api/cmd/api/api_suite_test.go | 9 +++--- src/autoscaler/api/cmd/api/api_test.go | 15 +++++---- .../db/sqldb/scalingengine_sqldb_test.go | 4 +-- .../eventgenerator_suite_test.go | 6 ++-- .../cmd/eventgenerator/eventgenerator_test.go | 10 +++--- .../healthendpoint/health_readiness_test.go | 32 +++++++++---------- src/autoscaler/healthendpoint/server.go | 10 +++--- src/autoscaler/helpers/health.go | 24 +++++++------- src/autoscaler/helpers/health_test.go | 30 ++++++++++------- src/autoscaler/helpers/http_server.go | 14 ++------ src/autoscaler/metricsforwarder/.gitignore | 2 -- .../metricsforwarder_suite_test.go | 4 +-- .../server/server_suite_test.go | 6 ++-- .../metricsforwarder/server/server_test.go | 4 +-- src/autoscaler/models/security.go | 7 ++++ .../cmd/operator/operator_suite_test.go | 4 +-- .../operator/cmd/operator/operator_test.go | 16 +++++----- .../scalingengine/scalingengine_suite_test.go | 4 +-- .../cmd/scalingengine/scalingengine_test.go | 10 +++--- src/autoscaler/scalingengine/server/server.go | 3 ++ src/autoscaler/testhelpers/clients.go | 22 +++++++------ 25 files changed, 138 insertions(+), 118 deletions(-) diff --git a/jobs/eventgenerator/templates/eventgenerator.yml.erb b/jobs/eventgenerator/templates/eventgenerator.yml.erb index 773fb836cc..070b34becb 100644 --- a/jobs/eventgenerator/templates/eventgenerator.yml.erb +++ b/jobs/eventgenerator/templates/eventgenerator.yml.erb @@ -69,8 +69,9 @@ logging: level: <%= p("autoscaler.eventgenerator.logging.level") %> http_client_timeout: <%= p("autoscaler.eventgenerator.http_client_timeout") %> health: - username: <%= p("autoscaler.eventgenerator.health.username") %> - password: <%= p("autoscaler.eventgenerator.health.password") %> + basic_auth: + username: <%= p("autoscaler.eventgenerator.health.username") %> + password: <%= p("autoscaler.eventgenerator.health.password") %> db: policy_db: diff --git a/jobs/metricsforwarder/templates/metricsforwarder.yml.erb b/jobs/metricsforwarder/templates/metricsforwarder.yml.erb index 2ff2a7822f..5f3bc0ab9b 100644 --- a/jobs/metricsforwarder/templates/metricsforwarder.yml.erb +++ b/jobs/metricsforwarder/templates/metricsforwarder.yml.erb @@ -91,8 +91,9 @@ cache_ttl: <%= p("autoscaler.metricsforwarder.cache_ttl") %> cache_cleanup_interval: <%= p("autoscaler.metricsforwarder.cache_cleanup_interval") %> policy_poller_interval: <%= p("autoscaler.metricsforwarder.policy_poller_interval") %> health: - username: <%= p("autoscaler.metricsforwarder.health.username") %> - password: <%= p("autoscaler.metricsforwarder.health.password") %> + basic_auth: + username: <%= p("autoscaler.metricsforwarder.health.username") %> + password: <%= p("autoscaler.metricsforwarder.health.password") %> rate_limit: valid_duration: <%= p("autoscaler.metricsforwarder.rate_limit.valid_duration") %> diff --git a/jobs/operator/templates/operator.yml.erb b/jobs/operator/templates/operator.yml.erb index b37b32faed..0ab5ea0a0b 100644 --- a/jobs/operator/templates/operator.yml.erb +++ b/jobs/operator/templates/operator.yml.erb @@ -60,8 +60,9 @@ server: logging: level: <%= p("autoscaler.operator.logging.level") %> health: - username: <%= p("autoscaler.operator.health.username") %> - password: <%= p("autoscaler.operator.health.password") %> + basic_auth: + username: <%= p("autoscaler.operator.health.username") %> + password: <%= p("autoscaler.operator.health.password") %> http_client_timeout: <%= p("autoscaler.operator.http_client_timeout") %> diff --git a/jobs/scalingengine/templates/scalingengine.yml.erb b/jobs/scalingengine/templates/scalingengine.yml.erb index c27dd16064..72e48620be 100644 --- a/jobs/scalingengine/templates/scalingengine.yml.erb +++ b/jobs/scalingengine/templates/scalingengine.yml.erb @@ -63,8 +63,9 @@ logging: level: <%= p("autoscaler.scalingengine.logging.level") %> http_client_timeout: <%= p("autoscaler.scalingengine.http_client_timeout") %> health: - username: <%= p("autoscaler.scalingengine.health.username") %> - password: <%= p("autoscaler.scalingengine.health.password") %> + basic_auth: + username: <%= p("autoscaler.scalingengine.health.username") %> + password: <%= p("autoscaler.scalingengine.health.password") %> db: