fix(api,hatchery): take care of booked JobID (#5156)

* chore: jobID is mandatory on worker (registerOnly false)

Signed-off-by: Yvonnick Esnault <yvonnick.esnault@corp.ovh.com>

Author: yesnault

engine/api/worker/registration.go

@@ -59,8 +59,13 @@ type TakeForm struct {
 // RegisterWorker  Register new worker
 func RegisterWorker(ctx context.Context, db gorp.SqlExecutor, store cache.Store, spawnArgs hatchery.SpawnArguments, hatcheryID int64, consumer *sdk.AuthConsumer, registrationForm sdk.WorkerRegistrationForm) (*sdk.Worker, error) {
 	if spawnArgs.WorkerName == "" {
-		return nil, sdk.WithStack(sdk.ErrWrongRequest)
+		return nil, sdk.NewErrorFrom(sdk.ErrWrongRequest, "unauthorized to register a worker without a name")
 	}
+
+	if !spawnArgs.RegisterOnly && spawnArgs.JobID == 0 {
+		return nil, sdk.NewErrorFrom(sdk.ErrWrongRequest, "unauthorized to register a worker for a job without a JobID")
+	}
+
 	var model *sdk.Model
 	if spawnArgs.Model != nil {
 		// Load Model
@@ -95,6 +100,9 @@ func RegisterWorker(ctx context.Context, db gorp.SqlExecutor, store cache.Store,
 	if model != nil {
 		w.ModelID = &spawnArgs.Model.ID
 	}
+	if spawnArgs.JobID > 0 {
+		w.JobRunID = &spawnArgs.JobID
+	}
 
 	w.Uptodate = registrationForm.Version == sdk.VERSION
 

engine/api/worker/worker_test.go

@@ -95,4 +95,18 @@ func TestRegister(t *testing.T) {
 	assert.Equal(t, w.ID, wk.ID)
 	assert.Equal(t, w.ModelID, wk.ModelID)
 	assert.Equal(t, w.HatcheryID, wk.HatcheryID)
+
+	// try to register a worker for a job, without a JobID
+	w2, err := worker.RegisterWorker(context.TODO(), db, store, hatchery.SpawnArguments{
+		HatcheryName: h.Name,
+		Model:        m,
+		WorkerName:   sdk.RandomString(10),
+	}, h.ID, c, sdk.WorkerRegistrationForm{
+		Arch:               runtime.GOARCH,
+		OS:                 runtime.GOOS,
+		BinaryCapabilities: []string{"bash"},
+	})
+
+	test.Error(t, err)
+	assert.Nil(t, w2)
 }

engine/api/worker_test.go

@@ -20,7 +20,7 @@ import (
 	"github.com/ovh/cds/sdk/log"
 )
 
-func RegisterWorker(t *testing.T, api *API, groupID int64, existingWorkerModelName string) (*sdk.Worker, string) {
+func RegisterWorker(t *testing.T, api *API, groupID int64, existingWorkerModelName string, jobID int64, registerOnly bool) (*sdk.Worker, string) {
 	model, err := workermodel.LoadByNameAndGroupID(api.mustDB(), existingWorkerModelName, groupID)
 	if err != nil {
 		t.Fatalf("RegisterWorker> Error getting worker model : %s", err)
@@ -42,6 +42,8 @@ func RegisterWorker(t *testing.T, api *API, groupID int64, existingWorkerModelNa
 		HatcheryName: hSrv.Name,
 		Model:        model,
 		WorkerName:   hSrv.Name + "-worker",
+		JobID:        jobID,
+		RegisterOnly: registerOnly,
 	})
 	test.NoError(t, err)
 	assert.NotNil(t, hConsumer)
@@ -112,7 +114,7 @@ func TestPostRegisterWorkerHandler(t *testing.T) {
 
 	model := LoadOrCreateWorkerModel(t, api, g.ID, "Test1")
 
-	_, workerJWT := RegisterWorker(t, api, g.ID, model.Name)
+	_, workerJWT := RegisterWorker(t, api, g.ID, model.Name, 0, true)
 
