Pass gitaly token into gitaly-hooks

7 files changed, 46 insertions, 31 deletions

diff --git a/changelogs/unreleased/jc-pass-token-into-hook.yml b/changelogs/unreleased/jc-pass-token-into-hook.yml
new file mode 100644
index 000000000..bee806f51
--- /dev/null
+++ b/changelogs/unreleased/jc-pass-token-into-hook.yml
@@ -0,0 +1,5 @@
+---
+title: Pass gitaly token into gitaly-hooks
+merge_request: 2035
+author:
+type: fixed
diff --git a/cmd/gitaly-hooks/hooks.go b/cmd/gitaly-hooks/hooks.go
index 552b9a663..e95c16c6a 100644
--- a/cmd/gitaly-hooks/hooks.go
+++ b/cmd/gitaly-hooks/hooks.go
@@ -65,7 +65,12 @@ func main() {
 		logger.Fatal(errors.New("GITALY_SOCKET not set"))
 	}
 
-	conn, err := client.Dial("unix://"+gitalySocket, dialOpts(os.Getenv("GITALY_TOKEN")))
+	gitalyToken, ok := os.LookupEnv("GITALY_TOKEN")
+	if !ok {
+		logger.Fatal(errors.New("GITALY_TOKEN not set"))
+	}
+
+	conn, err := client.Dial("unix://"+gitalySocket, dialOpts(gitalyToken))
 	if err != nil {
 		logger.Fatalf("error when dialing: %v", err)
 	}
diff --git a/cmd/gitaly-hooks/hooks_test.go b/cmd/gitaly-hooks/hooks_test.go
index 152da93fd..f9f247512 100644
--- a/cmd/gitaly-hooks/hooks_test.go
+++ b/cmd/gitaly-hooks/hooks_test.go
@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
-	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -20,7 +19,6 @@ import (
 	hook "gitlab.com/gitlab-org/gitaly/internal/service/hooks"
 	"gitlab.com/gitlab-org/gitaly/internal/testhelper"
 	"gitlab.com/gitlab-org/gitaly/proto/go/gitalypb"
-	"google.golang.org/grpc"
 	"google.golang.org/grpc/reflection"
 )
 
@@ -86,8 +84,9 @@ func TestHooksPrePostReceive(t *testing.T) {
 
 	gitObjectDirRegex := regexp.MustCompile(`(?m)^GIT_OBJECT_DIRECTORY=(.*)$`)
 	gitAlternateObjectDirRegex := regexp.MustCompile(`(?m)^GIT_ALTERNATE_OBJECT_DIRECTORIES=(.*)$`)
-	srv, socket := runHookServiceServer(t)
-	defer srv.Stop()
+	token := "abc123"
+	socket, stop := runHookServiceServer(t, token)
+	defer stop()
 
 	testCases := []struct {
 		hookName string
@@ -128,6 +127,7 @@ func TestHooksPrePostReceive(t *testing.T) {
 				t,
 				tempGitlabShellDir,
 				socket,
+				token,
 				testRepo,
 				testhelper.GlHookValues{
 					GLID:                   glID,
@@ -191,15 +191,16 @@ func TestHooksUpdate(t *testing.T) {
 
 	config.Config.GitlabShell.Dir = tempGitlabShellDir
 
-	srv, socket := runHookServiceServer(t)
-	defer srv.Stop()
+	token := "abc123"
+	socket, stop := runHookServiceServer(t, token)
+	defer stop()
 
 	require.NoError(t, os.MkdirAll(filepath.Join(tempGitlabShellDir, "hooks", "update.d"), 0755))
 	testhelper.MustRunCommand(t, nil, "cp", "testdata/update", filepath.Join(tempGitlabShellDir, "hooks", "update.d", "update"))
 
 	for _, callRPC := range []bool{true, false} {
 		t.Run(fmt.Sprintf("call rpc: %t", callRPC), func(t *testing.T) {
-			testHooksUpdate(t, tempGitlabShellDir, socket, testhelper.GlHookValues{
+			testHooksUpdate(t, tempGitlabShellDir, socket, token, testhelper.GlHookValues{
 				GLID:       glID,
 				GLUsername: glUsername,
 				GLRepo:     glRepository,
@@ -209,7 +210,7 @@ func TestHooksUpdate(t *testing.T) {
 	}
 }
 