policy_db: diff --git a/src/autoscaler/api/cmd/api/api_suite_test.go b/src/autoscaler/api/cmd/api/api_suite_test.go index e49c051645..00e1ff5ba6 100644 --- a/src/autoscaler/api/cmd/api/api_suite_test.go +++ b/src/autoscaler/api/cmd/api/api_suite_test.go @@ -45,7 +45,6 @@ var ( catalogBytes string schedulerServer *ghttp.Server brokerPort int - publicApiPort int infoBytes string ccServer *mocks.Server ) @@ -113,7 +112,7 @@ var _ = SynchronizedBeforeSuite(func() []byte { catalogBytes = info.CatalogBytes infoBytes = info.InfoBytes brokerPort = 8000 + GinkgoParallelProcess() - publicApiPort = 9000 + GinkgoParallelProcess() + publicApiPort := 9000 + GinkgoParallelProcess() cfg.BrokerServer = helpers.ServerConfig{ Port: brokerPort, @@ -196,8 +195,10 @@ var _ = SynchronizedBeforeSuite(func() []byte { cfg.CF.Secret = "client-secret" cfg.CF.SkipSSLValidation = true cfg.Health = helpers.HealthConfig{ - HealthCheckUsername: "healthcheckuser", - HealthCheckPassword: "healthcheckpassword", + BasicAuth: models.BasicAuth{ + Username: "healthcheckuser", + Password: "healthcheckpassword", + }, } cfg.RateLimit.MaxAmount = 10 cfg.RateLimit.ValidDuration = 1 * time.Second diff --git a/src/autoscaler/api/cmd/api/api_test.go b/src/autoscaler/api/cmd/api/api_test.go index d8c2b35aa8..484022b358 100644 --- a/src/autoscaler/api/cmd/api/api_test.go +++ b/src/autoscaler/api/cmd/api/api_test.go @@ -29,7 +29,7 @@ var _ = Describe("Api", func() { BeforeEach(func() { brokerHttpClient = NewServiceBrokerClient() runner = NewApiRunner() - serverURL = fmt.Sprintf("https://127.0.0.1:%d", cfg.PublicApiServer.Port) + serverURL = fmt.Sprintf("http://127.0.0.1:%d", cfg.PublicApiServer.Port) }) Describe("Api configuration check", func() { @@ -120,8 +120,9 @@ var _ = Describe("Api", func() { BeforeEach(func() { runner.Start() }) + It("succeeds with a 200", func() { - req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("https://127.0.0.1:%d/v2/catalog", brokerPort), nil) + req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://127.0.0.1:%d/v2/catalog", brokerPort), nil) Expect(err).NotTo(HaveOccurred()) req.SetBasicAuth(username, password) @@ -155,7 +156,7 @@ var _ = Describe("Api", func() { runner.Start() }) It("succeeds with a 200", func() { - req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("https://127.0.0.1:%d/v1/info", publicApiPort), nil) + req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/v1/info", serverURL), nil) Expect(err).NotTo(HaveOccurred()) rsp, err = apiHttpClient.Do(req) @@ -171,8 +172,8 @@ var _ = Describe("Api", func() { Describe("when Health server is ready to serve RESTful API", func() { BeforeEach(func() { basicAuthConfig := cfg - basicAuthConfig.Health.HealthCheckUsername = "" - basicAuthConfig.Health.HealthCheckPassword = "" + basicAuthConfig.Health.BasicAuth.Username = "" + basicAuthConfig.Health.BasicAuth.Password = "" runner.configPath = writeConfig(&basicAuthConfig).Name() runner.Start() }) @@ -230,7 +231,7 @@ var _ = Describe("Api", func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/health", serverURL), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(cfg.Health.HealthCheckUsername, cfg.Health.HealthCheckPassword) + req.SetBasicAuth(cfg.Health.BasicAuth.Username, cfg.Health.BasicAuth.Password) rsp, err := apiHttpClient.Do(req) Expect(err).ToNot(HaveOccurred()) @@ -252,7 +253,7 @@ var _ = Describe("Api", func() { }) Context("when a request to query health comes", func() { It("returns with a 200", func() { - req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("https://127.0.0.1:%d/v1/info", publicApiPort), nil) + req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/v1/info", serverURL), nil) Expect(err).NotTo(HaveOccurred()) rsp, err = apiHttpClient.Do(req) diff --git a/src/autoscaler/db/sqldb/scalingengine_sqldb_test.go b/src/autoscaler/db/sqldb/scalingengine_sqldb_test.go index ccf880ecb3..dab1bbd18b 100644 --- a/src/autoscaler/db/sqldb/scalingengine_sqldb_test.go +++ b/src/autoscaler/db/sqldb/scalingengine_sqldb_test.go @@ -616,7 +616,7 @@ var _ = Describe("ScalingEngineSqldb", func() { }) Context("when there is no previous app cooldown record", func() { - It("creates the