feat: add option to not inject Gitlab tokens

ciyer · ciyer · commit 20d347156f31 · 2025-07-15T11:10:37.000+02:00
diff --git a/internal/config/config.yaml b/internal/config/config.yaml
@@ -25,6 +25,7 @@ sessions:
 revproxy:
   renkuBaseUrl: "https://renkulab.io"
   externalGitlabUrl:
+  enableV1Services: true
   k8sNamespace:
   renkuServices:
     noteboooks:
diff --git a/internal/config/revproxy.go b/internal/config/revproxy.go
@@ -18,6 +18,7 @@ type RenkuServicesConfig struct {
 type RevproxyConfig struct {
 	RenkuBaseURL      *url.URL
 	ExternalGitlabURL *url.URL
+	EnableV1Services  bool
 	K8sNamespace      string
 	RenkuServices     RenkuServicesConfig
 }
diff --git a/internal/config/revproxy_test.go b/internal/config/revproxy_test.go
@@ -14,10 +14,12 @@ func getValidRevproxyConfig(t *testing.T) RevproxyConfig {
 	externalGitlabURL, err := url.Parse("https://gitlab.example.org")
 	require.NoError(t, err)
 	renkuServicesConfig := getValidRenkuServicesConfig(t)
+	enableV1Services := false
 	return RevproxyConfig{
 		RenkuBaseURL:      renkuBaseURL,
 		ExternalGitlabURL: externalGitlabURL,
 		RenkuServices:     renkuServicesConfig,
+		EnableV1Services:  enableV1Services,
 	}
 }
 
diff --git a/internal/revproxy/auth.go b/internal/revproxy/auth.go
@@ -18,6 +18,25 @@ import (
 
 type AuthOption func(*Auth)
 
+type AuthMiddlewareProvider interface {
+	Middleware() echo.MiddlewareFunc
+}
+
+func NewAuthMiddlewareProvider(forceNoOp bool, options ...AuthOption) (AuthMiddlewareProvider, error) {
+	if forceNoOp {
+		auth, err := NewNoOpAuth()
+		if err != nil {
+			return nil, err
+		}
+		return &auth, nil
+	}
+	auth, err := NewAuth(options...)
+	if err != nil {
+		return nil, err
+	}
+	return &auth, nil
+}
+
 type TokenInjector func(c echo.Context, token models.AuthToken) error
 
 func InjectInHeader(headerKey string) AuthOption {
@@ -410,3 +429,31 @@ var dataServiceGitlabAccessTokenInjector TokenInjector = func(c echo.Context, ac
 	)
 	return nil
 }
+
+type NoOpAuth struct {
+	tokenInjector TokenInjector
+}
+
+func NewNoOpAuth() (NoOpAuth, error) {
+	auth := NoOpAuth{tokenInjector: noOpTokenInjector}
+	return auth, nil
+}
+
+func (a *NoOpAuth) Middleware() echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			return next(c)
+		}
+	}
+}
+
+// A token injector that does nothing, it is used when no token injection is needed.
+var noOpTokenInjector TokenInjector = func(_ echo.Context, _ models.AuthToken) error {
+
+	slog.Debug(
+		"PROXY AUTH MIDDLEWARE",
+		"message",
+		"no-op token injector, skipping",
+	)
+	return nil
+}
diff --git a/internal/revproxy/main.go b/internal/revproxy/main.go
@@ -21,9 +21,9 @@ type Revproxy struct {
 	// Auth instances
 
 	coreSvcIdTokenAuth             Auth
-	dataGitlabAccessTokenAuth      Auth
-	gitlabTokenAuth                Auth
-	gitlabCliTokenAuth             Auth
+	dataGitlabAccessTokenAuth      AuthMiddlewareProvider
+	gitlabTokenAuth                AuthMiddlewareProvider
+	gitlabCliTokenAuth             AuthMiddlewareProvider
 	notebooksRenkuAccessTokenAuth  Auth
 	notebooksRenkuRefreshTokenAuth Auth
 	notebooksRenkuIDTokenAuth      Auth
@@ -120,15 +120,16 @@ func (r *Revproxy) initializeAuth() error {
 	if err != nil {
 		return err
 	}
-	r.dataGitlabAccessTokenAuth, err = NewAuth(AuthWithSessionStore(r.sessions), WithTokenType(models.AccessTokenType), WithProviderID("gitlab"), WithTokenInjector(dataServiceGitlabAccessTokenInjector))
+
+	r.dataGitlabAccessTokenAuth, err = NewAuthMiddlewareProvider(!r.config.EnableV1Services, AuthWithSessionStore(r.sessions), WithTokenType(models.AccessTokenType), WithProviderID("gitlab"), WithTokenInjector(dataServiceGitlabAccessTokenInjector))
 	if err != nil {
 		return err
 	}
-	r.gitlabTokenAuth, err = NewAuth(AuthWithSessionStore(r.sessions), WithTokenType(models.AccessTokenType), WithProviderID("gitlab"), InjectBearerToken())
+	r.gitlabTokenAuth, err = NewAuthMiddlewareProvider(!r.config.EnableV1Services, AuthWithSessionStore(r.sessions), WithTokenType(models.AccessTokenType), WithProviderID("gitlab"), InjectBearerToken())
 	if err != nil {
 		return err
 	}
-	r.gitlabCliTokenAuth, err = NewAuth(AuthWithSessionStore(r.sessions), WithTokenType(models.AccessTokenType), WithProviderID("gitlab"), WithTokenInjector(gitlabCliTokenInjector))
+	r.gitlabCliTokenAuth, err = NewAuthMiddlewareProvider(!r.config.EnableV1Services, AuthWithSessionStore(r.sessions), WithTokenType(models.AccessTokenType), WithProviderID("gitlab"), WithTokenInjector(gitlabCliTokenInjector))
 	if err != nil {
 		return err
 	}
diff --git a/internal/revproxy/main_test.go b/internal/revproxy/main_test.go
@@ -218,6 +218,8 @@ type TestCase struct {
 	Expected       TestResults
 	RequestHeader  map[string]string
 	RequestCookie  *http.Cookie
+
+	DisableV1Services bool
 }
 