-func testHooksUpdate(t *testing.T, gitlabShellDir, socket string, glValues testhelper.GlHookValues, callRPC bool) {
+func testHooksUpdate(t *testing.T, gitlabShellDir, socket, token string, glValues testhelper.GlHookValues, callRPC bool) {
 	testRepo, testRepoPath, cleanupFn := testhelper.NewTestRepo(t)
 	defer cleanupFn()
 
@@ -217,7 +218,7 @@ func testHooksUpdate(t *testing.T, gitlabShellDir, socket string, glValues testh
 	updateHookPath, err := filepath.Abs("../../ruby/git-hooks/update")
 	require.NoError(t, err)
 	cmd := exec.Command(updateHookPath, refval, oldval, newval)
-	cmd.Env = testhelper.EnvForHooks(t, gitlabShellDir, socket, testRepo, glValues)
+	cmd.Env = testhelper.EnvForHooks(t, gitlabShellDir, socket, token, testRepo, glValues)
 	cmd.Dir = testRepoPath
 	tempFilePath := filepath.Join(testRepoPath, "tempfile")
 
@@ -297,15 +298,16 @@ func TestHooksPostReceiveFailed(t *testing.T) {
 	customHookOutputPath, cleanup := testhelper.WriteEnvToCustomHook(t, testRepoPath, "post-receive")
 	defer cleanup()
 
-	srv, socket := runHookServiceServer(t)
-	defer srv.Stop()
+	token := "abc123"
+	socket, stop := runHookServiceServer(t, token)
+	defer stop()
 
 	var stdout, stderr bytes.Buffer
 
 	postReceiveHookPath, err := filepath.Abs("../../ruby/git-hooks/post-receive")
 	require.NoError(t, err)
 	cmd := exec.Command(postReceiveHookPath)
-	cmd.Env = testhelper.EnvForHooks(t, tempGitlabShellDir, socket, testRepo, testhelper.GlHookValues{
+	cmd.Env = testhelper.EnvForHooks(t, tempGitlabShellDir, socket, token, testRepo, testhelper.GlHookValues{
 		GLID:       glID,
 		GLUsername: glUsername,
 		GLRepo:     glRepository,
@@ -367,8 +369,9 @@ func TestHooksNotAllowed(t *testing.T) {
 	defer cleanup()
 
 	config.Config.GitlabShell.Dir = tempGitlabShellDir
-	srv, socket := runHookServiceServer(t)
-	defer srv.Stop()
+	token := "abc123"
+	socket, stop := runHookServiceServer(t, token)
+	defer stop()
 
 	var stderr, stdout bytes.Buffer
 
@@ -378,7 +381,7 @@ func TestHooksNotAllowed(t *testing.T) {
 	cmd.Stderr = &stderr
 	cmd.Stdout = &stdout
 	cmd.Stdin = strings.NewReader(changes)
-	cmd.Env = testhelper.EnvForHooks(t, tempGitlabShellDir, socket, testRepo, testhelper.GlHookValues{
+	cmd.Env = testhelper.EnvForHooks(t, tempGitlabShellDir, socket, token, testRepo, testhelper.GlHookValues{
 		GLID:       glID,
 		GLUsername: glUsername,
 		GLRepo:     glRepository,
@@ -488,19 +491,12 @@ func TestCheckBadCreds(t *testing.T) {
 	require.Equal(t, "FAILED. code: 401\n", stderr.String())
 }
 
-func runHookServiceServer(t *testing.T) (*grpc.Server, string) {
-	server := testhelper.NewTestGrpcServer(t, nil, nil)
+func runHookServiceServer(t *testing.T, token string) (string, func()) {
+	server := testhelper.NewServerWithAuth(t, nil, nil, token)
 
-	serverSocketPath := testhelper.GetTemporaryGitalySocketFileName()
-	listener, err := net.Listen("unix", serverSocketPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	gitalypb.RegisterHookServiceServer(server, hook.NewServer())
-	reflection.Register(server)
-
-	go server.Serve(listener)
+	gitalypb.RegisterHookServiceServer(server.GrpcServer(), hook.NewServer())
+	reflection.Register(server.GrpcServer())
+	require.NoError(t, server.Start())
 