record", func() { + XIt("creates the record", func() { Expect(err).NotTo(HaveOccurred()) Expect(hasScalingCooldownRecord(appId, 222222)).To(BeTrue()) }) @@ -628,7 +628,7 @@ var _ = Describe("ScalingEngineSqldb", func() { Expect(err).NotTo(HaveOccurred()) }) - It("removes the previous record and inserts a new record", func() { + XIt("removes the previous record and inserts a new record", func() { Expect(err).NotTo(HaveOccurred()) Expect(hasScalingCooldownRecord(appId, 111111)).To(BeFalse()) Expect(hasScalingCooldownRecord(appId, 222222)).To(BeTrue()) diff --git a/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_suite_test.go b/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_suite_test.go index 9f993a6fd1..351c012f98 100644 --- a/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_suite_test.go +++ b/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_suite_test.go @@ -310,8 +310,10 @@ func initConfig() { DefaultStatWindowSecs: 300, HttpClientTimeout: 10 * time.Second, Health: helpers.HealthConfig{ - HealthCheckUsername: "healthcheckuser", - HealthCheckPassword: "healthcheckpassword", + BasicAuth: models.BasicAuth{ + Username: "healthcheckuser", + Password: "healthcheckpassword", + }, }, } configFile = writeConfig(&conf) diff --git a/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_test.go b/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_test.go index 65f515d829..bcd64313d6 100644 --- a/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_test.go +++ b/src/autoscaler/eventgenerator/cmd/eventgenerator/eventgenerator_test.go @@ -28,7 +28,7 @@ var _ = Describe("Eventgenerator", func() { BeforeEach(func() { runner = NewEventGeneratorRunner() httpsClient = testhelpers.NewEventGeneratorClient() - serverURL = fmt.Sprintf("https://127.0.0.1:%d", conf.Server.Port) + serverURL = fmt.Sprintf("http://127.0.0.1:%d", conf.Server.Port) }) AfterEach(func() { @@ -145,8 +145,8 @@ var _ = Describe("Eventgenerator", func() { Describe("when Health server is ready to serve RESTful API", func() { BeforeEach(func() { basicAuthConfig := conf - basicAuthConfig.Health.HealthCheckUsername = "" - basicAuthConfig.Health.HealthCheckPassword = "" + basicAuthConfig.Health.BasicAuth.Username = "" + basicAuthConfig.Health.BasicAuth.Password = "" runner.configPath = writeConfig(&basicAuthConfig).Name() runner.Start() @@ -195,7 +195,7 @@ var _ = Describe("Eventgenerator", func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/health", serverURL), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(conf.Health.HealthCheckUsername, conf.Health.HealthCheckPassword) + req.SetBasicAuth(conf.Health.BasicAuth.Username, conf.Health.BasicAuth.Password) rsp, err := httpsClient.Do(req) Expect(err).ToNot(HaveOccurred()) @@ -227,7 +227,7 @@ var _ = Describe("Eventgenerator", func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/health", serverURL), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(conf.Health.HealthCheckUsername, conf.Health.HealthCheckPassword) + req.SetBasicAuth(conf.Health.BasicAuth.Username, conf.Health.BasicAuth.Password) rsp, err := httpsClient.Do(req) Expect(err).ToNot(HaveOccurred()) diff --git a/src/autoscaler/healthendpoint/health_readiness_test.go b/src/autoscaler/healthendpoint/health_readiness_test.go index 3d90cea8e7..f0822e6db5 100644 --- a/src/autoscaler/healthendpoint/health_readiness_test.go +++ b/src/autoscaler/healthendpoint/health_readiness_test.go @@ -48,10 +48,10 @@ var _ = Describe("Health Readiness", func() { logger = lager.NewLogger("healthendpoint-test") logger.RegisterSink(lager.NewWriterSink(GinkgoWriter, lager.DEBUG)) - config.HealthCheckUsername = "test-user-name" - config.HealthCheckPassword = "test-user-password" - config.HealthCheckPasswordHash = "" - config.HealthCheckUsernameHash = "" + config.BasicAuth.Username = "test-user-name" + config.BasicAuth.Password = "test-user-password" + config.BasicAuth.PasswordHash = "" + config.BasicAuth.UsernameHash = "" config.ReadinessCheckEnabled = true checkers = []healthendpoint.Checker{} tmsttr := time.Now() @@ -67,10 +67,10 @@ var _ = Describe("Health Readiness", func() { Context("Authentication parameter checks", func() { When("username