[server] add interceptor to public api

Author: akosyakov

components/proxy/conf/Caddyfile

@@ -198,9 +198,10 @@ https://{$GITPOD_DOMAIN} {
 	@proxy_server_public_api path /public-api/gitpod.experimental.v1.HelloService*
 	handle @proxy_server_public_api {
 		uri strip_prefix /public-api
+		# TODO(ak) verify that it only enabled for json content-type, not grpc
 		import compression
 
-		reverse_proxy server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3000 {
+		reverse_proxy server.{$KUBE_NAMESPACE}.{$KUBE_DOMAIN}:3001 {
 			import upstream_connection
 		}
 	}

components/server/src/api/dummy.ts

@@ -4,7 +4,7 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { Code, ConnectError, HandlerContext, ServiceImpl } from "@bufbuild/connect";
+import { HandlerContext, ServiceImpl } from "@bufbuild/connect";
 import { User } from "@gitpod/gitpod-protocol";
 import { HelloService } from "@gitpod/public-api/lib/gitpod/experimental/v1/dummy_connectweb";
 import {
@@ -13,55 +13,33 @@ import {
     SayHelloRequest,
     SayHelloResponse,
 } from "@gitpod/public-api/lib/gitpod/experimental/v1/dummy_pb";
-import { inject, injectable } from "inversify";
-import { SessionHandler } from "../session-handler";
+import { injectable } from "inversify";
 
 /**
  * TODO(ak):
- * - server-side observability
- * - client-side observability
- * - rate limitting
- * - logging context
- * - feature flags for unary and stream tests
- * - SLOs
- * - alerting
+ * - client-side observability (add SLOs)
+ * - client-side feature flags for unary and stream tests
  */
 @injectable()
 export class APIHelloService implements ServiceImpl<typeof HelloService> {
-    constructor(
-        @inject(SessionHandler)
-        private readonly sessionHandler: SessionHandler,
-    ) {}
-
     async sayHello(req: SayHelloRequest, context: HandlerContext): Promise<SayHelloResponse> {
-        const user = await this.authUser(context);
         const response = new SayHelloResponse();
-        response.reply = "Hello " + this.getSubject(user);
+        response.reply = "Hello " + this.getSubject(context);
         return response;
     }
     async *lotsOfReplies(req: LotsOfRepliesRequest, context: HandlerContext): AsyncGenerator<LotsOfRepliesResponse> {
-        const user = await this.authUser(context);
         let count = req.previousCount || 0;
         while (true) {
             const response = new LotsOfRepliesResponse();
-            response.reply = `Hello ${this.getSubject(user)} ${count}`;
+            response.reply = `Hello ${this.getSubject(context)} ${count}`;
             response.count = count;
             yield response;
             count++;
             await new Promise((resolve) => setTimeout(resolve, 30000));
         }
     }
 
-    private getSubject(user: User): string {
-        return User.getName(user) || "World";
-    }
-
-    // TODO(ak) decorate
-    private async authUser(context: HandlerContext) {
-        const user = await this.sessionHandler.verify(context.requestHeader.get("cookie"));
-        if (!user) {
-            throw new ConnectError("unauthenticated", Code.Unauthenticated);
-        }
-        return user;
+    private getSubject(context: HandlerContext): string {
+        return User.getName(context.user) || "World";
     }
 }

components/server/src/api/handler-context-augmentation.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import { User } from "@gitpod/gitpod-protocol";
+
+declare module "@bufbuild/connect" {
+    interface HandlerContext {
+        user: User;
+    }
+}

components/server/src/api/server.ts

@@ -4,7 +4,7 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { ConnectRouter } from "@bufbuild/connect";
+import { Code, ConnectError, ConnectRouter, HandlerContext } from "@bufbuild/connect";
 import { expressConnectMiddleware } from "@bufbuild/connect-express";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { HelloService } from "@gitpod/public-api/lib/gitpod/experimental/v1/dummy_connectweb";
@@ -16,6 +16,7 @@ import express from "express";
 import * as http from "http";
 import { inject, injectable, interfaces } from "inversify";
 import { AddressInfo } from "net";
+import { SessionHandler } from "../session-handler";
 import { APIHelloService } from "./dummy";
 import { APIStatsService } from "./stats";
 import { APITeamsService } from "./teams";
@@ -24,24 +25,36 @@ import { APIWorkspacesService } from "./workspaces";
 
