Added gitproxy endpoint (#2550)

* added DecodeCerts and logrs.Discard * added gitproxy endpoint * added tests * added URL validation and whitelist for gitproxy * added acceptance tests for gitproxy * fixed wrong Gitlab APIs
epinio · Oct 2, 2023 · a2e9652 · a2e9652
1 parent b3c026f
commit a2e9652
Show file tree

Hide file tree

Showing 9 changed files with 768 additions and 2 deletions.
diff --git a/acceptance/api/v1/gitproxy_test.go b/acceptance/api/v1/gitproxy_test.go
@@ -0,0 +1,64 @@
+// Copyright © 2021 - 2023 SUSE LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//     http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1_test
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"github.com/epinio/epinio/pkg/api/core/v1/models"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Gitproxy endpoint", LMisc, func() {
+	It("proxies the request to github", func() {
+		gitproxyRequest := models.GitProxyRequest{
+			URL: "https://api.github.com/repos/epinio/epinio",
+		}
+
+		resp, statusCode := gitproxy(toJSON(gitproxyRequest))
+		Expect(statusCode).To(Equal(http.StatusOK))
+
+		var m map[string]interface{}
+		err := json.Unmarshal(resp, &m)
+		Expect(err).ToNot(HaveOccurred())
+
+		Expect(m["id"]).To(BeEquivalentTo(311485110))
+		Expect(m["full_name"]).To(Equal("epinio/epinio"))
+	})
+
+	It("fails for unknown endpoint", func() {
+		gitproxyRequest := models.GitProxyRequest{
+			URL: "https://example.com",
+		}
+
+		resp, statusCode := gitproxy(toJSON(gitproxyRequest))
+		ExpectBadRequestError(resp, statusCode, "invalid proxied URL: unknown URL 'https://example.com'")
+	})
+
+	It("fails for invalid JSON", func() {
+		resp, statusCode := gitproxy(strings.NewReader(`sjkskl`))
+		ExpectBadRequestError(resp, statusCode, "invalid character 's' looking for beginning of value")
+	})
+
+	It("fails for non whitelisted APIs", func() {
+		gitproxyRequest := models.GitProxyRequest{
+			URL: "https://api.github.com/users",
+		}
+
+		resp, statusCode := gitproxy(toJSON(gitproxyRequest))
+		ExpectBadRequestError(resp, statusCode, "invalid proxied URL: invalid Github URL: '/users'")
+	})
+})
diff --git a/acceptance/api/v1/helpers_api_test.go b/acceptance/api/v1/helpers_api_test.go
@@ -97,6 +97,13 @@ func appImportGit(namespace, app, gitURL, revision string) ([]byte, int) {
 	return bodyBytes, response.StatusCode
 }
 
+func gitproxy(body io.Reader) ([]byte, int) {
+	GinkgoHelper()
+
+	endpoint := makeEndpoint(v1.Routes.Path("GitProxy"))
+	return curl(http.MethodPost, endpoint, body)
+}
+
 func curl(method, endpoint string, body io.Reader) ([]byte, int) {
 	GinkgoHelper()
 

diff --git a/helpers/cahash/cahash.go b/helpers/cahash/cahash.go
@@ -60,3 +60,26 @@ func DecodeOneCert(raw []byte) (*x509.Certificate, error) {
 
 	return nil, errors.New("failed find PEM data")
 }
+
+// DecodeCerts iterates over pem blocks and load all the valid certificates
+func DecodeCerts(raw []byte) ([]*x509.Certificate, error) {
+	certs := []*x509.Certificate{}
+
+	byteData := raw
+	for len(byteData) > 0 {
+		block, rest := pem.Decode(byteData)
+		if block == nil {
+			return nil, errors.New("failed decoding PEM data")
+		}
+
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			byteData = rest
+			continue // pem block is not a cert? (e.g. maybe it was a dh_params block)
+		}
+
+		certs = append(certs, cert)
+	}
+
+	return certs, nil
+}
diff --git a/internal/api/v1/auth_test.go b/internal/api/v1/auth_test.go
@@ -20,7 +20,7 @@ import (
 	"github.com/epinio/epinio/internal/auth"
 	"github.com/epinio/epinio/internal/cli/server/requestctx"
 	"github.com/gin-gonic/gin"
-	"github.com/go-logr/stdr"
+	"github.com/go-logr/logr"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 )
@@ -35,7 +35,7 @@ var _ = Describe("Authorization Middleware", func() {
 		gin.SetMode(gin.TestMode)
 		w = httptest.NewRecorder()
 		c, _ = gin.CreateTestContext(w)
-		ctx = requestctx.WithLogger(context.Background(), stdr.New(nil))
+		ctx = requestctx.WithLogger(context.Background(), logr.Discard())
 		url = "http://url.com/endpoint"
 	})