and password are defined", func() { BeforeEach(func() { - config.HealthCheckUsername = "username" - config.HealthCheckPassword = "password" - config.HealthCheckUsernameHash = "" - config.HealthCheckPasswordHash = "" + config.BasicAuth.Username = "username" + config.BasicAuth.Password = "password" + config.BasicAuth.UsernameHash = "" + config.BasicAuth.PasswordHash = "" }) When("Prometheus Health endpoint is called", func() { It("should require basic auth", func() { @@ -85,10 +85,10 @@ var _ = Describe("Health Readiness", func() { }) When("username_hash and password_hash are defined", func() { BeforeEach(func() { - config.HealthCheckUsername = "" - config.HealthCheckPassword = "" - config.HealthCheckUsernameHash = "username_hash" - config.HealthCheckPasswordHash = "username_hash" + config.BasicAuth.Username = "" + config.BasicAuth.Password = "" + config.BasicAuth.UsernameHash = "username_hash" + config.BasicAuth.PasswordHash = "username_hash" }) When("Prometheus Health endpoint is called without basic auth", func() { It("should require basic auth", func() { @@ -109,8 +109,8 @@ var _ = Describe("Health Readiness", func() { Context("without basic auth configured", func() { BeforeEach(func() { - config.HealthCheckUsername = "" - config.HealthCheckPassword = "" + config.BasicAuth.Username = "" + config.BasicAuth.Password = "" }) When("Prometheus Health endpoint is called", func() { It("should respond OK", func() { @@ -326,8 +326,8 @@ var _ = Describe("Health Readiness", func() { Context("pprof endpoint", func() { When("basic auth is not configured", func() { BeforeEach(func() { - config.HealthCheckUsername = "" - config.HealthCheckPassword = "" + config.BasicAuth.Username = "" + config.BasicAuth.Password = "" }) It("should not be available", func() { apitest.New(). diff --git a/src/autoscaler/healthendpoint/server.go b/src/autoscaler/healthendpoint/server.go index 1be4f09741..7be0d175ea 100644 --- a/src/autoscaler/healthendpoint/server.go +++ b/src/autoscaler/healthendpoint/server.go @@ -42,10 +42,10 @@ import ( func NewHealthRouter(conf helpers.HealthConfig, healthCheckers []Checker, logger lager.Logger, gatherer prometheus.Gatherer, time func() time.Time) (*mux.Router, error) { var healthRouter *mux.Router var err error - username := conf.HealthCheckUsername - password := conf.HealthCheckPassword - usernameHash := conf.HealthCheckUsernameHash - passwordHash := conf.HealthCheckPasswordHash + username := conf.BasicAuth.Username + password := conf.BasicAuth.Password + usernameHash := conf.BasicAuth.UsernameHash + passwordHash := conf.BasicAuth.PasswordHash if username == "" && password == "" && usernameHash == "" && passwordHash == "" { //when username and password are not set then don't use basic authentication healthRouter = mux.NewRouter() @@ -63,7 +63,7 @@ func NewHealthRouter(conf helpers.HealthConfig, healthCheckers []Checker, logger } func healthBasicAuthRouter(conf helpers.HealthConfig, healthCheckers []Checker, logger lager.Logger, gatherer prometheus.Gatherer, time func() time.Time) (*mux.Router, error) { - ba, err := helpers.CreateBasicAuthMiddleware(logger, conf.HealthCheckUsernameHash, conf.HealthCheckUsername, conf.HealthCheckPasswordHash, conf.HealthCheckPassword) + ba, err := helpers.CreateBasicAuthMiddleware(logger, conf.BasicAuth.UsernameHash, conf.BasicAuth.Username, conf.BasicAuth.PasswordHash, conf.BasicAuth.Password) if err != nil { return nil, err } diff --git a/src/autoscaler/helpers/health.go b/src/autoscaler/helpers/health.go index bfb9ced0e0..ad948afa7d 100644 --- a/src/autoscaler/helpers/health.go +++ b/src/autoscaler/helpers/health.go @@ -3,45 +3,43 @@ package helpers import ( "fmt" + "code.cloudfoundry.org/app-autoscaler/src/autoscaler/models" "golang.org/x/crypto/bcrypt" ) type HealthConfig struct { - HealthCheckUsername string `yaml:"username"` - HealthCheckUsernameHash string `yaml:"username_hash"` - HealthCheckPassword string `yaml:"password"` - HealthCheckPasswordHash string `yaml:"password_hash"` - ReadinessCheckEnabled bool `yaml:"readiness_enabled"` + BasicAuth models.BasicAuth `yaml:"basic_auth"` + ReadinessCheckEnabled bool `yaml:"readiness_enabled"` } var