Basic

buchgr · Aug 18, 2023 · aa6bb9d · aa6bb9d
1 parent cf04071
commit aa6bb9d
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/config/BUILD.bazel b/config/BUILD.bazel
@@ -30,6 +30,7 @@ go_library(
         "@org_golang_google_grpc//:go_default_library",
         "@org_golang_google_grpc//credentials:go_default_library",
         "@org_golang_google_grpc//credentials/insecure:go_default_library",
+        "@org_golang_google_grpc//metadata:go_default_library",
     ],
 )
 

diff --git a/config/proxy.go b/config/proxy.go
@@ -1,8 +1,10 @@
 package config
 
 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"os"
@@ -16,11 +18,18 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
 
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 	prom "github.com/prometheus/client_golang/prometheus"
 )
 
+type RoundTripperFunc func(req *http.Request) (*http.Response, error)
+
+func (rtf RoundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
+	return rtf(req)
+}
+
 func getTLSConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
 	config := &tls.Config{}
 	if certFile != "" && keyFile != "" {
@@ -70,6 +79,19 @@ func (c *Config) setProxy() error {
 		} else {
 			opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 		}
+		if password, ok := c.GRPCBackend.BaseURL.User.Password(); ok {
+			username := c.GRPCBackend.BaseURL.User.Username()
+			header := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", username, password)))
+			md := metadata.Pairs("authorization", fmt.Sprintf("Basic %s", header))
+			unaryAuth := func(ctx context.Context, method string, req, res interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
+				return invoker(metadata.NewOutgoingContext(ctx, md), method, req, res, cc, opts...)
+			}
+			streamAuth := func(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error) {
+				return streamer(metadata.NewOutgoingContext(ctx, md), desc, cc, method, opts...)
+			}
+			opts = append(opts, grpc.WithChainUnaryInterceptor(unaryAuth), grpc.WithStreamInterceptor(streamAuth))
+		}
+
 		metrics := grpc_prometheus.NewClientMetrics(func(o *prom.CounterOpts) { o.Namespace = "proxy" })
 		metrics.EnableClientHandlingTimeHistogram(func(o *prom.HistogramOpts) { o.Namespace = "proxy" })
 		err := prom.Register(metrics)

diff --git a/server/grpc_basic_auth.go b/server/grpc_basic_auth.go
@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	"encoding/base64"
 	"strings"
 
 	"google.golang.org/grpc"
@@ -123,6 +124,23 @@ func getLogin(ctx context.Context) (username, password string, err error) {
 
 			return username, password, nil
 		}
+
+		if k == "authorization" && len(v) > 0 && strings.HasPrefix(v[0], "Basic ") {
+			// When bazel-remote is run with --grpc_proxy.url=grpc://user:pass@address/"
+			// the value looks like "Basic <base64(user:pass)>".
+			auth, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(v[0], "Basic "))
+			if err != nil {
+				continue
+			}
+			parts := strings.SplitN(string(auth), ":", 2)
+			if len(parts) < 2 {
+				continue
+			}
+
+			username, password = parts[0], parts[1]
+
+			return username, password, nil
+		}
 	}
 
 	return "", "", errNoAuthMetadata