Use tokens for per request gitaly authentication

internal/gitaly/gitaly.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	pb "gitlab.com/gitlab-org/gitaly-proto/go"
+	"gitlab.com/gitlab-org/gitaly/auth"
 	"google.golang.org/grpc"
 )
 
@@ -19,15 +20,15 @@ type Server struct {
 
 type connectionsCache struct {
 	sync.RWMutex
-	connections map[string]*grpc.ClientConn
+	connections map[Server]*grpc.ClientConn
 }
 
 var cache = connectionsCache{
-	connections: make(map[string]*grpc.ClientConn),
+	connections: make(map[Server]*grpc.ClientConn),
 }
 
 func NewSmartHTTPClient(server Server) (*SmartHTTPClient, error) {
-	conn, err := getOrCreateConnection(server.Address)
+	conn, err := getOrCreateConnection(server)
 	if err != nil {
 		return nil, err
 	}
@@ -35,20 +36,20 @@ func NewSmartHTTPClient(server Server) (*SmartHTTPClient, error) {
 	return &SmartHTTPClient{grpcClient}, nil
 }
 
-func getOrCreateConnection(address string) (*grpc.ClientConn, error) {
+func getOrCreateConnection(server Server) (*grpc.ClientConn, error) {
 	cache.Lock()
 	defer cache.Unlock()
 
-	if conn := cache.connections[address]; conn != nil {
+	if conn := cache.connections[server]; conn != nil {
 		return conn, nil
 	}
 
-	conn, err := newConnection(address)
+	conn, err := newConnection(server)
 	if err != nil {
 		return nil, err
 	}
 
-	cache.connections[address] = conn
+	cache.connections[server] = conn
 
 	return conn, nil
 }
@@ -62,8 +63,8 @@ func CloseConnections() {
 	}
 }
 
-func newConnection(rawAddress string) (*grpc.ClientConn, error) {
-	network, addr, err := parseAddress(rawAddress)
+func newConnection(server Server) (*grpc.ClientConn, error) {
+	network, addr, err := parseAddress(server.Address)
 	if err != nil {
 		return nil, err
 	}
@@ -73,6 +74,7 @@ func newConnection(rawAddress string) (*grpc.ClientConn, error) {
 		grpc.WithDialer(func(a string, _ time.Duration) (net.Conn, error) {
 			return net.Dial(network, a)
 		}),
+		grpc.WithPerRPCCredentials(gitalyauth.RPCCredentials(server.Token)),
 	}
 	conn, err := grpc.Dial(addr, connOpts...)
 	if err != nil {

vendor/gitlab.com/gitlab-org/gitaly/LICENSE

+The MIT License (MIT)
+
+Copyright (c) 2016-2017 GitLab B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/gitlab.com/gitlab-org/gitaly/auth/rpccredentials.go

+package gitalyauth
+
+import (
+	"encoding/base64"
+
+	"golang.org/x/net/context"
+	"google.golang.org/grpc/credentials"
+)
+
+// RPCCredentials can be used with grpc.WithPerRPCCredentials to create a
+// grpc.DialOption that inserts the supplied token for authentication
+// with a Gitaly server.
+func RPCCredentials(token string) credentials.PerRPCCredentials {
+	return &rpcCredentials{token: base64.StdEncoding.EncodeToString([]byte(token))}
+}
+
+type rpcCredentials struct {
+	token string
+}
+
+func (*rpcCredentials) RequireTransportSecurity() bool { return false }
+
+func (rc *rpcCredentials) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
+	return map[string]string{"authorization": "Bearer " + rc.token}, nil
+}

vendor/vendor.json

@@ -143,6 +143,14 @@
 			"version": "v0.9.0",
 			"versionExact": "v0.9.0"
 		},
+		{
+			"checksumSHA1": "dUHJbKas746n5fLzlwxHb6FOCxs=",
+			"path": "gitlab.com/gitlab-org/gitaly/auth",
+			"revision": "b933e5ce4843ec6c332a0184afb8e69820cc9050",
+			"revisionTime": "2017-06-22T09:36:09Z",
+			"version": "v0.13.0",
+			"versionExact": "v0.13.0"
+		},
 		{
 			"checksumSHA1": "9jjO5GjLa0XF/nfWihF02RoH4qc=",
 			"path": "golang.org/x/net/context",