feat: add worker authentication

AOSC-Dev · Mar 11, 2024 · 36f32e7 · 36f32e7
1 parent 399ae5e
commit 36f32e7
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 5 deletions.
diff --git a/common/src/lib.rs b/common/src/lib.rs
@@ -4,6 +4,7 @@ use serde::{Deserialize, Serialize};
 pub struct WorkerPollRequest {
     pub hostname: String,
     pub arch: String,
+    pub worker_secret: String,
 }
 
 #[derive(Serialize, Deserialize, Debug)]
@@ -21,6 +22,7 @@ pub struct WorkerHeartbeatRequest {
     pub git_commit: String,
     pub memory_bytes: i64,
     pub logical_cores: i32,
+    pub worker_secret: String,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -53,4 +55,5 @@ pub struct WorkerJobUpdateRequest {
     pub arch: String,
     pub job_id: i32,
     pub result: JobResult,
+    pub worker_secret: String,
 }
diff --git a/server/src/lib.rs b/server/src/lib.rs
@@ -25,21 +25,24 @@ pub struct Args {
     #[arg(env = "DATABASE_URL")]
     pub database_url: String,
 
-    #[arg(env = "ABBS_PATH")]
+    #[arg(env = "BUILDIT_ABBS_PATH")]
     pub abbs_path: PathBuf,
 
     /// GitHub access token
     #[arg(env = "BUILDIT_GITHUB_ACCESS_TOKEN")]
     pub github_access_token: String,
 
+    #[arg(env = "BUILDIT_WORKER_SECRET")]
+    pub worker_secret: String,
+
     /// Secret
-    #[arg(env = "GITHUB_SECRET")]
+    #[arg(env = "BUILDIT_GITHUB_SECRET")]
     pub github_secret: Option<String>,
 
-    #[arg(env = "GITHUB_APP_ID")]
+    #[arg(env = "BUILDIT_GITHUB_APP_ID")]
     pub github_app_id: Option<String>,
 
-    #[arg(env = "GITHUB_APP_KEY_PEM_PATH")]
+    #[arg(env = "BUILDIT_GITHUB_APP_KEY_PEM_PATH")]
     pub github_app_key: Option<PathBuf>,
 }
 

diff --git a/server/src/routes.rs b/server/src/routes.rs
@@ -108,8 +108,11 @@ pub async fn worker_heartbeat(
     State(AppState { pool, .. }): State<AppState>,
     Json(payload): Json<WorkerHeartbeatRequest>,
 ) -> Result<(), AnyhowError> {
-    // insert or update worker
+    if payload.worker_secret != ARGS.worker_secret {
+        return Err(anyhow!("Invalid worker secret").into());
+    }
 
+    // insert or update worker
     let mut conn = pool
         .get()
         .context("Failed to get db connection from pool")?;
@@ -156,6 +159,10 @@ pub async fn worker_poll(
     State(AppState { pool, .. }): State<AppState>,
     Json(payload): Json<WorkerPollRequest>,
 ) -> Result<Json<Option<WorkerPollResponse>>, AnyhowError> {
+    if payload.worker_secret != ARGS.worker_secret {
+        return Err(anyhow!("Invalid worker secret").into());
+    }
+
     // find a job that can be assigned to the worker
     let mut conn = pool
         .get()
@@ -213,6 +220,10 @@ pub async fn worker_job_update(
     State(AppState { pool, bot }): State<AppState>,
     Json(payload): Json<WorkerJobUpdateRequest>,
 ) -> Result<(), AnyhowError> {
+    if payload.worker_secret != ARGS.worker_secret {
+        return Err(anyhow!("Invalid worker secret").into());
+    }
+
     let mut conn = pool
         .get()
         .context("Failed to get db connection from pool")?;

diff --git a/worker/src/build.rs b/worker/src/build.rs
@@ -265,6 +265,7 @@ async fn build(
     let result = WorkerJobUpdateRequest {
         hostname: gethostname::gethostname().to_string_lossy().to_string(),
         arch: args.arch.clone(),
+        worker_secret: args.worker_secret.clone(),
         job_id: job.job_id,
         result: common::JobResult::Ok(JobOk {
             build_success: success,
@@ -290,6 +291,7 @@ async fn build_worker_inner(args: &Args) -> anyhow::Result<()> {
     let req = WorkerPollRequest {
         hostname: gethostname::gethostname().to_string_lossy().to_string(),
         arch: args.arch.clone(),
+        worker_secret: args.worker_secret.clone(),
     };
 
     loop {
@@ -320,6 +322,7 @@ async fn build_worker_inner(args: &Args) -> anyhow::Result<()> {
                         .json(&WorkerJobUpdateRequest {
                             hostname: gethostname::gethostname().to_string_lossy().to_string(),
                             arch: args.arch.clone(),
+                            worker_secret: args.worker_secret.clone(),
                             job_id: job.job_id,
                             result: common::JobResult::Error(err.to_string()),
                         })

diff --git a/worker/src/heartbeat.rs b/worker/src/heartbeat.rs
@@ -12,6 +12,7 @@ pub async fn heartbeat_worker_inner(args: &Args) -> anyhow::Result<()> {
             .json(&WorkerHeartbeatRequest {
                 hostname: gethostname::gethostname().to_string_lossy().to_string(),
                 arch: args.arch.clone(),
+                worker_secret: args.worker_secret.clone(),
                 git_commit: env!("VERGEN_GIT_DESCRIBE").to_string(),
                 memory_bytes: sysinfo::System::new_all().total_memory() as i64,
                 logical_cores: num_cpus::get() as i32,

diff --git a/worker/src/lib.rs b/worker/src/lib.rs
@@ -11,6 +11,10 @@ pub struct Args {
     #[arg(short = 'H', long, env = "BUILDIT_SERVER")]
     pub server: String,
 
+    /// Worker secret
+    #[arg(short = 'S', long, env = "BUILDIT_WORKER_SECRET")]
+    pub worker_secret: String,
+
     /// Architecture that can build
     #[arg(short = 'A', long, env = "BUILDIT_ARCH")]
     pub arch: String,