 func ParametrizedRouteTest(scenario TestCase) func(*testing.T) {
@@ -298,6 +300,7 @@ func ParametrizedRouteTest(scenario TestCase) func(*testing.T) {
 			defer gitlab.Close()
 			rpConfig.ExternalGitlabURL = gitlabURL
 		}
+		rpConfig.EnableV1Services = !scenario.DisableV1Services
 		proxy, proxyURL := setupTestRevproxy(&rpConfig, sessionStore)
 		defer upstream.Close()
 		defer upstream2.Close()
@@ -440,6 +443,46 @@ func TestInternalSvcRoutes(t *testing.T) {
 			},
 			RequestCookie: &http.Cookie{Name: sessions.SessionCookieName, Value: "sessionID"},
 		},
+		{
+			Path: "/api/notebooks/test/acceptedAuth",
+			Expected: TestResults{
+				Path:             "/api/data/notebooks/test/acceptedAuth",
+				VisitedServerIDs: []string{"upstream"},
+				UpstreamRequestHeaders: []map[string]string{{
+					echo.HeaderAuthorization:         "Bearer accessTokenValue",
+					"Gitlab-Access-Token":            "",
+					"Gitlab-Access-Token-Expires-At": "",
+					"Renku-Auth-Refresh-Token":       "refreshTokenValue",
+					"Renku-Auth-Anon-Id":             "",
+				}},
+			},
+			Tokens: []models.AuthToken{
+				newTestToken(
+					models.AccessTokenType,
+					tokenID("renku:myToken"),
+					tokenPlainValue("accessTokenValue"),
+					tokenProviderID("renku"),
+				),
+				newTestToken(
+					models.RefreshTokenType,
+					tokenID("renku:myToken"),
+					tokenPlainValue("refreshTokenValue"),
+					tokenProviderID("renku"),
+				),
+				newTestToken(
+					models.AccessTokenType,
+					tokenID("gitlab:otherToken"),
+					tokenPlainValue("gitlabAccessTokenValue"),
+					tokenProviderID("gitlab"),
+					tokenExpiresAt(time.Unix(16746525971, 0)),
+				),
+			},
+			Sessions: []models.Session{
+				newTestSesssion(sessionID("sessionID"), withTokenIDs(map[string]string{"renku": "renku:myToken", "gitlab": "gitlab:otherToken"})),
+			},
+			RequestCookie:     &http.Cookie{Name: sessions.SessionCookieName, Value: "sessionID"},
+			DisableV1Services: true,
+		},
 		{
 			Path:     "/api/notebooks",
 			Expected: TestResults{Path: "/api/data/notebooks", VisitedServerIDs: []string{"upstream"}},

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ type RenkuServicesConfig struct {`
`18`	`18`	`type RevproxyConfig struct {`
`19`	`19`	`RenkuBaseURL *url.URL`
`20`	`20`	`ExternalGitlabURL *url.URL`
	`21`	`+ EnableV1Services bool`
`21`	`22`	`K8sNamespace string`
`22`	`23`	`RenkuServices RenkuServicesConfig`
`23`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,10 +14,12 @@ func getValidRevproxyConfig(t *testing.T) RevproxyConfig {`
`14`	`14`	`externalGitlabURL, err := url.Parse("https://gitlab.example.org")`
`15`	`15`	`require.NoError(t, err)`
`16`	`16`	`renkuServicesConfig := getValidRenkuServicesConfig(t)`
	`17`	`+ enableV1Services := false`
`17`	`18`	`return RevproxyConfig{`
`18`	`19`	`RenkuBaseURL: renkuBaseURL,`
`19`	`20`	`ExternalGitlabURL: externalGitlabURL,`
`20`	`21`	`RenkuServices: renkuServicesConfig,`
	`22`	`+ EnableV1Services: enableV1Services,`
`21`	`23`	`}`
`22`	`24`	`}`
`23`	`25`