434 lines
16 KiB
Go
434 lines
16 KiB
Go
package upstream
|
|
|
|
import (
|
|
"net/http"
|
|
"net/url"
|
|
"regexp"
|
|
|
|
"github.com/gorilla/websocket"
|
|
"github.com/prometheus/client_golang/prometheus"
|
|
|
|
"gitlab.com/gitlab-org/labkit/log"
|
|
"gitlab.com/gitlab-org/labkit/tracing"
|
|
|
|
apipkg "gitlab.com/gitlab-org/gitlab/workhorse/internal/api"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/artifacts"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/builds"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/channel"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/config"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/dependencyproxy"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/git"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/helper"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/imageresizer"
|
|
proxypkg "gitlab.com/gitlab-org/gitlab/workhorse/internal/proxy"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/queueing"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/secret"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/senddata"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/sendfile"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/sendurl"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/staticpages"
|
|
"gitlab.com/gitlab-org/gitlab/workhorse/internal/upload"
|
|
)
|
|
|
|
type matcherFunc func(*http.Request) bool
|
|
|
|
type routeEntry struct {
|
|
method string
|
|
regex *regexp.Regexp
|
|
handler http.Handler
|
|
matchers []matcherFunc
|
|
}
|
|
|
|
type routeOptions struct {
|
|
tracing bool
|
|
isGeoProxyRoute bool
|
|
matchers []matcherFunc
|
|
}
|
|
|
|
const (
|
|
apiPattern = `^/api/`
|
|
ciAPIPattern = `^/ci/api/`
|
|
gitProjectPattern = `^/.+\.git/`
|
|
geoGitProjectPattern = `^/[^-].+\.git/` // Prevent matching routes like /-/push_from_secondary
|
|
projectPattern = `^/([^/]+/){1,}[^/]+/`
|
|
apiProjectPattern = apiPattern + `v4/projects/[^/]+` // API: Projects can be encoded via group%2Fsubgroup%2Fproject
|
|
apiGroupPattern = apiPattern + `v4/groups/[^/]+`
|
|
apiTopicPattern = apiPattern + `v4/topics`
|
|
snippetUploadPattern = `^/uploads/personal_snippet`
|
|
userUploadPattern = `^/uploads/user`
|
|
importPattern = `^/import/`
|
|
)
|
|
|
|
var (
|
|
// For legacy reasons, user uploads are stored in public/uploads. To
|
|
// prevent anybody who knows/guesses the URL of a user-uploaded file
|
|
// from downloading it we configure static.ServeExisting to treat files
|
|
// under public/uploads/ as if they do not exist.
|
|
staticExclude = []string{"/uploads/"}
|
|
)
|
|
|
|
func compileRegexp(regexpStr string) *regexp.Regexp {
|
|
if len(regexpStr) == 0 {
|
|
return nil
|
|
}
|
|
|
|
return regexp.MustCompile(regexpStr)
|
|
}
|
|
|
|
func withMatcher(f matcherFunc) func(*routeOptions) {
|
|
return func(options *routeOptions) {
|
|
options.matchers = append(options.matchers, f)
|
|
}
|
|
}
|
|
|
|
func withoutTracing() func(*routeOptions) {
|
|
return func(options *routeOptions) {
|
|
options.tracing = false
|
|
}
|
|
}
|
|
|
|
func withGeoProxy() func(*routeOptions) {
|
|
return func(options *routeOptions) {
|
|
options.isGeoProxyRoute = true
|
|
}
|
|
}
|
|
|
|
func (u *upstream) observabilityMiddlewares(handler http.Handler, method string, regexpStr string, opts *routeOptions) http.Handler {
|
|
handler = log.AccessLogger(
|
|
handler,
|
|
log.WithAccessLogger(u.accessLogger),