-	return server, serverSocketPath
+	return server.Socket(), server.Stop
 }
diff --git a/internal/git/receivepack.go b/internal/git/receivepack.go
index b321a83b1..4e65e1e1b 100644
--- a/internal/git/receivepack.go
+++ b/internal/git/receivepack.go
@@ -35,6 +35,7 @@ func HookEnv(req ReceivePackRequest) ([]string, error) {
 		fmt.Sprintf("GL_REPOSITORY=%s", req.GetGlRepository()),
 		fmt.Sprintf("GITALY_SOCKET=" + config.GitalyInternalSocketPath()),
 		fmt.Sprintf("GITALY_REPO=%s", repo),
+		fmt.Sprintf("GITALY_TOKEN=%s", config.Config.Auth.Token),
 	}, gitlabshell.Env()...), nil
 }
 
diff --git a/internal/service/smarthttp/receive_pack_test.go b/internal/service/smarthttp/receive_pack_test.go
index d79233b27..d8c9e0a45 100644
--- a/internal/service/smarthttp/receive_pack_test.go
+++ b/internal/service/smarthttp/receive_pack_test.go
@@ -353,6 +353,11 @@ func testPostReceivePackToHooks(t *testing.T, callRPC bool) {
 	glRepository := "some_repo"
 	glID := "key-123"
 
+	defer func(token string) {
+		config.Config.Auth.Token = token
+	}(config.Config.Auth.Token)
+	config.Config.Auth.Token = "abc123"
+
 	server, socket := runSmartHTTPHookServiceServer(t)
 	defer server.Stop()
 
diff --git a/internal/service/smarthttp/testhelper_test.go b/internal/service/smarthttp/testhelper_test.go
index 212ff9a4c..34ad47776 100644
--- a/internal/service/smarthttp/testhelper_test.go
+++ b/internal/service/smarthttp/testhelper_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	gitalyauth "gitlab.com/gitlab-org/gitaly/auth"
 	"gitlab.com/gitlab-org/gitaly/internal/config"
 	"gitlab.com/gitlab-org/gitaly/internal/git/hooks"
 	"gitlab.com/gitlab-org/gitaly/internal/testhelper"
@@ -40,7 +41,7 @@ func testMain(m *testing.M) int {
 }
 
 func runSmartHTTPServer(t *testing.T, serverOpts ...ServerOpt) (string, func()) {
-	srv := testhelper.NewServer(t, nil, nil)
+	srv := testhelper.NewServerWithAuth(t, nil, nil, config.Config.Auth.Token)
 
 	gitalypb.RegisterSmartHTTPServiceServer(srv.GrpcServer(), NewServer(serverOpts...))
 	reflection.Register(srv.GrpcServer())
@@ -53,6 +54,7 @@ func runSmartHTTPServer(t *testing.T, serverOpts ...ServerOpt) (string, func())
 func newSmartHTTPClient(t *testing.T, serverSocketPath string) (gitalypb.SmartHTTPServiceClient, *grpc.ClientConn) {
 	connOpts := []grpc.DialOption{
 		grpc.WithInsecure(),
+		grpc.WithPerRPCCredentials(gitalyauth.RPCCredentials(config.Config.Auth.Token)),
 	}
 	conn, err := grpc.Dial(serverSocketPath, connOpts...)
 	if err != nil {
diff --git a/internal/testhelper/testserver.go b/internal/testhelper/testserver.go
index 3cd70b9eb..135d0db44 100644
--- a/internal/testhelper/testserver.go
+++ b/internal/testhelper/testserver.go
@@ -468,7 +468,7 @@ type GlHookValues struct {
 var jsonpbMarshaller jsonpb.Marshaler
 
 // EnvForHooks generates a set of environment variables for gitaly hooks
-func EnvForHooks(t TB, gitlabShellDir, gitalySocket string, repo *gitalypb.Repository, glHookValues GlHookValues, gitPushOptions ...string) []string {
+func EnvForHooks(t TB, gitlabShellDir, gitalySocket, gitalyToken string, repo *gitalypb.Repository, glHookValues GlHookValues, gitPushOptions ...string) []string {
 	rubyDir, err := filepath.Abs("../../ruby")
 	require.NoError(t, err)
 
@@ -483,6 +483,7 @@ func EnvForHooks(t TB, gitlabShellDir, gitalySocket string, repo *gitalypb.Repos
 		fmt.Sprintf("GL_PROTOCOL=%s", glHookValues.GLProtocol),
 		fmt.Sprintf("GL_USERNAME=%s", glHookValues.GLUsername),
 		fmt.Sprintf("GITALY_SOCKET=%s", gitalySocket),
+		fmt.Sprintf("GITALY_TOKEN=%s", gitalyToken),
 		fmt.Sprintf("GITALY_REPO=%v", repoString),
 		fmt.Sprintf("GITALY_GITLAB_SHELL_DIR=%s", gitlabShellDir),
 		fmt.Sprintf("GITALY_LOG_DIR=%s", gitlabShellDir),