diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | acceptance_test.go | 19 | ||||
-rw-r--r-- | helpers_test.go | 76 | ||||
-rw-r--r-- | internal/deprecatedargs/deprecatedargs.go | 29 | ||||
-rw-r--r-- | internal/deprecatedargs/deprecatedargs_test.go | 33 | ||||
-rw-r--r-- | internal/validateargs/validateargs.go | 41 | ||||
-rw-r--r-- | internal/validateargs/validateargs_test.go | 50 | ||||
-rw-r--r-- | main.go | 13 |
8 files changed, 169 insertions, 93 deletions
@@ -2,6 +2,7 @@ shared/pages/.update /gitlab-pages /vendor +/gitlab-pages-config # Used by the makefile /.GOPATH diff --git a/acceptance_test.go b/acceptance_test.go index 79a9b275..4a1b3028 100644 --- a/acceptance_test.go +++ b/acceptance_test.go @@ -650,7 +650,7 @@ func TestPrivateArtifactProxyRequest(t *testing.T) { host: "group.gitlab-example.com", path: "/-/private/-/jobs/1/artifacts/delayed_200.html", status: http.StatusBadGateway, - binaryOption: "-artifacts-server-timeout=1", + binaryOption: "artifacts-server-timeout=1", }, { name: "Proxying 404 from server", @@ -676,19 +676,20 @@ func TestPrivateArtifactProxyRequest(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + configFile, cleanup := defaultConfigFileWith(t, + "artifacts-server="+artifactServerURL, + "auth-server="+testServer.URL, + "auth-redirect-uri=https://projects.gitlab-example.com/auth", + tt.binaryOption) + defer cleanup() + teardown := RunPagesProcessWithSSLCertFile( t, *pagesBinary, listeners, "", certFile, - "-artifacts-server="+artifactServerURL, - "-auth-client-id=1", - "-auth-client-secret=1", - "-auth-server="+testServer.URL, - "-auth-redirect-uri=https://projects.gitlab-example.com/auth", - "-auth-secret=something-very-secret", - tt.binaryOption, + "-config="+configFile, ) defer teardown() @@ -856,7 +857,7 @@ func TestWhenAuthIsEnabledPrivateWillRedirectToAuthorize(t *testing.T) { require.Equal(t, "https", url.Scheme) require.Equal(t, "gitlab-auth.com", url.Host) require.Equal(t, "/oauth/authorize", url.Path) - require.Equal(t, "1", url.Query().Get("client_id")) + require.Equal(t, "clientID", url.Query().Get("client_id")) require.Equal(t, "https://projects.gitlab-example.com/auth", url.Query().Get("redirect_uri")) require.NotEqual(t, "", url.Query().Get("state")) } diff --git a/helpers_test.go b/helpers_test.go index 29ed87de..195c3cea 100644 --- a/helpers_test.go +++ b/helpers_test.go @@ -183,28 +183,35 @@ func RunPagesProcessWithEnvs(t *testing.T, wait bool, pagesPath string, listener return runPagesProcess(t, wait, pagesPath, listeners, promPort, envs, extraArgs...) } -func RunPagesProcessWithAuth(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string) (teardown func()) { - return runPagesProcess(t, true, pagesPath, listeners, promPort, nil, "-auth-client-id=1", - "-auth-client-secret=1", - "-auth-server=https://gitlab-auth.com", - "-auth-redirect-uri=https://projects.gitlab-example.com/auth", - "-auth-secret=something-very-secret") +func RunPagesProcessWithAuth(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string) func() { + configFile, cleanup := defaultConfigFileWith(t, + "auth-server=https://gitlab-auth.com", + "auth-redirect-uri=https://projects.gitlab-example.com/auth") + defer cleanup() + + return runPagesProcess(t, true, pagesPath, listeners, promPort, nil, + "-config="+configFile, + ) } -func RunPagesProcessWithAuthServer(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, authServer string) (teardown func()) { - return runPagesProcess(t, true, pagesPath, listeners, promPort, nil, "-auth-client-id=1", - "-auth-client-secret=1", - "-auth-server="+authServer, - "-auth-redirect-uri=https://projects.gitlab-example.com/auth", - "-auth-secret=something-very-secret") +func RunPagesProcessWithAuthServer(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, authServer string) func() { + configFile, cleanup := defaultConfigFileWith(t, + "auth-server="+authServer, + "auth-redirect-uri=https://projects.gitlab-example.com/auth") + defer cleanup() + + return runPagesProcess(t, true, pagesPath, listeners, promPort, nil, + "-config="+configFile) } -func RunPagesProcessWithAuthServerWithSSL(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, sslCertFile string, authServer string) (teardown func()) { - return runPagesProcess(t, true, pagesPath, listeners, promPort, []string{"SSL_CERT_FILE=" + sslCertFile}, "-auth-client-id=1", - "-auth-client-secret=1", - "-auth-server="+authServer, - "-auth-redirect-uri=https://projects.gitlab-example.com/auth", - "-auth-secret=something-very-secret") +func