Remove the need to use health check token

in favor of whitelist that will be used to control the access to monitoring resources

Remove the need to use health check token
in favor of whitelist that will be used to control the access to monitoring resources
18521584 · Pawel Chojnacki · 5af1fcd6 · 18521584 · 18521584 · 18521584
Commit 18521584 authored Jul 03, 2017 by Pawel Chojnacki
9 changed files
--- a/app/controllers/concerns/requires_health_token.rb
+++ b/app/controllers/concerns/requires_health_token.rb
-module RequiresHealthToken
+module RequiresWhitelistedMonitoringClient
  extend ActiveSupport::Concern
  included do
-    before_action :validate_health_check_access!
+    before_action :validate_ip_whitelisted!
  end
  private
-  def validate_health_check_access!
+  def validate_ip_whitelisted!
-    render_404 unless token_valid?
+    render_404 unless client_ip_whitelisted?
  end
-  def token_valid?
+  def client_ip_whitelisted?
-    token = params[:token].presence || request.headers['TOKEN']
+    Settings.monitoring.ip_whitelist.any? {|e| e.include?(Gitlab::RequestContext.client_ip) }
-    token.present? &&
-      ActiveSupport::SecurityUtils.variable_size_secure_compare(
-        token,
-        current_application_settings.health_check_access_token
-      )
  end
  def render_404

--- a/app/controllers/health_check_controller.rb
+++ b/app/controllers/health_check_controller.rb
 class HealthCheckController < HealthCheck::HealthCheckController
-  include RequiresHealthToken
+  include RequiresWhitelistedMonitoringClient
 end
--- a/app/controllers/health_controller.rb
+++ b/app/controllers/health_controller.rb
 class HealthController < ActionController::Base
  protect_from_forgery with: :exception
-  include RequiresHealthToken
+  include RequiresWhitelistedMonitoringClient
  CHECKS = [
    Gitlab::HealthChecks::DbCheck,

--- a/app/controllers/metrics_controller.rb
+++ b/app/controllers/metrics_controller.rb
 class MetricsController < ActionController::Base
-  include RequiresHealthToken
+  include RequiresWhitelistedMonitoringClient
  protect_from_forgery with: :exception
  before_action :validate_prometheus_metrics
  def index
-    render text: metrics_service.metrics_text, content_type: 'text/plain; verssion=0.0.4'
+    render text: metrics_service.metrics_text, content_type: 'text/plain; version=0.0.4'
  end
  private

--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -548,6 +548,12 @@ production: &base
    # unicorn_sampler_interval: 10
+  ## Monitoring
+  # Built in monitoring settings
+  monitoring:
+    # IP whitelist to access monitoring endpoints
+    access_whitelist: 127.0.0.0/8
  #
  # 5. Extra customization
  # ==========================

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -494,6 +494,13 @@ Settings.webpack.dev_server['enabled'] ||= false
 Settings.webpack.dev_server['host']    ||= 'localhost'
 Settings.webpack.dev_server['port']    ||= 3808
+#
+# Monitoring settings
+#
+Settings['monitoring'] ||= Settingslogic.new({})
+Settings.monitoring['ip_whitelist'] ||= %w{127.0.0.1/8}
+Settings.monitoring.ip_whitelist.map!(&IPAddr.method(:new))
 #
 # Prometheus metrics settings
 #