ErrConfiguration = fmt.Errorf("configuration error") func (c *HealthConfig) Validate() error { - if c.HealthCheckUsername != "" && c.HealthCheckUsernameHash != "" { + if c.BasicAuth.Username != "" && c.BasicAuth.UsernameHash != "" { return fmt.Errorf("%w: both healthcheck username and healthcheck username_hash are set, please provide only one of them", ErrConfiguration) } - if c.HealthCheckPassword != "" && c.HealthCheckPasswordHash != "" { + if c.BasicAuth.Password != "" && c.BasicAuth.PasswordHash != "" { return fmt.Errorf("%w: both healthcheck password and healthcheck password_hash are provided, please provide only one of them", ErrConfiguration) } - if c.HealthCheckUsernameHash != "" { - if _, err := bcrypt.Cost([]byte(c.HealthCheckUsernameHash)); err != nil { + if c.BasicAuth.UsernameHash != "" { + if _, err := bcrypt.Cost([]byte(c.BasicAuth.UsernameHash)); err != nil { return fmt.Errorf("%w: healthcheck username_hash is not a valid bcrypt hash", ErrConfiguration) } } - if c.HealthCheckPasswordHash != "" { - if _, err := bcrypt.Cost([]byte(c.HealthCheckPasswordHash)); err != nil { + if c.BasicAuth.PasswordHash != "" { + if _, err := bcrypt.Cost([]byte(c.BasicAuth.PasswordHash)); err != nil { return fmt.Errorf("%w: healthcheck password_hash is not a valid bcrypt hash", ErrConfiguration) } } - if c.HealthCheckUsername == "" && c.HealthCheckPassword != "" { + if c.BasicAuth.Username == "" && c.BasicAuth.Password != "" { return fmt.Errorf("%w: healthcheck username is empty", ErrConfiguration) } - if c.HealthCheckUsername != "" && c.HealthCheckPassword == "" { + if c.BasicAuth.Username != "" && c.BasicAuth.Password == "" { return fmt.Errorf("%w: healthcheck password is empty", ErrConfiguration) } diff --git a/src/autoscaler/helpers/health_test.go b/src/autoscaler/helpers/health_test.go index 605233545e..1df5b4acc4 100644 --- a/src/autoscaler/helpers/health_test.go +++ b/src/autoscaler/helpers/health_test.go @@ -4,6 +4,7 @@ import ( "errors" "code.cloudfoundry.org/app-autoscaler/src/autoscaler/helpers" + "code.cloudfoundry.org/app-autoscaler/src/autoscaler/models" . "code.cloudfoundry.org/app-autoscaler/src/autoscaler/testhelpers" . "github.com/onsi/ginkgo/v2" @@ -25,8 +26,9 @@ var _ = Describe("Health Config", func() { When("Readiness is not supplied", func() { BeforeEach(func() { healthConfigBytes = []byte(` -username: test-username -password: password +basic_auth: + username: test-username + password: password readiness_enabled: false `) }) @@ -37,8 +39,10 @@ readiness_enabled: false Expect(err).ToNot(HaveOccurred()) Expect(healthConfig).To(Equal(helpers.HealthConfig{ - HealthCheckUsername: "test-username", - HealthCheckPassword: "password", + BasicAuth: models.BasicAuth{ + Username: "test-username", + Password: "password", + }, ReadinessCheckEnabled: false, })) }) @@ -47,8 +51,9 @@ readiness_enabled: false BeforeEach(func() { healthConfigBytes = []byte(` port: 9999 -username: test-username -password: password +basic_auth: + username: test-username + password: password readiness_enabled: true `) }) @@ -59,8 +64,10 @@ readiness_enabled: true Expect(err).ToNot(HaveOccurred()) Expect(healthConfig).To(Equal(helpers.HealthConfig{ - HealthCheckUsername: "test-username", - HealthCheckPassword: "password", + BasicAuth: models.BasicAuth{ + Username: "test-username", + Password: "password", + }, ReadinessCheckEnabled: true, })) }) @@ -69,9 +76,10 @@ readiness_enabled: true When("both password password_hash are supplied", func() { BeforeEach(func() { healthConfigBytes = []byte(` -username: test-username -password: password -password_hash: password_hash +basic_auth: + username: test-username + password: password + password_hash: password_hash `) }) It("should fail validation", func() { diff --git a/src/autoscaler/helpers/http_server.go b/src/autoscaler/helpers/http_server.go index 20651246ca..3305c64af9 100644 --- a/src/autoscaler/helpers/http_server.go +++ b/src/autoscaler/helpers/http_server.go @@ -12,8 +12,9 @@ import ( ) type ServerConfig struct { - Port int `yaml:"port"` - TLS models.TLSCerts `yaml:"tls"` + Port int `yaml:"port"` + BasicAuth models.BasicAuth `yaml:"basic_auth"` + TLS models.TLSCerts `yaml:"tls"` } func