handle muxed connections in resolvePraefectAddress

With muxed connections, authInfo is never nil. If no transport security
is needed, it is set to the 'insecure' transport credentials.
resolvePraefectAddress was not taking the transport security type into
account and failed when Gitaly was contacted over an insecure muxed TCP
connection. This commit fixes the problem by handling the insecure muxed
TCP connection case as it does without the multiplexing.

2 files changed, 50 insertions, 15 deletions

diff --git a/internal/praefect/metadata/server.go b/internal/praefect/metadata/server.go
index dc21d3b7d..0115fe9c9 100644
--- a/internal/praefect/metadata/server.go
+++ b/internal/praefect/metadata/server.go
@@ -9,6 +9,7 @@ import (
 	"net"
 	"net/url"
 
+	"gitlab.com/gitlab-org/gitaly/internal/backchannel"
 	"gitlab.com/gitlab-org/gitaly/internal/bootstrap/starter"
 	"gitlab.com/gitlab-org/gitaly/internal/praefect/config"
 	"google.golang.org/grpc/credentials"
@@ -114,8 +115,13 @@ func (p *PraefectServer) resolvePraefectAddress(peer *peer.Peer) error {
 
 		return nil
 	case *net.TCPAddr:
-		switch peer.AuthInfo {
-		case nil:
+		var authType string
+		if peer.AuthInfo != nil {
+			authType = peer.AuthInfo.AuthType()
+		}
+
+		switch authType {
+		case "", backchannel.Insecure().Info().SecurityProtocol:
 			// no transport security being used
 			addr, err := substituteListeningWithIP(p.ListenAddr, addr.IP.String())
 			if err != nil {
diff --git a/internal/praefect/metadata/server_test.go b/internal/praefect/metadata/server_test.go
index 44ab3af2b..cd4ad7067 100644
--- a/internal/praefect/metadata/server_test.go
+++ b/internal/praefect/metadata/server_test.go
@@ -5,12 +5,27 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"gitlab.com/gitlab-org/gitaly/internal/backchannel"
 	"gitlab.com/gitlab-org/gitaly/internal/praefect/config"
 	"gitlab.com/gitlab-org/gitaly/internal/testhelper"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/peer"
 )
 
+func muxedPeer(t testing.TB, p *peer.Peer) *peer.Peer {
+	t.Helper()
+
+	authInfo := p.AuthInfo
+	if authInfo == nil {
+		var err error
+		_, authInfo, err = backchannel.Insecure().ServerHandshake(nil)
+		require.NoError(t, err)
+	}
+
+	p.AuthInfo = backchannel.WithID(authInfo, 1)
+	return p
+}
+
 func tcpPeer(t *testing.T, ip string, port int) *peer.Peer {
 	parsedAddress := net.ParseIP(ip)
 	require.NotNil(t, parsedAddress)
@@ -152,23 +167,37 @@ func TestPraefect_InjectMetadata(t *testing.T) {
 				SocketPath:    tc.socketPath,
 			}
 
-			ctx = peer.NewContext(ctx, tc.peer)
+			for _, muxed := range []bool{false, true} {
+				desc := "unmuxed"
+				if muxed {
+					desc = "muxed"
+				}
+
+				t.Run(desc, func(t *testing.T) {
+					p := tc.peer
+					if muxed {
+						p = muxedPeer(t, tc.peer)
+					}
+
+					ctx = peer.NewContext(ctx, p)
 
-			praefectServer, err := PraefectFromConfig(cfg)
-			require.NoError(t, err)
+					praefectServer, err := PraefectFromConfig(cfg)
+					require.NoError(t, err)
 
-			ctx, err = praefectServer.Inject(ctx)
-			require.NoError(t, err)
+					ctx, err = praefectServer.Inject(ctx)
+					require.NoError(t, err)
 
-			server, err := PraefectFromContext(ctx)
-			if tc.expectedAddress == "" {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
+					server, err := PraefectFromContext(ctx)
+					if tc.expectedAddress == "" {
+						require.Error(t, err)
+					} else {
+						require.NoError(t, err)
 
-				address, err := server.Address()
-				require.NoError(t, err)
-				require.Equal(t, tc.expectedAddress, address)
+						address, err := server.Address()
+						require.NoError(t, err)
+						require.Equal(t, tc.expectedAddress, address)
+					}
+				})
 			}
 		})
 	}