--- a/spec/controllers/health_check_controller_spec.rb
+++ b/spec/controllers/health_check_controller_spec.rb
@@ -3,52 +3,57 @@ require 'spec_helper'
 describe HealthCheckController do
  include StubENV
-  let(:token) { current_application_settings.health_check_access_token }
  let(:json_response) { JSON.parse(response.body) }
  let(:xml_response) { Hash.from_xml(response.body)['hash'] }
+  let(:whitelisted_ip) { '127.0.0.1' }
+  let(:not_whitelisted_ip) { '127.0.0.2' }
  before do
+    allow(Settings.monitoring).to receive(:ip_whitelist).and_return([IPAddr.new(whitelisted_ip)])
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
  end
  describe 'GET #index' do
-    context 'when services are up but NO access token' do
+    context 'when services are up but accessed from outside whitelisted ips' do
+      before do
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(not_whitelisted_ip)
+      end
      it 'returns a not found page' do
        get :index
        expect(response).to be_not_found
      end
    end
-    context 'when services are up and an access token is provided' do
+    context 'when services are up and accessed from whitelisted ips' do
-      it 'supports passing the token in the header' do
+      let(:ip) { '127.0.0.1' }
-        request.headers['TOKEN'] = token
-        get :index
+      before do
-        expect(response).to be_success
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(whitelisted_ip)
-        expect(response.content_type).to eq 'text/plain'
      end
      it 'supports successful plaintest response' do
-        get :index, token: token
+        get :index
        expect(response).to be_success
        expect(response.content_type).to eq 'text/plain'
      end
      it 'supports successful json response' do
-        get :index, token: token, format: :json
+        get :index, format: :json
        expect(response).to be_success
        expect(response.content_type).to eq 'application/json'
        expect(json_response['healthy']).to be true
      end
      it 'supports successful xml response' do
-        get :index, token: token, format: :xml
+        get :index, format: :xml
        expect(response).to be_success
        expect(response.content_type).to eq 'application/xml'
        expect(xml_response['healthy']).to be true
      end
      it 'supports successful responses for specific checks' do
-        get :index, token: token, checks: 'email', format: :json
+        get :index, checks: 'email', format: :json
        expect(response).to be_success
        expect(response.content_type).to eq 'application/json'
        expect(json_response['healthy']).to be true
@@ -62,29 +67,22 @@ describe HealthCheckController do
      end
    end
-    context 'when a service is down and an access token is provided' do
+    context 'when a service is down and an endpoint is accessed from whitelisted ip' do
      before do
        allow(HealthCheck::Utils).to receive(:process_checks).with(['standard']).and_return('The server is on fire')
        allow(HealthCheck::Utils).to receive(:process_checks).with(['email']).and_return('Email is on fire')
-      end
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(whitelisted_ip)
-      it 'supports passing the token in the header' do
-        request.headers['TOKEN'] = token
-        get :index
-        expect(response).to have_http_status(500)
-        expect(response.content_type).to eq 'text/plain'
-        expect(response.body).to include('The server is on fire')
      end
      it 'supports failure plaintest response' do
-        get :index, token: token
+        get :index
        expect(response).to have_http_status(500)
        expect(response.content_type).to eq 'text/plain'
        expect(response.body).to include('The server is on fire')
      end
      it 'supports failure json response' do
-        get :index, token: token, format: :json
+        get :index, format: :json
        expect(response).to have_http_status(500)
        expect(response.content_type).to eq 'application/json'
        expect(json_response['healthy']).to be false
@@ -92,7 +90,7 @@ describe HealthCheckController do
      end
      it 'supports failure xml response' do
-        get :index, token: token, format: :xml
+        get :index, format: :xml
        expect(response).to have_http_status(500)
        expect(response.content_type).to eq 'application/xml'
        expect(xml_response['healthy']).to be false
@@ -100,7 +98,7 @@ describe HealthCheckController do
      end
      it 'supports failure responses for specific checks' do
-        get :index, token: token, checks: 'email', format: :json
+        get :index, checks: 'email', format: :json
        expect(response).to have_http_status(500)
        expect(response.content_type).to eq 'application/json'
        expect(json_response['healthy']).to be false

--- a/spec/controllers/health_controller_spec.rb
+++ b/spec/controllers/health_controller_spec.rb
@@ -3,17 +3,19 @@ require 'spec_helper'
 describe HealthController do
  include StubENV
-  let(:token) { current_application_settings.health_check_access_token }
  let(:json_response) { JSON.parse(response.body) }
+  let(:whitelisted_ip) { '127.0.0.1' }
+  let(:not_whitelisted_ip) { '127.0.0.2' }
  before do
+    allow(Settings.monitoring).to receive(:ip_whitelist).and_return([IPAddr.new(whitelisted_ip)])
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
  end
  describe '#readiness' do
-    context 'authorization token provided' do
+    context 'accessed from whitelisted ip' do
      before do
-        request.headers['TOKEN'] = token
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(whitelisted_ip)
      end
      it 'returns proper response' do
@@ -25,7 +27,11 @@ describe HealthController do
      end
    end
-    context 'without authorization token' do
+    context 'accessed from not whitelisted ip' do
+      before do
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(not_whitelisted_ip)
+      end
      it 'returns proper response' do
        get :readiness
        expect(response.status).to eq(404)
@@ -34,9 +40,9 @@ describe HealthController do
  end
  describe '#liveness' do
-    context 'authorization token provided' do
+    context 'accessed from whitelisted ip' do
      before do
-        request.headers['TOKEN'] = token
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(whitelisted_ip)
      end
      it 'returns proper response' do
@@ -47,7 +53,11 @@ describe HealthController do
      end
    end
-    context 'without authorization token' do
+    context 'accessed from not whitelisted ip' do
+      before do
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(not_whitelisted_ip)
+      end
      it 'returns proper response' do
        get :liveness
        expect(response.status).to eq(404)

--- a/spec/controllers/metrics_controller_spec.rb
+++ b/spec/controllers/metrics_controller_spec.rb
@@ -3,20 +3,22 @@ require 'spec_helper'
 describe MetricsController do
  include StubENV
-  let(:token) { current_application_settings.health_check_access_token }
  let(:json_response) { JSON.parse(response.body) }
  let(:metrics_multiproc_dir) { Dir.mktmpdir }
+  let(:whitelisted_ip) { '127.0.0.1' }
+  let(:not_whitelisted_ip) { '127.0.0.2' }
  before do
    stub_env('IN_MEMORY_APPLICATION_SETTINGS', 'false')
    stub_env('prometheus_multiproc_dir', metrics_multiproc_dir)
    allow(Gitlab::Metrics).to receive(:prometheus_metrics_enabled?).and_return(true)
+    allow(Settings.monitoring).to receive(:ip_whitelist).and_return([IPAddr.new(whitelisted_ip)])
  end
  describe '#index' do
-    context 'authorization token provided' do
+    context 'accessed from whitelisted ip' do
      before do
-        request.headers['TOKEN'] = token
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(whitelisted_ip)
      end
      it 'returns DB ping metrics' do
@@ -59,7 +61,11 @@ describe MetricsController do
      end
    end
-    context 'without authorization token' do
+    context 'accessed from not whitelisted ip' do
+      before do
+        allow(Gitlab::RequestContext).to receive(:client_ip).and_return(not_whitelisted_ip)
+      end
      it 'returns proper response' do
        get :index