Use context to store and populate origin

easyCZ · easyCZ · commit 394330f7c0ee · 2023-02-15T12:42:52.000Z
diff --git a/components/public-api-server/pkg/auth/context.go b/components/public-api-server/pkg/auth/context.go
@@ -25,8 +25,6 @@ const (
 type Token struct {
 	Type  TokenType
 	Value string
-	// Only relevant for CookieTokenType
-	OriginHeader string
 }
 
 func NewAccessToken(token string) Token {
@@ -36,11 +34,10 @@ func NewAccessToken(token string) Token {
 	}
 }
 
-func NewCookieToken(cookie string, origin string) Token {
+func NewCookieToken(cookie string) Token {
 	return Token{
-		Type:         CookieTokenType,
-		Value:        cookie,
-		OriginHeader: origin,
+		Type:  CookieTokenType,
+		Value: cookie,
 	}
 }
 
diff --git a/components/public-api-server/pkg/auth/middleware.go b/components/public-api-server/pkg/auth/middleware.go
@@ -11,11 +11,11 @@ import (
 	"github.com/bufbuild/connect-go"
 )
 
-type AuthInterceptor struct {
+type Interceptor struct {
 	accessToken string
 }
 
-func (a *AuthInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
+func (a *Interceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
 	return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
 		if req.Spec().IsClient {
 			ctx = TokenToContext(ctx, NewAccessToken(a.accessToken))
@@ -33,7 +33,7 @@ func (a *AuthInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
 	})
 }
 
-func (a *AuthInterceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {
+func (a *Interceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {
 	return func(ctx context.Context, s connect.Spec) connect.StreamingClientConn {
 		ctx = TokenToContext(ctx, NewAccessToken(a.accessToken))
 		conn := next(ctx, s)
@@ -42,7 +42,7 @@ func (a *AuthInterceptor) WrapStreamingClient(next connect.StreamingClientFunc)
 	}
 }
 
-func (a *AuthInterceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {
+func (a *Interceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {
 	return func(ctx context.Context, conn connect.StreamingHandlerConn) error {
 		token, err := tokenFromConn(ctx, conn)
 		if err != nil {
@@ -54,7 +54,7 @@ func (a *AuthInterceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc
 
 // NewServerInterceptor creates a server-side interceptor which validates that an incoming request contains a Bearer Authorization header
 func NewServerInterceptor() connect.Interceptor {
-	return &AuthInterceptor{}
+	return &Interceptor{}
 }
 
 func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error) {
@@ -66,9 +66,8 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error
 	}
 
 	cookie := req.Header().Get("Cookie")
-	origin := req.Header().Get("Origin")
 	if cookie != "" {
-		return NewCookieToken(cookie, origin), nil
+		return NewCookieToken(cookie), nil
 	}
 
 	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))
@@ -83,17 +82,16 @@ func tokenFromConn(ctx context.Context, conn connect.StreamingHandlerConn) (Toke
 	}
 
 	cookie := conn.RequestHeader().Get("Cookie")
-	origin := conn.RequestHeader().Get("Origin")
 	if cookie != "" {
-		return NewCookieToken(cookie, origin), nil
+		return NewCookieToken(cookie), nil
 	}
 