 @injectable()
 export class API {
-    @inject(APIUserService) protected readonly apiUserService: APIUserService;
-    @inject(APITeamsService) protected readonly apiTeamService: APITeamsService;
-    @inject(APIWorkspacesService) protected readonly apiWorkspacesService: APIWorkspacesService;
-    @inject(APIStatsService) protected readonly apiStatsService: APIStatsService;
+    @inject(APIUserService) private readonly apiUserService: APIUserService;
+    @inject(APITeamsService) private readonly apiTeamService: APITeamsService;
+    @inject(APIWorkspacesService) private readonly apiWorkspacesService: APIWorkspacesService;
+    @inject(APIStatsService) private readonly apiStatsService: APIStatsService;
     @inject(APIHelloService) private readonly apiHelloService: APIHelloService;
+    @inject(SessionHandler) private readonly sessionHandler: SessionHandler;
 
-    public listen(): http.Server {
+    listenPrivate(): http.Server {
         const app = express();
-        this.register(app);
+        this.registerPrivate(app);
 
         const server = app.listen(9877, () => {
-            log.info(`Connect API server listening on port: ${(server.address() as AddressInfo).port}`);
+            log.info(`Connect Private API server listening on port: ${(server.address() as AddressInfo).port}`);
         });
 
         return server;
     }
 
-    private register(app: express.Application) {
+    listen(): http.Server {
+        const app = express();
+        this.register(app);
+
+        const server = app.listen(3001, () => {
+            log.info(`Connect Public API server listening on port: ${(server.address() as AddressInfo).port}`);
+        });
+
+        return server;
+    }
+
+    private registerPrivate(app: express.Application) {
         app.use(
             expressConnectMiddleware({
                 routes: (router: ConnectRouter) => {
@@ -54,16 +67,52 @@ export class API {
         );
     }
 
-    get apiRouter(): express.Router {
-        const router = express.Router();
-        router.use(
+    private register(app: express.Application) {
+        const self = this;
+        const serviceInterceptor: ProxyHandler<any> = {
+            get(target, prop, receiver) {
+                const original = target[prop as any];
+                if (typeof original !== "function") {
+                    return Reflect.get(target, prop, receiver);
+                }
+                return async (...args: any[]) => {
+                    const context = args[1] as HandlerContext;
+                    await self.intercept(context);
+                    return original.apply(target, args);
+                };
+            },
+        };
+        app.use(
             expressConnectMiddleware({
                 routes: (router: ConnectRouter) => {
-                    router.service(HelloService, this.apiHelloService);
+                    for (const service of [this.apiHelloService]) {
+                        router.service(HelloService, new Proxy(service, serviceInterceptor));
+                    }
                 },
             }),
         );
-        return router;
+    }
+
+    /**
+     * intercept handles cross-cutting concerns for all calls:
+     * - authentication
+     * TODO(ak):
+     * - server-side observability (SLOs)
+     * - rate limitting
+     * - logging context
+     * - tracing
+     */
+    private async intercept(context: HandlerContext): Promise<void> {
+        const user = await this.verify(context);
+        context.user = user;
+    }
+
+    private async verify(context: HandlerContext) {
+        const user = await this.sessionHandler.verify(context.requestHeader.get("cookie"));
+        if (!user) {
+            throw new ConnectError("unauthenticated", Code.Unauthenticated);
+        }
+        return user;
     }
 
     static contribute(bind: interfaces.Bind): void {

components/server/src/api/teams.spec.db.ts

@@ -46,7 +46,7 @@ export class APITeamsServiceSpec {
         await this.dbConn.getRepository(DBTeam).delete({});
 