|
|
log.WithExtraFields(func(r *http.Request) log.Fields {
|
|
return log.Fields{
|
|
"route": regexpStr, // This field matches the `route` label in Prometheus metrics
|
|
}
|
|
}),
|
|
)
|
|
|
|
handler = instrumentRoute(handler, method, regexpStr) // Add prometheus metrics
|
|
|
|
if opts != nil && opts.isGeoProxyRoute {
|
|
handler = instrumentGeoProxyRoute(handler, method, regexpStr) // Add Geo prometheus metrics
|
|
}
|
|
|
|
return handler
|
|
}
|
|
|
|
func (u *upstream) route(method, regexpStr string, handler http.Handler, opts ...func(*routeOptions)) routeEntry {
|
|
// Instantiate a route with the defaults
|
|
options := routeOptions{
|
|
tracing: true,
|
|
}
|
|
|
|
for _, f := range opts {
|
|
f(&options)
|
|
}
|
|
|
|
handler = u.observabilityMiddlewares(handler, method, regexpStr, &options)
|
|
handler = denyWebsocket(handler) // Disallow websockets
|
|
if options.tracing {
|
|
// Add distributed tracing
|
|
handler = tracing.Handler(handler, tracing.WithRouteIdentifier(regexpStr))
|
|
}
|
|
|
|
return routeEntry{
|
|
method: method,
|
|
regex: compileRegexp(regexpStr),
|
|
handler: handler,
|
|
matchers: options.matchers,
|
|
}
|
|
}
|
|
|
|
func (u *upstream) wsRoute(regexpStr string, handler http.Handler, matchers ...matcherFunc) routeEntry {
|
|
method := "GET"
|
|
handler = u.observabilityMiddlewares(handler, method, regexpStr, nil)
|
|
|
|
return routeEntry{
|
|
method: method,
|
|
regex: compileRegexp(regexpStr),
|
|
handler: handler,
|
|
matchers: append(matchers, websocket.IsWebSocketUpgrade),
|
|
}
|
|
}
|
|
|
|
// Creates matcherFuncs for a particular content type.
|
|
func isContentType(contentType string) func(*http.Request) bool {
|
|
return func(r *http.Request) bool {
|
|
return helper.IsContentType(contentType, r.Header.Get("Content-Type"))
|
|
}
|
|
}
|
|
|
|
func (ro *routeEntry) isMatch(cleanedPath string, req *http.Request) bool {
|
|
if ro.method != "" && req.Method != ro.method {
|
|
return false
|
|
}
|
|
|
|
if ro.regex != nil && !ro.regex.MatchString(cleanedPath) {
|
|
return false
|
|
}
|
|
|
|
ok := true
|
|
for _, matcher := range ro.matchers {
|
|
ok = matcher(req)
|
|
if !ok {
|
|
break
|
|
}
|
|
}
|
|
|
|
return ok
|
|
}
|
|
|
|
func buildProxy(backend *url.URL, version string, rt http.RoundTripper, cfg config.Config, dependencyProxyInjector *dependencyproxy.Injector) http.Handler {
|
|
proxier := proxypkg.NewProxy(backend, version, rt)
|
|
|
|
return senddata.SendData(
|
|
sendfile.SendFile(apipkg.Block(proxier)),
|
|
git.SendArchive,
|
|
git.SendBlob,
|
|
git.SendDiff,
|
|
git.SendPatch,
|
|
git.SendSnapshot,
|
|
artifacts.SendEntry,
|
|
sendurl.SendURL,
|
|
imageresizer.NewResizer(cfg),
|
|
dependencyProxyInjector,
|
|
)
|
|
}
|
|
|
|
// Routing table
|
|
// We match against URI not containing the relativeUrlRoot:
|
|
// see upstream.ServeHTTP
|
|
|
|
func configureRoutes(u *upstream) {
|
|
api := u.APIClient
|
|
static := &staticpages.Static{DocumentRoot: u.DocumentRoot, Exclude: staticExclude}
|
|
dependencyProxyInjector := dependencyproxy.NewInjector()
|
|
proxy := buildProxy(u.Backend, u.Version, u.RoundTripper, u.Config, dependencyProxyInjector)
|
|
cableProxy := proxypkg.NewProxy(u.CableBackend, u.Version, u.CableRoundTripper)
|
|
|
|
assetsNotFoundHandler := NotFoundUnless(u.DevelopmentMode, proxy)
|
|
if u.AltDocumentRoot != "" {
|
|
altStatic := &staticpages.Static{DocumentRoot: u.AltDocumentRoot, Exclude: staticExclude}