 	return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))
 }
 
 // NewClientInterceptor creates a client-side interceptor which injects token as a Bearer Authorization header
 func NewClientInterceptor(accessToken string) connect.Interceptor {
-	return &AuthInterceptor{
+	return &Interceptor{
 		accessToken: accessToken,
 	}
 }
diff --git a/components/public-api-server/pkg/origin/context.go b/components/public-api-server/pkg/origin/context.go
@@ -0,0 +1,27 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package origin
+
+import (
+	"context"
+)
+
+type contextKey int
+
+const (
+	originContextKey contextKey = iota
+)
+
+func ToContext(ctx context.Context, origin string) context.Context {
+	return context.WithValue(ctx, originContextKey, origin)
+}
+
+func FromContext(ctx context.Context) string {
+	if val, ok := ctx.Value(originContextKey).(string); ok {
+		return val
+	}
+
+	return ""
+}
diff --git a/components/public-api-server/pkg/origin/middleware.go b/components/public-api-server/pkg/origin/middleware.go
@@ -0,0 +1,48 @@
+// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package origin
+
+import (
+	"context"
+
+	"github.com/bufbuild/connect-go"
+)
+
+func NewInterceptor() *Interceptor {
+	return &Interceptor{}
+}
+
+type Interceptor struct{}
+
+func (i *Interceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {
+	return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {
+		if req.Spec().IsClient {
+			req.Header().Add("Origin", FromContext(ctx))
+		} else {
+			origin := req.Header().Get("Origin")
+			ctx = ToContext(ctx, origin)
+		}
+
+		return next(ctx, req)
+	})
+}
+
+func (a *Interceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {
+	return func(ctx context.Context, s connect.Spec) connect.StreamingClientConn {
+		conn := next(ctx, s)
+		conn.RequestHeader().Add("Origin", FromContext(ctx))
+
+		return conn
+	}
+}
+
+func (a *Interceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {
+	return func(ctx context.Context, conn connect.StreamingHandlerConn) error {
+		origin := conn.RequestHeader().Get("Origin")
+		ctx = ToContext(ctx, origin)
+
+		return next(ctx, conn)
+	}
+}
diff --git a/components/public-api-server/pkg/proxy/conn.go b/components/public-api-server/pkg/proxy/conn.go
@@ -14,6 +14,7 @@ import (
 	"github.com/gitpod-io/gitpod/common-go/log"
 	gitpod "github.com/gitpod-io/gitpod/gitpod-protocol"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/auth"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/origin"
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
 
 	lru "github.com/hashicorp/golang-lru"
@@ -41,14 +42,14 @@ func (p *NoConnectionPool) Get(ctx context.Context, token auth.Token) (gitpod.AP
 	opts := gitpod.ConnectToServerOpts{
 		Context: ctx,
 		Log:     logger,
+		Origin:  origin.FromContext(ctx),
 	}
 
 	switch token.Type {
 	case auth.AccessTokenType:
 		opts.Token = token.Value
 	case auth.CookieTokenType:
 		opts.Cookie = token.Value
-		opts.Origin = token.OriginHeader
 	default:
 		return nil, errors.New("unknown token type")
 	}
@@ -83,7 +84,7 @@ func NewConnectionPool(address *url.URL, poolSize int) (*ConnectionPool, error)
 
 	return &ConnectionPool{
 		cache: cache,
-		connConstructor: func(token auth.Token) (gitpod.APIInterface, error) {
+		connConstructor: func(ctx context.Context, token auth.Token) (gitpod.APIInterface, error) {
 			opts := gitpod.ConnectToServerOpts{
 				// We're using Background context as we want the connection to persist beyond the lifecycle of a single request
 				Context: context.Background(),
@@ -99,7 +100,6 @@ func NewConnectionPool(address *url.URL, poolSize int) (*ConnectionPool, error)
 				opts.Token = token.Value
 			case auth.CookieTokenType:
 				opts.Cookie = token.Value
-				opts.Origin = token.OriginHeader
 			default:
 				return nil, errors.New("unknown token type")
 			}
@@ -120,15 +120,23 @@ func NewConnectionPool(address *url.URL, poolSize int) (*ConnectionPool, error)
 
 }
 
+type conenctionPoolCacheKey struct {
+	token  auth.Token
+	origin string
+}
+
 type ConnectionPool struct {
-	connConstructor func(token auth.Token) (gitpod.APIInterface, error)
+	connConstructor func(context.Context, auth.Token) (gitpod.APIInterface, error)
 
 	// cache stores token to connection mapping
 	cache *lru.Cache
 }
 
 func (p *ConnectionPool) Get(ctx context.Context, token auth.Token) (gitpod.APIInterface, error) {
-	cached, found := p.cache.Get(token)
+	origin := origin.FromContext(ctx)
+
+	cacheKey := p.cacheKey(token, origin)
+	cached, found := p.cache.Get(cacheKey)
 	reportCacheOutcome(found)
 	if found {
 		conn, ok := cached.(*gitpod.APIoverJSONRPC)
@@ -137,17 +145,24 @@ func (p *ConnectionPool) Get(ctx context.Context, token auth.Token) (gitpod.APII
 		}
 	}
 
-	conn, err := p.connConstructor(token)
+	conn, err := p.connConstructor(ctx, token)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create new connection to server: %w", err)
 	}
 
