Merge pull request #1591 from bradrydzewski/master

use new 0.5 .drone.sig signature file
2025-10-21 16:35:00 +00:00 · 2016-04-21 17:42:48 -07:00
parent 2afc96456c faf7ff675d
commit fa76617c7c
15 changed files with 301 additions and 64 deletions
--- a/router/middleware/agent.go
+++ b/router/middleware/agent.go
@@ -0,0 +1,45 @@
+package middleware
+
+import (
+	"github.com/drone/drone/shared/token"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/gin-gonic/gin"
+	"github.com/ianschenck/envflag"
+)
+
+var (
+	secret = envflag.String("AGENT_SECRET", "", "")
+	noauth = envflag.Bool("AGENT_NO_AUTH", false, "")
+)
+
+// Agent is a middleware function that initializes the authorization middleware
+// for agents to connect to the queue.
+func AgentMust() gin.HandlerFunc {
+
+	if *secret == "" {
+		logrus.Fatalf("please provide the agent secret to authenticate agent requests")
+	}
+
+	t := token.New(token.AgentToken, "")
+	s, err := t.Sign(*secret)
+	if err != nil {
+		logrus.Fatalf("invalid agent secret. %s", err)
+	}
+
+	logrus.Infof("using agent secret %s", *secret)
+	logrus.Warnf("agents can connect with token %s", s)
+
+	return func(c *gin.Context) {
+		parsed, err := token.ParseRequest(c.Request, func(t *token.Token) (string, error) {
+			return *secret, nil
+		})
+		if err != nil {
+			c.AbortWithError(403, err)
+		} else if parsed.Kind != token.AgentToken {
+			c.AbortWithStatus(403)
+		} else {
+			c.Next()
+		}
+	}
+}
--- a/router/middleware/session/user.go
+++ b/router/middleware/session/user.go
@@ -70,15 +70,14 @@ func MustAdmin() gin.HandlerFunc {
 		user := User(c)
 		switch {
 		case user == nil:
-			c.AbortWithStatus(http.StatusUnauthorized)
-			// c.HTML(http.StatusUnauthorized, "401.html", gin.H{})
+			c.String(401, "User not authorized")
+			c.Abort()
 		case user.Admin == false:
-			c.AbortWithStatus(http.StatusForbidden)
-			// c.HTML(http.StatusForbidden, "401.html", gin.H{})
+			c.String(413, "User not authorized")
+			c.Abort()
 		default:
 			c.Next()
 		}
-
 	}
 }

@@ -87,11 +86,10 @@ func MustUser() gin.HandlerFunc {
 		user := User(c)
 		switch {
 		case user == nil:
-			c.AbortWithStatus(http.StatusUnauthorized)
-			// c.HTML(http.StatusUnauthorized, "401.html", gin.H{})
+			c.String(401, "User not authorized")
+			c.Abort()
 		default:
 			c.Next()
 		}
-
 	}
 }
--- a/router/router.go
+++ b/router/router.go
@@ -8,6 +8,7 @@ import (
 	"github.com/gin-gonic/gin"

 	"github.com/drone/drone/api"
+	"github.com/drone/drone/router/middleware"
 	"github.com/drone/drone/router/middleware/header"
 	"github.com/drone/drone/router/middleware/session"
 	"github.com/drone/drone/router/middleware/token"
@@ -16,7 +17,7 @@ import (
 	"github.com/drone/drone/web"
 )

-func Load(middleware ...gin.HandlerFunc) http.Handler {
+func Load(middlewares ...gin.HandlerFunc) http.Handler {
 	e := gin.New()
 	e.Use(gin.Recovery())

@@ -26,7 +27,7 @@ func Load(middleware ...gin.HandlerFunc) http.Handler {
 	e.Use(header.NoCache)
 	e.Use(header.Options)
 	e.Use(header.Secure)
-	e.Use(middleware...)
+	e.Use(middlewares...)
 	e.Use(session.SetUser())
 	e.Use(token.Refresh)

@@ -163,7 +164,9 @@ func Load(middleware ...gin.HandlerFunc) http.Handler {

 	queue := e.Group("/api/queue")
 	{
+		queue.Use(middleware.AgentMust())
 		queue.POST("/pull", api.Pull)
+		queue.POST("/pull/:os/:arch", api.Pull)
 		queue.POST("/wait/:id", api.Wait)
 		queue.POST("/stream/:id", api.Stream)
 		queue.POST("/status/:id", api.Update)