 	uri := api.Router.GetRoute("POST", api.postRefreshWorkerHandler, nil)
 	test.NotEmpty(t, uri)
@@ -132,3 +134,44 @@ func TestPostRegisterWorkerHandler(t *testing.T) {
 	api.Router.Mux.ServeHTTP(rec, req)
 	assert.Equal(t, 204, rec.Code)
 }
+
+// TestPostInvalidRegister tests to register a worker for a job, without a JobID
+func TestPostInvalidRegister(t *testing.T) {
+	api, _, _, end := newTestAPI(t)
+	defer end()
+
+	g := LoadSharedInfraGroup(t, api)
+
+	model := LoadOrCreateWorkerModel(t, api, g.ID, "Test2")
+
+	hSrv, hPrivKey, hConsumer, _ := assets.InsertHatchery(t, api.mustDB(), *g)
+
+	hPubKey, err := jws.ExportPublicKey(hPrivKey)
+	if err != nil {
+		t.Fatalf("RegisterWorker> Error exporting public key : %s", err)
+	}
+	log.Debug("hatchery public key is %s", string(hPubKey))
+
+	jwt, err := hatchery.NewWorkerToken(hSrv.Name, hPrivKey, time.Now().Add(time.Hour), hatchery.SpawnArguments{
+		HatcheryName: hSrv.Name,
+		Model:        model,
+		WorkerName:   hSrv.Name + "-worker",
+		JobID:        0,
+		RegisterOnly: false,
+	})
+	test.NoError(t, err)
+	assert.NotNil(t, hConsumer)
+
+	uri := api.Router.GetRoute("POST", api.postRegisterWorkerHandler, nil)
+	test.NotEmpty(t, uri)
+	req := assets.NewJWTAuthentifiedRequest(t, jwt, "POST", uri, sdk.WorkerRegistrationForm{
+		Arch:    runtime.GOARCH,
+		OS:      runtime.GOOS,
+		Version: sdk.VERSION,
+	})
+
+	//Do the request
+	rec := httptest.NewRecorder()
+	api.Router.Mux.ServeHTTP(rec, req)
+	assert.Equal(t, 401, rec.Code)
+}

engine/api/workflow_queue.go

@@ -60,6 +60,10 @@ func (api *API) postTakeWorkflowJobHandler() service.Handler {
 			return err
 		}
 
+		if wk.JobRunID == nil || *wk.JobRunID != id {
+			return sdk.NewErrorFrom(sdk.ErrForbidden, "unauthorized to take this job. booked:%d vs asked:%d", wk.JobRunID, id)
+		}
+
 		p, err := project.LoadProjectByNodeJobRunID(ctx, api.mustDB(), api.Cache, id, project.LoadOptions.WithVariables, project.LoadOptions.WithClearKeys)
 		if err != nil {
 			return sdk.WrapError(err, "cannot load project by nodeJobRunID: %d", id)

engine/api/workflow_queue_test.go

@@ -268,13 +268,13 @@ func testGetWorkflowJobAsRegularUser(t *testing.T, api *API, router *Router, jwt
 
 	jobs := []sdk.WorkflowNodeJobRun{}
 	require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &jobs))
-	assert.True(t, len(jobs) >= 1)
+	require.True(t, len(jobs) >= 1)
 
 	if t.Failed() {
 		t.FailNow()
 	}
 
-	ctx.job = &jobs[0]
+	ctx.job = &jobs[len(jobs)-1]
 }
 
 func testGetWorkflowJobAsWorker(t *testing.T, api *API, router *Router, ctx *testRunWorkflowCtx) {
@@ -290,7 +290,7 @@ func testGetWorkflowJobAsWorker(t *testing.T, api *API, router *Router, ctx *tes
 
 	jobs := []sdk.WorkflowNodeJobRun{}
 	require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &jobs))
-	assert.Len(t, jobs, 1)
+	require.Len(t, jobs, 1)
 
 	if t.Failed() {
 		t.FailNow()
@@ -312,7 +312,7 @@ func testGetWorkflowJobAsHatchery(t *testing.T, api *API, router *Router, ctx *t
 
 	jobs := []sdk.WorkflowNodeJobRun{}
 	require.NoError(t, json.Unmarshal(rec.Body.Bytes(), &jobs))
-	assert.Len(t, jobs, 1)
+	require.Len(t, jobs, 1)
 
 	if t.Failed() {
 		t.FailNow()
@@ -327,7 +327,11 @@ func testRegisterWorker(t *testing.T, api *API, router *Router, ctx *testRunWork
 		t.Fatalf("Error getting group: %+v", err)
 	}
 	model := LoadOrCreateWorkerModel(t, api, g.ID, "Test1")
-	w, workerJWT := RegisterWorker(t, api, g.ID, model.Name)
+	var jobID int64
+	if ctx.job != nil {
+		jobID = ctx.job.ID
+	}
+	w, workerJWT := RegisterWorker(t, api, g.ID, model.Name, jobID, jobID == 0)
 	ctx.workerToken = workerJWT
 	ctx.worker = w
 	ctx.model = model
@@ -340,17 +344,31 @@ func testRegisterHatchery(t *testing.T, api *API, router *Router, ctx *testRunWo
 }
 
 func TestGetWorkflowJobQueueHandler(t *testing.T) {
-	api, _, router, end := newTestAPI(t)
+	api, db, router, end := newTestAPI(t)
 	defer end()
 