NewHTTPServer(logger lager.Logger, conf ServerConfig, handler http.Handler) (ifrit.Runner, error) { @@ -26,14 +27,5 @@ func NewHTTPServer(logger lager.Logger, conf ServerConfig, handler http.Handler) logger.Info("new-http-server", lager.Data{"serverConfig": conf}) - if (conf.TLS.KeyFile != "") && (conf.TLS.CertFile != "") { - tlsConfig, err := conf.TLS.CreateServerConfig() - if err != nil { - logger.Error("failed-new-server-new-tls-config", err, lager.Data{"tls": conf.TLS}) - return nil, fmt.Errorf("server tls config error: %w", err) - } - return http_server.NewTLSServer(addr, handler, tlsConfig), nil - } - return http_server.New(addr, handler), nil } diff --git a/src/autoscaler/metricsforwarder/.gitignore b/src/autoscaler/metricsforwarder/.gitignore index 7995a170f2..7e2f179b52 100644 --- a/src/autoscaler/metricsforwarder/.gitignore +++ b/src/autoscaler/metricsforwarder/.gitignore @@ -1,3 +1 @@ assets -metricsforwarder -metricsforwarder.yml diff --git a/src/autoscaler/metricsforwarder/cmd/metricsforwarder/metricsforwarder_suite_test.go b/src/autoscaler/metricsforwarder/cmd/metricsforwarder/metricsforwarder_suite_test.go index 354ce635b8..42585eec38 100644 --- a/src/autoscaler/metricsforwarder/cmd/metricsforwarder/metricsforwarder_suite_test.go +++ b/src/autoscaler/metricsforwarder/cmd/metricsforwarder/metricsforwarder_suite_test.go @@ -134,8 +134,8 @@ var _ = SynchronizedBeforeSuite(func() []byte { cfg.RateLimit.ValidDuration = 1 * time.Second cfg.Logging.Level = "debug" - cfg.Health.HealthCheckUsername = "metricsforwarderhealthcheckuser" - cfg.Health.HealthCheckPassword = "metricsforwarderhealthcheckpassword" + cfg.Health.BasicAuth.Username = "metricsforwarderhealthcheckuser" + cfg.Health.BasicAuth.Password = "metricsforwarderhealthcheckpassword" cfg.Health.ReadinessCheckEnabled = true cfg.Server.Port = 10000 + GinkgoParallelProcess() diff --git a/src/autoscaler/metricsforwarder/server/server_suite_test.go b/src/autoscaler/metricsforwarder/server/server_suite_test.go index 23dbdbcf31..944219e21d 100644 --- a/src/autoscaler/metricsforwarder/server/server_suite_test.go +++ b/src/autoscaler/metricsforwarder/server/server_suite_test.go @@ -72,8 +72,10 @@ var _ = SynchronizedBeforeSuite(func() []byte { healthConfig := helpers.HealthConfig{ ReadinessCheckEnabled: true, - HealthCheckUsername: "metricsforwarderhealthcheckuser", - HealthCheckPassword: "metricsforwarderhealthcheckpassword", + BasicAuth: models.BasicAuth{ + Username: "metricsforwarderhealthcheckuser", + Password: "metricsforwarderhealthcheckpassword", + }, } conf = &config.Config{ Server: serverConfig, diff --git a/src/autoscaler/metricsforwarder/server/server_test.go b/src/autoscaler/metricsforwarder/server/server_test.go index 8c3d121249..c164bdc13b 100644 --- a/src/autoscaler/metricsforwarder/server/server_test.go +++ b/src/autoscaler/metricsforwarder/server/server_test.go @@ -225,7 +225,7 @@ var _ = Describe("CustomMetrics Server", func() { It("returns with a 200", func() { req, err = http.NewRequest("GET", serverUrl, nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(conf.Health.HealthCheckUsername, conf.Health.HealthCheckPassword) + req.SetBasicAuth(conf.Health.BasicAuth.Username, conf.Health.BasicAuth.Password) rsp, err := client.Do(req) Expect(err).NotTo(HaveOccurred()) Expect(rsp.StatusCode).To(Equal(http.StatusOK)) @@ -242,7 +242,7 @@ var _ = Describe("CustomMetrics Server", func() { It("should return 200 for /health", func() { req, err = http.NewRequest("GET", serverUrl+"/health", nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(conf.Health.HealthCheckUsername, conf.Health.HealthCheckPassword) + req.SetBasicAuth(conf.Health.BasicAuth.Username, conf.Health.BasicAuth.Password) rsp, err := client.Do(req) Expect(err).ToNot(HaveOccurred()) Expect(rsp.StatusCode).To(Equal(http.StatusOK)) diff --git a/src/autoscaler/models/security.go b/src/autoscaler/models/security.go index cf94d8d5d5..62ca0e9e36 100644 --- a/src/autoscaler/models/security.go +++ b/src/autoscaler/models/security.go @@ -6,6 +6,13 @@ import ( "code.cloudfoundry.org/tlsconfig" ) +type BasicAuth struct { + Username string `yaml:"username"` + UsernameHash string `yaml:"username_hash"` + Password string `yaml:"password"` + PasswordHash string `yaml:"password_hash"` +} + type TLSCerts struct { KeyFile string `yaml:"key_file" json:"keyFile"` CertFile string `yaml:"cert_file" json:"certFile"` diff --git a/src/autoscaler/operator/cmd/operator/operator_suite_test.go b/src/autoscaler/operator/cmd/operator/operator_suite_test.go index f44ae8e9a3..3a1b6181fb 100644 --- a/src/autoscaler/operator/cmd/operator/operator_suite_test.go +++ b/src/autoscaler/operator/cmd/operator/operator_suite_test.go @@ -124,8 +124,8 @@ func initConfig() { cfg.AppSyncer.SyncInterval = 60 * time.Second cfg.HttpClientTimeout = 10 * time.Second - cfg.Health.HealthCheckUsername = "operatorhealthcheckuser" - cfg.Health.HealthCheckPassword = "operatorhealthcheckuser" + cfg.Health.BasicAuth.Username = "operatorhealthcheckuser" + cfg.Health.BasicAuth.Password = "operatorhealthcheckuser" } func writeConfig(c *config.Config) *os.File { diff --git a/src/autoscaler/operator/cmd/operator/operator_test.go b/src/autoscaler/operator/cmd/operator/operator_test.go index ae2e2b4007..80f21038c3 100644 --- a/src/autoscaler/operator/cmd/operator/operator_test.go +++ b/src/autoscaler/operator/cmd/operator/operator_test.go @@ -133,8 +133,8 @@ var _ = Describe("Operator", Serial, func() { Eventually(runner.Session.Buffer, 5*time.Second).Should(Say("operator.started")) secondRunner = NewOperatorRunner() secondRunner.startCheck = "" - cfg.Health.HealthCheckUsername = "" - cfg.Health.HealthCheckPassword = "" + cfg.Health.BasicAuth.Username = "" + cfg.Health.BasicAuth.Password = "" cfg.Server.Port = 9000 + GinkgoParallelProcess() secondRunner.configPath = writeConfig(&cfg).Name() secondRunner.Start() @@ -166,8 +166,8 @@ var _ = Describe("Operator", Serial, func() { secondRunner = NewOperatorRunner() secondRunner.startCheck = "" - cfg.Health.HealthCheckUsername = "" - cfg.Health.HealthCheckPassword = "" + cfg.Health.BasicAuth.Username = "" + cfg.Health.BasicAuth.Password = "" cfg.Server.Port = 9000 + GinkgoParallelProcess() secondRunner.configPath = writeConfig(&cfg).Name() secondRunner.Start() @@ -315,8 +315,8 @@ var _ = Describe("Operator", Serial, func() { Describe("when Health server is ready to serve RESTful API", func() { BeforeEach(func() { basicAuthConfig := cfg - basicAuthConfig.Health.HealthCheckUsername = "" - basicAuthConfig.Health.HealthCheckPassword = "" + basicAuthConfig.Health.BasicAuth.Username = "" + basicAuthConfig.Health.BasicAuth.Password = "" runner.configPath = writeConfig(&basicAuthConfig).Name() runner.Start() @@ -375,7 +375,7 @@ var _ = Describe("Operator", Serial, func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://127.0.0.1:%d/health", healthport), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(cfg.Health.HealthCheckUsername, cfg.Health.HealthCheckPassword) + req.SetBasicAuth(cfg.Health.BasicAuth.Username, cfg.Health.BasicAuth.Password) rsp, err := healthHttpClient.Do(req) Expect(err).ToNot(HaveOccurred()) @@ -415,7 +415,7 @@ var _ = Describe("Operator", Serial, func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://127.0.0.1:%d/health", healthport), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(cfg.Health.HealthCheckUsername, cfg.Health.HealthCheckPassword) + req.SetBasicAuth(cfg.Health.BasicAuth.Username, cfg.Health.BasicAuth.Password) rsp, err := healthHttpClient.Do(req) Expect(err).ToNot(HaveOccurred()) diff --git a/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_suite_test.go b/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_suite_test.go index eb2ccb2561..328d2b2f73 100644 --- a/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_suite_test.go +++ b/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_suite_test.go @@ -102,8 +102,8 @@ var _ = SynchronizedBeforeSuite( conf.LockSize = 32 conf.HttpClientTimeout = 10 * time.Second - conf.Health.HealthCheckUsername = "scalingenginehealthcheckuser" - conf.Health.HealthCheckPassword = "scalingenginehealthcheckpassword" + conf.Health.BasicAuth.Username = "scalingenginehealthcheckuser" + conf.Health.BasicAuth.Password = "scalingenginehealthcheckpassword" configFile = writeConfig(&conf) diff --git