         // Start an actual server for tests
-        this.server = this.container.get<API>(API).listen();
+        this.server = this.container.get<API>(API).listenPrivate();
 
         // Construct a client to point against our server
         const address = this.server.address() as AddressInfo;

components/server/src/server.ts

@@ -56,7 +56,8 @@ export class Server {
     protected iamSessionApp?: express.Application;
     protected iamSessionAppServer?: http.Server;
 
-    protected apiServer?: http.Server;
+    protected publicApiServer?: http.Server;
+    protected privateApiServer?: http.Server;
 
     protected readonly eventEmitter = new EventEmitter();
     protected app?: express.Application;
@@ -317,9 +318,6 @@ export class Server {
 
         log.info("Registered Bitbucket Server app at " + BitbucketServerApp.path);
         app.use(BitbucketServerApp.path, this.bitbucketServerApp.router);
-
-        // TODO(ak) move to own app on port 3001
-        app.use(this.api.apiRouter);
     }
 
     public async start(port: number) {
@@ -349,7 +347,8 @@ export class Server {
             });
         }
 
-        this.apiServer = this.api.listen();
+        this.publicApiServer = this.api.listen();
+        this.privateApiServer = this.api.listenPrivate();
 
         this.debugApp.start();
     }
@@ -379,7 +378,8 @@ export class Server {
             race(this.stopServer(this.iamSessionAppServer), "stop iamsessionapp"),
             race(this.stopServer(this.monitoringHttpServer), "stop monitoringapp"),
             race(this.stopServer(this.httpServer), "stop httpserver"),
-            race(this.stopServer(this.apiServer), "stop api server"),
+            race(this.stopServer(this.privateApiServer), "stop private api server"),
+            race(this.stopServer(this.publicApiServer), "stop public api server"),
             race((async () => this.disposables.dispose())(), "dispose disposables"),
         ]);
 

install/installer/pkg/common/constants.go

@@ -41,6 +41,7 @@ const (
 	ServerIAMSessionPort        = 9876
 	ServerInstallationAdminPort = 9000
 	ServerGRPCAPIPort           = 9877
+	ServerPublicAPIPort         = 3001
 	SystemNodeCritical          = "system-node-critical"
 	PublicApiComponent          = "public-api-server"
 	UsageComponent              = "usage"

install/installer/pkg/components/server/constants.go

@@ -32,4 +32,7 @@ const (
 
 	GRPCAPIName = "grpc"
 	GRPCAPIPort = common.ServerGRPCAPIPort
+
+	PublicAPIName = "publicApi"
+	PublicAPIPort = common.ServerPublicAPIPort
 )

install/installer/pkg/components/server/deployment.go

@@ -382,6 +382,9 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 							}, {
 								Name:          GRPCAPIName,
 								ContainerPort: GRPCAPIPort,
+							}, {
+								Name:          PublicAPIName,
+								ContainerPort: PublicAPIPort,
 							},
 							},
 							// todo(sje): do we need to cater for serverContainer.env from values.yaml?

install/installer/pkg/components/server/networkpolicy.go

@@ -36,6 +36,10 @@ func Networkpolicy(ctx *common.RenderContext, component string) ([]runtime.Objec
 								Protocol: common.TCPProtocol,
 								Port:     &intstr.IntOrString{IntVal: ContainerPort},
 							},
+							{
+								Protocol: common.TCPProtocol,
+								Port:     &intstr.IntOrString{IntVal: PublicAPIPort},
+							},
 						},
 						From: []networkingv1.NetworkPolicyPeer{
 							{

install/installer/pkg/components/server/objects.go

@@ -59,6 +59,11 @@ var Objects = common.CompositeRenderFunc(
 			ContainerPort: GRPCAPIPort,
 			ServicePort:   GRPCAPIPort,
 		},
+		{
+			Name:          PublicAPIName,
+			ContainerPort: PublicAPIPort,
+			ServicePort:   PublicAPIPort,
+		},
 	}),
 	common.DefaultServiceAccount(Component),
 )