-	p.cache.Add(token, conn)
+	p.cache.Add(cacheKey, conn)
 	connectionPoolSize.Inc()
 
 	return conn, nil
 }
 
+func (p *ConnectionPool) cacheKey(token auth.Token, origin string) conenctionPoolCacheKey {
+	return conenctionPoolCacheKey{
+		token:  token,
+		origin: origin,
+	}
+}
+
 func getEndpointBasedOnToken(t auth.Token, u *url.URL) (string, error) {
 	switch t.Type {
 	case auth.AccessTokenType:
diff --git a/components/public-api-server/pkg/proxy/conn_test.go b/components/public-api-server/pkg/proxy/conn_test.go
@@ -11,6 +11,7 @@ import (
 
 	gitpod "github.com/gitpod-io/gitpod/gitpod-protocol"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/auth"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/origin"
 	"github.com/golang/mock/gomock"
 	lru "github.com/hashicorp/golang-lru"
 	"github.com/stretchr/testify/require"
@@ -25,7 +26,7 @@ func TestConnectionPool(t *testing.T) {
 	require.NoError(t, err)
 	pool := &ConnectionPool{
 		cache: cache,
-		connConstructor: func(token auth.Token) (gitpod.APIInterface, error) {
+		connConstructor: func(ctx context.Context, token auth.Token) (gitpod.APIInterface, error) {
 			return srv, nil
 		},
 	}
@@ -45,8 +46,36 @@ func TestConnectionPool(t *testing.T) {
 	_, err = pool.Get(context.Background(), bazToken)
 	require.NoError(t, err)
 	require.Equal(t, 2, pool.cache.Len(), "must keep only last two connectons")
-	require.True(t, pool.cache.Contains(barToken))
-	require.True(t, pool.cache.Contains(bazToken))
+	require.True(t, pool.cache.Contains(pool.cacheKey(barToken, "")))
+	require.True(t, pool.cache.Contains(pool.cacheKey(bazToken, "")))
+}
+
+func TestConnectionPool_ByDistinctOrigins(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	srv := gitpod.NewMockAPIInterface(ctrl)
+
+	cache, err := lru.New(2)
+	require.NoError(t, err)
+	pool := &ConnectionPool{
+		cache: cache,
+		connConstructor: func(ctx context.Context, token auth.Token) (gitpod.APIInterface, error) {
+			return srv, nil
+		},
+	}
+
+	token := auth.NewAccessToken("foo")
+
+	ctxWithOriginA := origin.ToContext(context.Background(), "originA")
+	ctxWithOriginB := origin.ToContext(context.Background(), "originB")
+
+	_, err = pool.Get(ctxWithOriginA, token)
+	require.NoError(t, err)
+	require.Equal(t, 1, pool.cache.Len())
+
+	_, err = pool.Get(ctxWithOriginB, token)
+	require.NoError(t, err)
+	require.Equal(t, 2, pool.cache.Len())
 }
 
 func TestEndpointBasedOnToken(t *testing.T) {
@@ -57,7 +86,7 @@ func TestEndpointBasedOnToken(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "wss://server:3000/v1", endpointForAccessToken)
 