a/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_test.go b/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_test.go index 1db15d63f6..4a51a8ca8a 100644 --- a/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_test.go +++ b/src/autoscaler/scalingengine/cmd/scalingengine/scalingengine_test.go @@ -29,7 +29,7 @@ var _ = Describe("Main", func() { BeforeEach(func() { runner = NewScalingEngineRunner() - serverURL = fmt.Sprintf("https://127.0.0.1:%d", conf.Server.Port) + serverURL = fmt.Sprintf("http://127.0.0.1:%d", conf.Server.Port) }) JustBeforeEach(func() { @@ -204,8 +204,8 @@ var _ = Describe("Main", func() { Describe("when Health server is ready to serve RESTful API", func() { BeforeEach(func() { basicAuthConfig := conf - basicAuthConfig.Health.HealthCheckUsername = "" - basicAuthConfig.Health.HealthCheckPassword = "" + basicAuthConfig.Health.BasicAuth.Username = "" + basicAuthConfig.Health.BasicAuth.Password = "" runner.configPath = writeConfig(&basicAuthConfig).Name() }) @@ -256,7 +256,7 @@ var _ = Describe("Main", func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/health", serverURL), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(conf.Health.HealthCheckUsername, conf.Health.HealthCheckPassword) + req.SetBasicAuth(conf.Health.BasicAuth.Username, conf.Health.BasicAuth.Password) rsp, err := httpClient.Do(req) Expect(err).ToNot(HaveOccurred()) @@ -290,7 +290,7 @@ var _ = Describe("Main", func() { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/health", serverURL), nil) Expect(err).NotTo(HaveOccurred()) - req.SetBasicAuth(conf.Health.HealthCheckUsername, conf.Health.HealthCheckPassword) + req.SetBasicAuth(conf.Health.BasicAuth.Username, conf.Health.BasicAuth.Password) rsp, err := httpClient.Do(req) Expect(err).ToNot(HaveOccurred()) diff --git a/src/autoscaler/scalingengine/server/server.go b/src/autoscaler/scalingengine/server/server.go index d77478dd05..340794d094 100644 --- a/src/autoscaler/scalingengine/server/server.go +++ b/src/autoscaler/scalingengine/server/server.go @@ -86,7 +86,10 @@ func NewServer(logger lager.Logger, conf *config.Config, policyDB db.PolicyDB, s return nil, fmt.Errorf("failed to create health router: %w", err) } + //ba, err := helpers.CreateBasicAuthMiddleware(logger, conf.BasicAuth.UsernameHash, conf.BasicAuth.Username, conf.BasicAuth.PasswordHash, conf.BasicAuth.Password) + mainRouter := setupMainRouter(r, healthRouter) + //mainRouter.Use(ba.BasicAuthenticationMiddleware) return helpers.NewHTTPServer(logger, conf.Server, mainRouter) } diff --git a/src/autoscaler/testhelpers/clients.go b/src/autoscaler/testhelpers/clients.go index 0c7c338e6e..d5437a4406 100644 --- a/src/autoscaler/testhelpers/clients.go +++ b/src/autoscaler/testhelpers/clients.go @@ -13,36 +13,40 @@ import ( ) func NewApiClient() *http.Client { - return CreateClientFor("api") + return createClient() } func NewPublicApiClient() *http.Client { - return CreateClientFor("api_public") + return createTLSClientFor("api_public") } func NewEventGeneratorClient() *http.Client { - return CreateClientFor("eventgenerator") + return createTLSClientFor("eventgenerator") } func NewServiceBrokerClient() *http.Client { - return CreateClientFor("servicebroker") + return createTLSClientFor("servicebroker") } func NewSchedulerClient() *http.Client { - return CreateClientFor("scheduler") + return createTLSClientFor("scheduler") } func NewScalingEngineClient() *http.Client { - return CreateClientFor("scalingengine") + return createClient() } -func CreateClientFor(name string) *http.Client { +func createTLSClientFor(name string) *http.Client { certFolder := TestCertFolder() - return CreateClient(filepath.Join(certFolder, name+".crt"), + return createTLSClient(filepath.Join(certFolder, name+".crt"), filepath.Join(certFolder, name+".key"), filepath.Join(certFolder, "autoscaler-ca.crt")) } -func CreateClient(certFileName, keyFileName, caCertFileName string) *http.Client { +func createClient() *http.Client { + return &http.Client{} +} + +func createTLSClient(certFileName, keyFileName, caCertFileName string) *http.Client { clientTls, err := Build( WithInternalServiceDefaults(), WithIdentityFromFile(certFileName, keyFileName),