|
|
assetsNotFoundHandler = altStatic.ServeExisting(
|
|
u.URLPrefix,
|
|
staticpages.CacheExpireMax,
|
|
NotFoundUnless(u.DevelopmentMode, proxy),
|
|
)
|
|
}
|
|
|
|
signingTripper := secret.NewRoundTripper(u.RoundTripper, u.Version)
|
|
signingProxy := buildProxy(u.Backend, u.Version, signingTripper, u.Config, dependencyProxyInjector)
|
|
|
|
preparer := upload.NewObjectStoragePreparer(u.Config)
|
|
requestBodyUploader := upload.RequestBody(api, signingProxy, preparer)
|
|
mimeMultipartUploader := upload.Multipart(api, signingProxy, preparer)
|
|
|
|
tempfileMultipartProxy := upload.FixedPreAuthMultipart(api, proxy, preparer)
|
|
ciAPIProxyQueue := queueing.QueueRequests("ci_api_job_requests", tempfileMultipartProxy, u.APILimit, u.APIQueueLimit, u.APIQueueTimeout, prometheus.DefaultRegisterer)
|
|
ciAPILongPolling := builds.RegisterHandler(ciAPIProxyQueue, u.watchKeyHandler, u.APICILongPollingDuration)
|
|
|
|
dependencyProxyInjector.SetUploadHandler(requestBodyUploader)
|
|
|
|
// Serve static files or forward the requests
|
|
defaultUpstream := static.ServeExisting(
|
|
u.URLPrefix,
|
|
staticpages.CacheDisabled,
|
|
static.DeployPage(static.ErrorPagesUnless(u.DevelopmentMode, staticpages.ErrorFormatHTML, tempfileMultipartProxy)),
|
|
)
|
|
probeUpstream := static.ErrorPagesUnless(u.DevelopmentMode, staticpages.ErrorFormatJSON, proxy)
|
|
healthUpstream := static.ErrorPagesUnless(u.DevelopmentMode, staticpages.ErrorFormatText, proxy)
|
|
|
|
u.Routes = []routeEntry{
|
|
// Git Clone
|
|
u.route("GET", gitProjectPattern+`info/refs\z`, git.GetInfoRefsHandler(api)),
|
|
u.route("POST", gitProjectPattern+`git-upload-pack\z`, contentEncodingHandler(git.UploadPack(api)), withMatcher(isContentType("application/x-git-upload-pack-request"))),
|
|
u.route("POST", gitProjectPattern+`git-receive-pack\z`, contentEncodingHandler(git.ReceivePack(api)), withMatcher(isContentType("application/x-git-receive-pack-request"))),
|
|
u.route("PUT", gitProjectPattern+`gitlab-lfs/objects/([0-9a-f]{64})/([0-9]+)\z`, requestBodyUploader, withMatcher(isContentType("application/octet-stream"))),
|
|
|
|
// CI Artifacts
|
|
u.route("POST", apiPattern+`v4/jobs/[0-9]+/artifacts\z`, contentEncodingHandler(upload.Artifacts(api, signingProxy, preparer))),
|
|
u.route("POST", ciAPIPattern+`v1/builds/[0-9]+/artifacts\z`, contentEncodingHandler(upload.Artifacts(api, signingProxy, preparer))),
|
|
|
|
// ActionCable websocket
|
|
u.wsRoute(`^/-/cable\z`, cableProxy),
|
|
|
|
// Terminal websocket
|
|
u.wsRoute(projectPattern+`-/environments/[0-9]+/terminal.ws\z`, channel.Handler(api)),
|
|
u.wsRoute(projectPattern+`-/jobs/[0-9]+/terminal.ws\z`, channel.Handler(api)),
|
|
|
|
// Proxy Job Services
|
|
u.wsRoute(projectPattern+`-/jobs/[0-9]+/proxy.ws\z`, channel.Handler(api)),
|
|
|
|
// Long poll and limit capacity given to jobs/request and builds/register.json
|
|
u.route("", apiPattern+`v4/jobs/request\z`, ciAPILongPolling),
|
|
u.route("", ciAPIPattern+`v1/builds/register.json\z`, ciAPILongPolling),
|
|
|
|
// Not all API endpoints support encoded project IDs
|
|
// (e.g. `group%2Fproject`), but for the sake of consistency we
|
|
// use the apiProjectPattern regex throughout. API endpoints
|
|
// that do not support this will return 400 regardless of
|
|
// whether they are accelerated by Workhorse or not. See
|
|
// https://gitlab.com/gitlab-org/gitlab/-/merge_requests/56731.