+	// delete all existing workers
+	workers, err := worker.LoadAll(context.TODO(), db)
+	test.NoError(t, err)
+	for _, w := range workers {
+		worker.Delete(db, w.ID)
+	}
+
+	// remove all jobs in queue
+	filterClean := workflow.NewQueueFilter()
+	nrj, _ := workflow.LoadNodeJobRunQueue(context.TODO(), db, api.Cache, filterClean)
+	for _, j := range nrj {
+		_ = workflow.DeleteNodeJobRuns(db, j.WorkflowNodeRunID)
+	}
+
 	_, jwt := assets.InsertAdminUser(t, api.mustDB())
 	t.Log("checkin as a user")
 
 	ctx := testRunWorkflow(t, api, router)
 	testGetWorkflowJobAsRegularUser(t, api, router, jwt, &ctx)
 	assert.NotNil(t, ctx.job)
 
-	t.Log("checkin as a worker")
+	t.Logf("checkin as a worker jobId:%d", ctx.job.ID)
 
 	testGetWorkflowJobAsWorker(t, api, router, &ctx)
 	assert.NotNil(t, ctx.job)
@@ -459,6 +477,46 @@ func Test_postTakeWorkflowJobHandler(t *testing.T) {
 	assert.NotEmpty(t, run.HatcheryName)
 }
 
+func Test_postTakeWorkflowInvalidJobHandler(t *testing.T) {
+	api, _, router, end := newTestAPI(t)
+	defer end()
+	ctx := testRunWorkflow(t, api, router)
+	testGetWorkflowJobAsWorker(t, api, router, &ctx)
+	require.NotNil(t, ctx.job)
+
+	//Prepare request
+	vars := map[string]string{
+		"key":              ctx.project.Key,
+		"permWorkflowName": ctx.workflow.Name,
+		"id":               fmt.Sprintf("%d", ctx.job.ID+1), // invalid job
+	}
+
+	//Register the worker
+	testRegisterWorker(t, api, router, &ctx)
+
+	uri := router.GetRoute("POST", api.postTakeWorkflowJobHandler, vars)
+	require.NotEmpty(t, uri)
+
+	//this call must failed, we try to take a jobID not reserved at worker's registration
+	req := assets.NewJWTAuthentifiedRequest(t, ctx.workerToken, "POST", uri, nil)
+	rec := httptest.NewRecorder()
+	router.Mux.ServeHTTP(rec, req)
+	require.Equal(t, 403, rec.Code)
+
+	//This must be ok, take the jobID reserved
+	vars2 := map[string]string{
+		"key":              ctx.project.Key,
+		"permWorkflowName": ctx.workflow.Name,
+		"id":               fmt.Sprintf("%d", ctx.job.ID),
+	}
+	uri2 := router.GetRoute("POST", api.postTakeWorkflowJobHandler, vars2)
+	require.NotEmpty(t, uri2)
+	req2 := assets.NewJWTAuthentifiedRequest(t, ctx.workerToken, "POST", uri2, nil)
+	rec2 := httptest.NewRecorder()
+	router.Mux.ServeHTTP(rec2, req2)
+	require.Equal(t, 200, rec2.Code)
+}
+
 func Test_postBookWorkflowJobHandler(t *testing.T) {
 	api, _, router, end := newTestAPI(t)
 	defer end()

engine/hatchery/local/worker_spawn.go

@@ -52,6 +52,10 @@ const workerCmdTmpl = "{{.WorkerBinary}} --api={{.API}} --token={{.Token}} --log
 func (h *HatcheryLocal) SpawnWorker(ctx context.Context, spawnArgs hatchery.SpawnArguments) error {
 	log.Debug("HatcheryLocal.SpawnWorker> %s want to spawn a worker named %s (jobID = %d)", spawnArgs.HatcheryName, spawnArgs.WorkerName, spawnArgs.JobID)
 
+	if spawnArgs.JobID == 0 && !spawnArgs.RegisterOnly {
+		return sdk.WithStack(fmt.Errorf("no job ID and no register"))
+	}
+
 	// Generate a random string 16 chars length
 	bs := make([]byte, 16)
 	if _, err := rand.Read(bs); err != nil {
@@ -79,10 +83,9 @@ func (h *HatcheryLocal) SpawnWorker(ctx context.Context, spawnArgs hatchery.Spaw
 		GraylogExtraKey:   h.Configuration().Provision.WorkerLogsOptions.Graylog.ExtraKey,
 		GraylogExtraValue: h.Configuration().Provision.WorkerLogsOptions.Graylog.ExtraValue,
 		WorkerBinary:      path.Join(h.BasedirDedicated, h.getWorkerBinaryName()),
+		WorkflowJobID:     spawnArgs.JobID,
 	}
 
