Merge pull request #110 from timothy-spencer/gcphealthcheck

added an option to enable GCP healthcheck endpoints
2019-03-27 11:58:14 +00:00 · 2019-03-27 11:58:14 +00:00 · e9d4f6e0a1
commit e9d4f6e0a1
parent da0d4ac50d 6bb32c8059
7 changed files with 167 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,7 @@

 ## Changes since v3.1.0

+- [#110](https://github.com/pusher/oauth2_proxy/pull/110) Added GCP healthcheck option (@timothy-spencer)
 - [#112](https://github.com/pusher/oauth2_proxy/pull/112) Improve websocket support (@gyson)
 - [#63](https://github.com/pusher/oauth2_proxy/pull/63) Use encoding/json for SessionState serialization (@yaegashi)
  - Use JSON to encode session state to be stored in browser cookies
--- a/README.md
+++ b/README.md
@ -48,7 +48,7 @@ Valid providers are :
 - [GitHub](#github-auth-provider)
 - [GitLab](#gitlab-auth-provider)
 - [LinkedIn](#linkedin-auth-provider)
- [login.gov](#login.gov-provider)
+- [login.gov](#logingov-provider)

 The provider can be selected using the `provider` configuration value.

@ -272,6 +272,7 @@ Usage of oauth2_proxy:
  -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
  -flush-interval: period between flushing response buffers when streaming responses (default "1s")
  -footer string: custom footer string. Use "-" to disable default footer.
+  -gcp-healthchecks: will enable /liveness_check, /readiness_check, and / (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses (default false)
  -github-org string: restrict logins to members of this organisation
  -github-team string: restrict logins to members of any of these teams (slug), separated by a comma
  -google-admin-email string: the google admin to impersonate for api calls
--- a/http.go
+++ b/http.go
@ -24,6 +24,45 @@ func (s *Server) ListenAndServe() {
 	}
 }

+// Used with gcpHealthcheck()
+const userAgentHeader = "User-Agent"
+const googleHealthCheckUserAgent = "GoogleHC/1.0"
+const rootPath = "/"
+
+// gcpHealthcheck handles healthcheck queries from GCP.
+func gcpHealthcheck(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check for liveness and readiness:  used for Google App Engine
+		if r.URL.EscapedPath() == "/liveness_check" {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte("OK"))
+			return
+		}
+		if r.URL.EscapedPath() == "/readiness_check" {
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte("OK"))
+			return
+		}
+
+		// Check for GKE ingress healthcheck:  The ingress requires the root
+		// path of the target to return a 200 (OK) to indicate the service's good health. This can be quite a challenging demand
+		// depending on the application's path structure. This middleware filters out the requests from the health check by
+		//
+		// 1. checking that the request path is indeed the root path
+		// 2. ensuring that the User-Agent is "GoogleHC/1.0", the health checker
+		// 3. ensuring the request method is "GET"
+		if r.URL.Path == rootPath &&
+			r.Header.Get(userAgentHeader) == googleHealthCheckUserAgent &&
+			r.Method == http.MethodGet {
+
+			w.WriteHeader(http.StatusOK)
+			return
+		}
+
+		h.ServeHTTP(w, r)
+	})
+}
+
 // ServeHTTP constructs a net.Listener and starts handling HTTP requests
 func (s *Server) ServeHTTP() {
 	HTTPAddress := s.Opts.HTTPAddress
--- a/http_test.go
+++ b/http_test.go
@ -0,0 +1,105 @@
+package main
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGCPHealthcheckLiveness(t *testing.T) {
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := gcpHealthcheck(http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/liveness_check", nil)
+	r.RemoteAddr = "127.0.0.1"
+	r.Host = "test-server"
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, 200, rw.Code)
+	assert.Equal(t, "OK", rw.Body.String())
+}
+
+func TestGCPHealthcheckReadiness(t *testing.T) {
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := gcpHealthcheck(http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/readiness_check", nil)
+	r.RemoteAddr = "127.0.0.1"
+	r.Host = "test-server"
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, 200, rw.Code)
+	assert.Equal(t, "OK", rw.Body.String())
+}
+
+func TestGCPHealthcheckNotHealthcheck(t *testing.T) {
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := gcpHealthcheck(http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/not_any_check", nil)
+	r.RemoteAddr = "127.0.0.1"
+	r.Host = "test-server"
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, "test", rw.Body.String())
+}
+
+func TestGCPHealthcheckIngress(t *testing.T) {
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := gcpHealthcheck(http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/", nil)
+	r.RemoteAddr = "127.0.0.1"
+	r.Host = "test-server"
+	r.Header.Set(userAgentHeader, googleHealthCheckUserAgent)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, 200, rw.Code)
+	assert.Equal(t, "", rw.Body.String())
+}
+
+func TestGCPHealthcheckNotIngress(t *testing.T) {
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := gcpHealthcheck(http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/foo", nil)
+	r.RemoteAddr = "127.0.0.1"
+	r.Host = "test-server"
+	r.Header.Set(userAgentHeader, googleHealthCheckUserAgent)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, "test", rw.Body.String())
+}
+
+func TestGCPHealthcheckNotIngressPut(t *testing.T) {
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := gcpHealthcheck(http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("PUT", "/", nil)
+	r.RemoteAddr = "127.0.0.1"
+	r.Host = "test-server"
+	r.Header.Set(userAgentHeader, googleHealthCheckUserAgent)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, "test", rw.Body.String())
+}
--- a/main.go
+++ b/main.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log"
 	"math/rand"
+	"net/http"
 	"os"
 	"runtime"
 	"strings"
@ -92,6 +93,7 @@ func main() {
 	flagSet.String("acr-values", "http://idmanagement.gov/ns/assurance/loa/1", "acr values string:  optional, used by login.gov")
 	flagSet.String("jwt-key", "", "private key used to sign JWT: required by login.gov")
 	flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
+	flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")

 	flagSet.Parse(os.Args[1:])

@ -139,8 +141,14 @@ func main() {

 	rand.Seed(time.Now().UnixNano())

+	var handler http.Handler
+	if opts.GCPHealthChecks {
+		handler = gcpHealthcheck(LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat))
+	} else {
+		handler = LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat)
+	}
 	s := &Server{
-		Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat),
+		Handler: handler,
 		Opts:    opts,
 	}
 	s.ListenAndServe()
--- a/options.go
+++ b/options.go
@ -86,10 +86,11 @@ type Options struct {
 	RequestLogging       bool   `flag:"request-logging" cfg:"request_logging" env:"OAUTH2_PROXY_REQUEST_LOGGING"`
 	RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`

-	SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
-	AcrValues    string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
-	JWTKey       string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
-	PubJWKURL    string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
+	SignatureKey    string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
+	AcrValues       string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
+	JWTKey          string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
+	PubJWKURL       string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
+	GCPHealthChecks bool   `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`

 	// internal values that are set after config validation
 	redirectURL   *url.URL
--- a/options_test.go
+++ b/options_test.go
@ -268,3 +268,9 @@ func TestSkipOIDCDiscovery(t *testing.T) {

 	assert.Equal(t, nil, o.Validate())
 }
+
+func TestGCPHealthcheck(t *testing.T) {
+	o := testOptions()
+	o.GCPHealthChecks = true
+	assert.Equal(t, nil, o.Validate())
+}