|
|
|
|
// Maven Artifact Repository
|
|
u.route("PUT", apiProjectPattern+`/packages/maven/`, requestBodyUploader),
|
|
|
|
// Conan Artifact Repository
|
|
u.route("PUT", apiPattern+`v4/packages/conan/`, requestBodyUploader),
|
|
u.route("PUT", apiProjectPattern+`/packages/conan/`, requestBodyUploader),
|
|
|
|
// Generic Packages Repository
|
|
u.route("PUT", apiProjectPattern+`/packages/generic/`, requestBodyUploader),
|
|
|
|
// NuGet Artifact Repository
|
|
u.route("PUT", apiProjectPattern+`/packages/nuget/`, mimeMultipartUploader),
|
|
|
|
// PyPI Artifact Repository
|
|
u.route("POST", apiProjectPattern+`/packages/pypi`, mimeMultipartUploader),
|
|
|
|
// Debian Artifact Repository
|
|
u.route("PUT", apiProjectPattern+`/packages/debian/`, requestBodyUploader),
|
|
|
|
// RPM Artifact Repository
|
|
u.route("POST", apiProjectPattern+`/packages/rpm/`, requestBodyUploader),
|
|
|
|
// Gem Artifact Repository
|
|
u.route("POST", apiProjectPattern+`/packages/rubygems/`, requestBodyUploader),
|
|
|
|
// Terraform Module Package Repository
|
|
u.route("PUT", apiProjectPattern+`/packages/terraform/modules/`, requestBodyUploader),
|
|
|
|
// Helm Artifact Repository
|
|
u.route("POST", apiProjectPattern+`/packages/helm/api/[^/]+/charts\z`, mimeMultipartUploader),
|
|
|
|
// We are porting API to disk acceleration
|
|
// we need to declare each routes until we have fixed all the routes on the rails codebase.
|
|
// Overall status can be seen at https://gitlab.com/groups/gitlab-org/-/epics/1802#current-status
|
|
u.route("POST", apiProjectPattern+`/wikis/attachments\z`, tempfileMultipartProxy),
|
|
u.route("POST", apiGroupPattern+`/wikis/attachments\z`, tempfileMultipartProxy),
|
|
u.route("POST", apiPattern+`graphql\z`, tempfileMultipartProxy),
|
|
u.route("POST", apiTopicPattern, tempfileMultipartProxy),
|
|
u.route("PUT", apiTopicPattern, tempfileMultipartProxy),
|
|
u.route("POST", apiPattern+`v4/groups/import`, mimeMultipartUploader),
|
|
u.route("POST", apiPattern+`v4/projects/import`, mimeMultipartUploader),
|
|
|
|
// Project Import via UI upload acceleration
|
|
u.route("POST", importPattern+`gitlab_project`, mimeMultipartUploader),
|
|
// Group Import via UI upload acceleration
|
|
u.route("POST", importPattern+`gitlab_group`, mimeMultipartUploader),
|
|
|
|
// Issuable Metric image upload
|
|
u.route("POST", apiProjectPattern+`/issues/[0-9]+/metric_images\z`, mimeMultipartUploader),
|
|
|
|
// Alert Metric image upload
|
|
u.route("POST", apiProjectPattern+`/alert_management_alerts/[0-9]+/metric_images\z`, mimeMultipartUploader),
|
|
|
|
// Requirements Import via UI upload acceleration
|
|
u.route("POST", projectPattern+`requirements_management/requirements/import_csv`, mimeMultipartUploader),
|
|
|
|
// Uploads via API
|
|
u.route("POST", apiProjectPattern+`/uploads\z`, mimeMultipartUploader),
|
|
|
|
// Project Avatar
|
|
u.route("POST", apiPattern+`v4/projects\z`, tempfileMultipartProxy),
|
|
u.route("PUT", apiProjectPattern+`\z`, tempfileMultipartProxy),
|
|
|
|
// Group Avatar
|
|
u.route("POST", apiPattern+`v4/groups\z`, tempfileMultipartProxy),
|
|
u.route("PUT", apiPattern+`v4/groups/[^/]+\z`, tempfileMultipartProxy),
|
|
|
|
// User Avatar
|
|
u.route("POST", apiPattern+`v4/users\z`, tempfileMultipartProxy),
|
|
u.route("PUT", apiPattern+`v4/users/[0-9]+\z`, tempfileMultipartProxy),
|
|
|
|
// Explicitly proxy API requests
|
|
u.route("", apiPattern, proxy),
|
|
u.route("", ciAPIPattern, proxy),
|
|
|
|
// Serve assets
|
|
u.route(
|
|
"", `^/assets/`,
|
|
static.ServeExisting(
|
|
u.URLPrefix,
|
|
staticpages.CacheExpireMax,
|
|
assetsNotFoundHandler,
|
|
),
|
|
withoutTracing(), // Tracing on assets is very noisy
|
|
),
|
|
|
|
// Uploads
|
|
u.route("POST", projectPattern+`uploads\z`, mimeMultipartUploader),
|
|
u.route("POST", snippetUploadPattern, mimeMultipartUploader),
|
|
u.route("POST", userUploadPattern, mimeMultipartUploader),
|
|
|
|
// health checks don't intercept errors and go straight to rails
|
|
// TODO: We should probably not return a HTML deploy page?