RunPagesProcessWithAuthServerWithSSL(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, sslCertFile string, authServer string) func() { + configFile, cleanup := defaultConfigFileWith(t, + "auth-server="+authServer, + "auth-redirect-uri=https://projects.gitlab-example.com/auth") + defer cleanup() + + return runPagesProcess(t, true, pagesPath, listeners, promPort, []string{"SSL_CERT_FILE=" + sslCertFile}, + "-config="+configFile) } func runPagesProcess(t *testing.T, wait bool, pagesPath string, listeners []ListenSpec, promPort string, extraEnv []string, extraArgs ...string) (teardown func()) { @@ -440,3 +447,36 @@ func NewGitlabDomainsSourceStub(t *testing.T) *httptest.Server { return httptest.NewServer(handler) } + +func newConfigFile(configs ...string) (string, error) { + f, err := ioutil.TempFile(os.TempDir(), "gitlab-pages-config") + if err != nil { + return "", err + } + defer f.Close() + + for _, config := range configs { + _, err := fmt.Fprintf(f, "%s\n", config) + if err != nil { + return "", err + } + } + + return f.Name(), nil +} + +func defaultConfigFileWith(t *testing.T, configs ...string) (string, func()) { + configs = append(configs, "auth-client-id=clientID", + "auth-client-secret=clientSecret", + "auth-secret=authSecret") + + name, err := newConfigFile(configs...) + require.NoError(t, err) + + cleanup := func() { + err := os.Remove(name) + require.NoError(t, err) + } + + return name, cleanup +} diff --git a/internal/deprecatedargs/deprecatedargs.go b/internal/deprecatedargs/deprecatedargs.go deleted file mode 100644 index 56219e47..00000000 --- a/internal/deprecatedargs/deprecatedargs.go +++ /dev/null @@ -1,29 +0,0 @@ -package deprecatedargs - -import ( - "fmt" - "strings" -) - -var deprecatedArgs = []string{"-auth-client-id", "-auth-client-secret", "-auth-secret", "-sentry-dsn"} - -// Validate checks if deprecated params have been used -func Validate(args []string) error { - foundDeprecatedArgs := []string{} - argMap := make(map[string]bool) - - for _, arg := range args { - argMap[arg] = true - } - - for _, deprecatedArg := range deprecatedArgs { - if argMap[deprecatedArg] { - foundDeprecatedArgs = append(foundDeprecatedArgs, deprecatedArg) - } - } - - if len(foundDeprecatedArgs) > 0 { - return fmt.Errorf("Deprecation message: %s should not be passed as a command line arguments", strings.Join(foundDeprecatedArgs, ", ")) - } - return nil -} diff --git a/internal/deprecatedargs/deprecatedargs_test.go b/internal/deprecatedargs/deprecatedargs_test.go deleted file mode 100644 index b1ebeb41..00000000 --- a/internal/deprecatedargs/deprecatedargs_test.go +++ /dev/null @@ -1,33 +0,0 @@ -package deprecatedargs - -import ( - "testing" - - "github.com/stretchr/testify/require" -) - -func TestValidParams(t *testing.T) { - args := []string{"gitlab-pages", - "-listen-http", ":3010", - "-artifacts-server", "http://192.168.1.123:3000/api/v4", - "-pages-domain", "127.0.0.1.xip.io"} - res := Validate(args) - require.Nil(t, res) -} - -func TestInvalidParms(t *testing.T) { - tests := map[string][]string{ - "Client ID passed": []string{"gitlab-pages", "-auth-client-id", "abc123"}, - "Client secret passed": []string{"gitlab-pages", "-auth-client-secret", "abc123"}, - "Auth secret passed": []string{"gitlab-pages", "-auth-secret", "abc123"}, - "Sentry DSN passed": []string{"gitlab-pages", "-sentry-dsn", "abc123"}, - "Multiple keys passed": []string{"gitlab-pages", "-auth-client-id", "abc123", "-auth-client-secret", "abc123"}, - } - - for name, args := range tests { - t.Run(name, func(t *testing.T) { - err := Validate(args) - require.Error(t, err) - }) - } -} diff --git a/internal/validateargs/validateargs.go b/internal/validateargs/validateargs.go new file mode 100644 index 00000000..3b75b69b --- /dev/null +++ b/internal/validateargs/validateargs.go @@ -0,0 +1,41 @@ +package validateargs + +import ( + "fmt" + "strings" +) + +const ( + deprecatedMessage = "command line options have been deprecated:" + notAllowedMsg = "invalid command line arguments:" +) + +var deprecatedArgs = []string{"-sentry-dsn"} +var notAllowedArgs = []string{"-auth-client-id", "-auth-client-secret", "-auth-secret"} + +// Deprecated checks if deprecated params have been used +func Deprecated(args []string) error { + return validate(args, deprecatedArgs, deprecatedMessage) +} + +// NotAllowed checks if explicitly not allowed params have been used +func NotAllowed(args []string) error { + return validate(args, notAllowedArgs, notAllowedMsg) +} + +func validate(args, invalidArgs []string, errMsg string) error { + var foundInvalidArgs []string + + argsStr := strings.Join(args, " ") + for _, invalidArg := range invalidArgs { + if strings.Contains(argsStr, invalidArg) { + foundInvalidArgs = append(foundInvalidArgs, invalidArg) + } + } + + if len(foundInvalidArgs) > 0 { + return fmt.Errorf("%s %s", errMsg, strings.Join(foundInvalidArgs, ", ")) + } + + return nil +} diff --git a/internal/validateargs/validateargs_test.go b/internal/validateargs/validateargs_test.go new file mode 100644 index 00000000..7bf2ec10 --- /dev/null +++ b/internal/validateargs/validateargs_test.go @@ -0,0 +1,50 @@ +package validateargs + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +func TestValidParams(t *testing.T) { + args := []string{"gitlab-pages", + "-listen-http", ":3010", + "-artifacts-server", "http://192.168.1.123:3000/api/v4", + "-pages-domain", "127.0.0.1.xip.io"} + require.NoError(t, Deprecated(args)) + require.NoError(t, NotAllowed(args)) +} + +func TestInvalidDeprecatedParms(t *testing.T) { + tests := map[string][]string{ + "Sentry DSN passed": []string{"gitlab-pages", "-sentry-dsn", "abc123"}, + "Sentry DSN using key=value": []string{"gitlab-pages", "-sentry-dsn=abc123"}, + } + + for name, args := range tests { + t.Run(name, func(t *testing.T) { + err := Deprecated(args) + require.Error(t, err) + require.Contains(t, err.Error(), deprecatedMessage) + }) + } +} + +func TestInvalidNotAllowedParams(t *testing.T) { + tests := map[string][]string{ + "Client ID passed": []string{"gitlab-pages", "-auth-client-id", "abc123"}, + "Client secret passed": []string{"gitlab-pages", "-auth-client-secret", "abc123"}, + "Auth secret passed": []string{"gitlab-pages", "-auth-secret", "abc123"}, + "Multiple keys passed": []string{"gitlab-pages", "-auth-client-id", "abc123", "-auth-client-secret", "abc123"}, + "key=value": []string{"gitlab-pages", "-auth-client-id=abc123"}, + "multiple key=value": []string{"gitlab-pages", "-auth-client-id=abc123", "-auth-client-secret=abc123"}, + } + + for name, args := range tests { + t.Run(name, func(t *testing.T) { + err := NotAllowed(args) + require.Error(t, err) + require.Contains(t, err.Error(), notAllowedMsg) + }) + } +} @@ -15,10 +15,10 @@ import ( log "github.com/sirupsen/logrus" "gitlab.com/gitlab-org/labkit/errortracking" - "gitlab.com/gitlab-org/gitlab-pages/internal/deprecatedargs" "gitlab.com/gitlab-org/gitlab-pages/internal/host" "gitlab.com/gitlab-org/gitlab-pages/internal/logging" "gitlab.com/gitlab-org/gitlab-pages/internal/tlsconfig" + "gitlab.com/gitlab-org/gitlab-pages/internal/validateargs" "gitlab.com/gitlab-org/gitlab-pages/metrics" ) @@ -58,7 +58,7 @@ var ( _ = flag.String("admin-https-listener", "", "DEPRECATED") _ = flag.String("admin-https-cert", "", "DEPRECATED") _ = flag.String("admin-https-key", "", "DEPRECATED") - secret = flag.String("auth-secret", "", "Cookie store hash key, should be at least 32 bytes long.") + secret = flag.String("auth-secret", "", "Cookie store hash key, should be at least 32 bytes long") gitLabAuthServer = flag.String("auth-server", "", "DEPRECATED, use gitlab-server instead. GitLab server, for example https://www.gitlab.com") gitLabServer = flag.String("gitlab-server", "", "GitLab server, for example https://www.gitlab.com") internalGitLabServer = flag.String("internal-gitlab-server", "", "Internal GitLab server used for API requests, useful if you want to send that traffic over an internal load balancer, example value https://www.gitlab.com (defaults to value of gitlab-server)") @@ -240,8 +240,12 @@ func initErrorReporting(sentryDSN, sentryEnvironment string) { } func loadConfig() appConfig { - if err := deprecatedargs.Validate(os.Args[1:]); err != nil { - log.WithError(err) + if err := validateargs.NotAllowed(os.Args[1:]); err != nil { + log.WithError(err).Fatal("Using invalid arguments, use -config=gitlab-pages-config file instead") + } + + if err := validateargs.Deprecated(os.Args[1:]); err != nil { + log.WithError(err).Warn("Using deprecated arguments") } config := configFromFlags() @@ -286,6 +290,7 @@ func loadConfig() appConfig { func appMain() { var showVersion = flag.Bool("version", false, "Show version") + // read from -config=/path/to/gitlab-pages-config flag.String(flag.DefaultConfigFlagname, "", "path to config file") flag.Parse() if err := tlsconfig.ValidateTLSVersions(*tlsMinVersion, *tlsMaxVersion); err != nil { |