-	udataParam.WorkflowJobID = spawnArgs.JobID
-
 	tmpl, errt := template.New("cmd").Parse(workerCmdTmpl)
 	if errt != nil {
 		return errt

engine/hatchery/marathon/marathon.go

@@ -210,6 +210,10 @@ func (h *HatcheryMarathon) SpawnWorker(ctx context.Context, spawnArgs hatchery.S
 		log.Debug("spawnWorker> spawning worker %s (%s)", spawnArgs.Model.Name, spawnArgs.Model.ModelDocker.Image)
 	}
 
+	if spawnArgs.JobID == 0 && !spawnArgs.RegisterOnly {
+		return sdk.WithStack(fmt.Errorf("no job ID and no register"))
+	}
+
 	// Estimate needed memory, we will set 110% of required memory
 	memory := int64(h.Config.DefaultMemory)
 
@@ -228,10 +232,9 @@ func (h *HatcheryMarathon) SpawnWorker(ctx context.Context, spawnArgs hatchery.S
 		GraylogPort:       h.Configuration().Provision.WorkerLogsOptions.Graylog.Port,
 		GraylogExtraKey:   h.Configuration().Provision.WorkerLogsOptions.Graylog.ExtraKey,
 		GraylogExtraValue: h.Configuration().Provision.WorkerLogsOptions.Graylog.ExtraValue,
+		WorkflowJobID:     spawnArgs.JobID,
 	}
 
-	udataParam.WorkflowJobID = spawnArgs.JobID
-
 	tmpl, errt := template.New("cmd").Parse(spawnArgs.Model.ModelDocker.Cmd)
 	if errt != nil {
 		return errt

engine/hatchery/openstack/spawn.go

@@ -25,6 +25,10 @@ func (h *HatcheryOpenstack) SpawnWorker(ctx context.Context, spawnArgs hatchery.
 		log.Debug("spawnWorker> spawning worker %s model:%s", spawnArgs.WorkerName, spawnArgs.Model.Name)
 	}
 
+	if spawnArgs.JobID == 0 && !spawnArgs.RegisterOnly {
+		return sdk.WithStack(fmt.Errorf("no job ID and no register"))
+	}
+
 	if len(h.getServers(ctx)) == h.Configuration().Provision.MaxWorker {
 		log.Debug("MaxWorker limit (%d) reached", h.Configuration().Provision.MaxWorker)
 		return nil

engine/hatchery/vsphere/spawn.go

@@ -30,6 +30,10 @@ type annotation struct {
 
 // SpawnWorker creates a new vm instance
 func (h *HatcheryVSphere) SpawnWorker(ctx context.Context, spawnArgs hatchery.SpawnArguments) error {
+	if spawnArgs.JobID == 0 && !spawnArgs.RegisterOnly {
+		return sdk.WithStack(fmt.Errorf("no job ID and no register"))
+	}
+
 	var vm *object.VirtualMachine
 	var errV error
 	_, errM := h.getModelByName(ctx, spawnArgs.Model.Name)
@@ -196,10 +200,9 @@ func (h *HatcheryVSphere) launchScriptWorker(name string, jobID int64, token str
 		GraylogPort:       h.Configuration().Provision.WorkerLogsOptions.Graylog.Port,
 		GraylogExtraKey:   h.Configuration().Provision.WorkerLogsOptions.Graylog.ExtraKey,
 		GraylogExtraValue: h.Configuration().Provision.WorkerLogsOptions.Graylog.ExtraValue,
+		WorkflowJobID:     jobID,
 	}
 
-	udataParam.WorkflowJobID = jobID
-
 	var buffer bytes.Buffer
 	if err := tmpl.Execute(&buffer, udataParam); err != nil {
 		return err

engine/worker/cmd_run.go

@@ -37,6 +37,10 @@ func runCmd() func(cmd *cobra.Command, args []string) {
 		// Get the booked job ID
 		bookedWJobID := FlagInt64(cmd, flagBookedWorkflowJobID)
 
+		if bookedWJobID == 0 {
+			sdk.Exit("flag --booked-workflow-job-id is mandatory")
+		}
+
 		ctx, cancel := context.WithCancel(ctx)
 		// Gracefully shutdown connections
 		c := make(chan os.Signal, 1)