|
|
// https://gitlab.com/gitlab-org/gitlab/-/issues/336326
|
|
u.route("", "^/-/(readiness|liveness)$", static.DeployPage(probeUpstream)),
|
|
u.route("", "^/-/health$", static.DeployPage(healthUpstream)),
|
|
|
|
// This route lets us filter out health checks from our metrics.
|
|
u.route("", "^/-/", defaultUpstream),
|
|
|
|
u.route("", "", defaultUpstream),
|
|
}
|
|
|
|
// Routes which should actually be served locally by a Geo Proxy. If none
|
|
// matches, then then proxy the request.
|
|
u.geoLocalRoutes = []routeEntry{
|
|
// Git and LFS requests
|
|
//
|
|
// Note that Geo already redirects pushes, with special terminal output.
|
|
// Note that excessive secondary lag can cause unexpected behavior since
|
|
// pulls are performed against a different source of truth. Ideally, we'd
|
|
// proxy/redirect pulls as well, when the secondary is not up-to-date.
|
|
//
|
|
u.route("GET", geoGitProjectPattern+`info/refs\z`, git.GetInfoRefsHandler(api)),
|
|
u.route("POST", geoGitProjectPattern+`git-upload-pack\z`, contentEncodingHandler(git.UploadPack(api)), withMatcher(isContentType("application/x-git-upload-pack-request"))),
|
|
u.route("GET", geoGitProjectPattern+`gitlab-lfs/objects/([0-9a-f]{64})\z`, defaultUpstream),
|
|
|
|
// Serve health checks from this Geo secondary
|
|
u.route("", "^/-/(readiness|liveness)$", static.DeployPage(probeUpstream)),
|
|
u.route("", "^/-/health$", static.DeployPage(healthUpstream)),
|
|
u.route("", "^/-/metrics$", defaultUpstream),
|
|
|
|
// Authentication routes
|
|
u.route("", "^/users/auth/geo/(sign_in|sign_out)$", defaultUpstream),
|
|
u.route("", "^/oauth/geo/(auth|callback|logout)$", defaultUpstream),
|
|
|
|
// Admin Area > Geo routes
|
|
u.route("", "^/admin/geo/replication/projects", defaultUpstream),
|
|
u.route("", "^/admin/geo/replication/designs", defaultUpstream),
|
|
|
|
// Geo API routes
|
|
u.route("", "^/api/v4/geo_replication", defaultUpstream),
|
|
u.route("", "^/api/v4/geo/proxy_git_ssh", defaultUpstream),
|
|
u.route("", "^/api/v4/geo/graphql", defaultUpstream),
|
|
|
|
// Internal API routes
|
|
u.route("", "^/api/v4/internal", defaultUpstream),
|
|
|
|
u.route(
|
|
"", `^/assets/`,
|
|
static.ServeExisting(
|
|
u.URLPrefix,
|
|
staticpages.CacheExpireMax,
|
|
assetsNotFoundHandler,
|
|
),
|
|
withoutTracing(), // Tracing on assets is very noisy
|
|
),
|
|
|
|
// Don't define a catch-all route. If a route does not match, then we know
|
|
// the request should be proxied.
|
|
}
|
|
}
|
|
|
|
func denyWebsocket(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if websocket.IsWebSocketUpgrade(r) {
|
|
helper.HTTPError(w, r, "websocket upgrade not allowed", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|