-	endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo", "server"), u)
+	endpointForCookie, err := getEndpointBasedOnToken(auth.NewCookieToken("foo"), u)
 	require.NoError(t, err)
 	require.Equal(t, "wss://server:3000/gitpod", endpointForCookie)
 }
diff --git a/components/public-api-server/pkg/server/server.go b/components/public-api-server/pkg/server/server.go
@@ -28,6 +28,7 @@ import (
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/auth"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/billingservice"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/oidc"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/origin"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/proxy"
 	"github.com/gitpod-io/gitpod/public-api-server/pkg/webhooks"
 	"github.com/sirupsen/logrus"
@@ -154,6 +155,7 @@ func register(srv *baseserver.Server, deps *registerDependencies) error {
 			NewMetricsInterceptor(connectMetrics),
 			NewLogInterceptor(log.Log),
 			auth.NewServerInterceptor(),
+			origin.NewInterceptor(),
 		),
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,6 @@ const (`
`25`	`25`	`type Token struct {`
`26`	`26`	`Type TokenType`
`27`	`27`	`Value string`
`28`		`- // Only relevant for CookieTokenType`
`29`		`- OriginHeader string`
`30`	`28`	`}`
`31`	`29`
`32`	`30`	`func NewAccessToken(token string) Token {`
`@@ -36,11 +34,10 @@ func NewAccessToken(token string) Token {`
`36`	`34`	`}`
`37`	`35`	`}`
`38`	`36`
`39`		`-func NewCookieToken(cookie string, origin string) Token {`
	`37`	`+func NewCookieToken(cookie string) Token {`
`40`	`38`	`return Token{`
`41`		`- Type: CookieTokenType,`
`42`		`- Value: cookie,`
`43`		`- OriginHeader: origin,`
	`39`	`+ Type: CookieTokenType,`
	`40`	`+ Value: cookie,`
`44`	`41`	`}`
`45`	`42`	`}`
`46`	`43`
Original file line number	Diff line number	Diff line change
`@@ -11,11 +11,11 @@ import (`
`11`	`11`	`"github.com/bufbuild/connect-go"`
`12`	`12`	`)`
`13`	`13`
`14`		`-type AuthInterceptor struct {`
	`14`	`+type Interceptor struct {`
`15`	`15`	`accessToken string`
`16`	`16`	`}`
`17`	`17`
`18`		`-func (a *AuthInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {`
	`18`	`+func (a *Interceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {`
`19`	`19`	`return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {`
`20`	`20`	`if req.Spec().IsClient {`
`21`	`21`	`ctx = TokenToContext(ctx, NewAccessToken(a.accessToken))`
`@@ -33,7 +33,7 @@ func (a *AuthInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {`
`33`	`33`	`})`
`34`	`34`	`}`
`35`	`35`
`36`		`-func (a *AuthInterceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {`
	`36`	`+func (a *Interceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {`
`37`	`37`	`return func(ctx context.Context, s connect.Spec) connect.StreamingClientConn {`
`38`	`38`	`ctx = TokenToContext(ctx, NewAccessToken(a.accessToken))`
`39`	`39`	`conn := next(ctx, s)`
`@@ -42,7 +42,7 @@ func (a *AuthInterceptor) WrapStreamingClient(next connect.StreamingClientFunc)`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`45`		`-func (a *AuthInterceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {`
	`45`	`+func (a *Interceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {`
`46`	`46`	`return func(ctx context.Context, conn connect.StreamingHandlerConn) error {`
`47`	`47`	`token, err := tokenFromConn(ctx, conn)`
`48`	`48`	`if err != nil {`
`@@ -54,7 +54,7 @@ func (a *AuthInterceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc`
`54`	`54`
`55`	`55`	`// NewServerInterceptor creates a server-side interceptor which validates that an incoming request contains a Bearer Authorization header`
`56`	`56`	`func NewServerInterceptor() connect.Interceptor {`
`57`		`- return &AuthInterceptor{}`
	`57`	`+ return &Interceptor{}`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error) {`
`@@ -66,9 +66,8 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (Token, error`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`cookie := req.Header().Get("Cookie")`
`69`		`- origin := req.Header().Get("Origin")`
`70`	`69`	`if cookie != "" {`
`71`		`- return NewCookieToken(cookie, origin), nil`
	`70`	`+ return NewCookieToken(cookie), nil`
`72`	`71`	`}`
`73`	`72`
`74`	`73`	`return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))`
`@@ -83,17 +82,16 @@ func tokenFromConn(ctx context.Context, conn connect.StreamingHandlerConn) (Toke`
`83`	`82`	`}`
`84`	`83`
`85`	`84`	`cookie := conn.RequestHeader().Get("Cookie")`
`86`		`- origin := conn.RequestHeader().Get("Origin")`
`87`	`85`	`if cookie != "" {`
`88`		`- return NewCookieToken(cookie, origin), nil`
	`86`	`+ return NewCookieToken(cookie), nil`
`89`	`87`	`}`
`90`	`88`
`91`	`89`	`return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))`
`92`	`90`	`}`
`93`	`91`
`94`	`92`	`// NewClientInterceptor creates a client-side interceptor which injects token as a Bearer Authorization header`
`95`	`93`	`func NewClientInterceptor(accessToken string) connect.Interceptor {`
`96`		`- return &AuthInterceptor{`
	`94`	`+ return &Interceptor{`
`97`	`95`	`accessToken: accessToken,`
`98`	`96`	`}`
`99`	`97`	`}`