Proxy VCS HTTP requests

epriestley · epriestley · commit fb5e50e6cc1f · 2015-01-27T14:51:09.000-08:00
Summary: Ref T7019. When we receive a `git clone https://` (or `git push` on HTTP/S), and the repository is not local, proxy the request to the appropriate service. This has scalability limits, but they are not more severe than the existing limits (T4369) and are about as abstracted as we can get them. This doesn't fully work in a Phacility context because the commit hook does not know which instance it is running in, but that problem is not unique to HTTP. Test Plan: - Pushed and pulled a Git repo via proxy. - Pulled a Git repo normally. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7019 Differential Revision: https://secure.phabricator.com/D11494
diff --git a/src/aphront/AphrontRequest.php b/src/aphront/AphrontRequest.php
@@ -1,9 +1,9 @@
 <?php
 
 /**
- * @task data   Accessing Request Data
- * @task cookie Managing Cookies
- *
+ * @task data     Accessing Request Data
+ * @task cookie   Managing Cookies
+ * @task cluster  Working With a Phabricator Cluster
  */
 final class AphrontRequest {
 
@@ -625,4 +625,130 @@ public static function getHTTPHeader($name, $default = null, $data = null) {
     return $default;
   }
 
+
+/* -(  Working With a Phabricator Cluster  )--------------------------------- */
+
+
+  /**
+   * Is this a proxied request originating from within the Phabricator cluster?
+   *
+   * IMPORTANT: This means the request is dangerous!
+   *
+   * These requests are **more dangerous** than normal requests (they can not
+   * be safely proxied, because proxying them may cause a loop). Cluster
+   * requests are not guaranteed to come from a trusted source, and should
+   * never be treated as safer than normal requests. They are strictly less
+   * safe.
+   */
+  public function isProxiedClusterRequest() {
+    return (bool)AphrontRequest::getHTTPHeader('X-Phabricator-Cluster');
+  }
+
+
+  /**
+   * Build a new @{class:HTTPSFuture} which proxies this request to another
+   * node in the cluster.
+   *
+   * IMPORTANT: This is very dangerous!
+   *
+   * The future forwards authentication information present in the request.
+   * Proxied requests must only be sent to trusted hosts. (We attempt to
+   * enforce this.)
+   *
+   * This is not a general-purpose proxying method; it is a specialized
+   * method with niche applications and severe security implications.
+   *
+   * @param string URI identifying the host we are proxying the request to.
+   * @return HTTPSFuture New proxy future.
+   *
+   * @phutil-external-symbol class PhabricatorStartup
+   */
+  public function newClusterProxyFuture($uri) {
+    $uri = new PhutilURI($uri);
+
+    $domain = $uri->getDomain();
+    $ip = gethostbyname($domain);
+    if (!$ip) {
+      throw new Exception(
+        pht(
+          'Unable to resolve domain "%s"!',
+          $domain));
+    }
+
+    if (!PhabricatorEnv::isClusterAddress($ip)) {
+      throw new Exception(
+        pht(
+          'Refusing to proxy a request to IP address ("%s") which is not '.
+          'in the cluster address block (this address was derived by '.
+          'resolving the domain "%s").',
+          $ip,
+          $domain));
+    }
+
+    $uri->setPath($this->getPath());
+    $uri->setQueryParams(self::flattenData($_GET));
+
+    $input = PhabricatorStartup::getRawInput();
+
+    $future = id(new HTTPSFuture($uri))
+      ->addHeader('Host', self::getHost())
+      ->addHeader('X-Phabricator-Cluster', true)
+      ->setMethod($_SERVER['REQUEST_METHOD'])
+      ->write($input);
+
+    if (isset($_SERVER['PHP_AUTH_USER'])) {
+      $future->setHTTPBasicAuthCredentials(
+        $_SERVER['PHP_AUTH_USER'],
+        new PhutilOpaqueEnvelope(idx($_SERVER, 'PHP_AUTH_PW', '')));
+    }
+
+    $headers = array();
+    $seen = array();
+
+    // NOTE: apache_request_headers() might provide a nicer way to do this,
+    // but isn't available under FCGI until PHP 5.4.0.
+    foreach ($_SERVER as $key => $value) {
+      if (preg_match('/^HTTP_/', $key)) {
+        // Unmangle the header as best we can.
+        $key = str_replace('_', ' ', $key);
+        $key = strtolower($key);
+        $key = ucwords($key);
+        $key = str_replace(' ', '-', $key);
+
+        $headers[] = array($key, $value);
+        $seen[$key] = true;
+      }
+    }
+
+    // In some situations, this may not be mapped into the HTTP_X constants.
+    // CONTENT_LENGTH is similarly affected, but we trust cURL to take care
+    // of that if it matters, since we're handing off a request body.
+    if (empty($seen['Content-Type'])) {
+      if (isset($_SERVER['CONTENT_TYPE'])) {
+        $headers[] = array('Content-Type', $_SERVER['CONTENT_TYPE']);
+      }
+    }
+
+    foreach ($headers as $header) {
+      list($key, $value) = $header;
+      switch ($key) {
+        case 'Host':
+        case 'Authorization':
+          // Don't forward these headers, we've already handled them elsewhere.
+          unset($headers[$key]);
+          break;
+        default:
+          break;
+      }
+    }
+
+    foreach ($headers as $header) {
+      list($key, $value) = $header;
+      $future->addHeader($key, $value);
+    }
+
+    return $future;
+  }
+
+
 }
diff --git a/src/applications/diffusion/controller/DiffusionServeController.php b/src/applications/diffusion/controller/DiffusionServeController.php
@@ -205,10 +205,8 @@ protected function processDiffusionRequest(AphrontRequest $request) {
     } else {
       switch ($vcs_type) {
         case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
-          $result = $this->serveGitRequest($repository, $viewer);
-          break;
         case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
-          $result = $this->serveMercurialRequest($repository, $viewer);
+          $result = $this->serveVCSRequest($repository, $viewer);
           break;
         case PhabricatorRepositoryType::REPOSITORY_TYPE_SVN:
           $result = new PhabricatorVCSResponse(
@@ -238,6 +236,42 @@ protected function processDiffusionRequest(AphrontRequest $request) {
     return $result;
   }
 
+  private function serveVCSRequest(
+    PhabricatorRepository $repository,
+    PhabricatorUser $viewer) {
+
+    // If this repository is hosted on a service, we need to proxy the request
+    // to a host which can serve it.
+    $is_cluster_request = $this->getRequest()->isProxiedClusterRequest();
+
+    $uri = $repository->getAlmanacServiceURI(
+      $viewer,
+      $is_cluster_request,
+      array(
+        'http',
+        'https',
+      ));
+    if ($uri) {
+      $future = $this->getRequest()->newClusterProxyFuture($uri);
+      return id(new AphrontHTTPProxyResponse())
+        ->setHTTPFuture($future);
+    }
+
+    // Otherwise, we're going to handle the request locally.
+
+    $vcs_type = $repository->getVersionControlSystem();
+    switch ($vcs_type) {
+      case PhabricatorRepositoryType::REPOSITORY_TYPE_GIT:
+        $result = $this->serveGitRequest($repository, $viewer);
+        break;
+      case PhabricatorRepositoryType::REPOSITORY_TYPE_MERCURIAL:
+        $result = $this->serveMercurialRequest($repository, $viewer);
+        break;
+    }
+
+    return $result;
+  }
+
   private function isReadOnlyRequest(
     PhabricatorRepository $repository) {
     $request = $this->getRequest();
