Merge pull request #38 from depot/tls-auth

Allow using TLS certificates for auth

Author: jacobwgillespie

pkg/api/api.go

@@ -45,6 +45,12 @@ type BuilderResponse struct {
 	BuilderState string `json:"builderState"`
 	PollSeconds  int    `json:"pollSeconds"`
 	Platform     string `json:"platform"`
+
+	// Version 2 uses mTLS for authentication
+	Version string `json:"version"`
+	CACert  string `json:"caCert"`
+	Cert    string `json:"cert"`
+	Key     string `json:"key"`
 }
 
 func (d *Depot) GetBuilder(buildID string, platform string) (*BuilderResponse, error) {
@@ -56,6 +62,19 @@ func (d *Depot) GetBuilder(buildID string, platform string) (*BuilderResponse, e
 	)
 }
 
+type BuilderHealthResponse struct {
+	OK bool `json:"ok"`
+}
+
+func (d *Depot) ReportBuilderHealth(buildID string, platform string, status string) (*BuilderHealthResponse, error) {
+	return apiRequest[BuilderHealthResponse](
+		"POST",
+		fmt.Sprintf("%s/api/internal/cli/builds/%s/platform/%s/health", d.BaseURL, buildID, platform),
+		d.token,
+		map[string]string{"status": status},
+	)
+}
+
 type FinishResponse struct {
 	OK bool `json:"ok"`
 }

pkg/api/context.go

@@ -2,12 +2,12 @@ package api
 
 import "context"
 
-const depotClientKey = "depot.client"
+type depotClientKey struct{}
 
 func WithClient(ctx context.Context, client *Depot) context.Context {
-	return context.WithValue(ctx, depotClientKey, client)
+	return context.WithValue(ctx, depotClientKey{}, client)
 }
 
 func GetContextClient(ctx context.Context) *Depot {
-	return ctx.Value(depotClientKey).(*Depot)
+	return ctx.Value(depotClientKey{}).(*Depot)
 }

pkg/api/request.go

@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"runtime"
 
@@ -65,7 +64,7 @@ func apiRequest[Response interface{}](method, url, token string, payload interfa
 		fmt.Println(warnStyle.Render(warnMessage))
 	}
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

pkg/builder/builder.go

@@ -1,14 +1,11 @@
 package builder
 
 import (
-	"context"
 	"fmt"
-	"net"
 	"time"
 
 	"github.com/depot/cli/pkg/api"
 	"github.com/docker/buildx/util/progress"
-	"github.com/moby/buildkit/client"
 	"github.com/pkg/errors"
 )
 
@@ -28,11 +25,19 @@ func NewBuilder(depot *api.Depot, buildID, platform string) *Builder {
 	}
 }
 
-func (b *Builder) Acquire(l progress.Logger) (string, error) {
-	var addr string
+type AcquiredBuilder struct {
+	Version     string
+	Addr        string
+	AccessToken string
+	CACert      string
+	Cert        string
+	Key         string
+}
+
+func (b *Builder) Acquire(l progress.Logger) (*AcquiredBuilder, error) {
 	var resp *api.BuilderResponse
 	var err error
-	var accessToken string
+	var builder AcquiredBuilder
 
 	acquireFn := func(sub progress.SubLogger) error {
 		resp, err = b.depot.GetBuilder(b.BuildID, b.Platform)
@@ -41,7 +46,11 @@ func (b *Builder) Acquire(l progress.Logger) (string, error) {
 		}
 
 		if resp.OK {
-			accessToken = resp.AccessToken
+			builder.Version = resp.Version
+			builder.AccessToken = resp.AccessToken
+			builder.CACert = resp.CACert
+			builder.Cert = resp.Cert
+			builder.Key = resp.Key
 		}
 
 		// Loop if the builder is not ready
@@ -79,64 +88,31 @@ func (b *Builder) Acquire(l progress.Logger) (string, error) {
 	if err != nil {
 		err = progress.Wrap("[depot] launching "+b.Platform+" builder", l, acquireFn)
 		if err != nil {
-			return "", err
+			return nil, err
 		}
 	}
 
-	err = progress.Wrap("[depot] connecting to "+b.Platform+" builder", l, func(sub progress.SubLogger) error {
-		proxy, err := newProxyServer(resp.Endpoint, accessToken)
-		if err != nil {
-			return errors.Wrap(err, "failed to construct proxy server")
-		}
-
-		b.proxy = proxy
-		proxy.Start()
-		addr = proxy.Addr().String()
-
-		sub.Log(2, []byte("Waiting for builder to report ready...\n"))
-
-		count := 0
-
-		for {
-			if count > 30 {
-				return fmt.Errorf("timed out waiting for builder to be ready")
-			}
-
-			if count > 0 && count%10 == 0 {
-				sub.Log(2, []byte("Still waiting for builder to report ready...\n"))
-			}
-
-			if count > 0 {
-				time.Sleep(time.Second)
-			}
-
-			count++
+	if builder.Version == "2" {
+		builder.Addr = resp.Endpoint
+		return &builder, nil
+	}
 
-			conn, err := net.Dial("tcp", proxy.Addr().String())
-			if err != nil {
-				continue
-			}
+	proxy, err := newProxyServer(resp.Endpoint, builder.AccessToken)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to construct proxy server")
+	}
 
-			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-			defer cancel()
-			testClient, err := client.New(ctx, "", client.WithContextDialer(func(context.Context, string) (net.Conn, error) {
-				return conn, nil
-			}))
-			if err != nil {
-				continue
-			}
+	b.proxy = proxy
+	proxy.Start()
+	builder.Addr = fmt.Sprintf("tcp://%s", proxy.Addr().String())
 
-			ctx2, cancel2 := context.WithTimeout(context.Background(), 5*time.Second)
-			defer cancel2()
-			workers, err := testClient.ListWorkers(ctx2)
-			if err != nil {
-				continue
-			}
+	return &builder, err
+}
 
-			if len(workers) > 0 {
-				return nil
-			}
-		}
-	})
-	return addr, err
+func (b *Builder) ReportHealth(status string) error {
+	_, err := b.depot.ReportBuilderHealth(b.BuildID, b.Platform, status)
+	if err != nil {
+		return err
+	}
+	return nil
 }