From ac404c1c96cb349ccc5c05cff077dca556aa37c6 Mon Sep 17 00:00:00 2001 From: Anton Drukh Date: Tue, 11 Sep 2018 10:12:02 +0300 Subject: [PATCH 1/5] fix: sanitise jira creds in logs --- lib/log.js | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/log.js b/lib/log.js index 5d4c0d625..397a63241 100644 --- a/lib/log.js +++ b/lib/log.js @@ -4,7 +4,7 @@ const mapValues = require('lodash.mapvalues'); const config = require('./config'); const sanitiseConfigVariable = (raw, variable) => - raw.replace(new RegExp(escapeRegExp(config[variable]), 'igm'), variable); + raw.replace(new RegExp(escapeRegExp(config[variable]), 'igm'), '${' + variable + '}'); // sanitises sensitive values, replacing all occurences with label function sanitise(raw) { @@ -35,6 +35,14 @@ function sanitise(raw) { raw = sanitiseConfigVariable(raw, 'GITLAB_TOKEN'); } + if (config.JIRA_USERNAME) { + raw = sanitiseConfigVariable(raw, 'JIRA_USERNAME'); + } + + if (config.JIRA_USERNAME) { + raw = sanitiseConfigVariable(raw, 'JIRA_PASSWORD'); + } + return raw; } @@ -45,7 +53,7 @@ function sanitiseObject(obj) { function sanitiseHeaders(headers) { const hdrs = JSON.parse(JSON.stringify(headers)); if (hdrs.authorization) { - hdrs.authorization = 'AUTHORIZATION'; + hdrs.authorization = '${AUTHORIZATION}'; } return sanitiseObject(hdrs); } From 1829ebbb69b6ba7eec1ec4bf13b85ff923797586 Mon Sep 17 00:00:00 2001 From: Anton Drukh Date: Wed, 12 Sep 2018 11:35:47 +0300 Subject: [PATCH 2/5] fix: allow config override --- lib/index.js | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/lib/index.js b/lib/index.js index bd81e09c6..1dd66be76 100644 --- a/lib/index.js +++ b/lib/index.js 
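Review bot: The second JIRA block added to `sanitise` tests `config.JIRA_USERNAME` but sanitises `'JIRA_PASSWORD'`, so a configured password stays in log output whenever only the password is set, and when the username is set without a password `escapeRegExp(undefined)` would, as far as I can tell, produce an empty pattern that matches at every position and litters the text with `${JIRA_PASSWORD}`. The guard should be `if (config.JIRA_PASSWORD) {`. The `'${' + variable + '}'` concatenation in the first hunk reads as a deliberate way to avoid template-literal interpolation; a short comment such as `// plain concat: a template literal would interpolate here` would spare the next reader the double-take. `sanitise` continues outside the hunk.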
@@ -10,35 +10,38 @@ const app = module.exports = { main: main, }; -function main({ port, client } = {}) { +function main({ port, client, config = {} } = {}) { // note: the config is loaded in the main function to allow us to mock in tests if (process.env.TAP) { delete require.cache[require.resolve('./config')]; } - const config = require('./config'); + + // merge provided config with env + const localConfig = Object.assign({}, require('./config'), config); + if (client === undefined) { - client = !!config.brokerServerUrl; + client = !!localConfig.brokerServerUrl; } - if (!config.BROKER_CLIENT_URL) { - const proto = !config.key && !config.cert ? 'http' : 'https'; - config.BROKER_CLIENT_URL = `${proto}://localhost:${port || config.port}`; + if (!localConfig.BROKER_CLIENT_URL) { + const proto = !localConfig.key && !localConfig.cert ? 'http' : 'https'; + localConfig.BROKER_CLIENT_URL = `${proto}://localhost:${port || localConfig.port}`; } const method = client ? 'client' : 'server'; process.env.BROKER_TYPE = method; - logger.debug({ accept: config.accept }, 'loading rules'); + logger.debug({ accept: localConfig.accept }, 'loading rules'); let filters = {}; - if (config.accept) { - const acceptLocation = path.resolve(process.cwd(), config.accept); + if (localConfig.accept) { + const acceptLocation = path.resolve(process.cwd(), localConfig.accept); filters = yaml.safeLoad(fs.readFileSync(acceptLocation, 'utf8')); } - // if the config has the broker server, then we must assume it's a client - return app[method]({ config, port, filters }); + // if the localConfig has the broker server, then we must assume it's a client + return app[method]({ config: localConfig, port, filters }); } if (!module.parent) { From 5815b99760286764ba64b858c66b94fb3fe5d35f Mon Sep 17 00:00:00 2001 
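Review bot: The overrides merged into `localConfig` are not seen by the log sanitiser, which (per the `lib/log.js` hunk in the first patch of this series) reads `require('./config')` directly, so a secret passed through the new `config` parameter is not masked in logs even though the same value from the environment would be. That is acceptable for the test-only use this patch targets, but it should be stated in the comment, e.g. `// note: overrides are not visible to logger.sanitise, which reads ./config directly`, or fixed by letting `sanitise` see the merged config. Copying into a fresh object before assigning `BROKER_CLIENT_URL` is an improvement over mutating the cached module, and a comment noting that intent would help. The rewritten `// if the localConfig has the broker server, ...` comment reads awkwardly; `// if the config has a broker server url, we must assume it's a client` is clearer.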
From: Anton Drukh Date: Tue, 11 Sep 2018 10:24:02 +0300 Subject: [PATCH 3/5] feat: broker client systemcheck endpoint --- lib/client/index.js | 67 ++++++++++++++- lib/log.js | 3 + lib/relay.js | 3 +- test/functional/healthcheck.test.js | 10 +-- test/functional/systemcheck.test.js | 123 ++++++++++++++++++++++++++++ 5 files changed, 198 insertions(+), 8 deletions(-) create mode 100644 test/functional/systemcheck.test.js diff --git a/lib/client/index.js b/lib/client/index.js index d0a60167e..c11034b68 100644 --- a/lib/client/index.js +++ b/lib/client/index.js @@ -1,4 +1,5 @@ const primus = require('primus'); +const request = require('request'); const socket = require('./socket'); const relay = require('../relay'); const logger = require('../log'); @@ -25,7 +26,7 @@ module.exports = ({ port = null, config = {}, filters = {} }) => { // IMPORTANT: defined before relay (`app.all('/*', ...`) app.get(config.brokerHealthcheckPath || '/healthcheck', (req, res) => { - // io.readyState sets the success of the healthcheck + // healthcheck state depends on websocket connection status // value of primus.Spark.OPEN means the websocket connection is open const isConnOpen = (io.readyState === primus.Spark.OPEN); const status = isConnOpen ? 200 : 500; 
@@ -39,6 +40,70 @@ module.exports = ({ port = null, config = {}, filters = {} }) => { return res.status(status).json(data); }); + app.get(config.brokerSystemcheckPath || '/systemcheck', (req, res) => { + // Systemcheck is the broker client's ability to assert the network + // reachability and some correctness of credentials for the service + // being proxied by the broker client. + + const brokerClientValidationMethod = + config.brokerClientValidationMethod || 'GET'; + const brokerClientValidationTimeoutMs = + config.brokerClientValidationTimeoutMs || 5000; + + const data = { + brokerClientValidationUrl: logger.sanitise(config.brokerClientValidationUrl), + brokerClientValidationMethod, + brokerClientValidationTimeoutMs, + }; + + const validationRequestHeaders = { + 'user-agent': 'Snyk Broker client ' + version, + }; + + // set auth header according to config + if (config.brokerClientValidationAuthorizationHeader) { + validationRequestHeaders.authorization = config.brokerClientValidationAuthorizationHeader; + } else if (config.brokerClientValidationBasicAuth) { + validationRequestHeaders.authorization = + `Basic ${new Buffer(config.brokerClientValidationBasicAuth).toString('base64')}`; + } + + // make the internal validation request + request({ + url: config.brokerClientValidationUrl, + headers: validationRequestHeaders, + method: brokerClientValidationMethod, + timeout: brokerClientValidationTimeoutMs, + json: true, + }, (error, response) => { + // test logic requires to surface internal data + // which is best not exposed in production + if (process.env.TAP) { + data.testError = error; + data.testResponse = response; + } + + if (error) { + data.ok = false; + data.error = error.message; + return res.status(500).json(data); + } + + data.brokerClientValidationUrlStatusCode = response && response.statusCode; + // check for 2xx status code + const goodStatusCode = /^2/.test(response && response.statusCode); + if (!goodStatusCode) { + data.ok = false; + data.error = 
'Status code is not 2xx'; + return res.status(500).json(data); + } + + data.ok = true; + return res.status(200).json(data); + }); + }); + + // relay all other URL paths app.all('/*', (req, res, next) => { res.locals.io = io; next(); diff --git a/lib/log.js b/lib/log.js index 397a63241..f10fbf21b 100644 --- a/lib/log.js +++ b/lib/log.js @@ -70,4 +70,7 @@ const log = bunyan.createLogger({ log.level(process.env.LOG_LEVEL || 'info'); +// pin sanitation function on the log so it can be used publicly +log.sanitise = sanitise; + module.exports = log; diff --git a/lib/relay.js b/lib/relay.js index 3c15174c3..1932e2151 100644 --- a/lib/relay.js +++ b/lib/relay.js @@ -7,6 +7,7 @@ const Filters = require('./filters'); const replace = require('./replace-vars'); const tryJSONParse = require('./try-json-parse'); const logger = require('./log'); +const version = require('./version'); module.exports = { request: requestHandler, @@ -105,7 +106,7 @@ function responseHandler(filterRules, config) { logContext.httpUrl = result.url; if (!headers['user-agent']) { - headers['user-agent'] = 'Snyk Broker'; + headers['user-agent'] = 'Snyk Broker ' + version; logContext.userAgentHeaderSet = true; } diff --git a/test/functional/healthcheck.test.js b/test/functional/healthcheck.test.js index 6a776696d..247d2e567 100644 --- a/test/functional/healthcheck.test.js +++ b/test/functional/healthcheck.test.js @@ -17,7 +17,7 @@ test('proxy requests originating from behind the broker client', t => { */ process.env.ACCEPT = 'filters.json'; - + process.chdir(path.resolve(root, '../fixtures/server')); process.env.BROKER_TYPE = 'server'; const serverPort = port(); 
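Review bot: In the new `/systemcheck` handler, `data.error = error.message` is returned to the unauthenticated caller without going through `logger.sanitise`, unlike `brokerClientValidationUrl` a few lines above; the `request` library's error text can embed the requested URI, and the client templates later in this series place a token in the GitLab validation URL's query string, so the message should be masked as well: `data.error = logger.sanitise(error.message);`. `new Buffer(config.brokerClientValidationBasicAuth)` uses the deprecated constructor; `Buffer.from(config.brokerClientValidationBasicAuth)` is the supported form. Every GET on this path triggers a credentialed outbound request with no authentication or rate limiting on the inbound side, which is worth a sentence in the handler's header comment so operators know not to expose the port beyond the local network. The `lib/log.js` and `lib/relay.js` hunks that also end on this line look fine.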
@@ -92,11 +92,9 @@ test('proxy requests originating from behind the broker client', t => { }); t.test('misconfigured client fails healthcheck', t => { - // set a bad server url - process.env.BROKER_SERVER_URL = 'https://snyk.io'; - var badClient = app.main({ port: clientPort }); - // revert to a good server url - process.env.BROKER_SERVER_URL = `http://localhost:${serverPort}`; + var badClient = app.main({ port: clientPort, config: { + brokerServerUrl: 'http://no-such-server', + }}); request({url: clientHealth, json: true }, (err, res) => { if (err) { return t.threw(err); } diff --git a/test/functional/systemcheck.test.js b/test/functional/systemcheck.test.js new file mode 100644 index 000000000..bd34f1b33 --- /dev/null +++ b/test/functional/systemcheck.test.js 
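Review bot: `var badClient` in the rewritten `misconfigured client fails healthcheck` case should be `const badClient`, matching the `const` declarations used in the new systemcheck test in this series. Replacing the env-var juggling with `config: { brokerServerUrl: ... }` is a clearer setup, but `'http://no-such-server'` relies on DNS resolution failing, which deserves a one-line comment such as `// unresolvable host: the websocket never opens, so the healthcheck must fail`. The enclosing test callback continues outside the hunk.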
@@ -0,0 +1,123 @@ +const tap = require('tap'); +const test = require('tap-only'); +const path = require('path'); +const request = require('request'); +const app = require('../../lib'); +const root = __dirname; + +const { port } = require('../utils')(tap); + +test('broker client systemcheck endpoint', t => { + /** + * 1. start broker in server mode + * 2. start broker in client mode and join (1) + * 3. check /healthcheck on client and server + * 4. stop client and check it's on "disconnected" in the server + * 5. restart client with same token, make sure it's not in "disconnected" + */ + + process.env.ACCEPT = 'filters.json'; + + process.chdir(path.resolve(root, '../fixtures/client')); + const clientPort = port(); + + t.plan(4); + + const clientUrl = `http://localhost:${clientPort}`; + + t.test('good validation url, custom endpoint', t => { + const client = app.main({ port: clientPort, config: { + brokerType: 'client', + brokerToken: '1234567890', + brokerServerUrl: 'http://localhost:12345', + brokerClientValidationUrl: 'https://snyk.io', + brokerSystemcheckPath: '/custom-systemcheck', + }}); + + request({url: `${clientUrl}/custom-systemcheck`, json: true }, (err, res) => { + if (err) { return t.threw(err); } + + t.equal(res.statusCode, 200, '200 statusCode'); + t.equal(res.body.ok, true, '{ ok: true } in body'); + t.equal(res.body.brokerClientValidationUrl, 'https://snyk.io', 'validation url present'); + + client.close(); + setTimeout(() => { + t.end(); + }, 100); + }); + }); + + t.test('good validation url, authorization header', t => { + const client = app.main({ port: clientPort, config: { + brokerType: 'client', + brokerToken: '1234567890', + brokerServerUrl: 'http://localhost:12345', + brokerClientValidationUrl: 'https://httpbin.org/headers', + brokerClientValidationAuthorizationHeader: 'token my-special-access-token', + }}); + + request({url: `${clientUrl}/systemcheck`, json: true }, (err, res) => { + if (err) { return t.threw(err); } + + 
t.equal(res.statusCode, 200, '200 statusCode'); + t.equal(res.body.ok, true, '{ ok: true } in body'); + t.equal(res.body.brokerClientValidationUrl, 'https://httpbin.org/headers', 'validation url present'); + t.ok(res.body.testResponse.body.headers['User-Agent'], 'user-agent header is present in validation request'); + t.equal(res.body.testResponse.body.headers.Authorization, 'token my-special-access-token', 'proper authorization header in validation request'); + + client.close(); + setTimeout(() => { + t.end(); + }, 100); + }); + }); + + t.test('good validation url, basic auth', t => { + const client = app.main({ port: clientPort, config: { + brokerType: 'client', + brokerToken: '1234567890', + brokerServerUrl: 'http://localhost:12345', + brokerClientValidationUrl: 'https://httpbin.org/headers', + brokerClientValidationBasicAuth: 'username:password', + }}); + + request({url: `${clientUrl}/systemcheck`, json: true }, (err, res) => { + if (err) { return t.threw(err); } + + t.equal(res.statusCode, 200, '200 statusCode'); + t.equal(res.body.ok, true, '{ ok: true } in body'); + t.equal(res.body.brokerClientValidationUrl, 'https://httpbin.org/headers', 'validation url present'); + t.ok(res.body.testResponse.body.headers['User-Agent'], 'user-agent header is present in validation request'); + const expectedAuthHeader = `Basic ${Buffer('username:password').toString('base64')}`; + t.equal(res.body.testResponse.body.headers.Authorization, expectedAuthHeader, 'proper authorization header in request'); + + client.close(); + setTimeout(() => { + t.end(); + }, 100); + }); + }); + + t.test('bad validation url', t => { + const client = app.main({ port: clientPort, config: { + brokerType: 'client', + brokerToken: '1234567890', + brokerServerUrl: 'http://localhost:12345', + brokerClientValidationUrl: 'https://snyk.io/no-such-url-ever', + }}); + + request({url: `${clientUrl}/systemcheck`, json: true }, (err, res) => { + if (err) { return t.threw(err); } + + t.equal(res.statusCode, 
500, '500 statusCode'); + t.equal(res.body.ok, false, '{ ok: false } in body'); + t.equal(res.body.brokerClientValidationUrl, 'https://snyk.io/no-such-url-ever', 'validation url present'); + + client.close(); + setTimeout(() => { + t.end(); + }, 100); + }); + }); +}); From e00cba2add118174f5466de34b4f7696acf9a321 Mon Sep 17 00:00:00 2001 From: Anton Drukh Date: Wed, 12 Sep 2018 16:01:15 +0300 Subject: [PATCH 4/5] feat: define internal validation URLs for broker client templates --- README.md | 51 +++++++++++++------ client-templates/bitbucket-server/.env.sample | 6 +++ client-templates/github-com/.env.sample | 26 +++++----- .../github-enterprise/.env.sample | 15 +++--- client-templates/gitlab/.env.sample | 3 ++ client-templates/jira/.env.sample | 14 +++-- dockerfiles/bitbucket-server/Dockerfile | 8 ++- dockerfiles/github-com/Dockerfile | 8 ++- dockerfiles/github-enterprise/Dockerfile | 8 ++- dockerfiles/gitlab/Dockerfile | 6 ++- dockerfiles/jira/Dockerfile | 13 ++++- 11 files changed, 116 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 5c42b94a2..de25405cb 100644 --- a/README.md +++ b/README.md @@ -187,7 +187,7 @@ To use the the broker client with a Jira deployment, run `docker pull snyk/broke - `BROKER_TOKEN` - the snyk broker token, obtained from your Jira integration settings view. - `JIRA_USERNAME` - the Jira username. - `JIRA_PASSWORD` - the Jira password. -- `JIRA_BASE_URL` - the URL of your Jira deployment, such as `https://your.jira.domain.com`. +- `JIRA_HOSTNAME` - the hostname of your Jira deployment, such as `your.jira.domain.com`. - `BROKER_CLIENT_URL` - the full URL of the broker client as it will be accessible by your Jira for webhooks, such as `http://my.broker.client:7341` - `PORT` - the local port at which the broker client accepts connections. Default is 7341. 
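Review bot: The header comment in the new `broker client systemcheck endpoint` test (steps 1-5 about starting a server, joining it and checking the "disconnected" state) is copied from the healthcheck test and describes nothing this test does; it should list the four cases actually exercised (custom path, authorization header, basic auth, bad URL). All four cases reach out to live hosts (`snyk.io`, `httpbin.org`), so the suite fails offline and the basic-auth case sends a `username:password` pair to a third-party echo service; a local stub HTTP server that records the received `Authorization` header would make the assertions deterministic and keep test traffic on the loopback interface. `Buffer('username:password')` is the deprecated constructor call; `Buffer.from('username:password')` is the supported form.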
@@ -201,7 +201,7 @@ docker run --restart=always \ -e BROKER_TOKEN=secret-broker-token \ -e JIRA_USERNAME=username \ -e JIRA_PASSWORD=password \ - -e JIRA_BASE_URL=https://your.jira.domain.com \ + -e JIRA_HOSTNAME=your.jira.domain.com \ -e BROKER_CLIENT_URL=http://my.broker.client:8000 \ -e PORT=8000 \ snyk/broker:jira 
@@ -217,10 +217,43 @@ FROM snyk/broker:jira ENV BROKER_TOKEN secret-broker-token ENV JIRA_USERNAME username ENV JIRA_PASSWORD password -ENV JIRA_BASE_URL https://your.jira.domain.com +ENV JIRA_HOSTNAME your.jira.domain.com ENV PORT 8000 ``` +### Monitoring + +#### Healthcheck + +The broker exposes an endpoint at `/healthcheck`, which can be used to monitor the health of the running application. This endpoint responds with status code `200 OK` when the internal request is successful, and returns `{ ok: true }` in the response body. + +In the case of the broker client, this endpoint also reports on the status of the broker websocket connection. If the websocket connection is not open, this endpoint responds with status code `500 Internal Server Error` and `{ ok: false }` in the response body. + +To change the location of the healthcheck endpoint, you can specify an alternative path via an environment variable: + +``` +ENV BROKER_HEALTHCHECK_PATH /path/to/healthcheck +``` + +#### Systemcheck + +The broker client exposes an endpoint at `/systemcheck`, which can be used to validate the brokered service (SCM or the like) connectivity and credentials. This endpoint causes the broker client to make a request to a preconfigured URL, and report on the success of the request. The supported configuration is: + +* `BROKER_CLIENT_VALIDATION_URL` - the URL to which the request will be made. +* `BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER` - [optional] the `Authorization` header value of the request. Mutually exclusive with `BROKER_CLIENT_VALIDATION_BASIC_AUTH`. +* `BROKER_CLIENT_VALIDATION_BASIC_AUTH` - [optional] the basic auth credentials (`username:password`) to be base64 encoded and placed in the `Authorization` header value of the request. Mutually exclusive with `BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER`. +* `BROKER_CLIENT_VALIDATION_METHOD` - [optional] the HTTP method of the request (default is `GET`). 
+* `BROKER_CLIENT_VALIDATION_TIMEOUT_MS` - [optional] the request timeout in milliseconds (default is 5000 ms). + +This endpoint responds with status code `200 OK` when the internal request is successful, and returns `{ ok: true }` in the response body. If the internal request fails, this endpoint responds with status code `500 Internal Server Error` and `{ ok: false }` in the response body. + +To change the location of the systemcheck endpoint, you can specify an alternative path via an environment variable: + +``` +ENV BROKER_SYSTEMCHECK_PATH /path/to/systemcheck +``` + + ### Advanced Configuration #### HTTPS @@ -244,18 +277,6 @@ docker run --restart=always \ Note that `BROKER_CLIENT_URL` now has the HTTPS scheme. - -#### Monitoring - -The broker exposes an endpoint at `/healthcheck`, which can be used to monitor the health of the running application. This endpoint returns `200 OK` status code when the application is healthy, and will return a JSON object containing `ok: true`. - -To change the location of this endpoint, you can specify an alternative path via an environment variable: - -``` -ENV BROKER_HEALTHCHECK_PATH /path/to/healthcheck -``` - - #### SCM with an internal certificate By default, the broker client establishes HTTPS connections to the SCM. If your SCM is serving an internal certificate (signed by your own CA), you can provide the CA certificate to the broker client. diff --git a/client-templates/bitbucket-server/.env.sample b/client-templates/bitbucket-server/.env.sample index cf33e70b7..a413cbc7f 100644 --- a/client-templates/bitbucket-server/.env.sample +++ b/client-templates/bitbucket-server/.env.sample 
@@ -20,6 +20,12 @@ BITBUCKET_API=$BITBUCKET/rest/api/1.0 # the url of your broker client (including scheme and port) # BROKER_CLIENT_URL= +# Bitbucket server validation url, checked by broker client systemcheck endpoint +BROKER_CLIENT_VALIDATION_URL=https://$BITBUCKET/rest/api/1.0/projects + +# Bitbucket server basic auth creds +BROKER_CLIENT_VALIDATION_BASIC_AUTH="$BITBUCKET_USERNAME:$BITBUCKET_PASSWORD" + # The URL of the Snyk broker server BROKER_SERVER_URL=https://broker.snyk.io diff --git a/client-templates/github-com/.env.sample b/client-templates/github-com/.env.sample index 67a0c2ae5..b07cfd112 100644 --- a/client-templates/github-com/.env.sample +++ b/client-templates/github-com/.env.sample 
@@ -4,25 +4,27 @@ BROKER_TOKEN= # your personal access token to your github.com account GITHUB_TOKEN= -# the host GitHub, excluding scheme. For github.com -# this should be "github.com" -GITHUB= +# the host for GitHub, excluding scheme +GITHUB=github.com -# the host for GitHub's raw content, excluding scheme. For github.com -# this should be "raw.githubusercontent.com" -GITHUB_RAW= +# the host for GitHub's raw content, excluding scheme +GITHUB_RAW=raw.githubusercontent.com -# the url that the github API should be accessed at. For github.com this should be -# changed to "api.github.com" -GITHUB_API=$GITHUB/api/v3 +# the GitHub REST API url, excluding scheme +GITHUB_API=api.github.com -# the url that the github graphql API should be accessed at. -# For github.com this should be changed to "api.github.com" -GITHUB_GRAPHQL=$GITHUB/api +# the GitHub GraphQL API url, excluding scheme +GITHUB_GRAPHQL=api.github.com # the url of your broker client (including scheme and port) # BROKER_CLIENT_URL= +# GitHub validation url, checked by broker client systemcheck endpoint +BROKER_CLIENT_VALIDATION_URL=https://$GITHUB_API/user + +# GitHub validation request Authorization header +BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER="token $GITHUB_TOKEN" + # The URL of the Snyk broker server BROKER_SERVER_URL=https://broker.snyk.io diff --git a/client-templates/github-enterprise/.env.sample b/client-templates/github-enterprise/.env.sample index bb5962597..91df3ced8 100644 --- a/client-templates/github-enterprise/.env.sample +++ b/client-templates/github-enterprise/.env.sample 
@@ -4,21 +4,24 @@ BROKER_TOKEN= # your personal access token to your github enterprise account GITHUB_TOKEN= -# the host where your GitHub Enterprise is running, excluding scheme. For github.com -# this should be "github.com" +# the host for your GitHub Enterprise deployment, excluding scheme GITHUB= -# the url that the github API should be accessed at. For github.com this should be -# changed to "api.github.com" +# the GitHub Enterprise REST API url, excluding scheme GITHUB_API=$GITHUB/api/v3 -# the url that the github graphql API should be accessed at. -# For github.com this should be changed to "api.github.com" +# the GitHub Enterprise GraphQL API url, excluding scheme GITHUB_GRAPHQL=$GITHUB/api # the url of your broker client (including scheme and port) # BROKER_CLIENT_URL= +# GitHub Enterprise validation url, checked by broker client systemcheck endpoint +BROKER_CLIENT_VALIDATION_URL=https://$GITHUB_API/user + +# GitHub Enterprise validation request Authorization header +BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER="token $GITHUB_TOKEN" + # The URL of the Snyk broker server BROKER_SERVER_URL=https://broker.snyk.io diff --git a/client-templates/gitlab/.env.sample b/client-templates/gitlab/.env.sample index 85b9efed6..b5fcab7a7 100644 --- a/client-templates/gitlab/.env.sample +++ b/client-templates/gitlab/.env.sample @@ -11,6 +11,9 @@ GITLAB= # the url of your broker client (including scheme and port) # BROKER_CLIENT_URL= +# GitLab validation url, checked by broker client systemcheck endpoint +BROKER_CLIENT_VALIDATION_URL=https://$GITLAB/api/v3/user?private_token=$GITLAB_TOKEN + # The URL of the Snyk broker server BROKER_SERVER_URL=https://broker.snyk.io diff --git a/client-templates/jira/.env.sample b/client-templates/jira/.env.sample index 49aef3835..db20ef49a 100644 --- a/client-templates/jira/.env.sample +++ b/client-templates/jira/.env.sample 
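Review bot: The new GitLab validation URL `https://$GITLAB/api/v3/user?private_token=$GITLAB_TOKEN` carries the token in the query string, where it lands in proxy and web-server access logs and in any place the URL is echoed; this series also adds `BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER`, and if the supported GitLab versions accept the token as `Authorization: Bearer $GITLAB_TOKEN` that keeps it out of the URL entirely. `api/v3` is also worth confirming against the GitLab versions you support, since v3 was retired in favour of v4. The same URL is repeated in the `dockerfiles/gitlab/Dockerfile` hunk later in this patch.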
@@ -4,16 +4,24 @@ BROKER_TOKEN= # your personal username to your Jira Server account JIRA_USERNAME= -# your personal password to your Jira Server account +# your personal password or API token to your Jira Server account JIRA_PASSWORD= +# your Jira Server hostname, i.e. jira.yourdomain.com +JIRA_HOSTNAME= + # Your Jira Server URL, including scheme and hostname -# i.e. https://jira.yourdomain.com -JIRA_BASE_URL= +JIRA_BASE_URL=https://$JIRA_HOSTNAME # the url of your broker client (including scheme and port) # BROKER_CLIENT_URL= +# Jira validation url, checked by broker client systemcheck endpoint +BROKER_CLIENT_VALIDATION_URL=https://$JIRA_HOSTNAME/rest/api/2/myself + +# Jira basic auth creds +BROKER_CLIENT_VALIDATION_BASIC_AUTH="$JIRA_USERNAME:$JIRA_PASSWORD" + # The URL of the Snyk broker server BROKER_SERVER_URL=https://broker.snyk.io diff --git a/dockerfiles/bitbucket-server/Dockerfile b/dockerfiles/bitbucket-server/Dockerfile index f4937c342..ba788af9c 100644 --- a/dockerfiles/bitbucket-server/Dockerfile +++ b/dockerfiles/bitbucket-server/Dockerfile @@ -59,10 +59,16 @@ ENV ACCEPT accept.json # The path for the broker's internal healthcheck URL. Must start with a '/'. ENV BROKER_HEALTHCHECK_PATH /healthcheck +# Bitbucket server validation url, checked by broker client healthcheck endpoint +ENV BROKER_CLIENT_VALIDATION_URL https://$BITBUCKET/rest/api/1.0/projects + +# Bitbucket server basic auth creds +ENV BROKER_CLIENT_VALIDATION_BASIC_AUTH "$BITBUCKET_USERNAME:$BITBUCKET_PASSWORD" + EXPOSE $PORT -HEALTHCHECK --interval=10s --timeout=1s \ +HEALTHCHECK --interval=60s --timeout=10s \ CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} CMD ["broker", "--verbose"] diff --git a/dockerfiles/github-com/Dockerfile b/dockerfiles/github-com/Dockerfile index 96f7a5275..855d874d4 100644 --- a/dockerfiles/github-com/Dockerfile +++ b/dockerfiles/github-com/Dockerfile 
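Review bot: The comment on the new `BROKER_CLIENT_VALIDATION_URL` line in `dockerfiles/bitbucket-server/Dockerfile` says `checked by broker client healthcheck endpoint`, but it is the systemcheck endpoint that performs this request, as the matching `.env.sample` comments and the README in this patch say; the same wording appears in the github-com, github-enterprise, gitlab and jira Dockerfiles. Docker also substitutes `$VAR` inside `ENV` at build time from values declared earlier in the Dockerfile, so `"$BITBUCKET_USERNAME:$BITBUCKET_PASSWORD"` would, unless escaped or re-expanded later by the broker's own config loading, be baked in as `:` rather than picking up `-e` values at run time — worth confirming against how the existing `ENV` lines above the hunk handle references to earlier variables. The `HEALTHCHECK` interval change is harmless and is removed again in the last patch of the series.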
@@ -62,10 +62,16 @@ ENV ACCEPT accept.json # The path for the broker's internal healthcheck URL. Must start with a '/'. ENV BROKER_HEALTHCHECK_PATH /healthcheck +# GitHub validation url, checked by broker client healthcheck endpoint +ENV BROKER_CLIENT_VALIDATION_URL https://$GITHUB_API/user + +# GitHub validation request Authorization header +ENV BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER "token $GITHUB_TOKEN" + EXPOSE $PORT -HEALTHCHECK --interval=10s --timeout=1s \ +HEALTHCHECK --interval=60s --timeout=10s \ CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} CMD ["broker", "--verbose"] diff --git a/dockerfiles/github-enterprise/Dockerfile b/dockerfiles/github-enterprise/Dockerfile index fb5eb8adb..b0538e5b6 100644 --- a/dockerfiles/github-enterprise/Dockerfile +++ b/dockerfiles/github-enterprise/Dockerfile @@ -59,10 +59,16 @@ ENV ACCEPT accept.json # The path for the broker's internal healthcheck URL. Must start with a '/'. ENV BROKER_HEALTHCHECK_PATH /healthcheck +# GitHub Enterprise validation url, checked by broker client healthcheck endpoint +ENV BROKER_CLIENT_VALIDATION_URL https://$GITHUB_API/user + +# GitHub Enterprise validation request Authorization header +ENV BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER "token $GITHUB_TOKEN" + EXPOSE $PORT -HEALTHCHECK --interval=10s --timeout=1s \ +HEALTHCHECK --interval=60s --timeout=10s \ CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} CMD ["broker", "--verbose"] diff --git a/dockerfiles/gitlab/Dockerfile b/dockerfiles/gitlab/Dockerfile index 93bdf7f91..13481f560 100644 --- a/dockerfiles/gitlab/Dockerfile +++ b/dockerfiles/gitlab/Dockerfile 
@@ -53,10 +53,14 @@ ENV ACCEPT accept.json # The path for the broker's internal healthcheck URL. Must start with a '/'. ENV BROKER_HEALTHCHECK_PATH /healthcheck +# GitLab validation url, checked by broker client healthcheck endpoint +ENV BROKER_CLIENT_VALIDATION_URL https://$GITLAB/api/v3/user?private_token=$GITLAB_TOKEN + + EXPOSE $PORT -HEALTHCHECK --interval=10s --timeout=1s \ +HEALTHCHECK --interval=60s --timeout=10s \ CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} CMD ["broker", "--verbose"] diff --git a/dockerfiles/jira/Dockerfile b/dockerfiles/jira/Dockerfile index f6f6c77ba..95e9d5cf0 100644 --- a/dockerfiles/jira/Dockerfile +++ b/dockerfiles/jira/Dockerfile @@ -27,8 +27,11 @@ ENV BROKER_TOKEN ENV JIRA_USERNAME ENV JIRA_PASSWORD +# Your Jira Server host +ENV JIRA_HOSTNAME your.jira.server.hostname + # Your Jira Server URL, including scheme and hostname -ENV JIRA_BASE_URL https://your.jira.server.hostname +ENV JIRA_BASE_URL https://$JIRA_HOSTNAME # The port used by the broker client to accept internal connections # Default value is 7341 @@ -54,10 +57,16 @@ ENV ACCEPT accept.json # The path for the broker's internal healthcheck URL. Must start with a '/'. ENV BROKER_HEALTHCHECK_PATH /healthcheck +# Jira validation url, checked by broker client healthcheck endpoint +ENV BROKER_CLIENT_VALIDATION_URL https://$JIRA_HOSTNAME/rest/api/2/myself + +# Jira basic auth creds +ENV BROKER_CLIENT_VALIDATION_BASIC_AUTH "$JIRA_USERNAME:$JIRA_PASSWORD" + EXPOSE $PORT -HEALTHCHECK --interval=10s --timeout=1s \ +HEALTHCHECK --interval=60s --timeout=10s \ CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} CMD ["broker", "--verbose"] From 3e426155bdb70b2ac1ae39674b44cadc8ade7587 Mon Sep 17 00:00:00 2001 
From: Anton Drukh Date: Wed, 12 Sep 2018 16:47:58 +0300 Subject: [PATCH 5/5] fix: remove docker internal healthcheck Since both the healthcheck and the systemcheck are exposed as HTTP endpoints, users will have more flexibility querying them externally rather than relying on the internal docker healthcheck feature. --- dockerfiles/bitbucket-server/Dockerfile | 3 --- dockerfiles/github-com/Dockerfile | 3 --- dockerfiles/github-enterprise/Dockerfile | 3 --- dockerfiles/gitlab/Dockerfile | 3 --- dockerfiles/jira/Dockerfile | 3 --- 5 files changed, 15 deletions(-) diff --git a/dockerfiles/bitbucket-server/Dockerfile b/dockerfiles/bitbucket-server/Dockerfile index ba788af9c..3c39ba781 100644 --- a/dockerfiles/bitbucket-server/Dockerfile +++ b/dockerfiles/bitbucket-server/Dockerfile @@ -68,7 +68,4 @@ ENV BROKER_CLIENT_VALIDATION_BASIC_AUTH "$BITBUCKET_USERNAME:$BITBUCKET_PASSWORD EXPOSE $PORT -HEALTHCHECK --interval=60s --timeout=10s \ - CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} - CMD ["broker", "--verbose"] diff --git a/dockerfiles/github-com/Dockerfile b/dockerfiles/github-com/Dockerfile index 855d874d4..a84c1ad14 100644 --- a/dockerfiles/github-com/Dockerfile +++ b/dockerfiles/github-com/Dockerfile @@ -71,7 +71,4 @@ ENV BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER "token $GITHUB_TOKEN" EXPOSE $PORT -HEALTHCHECK --interval=60s --timeout=10s \ - CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} - CMD ["broker", "--verbose"] diff --git a/dockerfiles/github-enterprise/Dockerfile b/dockerfiles/github-enterprise/Dockerfile index b0538e5b6..135c21e62 100644 --- a/dockerfiles/github-enterprise/Dockerfile +++ b/dockerfiles/github-enterprise/Dockerfile @@ -68,7 +68,4 @@ ENV BROKER_CLIENT_VALIDATION_AUTHORIZATION_HEADER "token $GITHUB_TOKEN" EXPOSE $PORT -HEALTHCHECK --interval=60s --timeout=10s \ - CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} - CMD ["broker", "--verbose"] 
diff --git a/dockerfiles/gitlab/Dockerfile b/dockerfiles/gitlab/Dockerfile index 13481f560..cd9b46311 100644 --- a/dockerfiles/gitlab/Dockerfile +++ b/dockerfiles/gitlab/Dockerfile @@ -60,7 +60,4 @@ ENV BROKER_CLIENT_VALIDATION_URL https://$GITLAB/api/v3/user?private_token=$GITL EXPOSE $PORT -HEALTHCHECK --interval=60s --timeout=10s \ - CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} - CMD ["broker", "--verbose"] diff --git a/dockerfiles/jira/Dockerfile b/dockerfiles/jira/Dockerfile index 95e9d5cf0..2629be516 100644 --- a/dockerfiles/jira/Dockerfile +++ b/dockerfiles/jira/Dockerfile @@ -66,7 +66,4 @@ ENV BROKER_CLIENT_VALIDATION_BASIC_AUTH "$JIRA_USERNAME:$JIRA_PASSWORD" EXPOSE $PORT -HEALTHCHECK --interval=60s --timeout=10s \ - CMD wget -q --spider http://localhost:${PORT}${BROKER_HEALTHCHECK_PATH} - CMD ["broker", "--verbose"]