From f238405ef55064c7fb7c387ed133e101540da660 Mon Sep 17 00:00:00 2001
From: Oleksandr Garagatyi
Date: Fri, 13 Oct 2017 17:13:35 +0300
Subject: [PATCH] CHE-6648: Added authentication to installers bootstrapper.

Added authentication to installers bootstrapper.

Signed-off-by: Oleksandr Garagatyi
---
 agents/go-agents/bootstrapper/cfg/cfg.go | 18 ++++++++++++++
 agents/go-agents/bootstrapper/main.go | 24 ++++++++++++-------
 .../core/jsonrpc/jsonrpcws/jsonrpc_impl.go | 13 +++++++---
 .../docker/bootstrap/DockerBootstrapper.java | 1 +
 .../bootstrapper/OpenShiftBootstrapper.java | 7 +++---
 5 files changed, 48 insertions(+), 15 deletions(-)

diff --git a/agents/go-agents/bootstrapper/cfg/cfg.go b/agents/go-agents/bootstrapper/cfg/cfg.go
index 77148119a0..7d2cf6b55f 100644
--- a/agents/go-agents/bootstrapper/cfg/cfg.go
+++ b/agents/go-agents/bootstrapper/cfg/cfg.go
@@ -32,6 +32,12 @@ var (
 // PushLogsEndpoint where to push logs.
 PushLogsEndpoint string

+ // AuthEnabled whether authentication is needed
+ AuthEnabled bool
+
+ // Token to access wsmaster API
+ Token string
+
 // RuntimeID the id of workspace runtime this machine belongs to.
 RuntimeID booter.RuntimeID
 runtimeIDRaw string
@@ -72,6 +78,12 @@ func init() {
 "",
 "WebSocket endpoint where to push logs",
 )
+ flag.BoolVar(
+ &AuthEnabled,
+ "enable-auth",
+ false,
+ "Whether authenication on workspace master is needed",
+ )
 flag.StringVar(
 &runtimeIDRaw,
 "runtime-id",
@@ -124,6 +136,11 @@ func Parse() {
 log.Fatal("Push logs endpoint protocol must be either ws or wss")
 }

+ // auth-enabled - fetch USER_TOKEN
+ if AuthEnabled {
+ Token = os.Getenv("USER_TOKEN")
+ }
+
 // runtime-id
 if len(runtimeIDRaw) == 0 {
 log.Fatal("Runtime ID required(set it with -runtime-id argument)")
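Review bot: In the cfg.go init hunk, the help text for `enable-auth` misspells "authentication" as "authenication" and does not say where the token comes from. The flag only has an effect together with the USER_TOKEN environment variable read in Parse, so the description could be `"Whether authentication on workspace master is needed (token is read from USER_TOKEN)"`. init's body starts and ends outside the hunk.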
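Review bot: In the cfg.go Parse hunk, `-enable-auth` with USER_TOKEN unset or empty leaves Token as "", and Dial (changed in jsonrpc_impl.go in this commit) then omits the Authorization header, so the bootstrapper connects unauthenticated without any indication. Parse already stops on other invalid settings with log.Fatal, and the same would fit here: `if Token = os.Getenv("USER_TOKEN"); Token == "" { log.Fatal("-enable-auth is set but USER_TOKEN is empty") }`. If an empty token is a supported mode (both Java bootstrappers in this commit pass `-enable-auth` unconditionally), at least log that authentication was requested but no token was found. Parse's body starts and ends outside the hunk.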
@@ -152,6 +169,7 @@ func Print() {
 log.Print("Bootstrapper configuration")
 log.Printf(" Push endpoint: %s", PushStatusesEndpoint)
 log.Printf(" Push logs endpoint: %s", PushLogsEndpoint)
+ log.Printf(" Auth enabled: %t", AuthEnabled)
 log.Print(" Runtime ID:")
 log.Printf(" Workspace: %s", RuntimeID.Workspace)
 log.Printf(" Environment: %s", RuntimeID.Environment)
diff --git a/agents/go-agents/bootstrapper/main.go b/agents/go-agents/bootstrapper/main.go
index 10806f3ec1..de5c70d38e 100644
--- a/agents/go-agents/bootstrapper/main.go
+++ b/agents/go-agents/bootstrapper/main.go
@@ -37,16 +37,19 @@ func main() {
 booter.AddAll(cfg.ReadInstallersConfig())

 // push statuses
- statusTun := connectOrFail(cfg.PushStatusesEndpoint)
+ statusTun := connectOrFail(cfg.PushStatusesEndpoint, cfg.Token)
 booter.PushStatuses(statusTun)

 // push logs
 if len(cfg.PushLogsEndpoint) != 0 {
- connector := &wsDialConnector{cfg.PushLogsEndpoint}
+ connector := &wsDialConnector{
+ endpoint: cfg.PushLogsEndpoint,
+ token: cfg.Token,
+ }
 if cfg.PushLogsEndpoint == cfg.PushStatusesEndpoint {
 booter.PushLogs(statusTun, connector)
 } else {
- booter.PushLogs(connectOrFail(cfg.PushLogsEndpoint), connector)
+ booter.PushLogs(connectOrFail(cfg.PushLogsEndpoint, cfg.Token), connector)
 }
 }
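Review bot: In the main.go hunk, cfg.Token is handed to connectOrFail and wsDialConnector for whichever endpoints were configured, and the Parse context visible in cfg.go accepts `ws` as well as `wss`, so with `-enable-auth` the Authorization header can travel over an unencrypted connection. Parse could reject or at least warn about that combination, for example `if AuthEnabled && !strings.HasPrefix(PushStatusesEndpoint, "wss://") { log.Print("auth token will be sent over unencrypted ws://") }`, with the same check for PushLogsEndpoint. This assumes `strings` is already imported in cfg.go, which the hunks do not show. main's body starts and ends outside the hunk.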
@@ -55,22 +58,25 @@ func main() {
 }
 }

-func connectOrFail(endpoint string) *jsonrpc.Tunnel {
- tunnel, err := connect(endpoint)
+func connectOrFail(endpoint string, token string) *jsonrpc.Tunnel {
+ tunnel, err := connect(endpoint, token)
 if err != nil {
 log.Fatalf("Couldn't connect to endpoint '%s', due to error '%s'", endpoint, err)
 }
 return tunnel
 }

-func connect(endpoint string) (*jsonrpc.Tunnel, error) {
- conn, err := jsonrpcws.Dial(endpoint)
+func connect(endpoint string, token string) (*jsonrpc.Tunnel, error) {
+ conn, err := jsonrpcws.Dial(endpoint, token)
 if err != nil {
 return nil, err
 }
 return jsonrpc.NewManagedTunnel(conn), nil
 }

-type wsDialConnector struct{ endpoint string }
+type wsDialConnector struct {
+ endpoint string
+ token string
+}

-func (c *wsDialConnector) Connect() (*jsonrpc.Tunnel, error) { return connect(c.endpoint) }
+func (c *wsDialConnector) Connect() (*jsonrpc.Tunnel, error) { return connect(c.endpoint, c.token) }
diff --git a/agents/go-agents/core/jsonrpc/jsonrpcws/jsonrpc_impl.go b/agents/go-agents/core/jsonrpc/jsonrpcws/jsonrpc_impl.go
index d9da6e34fe..f713215b4a 100644
--- a/agents/go-agents/core/jsonrpc/jsonrpcws/jsonrpc_impl.go
+++ b/agents/go-agents/core/jsonrpc/jsonrpcws/jsonrpc_impl.go
@@ -14,7 +14,7 @@
 // The example:
 //
 // Client:
-// conn, err := jsonrpcws.Dial("ws://host:port/path")
+// conn, err := jsonrpcws.Dial("ws://host:port/path", token123456798)
 // if err != nil {
 // panic(err)
 // }
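Review bot: In the jsonrpc_impl.go package example, the new second argument `token123456798` is an unquoted identifier, so the snippet reads as a reference to an undeclared variable rather than a sample token. Writing it as a string literal, `// conn, err := jsonrpcws.Dial("ws://host:port/path", "token123456798")`, would match Dial's new signature. A short remark in the example that an empty string disables authentication would also help. The example comment continues outside the hunk.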
@@ -50,8 +50,15 @@ var (
 )

 // Dial establishes a new client WebSocket connection.
-func Dial(url string) (*NativeConnAdapter, error) {
- conn, _, err := websocket.DefaultDialer.Dial(url, nil)
+// If argument 'token' is empty authentication won't be used,
+// otherwise authorization token will be added.
+func Dial(url string, token string) (*NativeConnAdapter, error) {
+ var headers http.Header
+ if token != "" {
+ headers = make(map[string][]string)
+ headers.Add("Authorization", token)
+ }
+ conn, _, err := websocket.DefaultDialer.Dial(url, headers)
 if err != nil {
 return nil, err
 }
diff --git a/infrastructures/docker/src/main/java/org/eclipse/che/workspace/infrastructure/docker/bootstrap/DockerBootstrapper.java b/infrastructures/docker/src/main/java/org/eclipse/che/workspace/infrastructure/docker/bootstrap/DockerBootstrapper.java
index c74c842c10..bac7bb3e8f 100644
--- a/infrastructures/docker/src/main/java/org/eclipse/che/workspace/infrastructure/docker/bootstrap/DockerBootstrapper.java
+++ b/infrastructures/docker/src/main/java/org/eclipse/che/workspace/infrastructure/docker/bootstrap/DockerBootstrapper.java
@@ -100,6 +100,7 @@ public class DockerBootstrapper extends AbstractBootstrapper {
 + installerWebsocketEndpoint
 + " -push-logs-endpoint "
 + outputWebsocketEndpoint
+ + " -enable-auth"
 + " -server-check-period "
 + serverCheckPeriodSeconds
 + " -installer-timeout "
diff --git a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/bootstrapper/OpenShiftBootstrapper.java b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/bootstrapper/OpenShiftBootstrapper.java
index cdf3450161..5c8dc06ae5 100644
--- a/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/bootstrapper/OpenShiftBootstrapper.java
+++ b/infrastructures/openshift/src/main/java/org/eclipse/che/workspace/infrastructure/openshift/bootstrapper/OpenShiftBootstrapper.java
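Review bot: In Dial, the handshake response is discarded (`conn, _, err := ...`), so when the server rejects the token the caller only gets the dialer's generic error and connectOrFail's log line cannot tell a rejected credential from a network failure. Assuming this is gorilla/websocket, Dial returns the HTTP response on a failed handshake, and putting its status into the returned error would make authentication failures diagnosable without ever logging the token. The header value is the bare token with no scheme prefix, which deserves a sentence in the doc comment so client and server stay in agreement. The wrapping below needs `fmt` in scope; the import block is not visible here, and Dial's body continues past the hunk.

```go
// … unchanged: token check and header setup …
	conn, resp, err := websocket.DefaultDialer.Dial(url, headers)
	if err != nil {
		if resp != nil {
			// Handshake was answered: report the HTTP status, never the token.
			return nil, fmt.Errorf("websocket handshake rejected (%s): %v", resp.Status, err)
		}
		return nil, err
	}
```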
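Review bot: The ` -enable-auth` argument added in DockerBootstrapper (and in the first OpenShiftBootstrapper hunk) carries no comment explaining how the token reaches the bootstrapper, and neither hunk shows USER_TOKEN being placed in the machine's environment. Whether authentication is actually applied therefore depends on code outside this diff. Keeping the token out of the command line is the right choice, since arguments are visible in process listings, and a short comment would record it: `// the bootstrapper reads the token from USER_TOKEN; never pass it as an argument`. The string concatenation starts and ends outside the hunk.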
@@ -98,6 +98,7 @@ public class OpenShiftBootstrapper extends AbstractBootstrapper { + outputWebsocketEndpoint + " -server-check-period " + Integer.toString(serverCheckPeriodSeconds) + + " -enable-auth" + " -installer-timeout " + Integer.toString(installerTimeoutSeconds) + " -file " @@ -106,14 +107,14 @@ public class OpenShiftBootstrapper extends AbstractBootstrapper { } private void injectBootstrapper() throws InfrastructureException { - LOG.info("Creating folder for bootstrapper"); + LOG.debug("Creating folder for bootstrapper"); openShiftMachine.exec("mkdir", "-p", BOOTSTRAPPER_DIR); - LOG.info("Downloading bootstrapper binary"); + LOG.debug("Downloading bootstrapper binary"); openShiftMachine.exec( "curl", "-o", BOOTSTRAPPER_DIR + BOOTSTRAPPER_FILE, bootstrapperBinaryUrl); openShiftMachine.exec("chmod", "+x", BOOTSTRAPPER_DIR + BOOTSTRAPPER_FILE); - LOG.info("Creating bootstrapper config file"); + LOG.debug("Creating bootstrapper config file"); openShiftMachine.exec( "sh", "-c",
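Review bot: In injectBootstrapper, the context lines fetch the bootstrapper with `"curl", "-o", ...` and then mark it executable, with no failure flag and no integrity check visible in the hunk. This commit makes that binary the holder of the user's token, so an HTTP error page or a tampered download matters more than before. Adding `-fsSL` (`"curl", "-fsSL", "-o", BOOTSTRAPPER_DIR + BOOTSTRAPPER_FILE, bootstrapperBinaryUrl`) makes HTTP errors fail the exec instead of leaving an error body to be chmod'ed. Verifying a known checksum before `chmod +x` would cover tampering, and whether bootstrapperBinaryUrl is https cannot be told from here. The method body continues outside the hunk.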