diff --git a/auth/context.go b/auth/context.go index af4cd919..993aea73 100644 --- a/auth/context.go +++ b/auth/context.go @@ -23,21 +23,6 @@ import ( type contextFlags string -/* -// InstanceJWTClaims holds JWT claims -type InstanceJWTClaims struct { - ID string `json:"id"` - Name string `json:"name"` - PoolID string `json:"provider_id"` - // Scope is either repository or organization - Scope common.PoolType `json:"scope"` - // Entity is the repo or org name - Entity string `json:"entity"` - jwt.StandardClaims -} - -*/ - const ( isAdminKey contextFlags = "is_admin" fullNameKey contextFlags = "full_name" @@ -52,7 +37,6 @@ const ( instancePoolTypeKey contextFlags = "scope" instanceEntityKey contextFlags = "entity" instanceRunnerStatus contextFlags = "status" - instanceGithubToken contextFlags = "github_token" ) func SetInstanceID(ctx context.Context, id string) context.Context { @@ -79,18 +63,6 @@ func InstanceRunnerStatus(ctx context.Context) common.RunnerStatus { return elem.(common.RunnerStatus) } -func SetInstanceGithubToken(ctx context.Context, val string) context.Context { - return context.WithValue(ctx, instanceGithubToken, val) -} - -func InstanceGithubToken(ctx context.Context) string { - elem := ctx.Value(instanceGithubToken) - if elem == nil { - return "" - } - return elem.(string) -} - func SetInstanceName(ctx context.Context, val string) context.Context { return context.WithValue(ctx, instanceNameKey, val) } @@ -144,7 +116,6 @@ func PopulateInstanceContext(ctx context.Context, instance params.Instance) cont ctx = SetInstanceName(ctx, instance.Name) ctx = SetInstancePoolID(ctx, instance.PoolID) ctx = SetInstanceRunnerStatus(ctx, instance.RunnerStatus) - ctx = SetInstanceGithubToken(ctx, string(instance.GithubRegistrationToken)) return ctx } diff --git a/cloudconfig/templates.go b/cloudconfig/templates.go index 5ddef837..475081d9 100644 --- a/cloudconfig/templates.go +++ b/cloudconfig/templates.go 
@@ -29,15 +29,12 @@ set -o pipefail CALLBACK_URL="{{ .CallbackURL }}" METADATA_URL="{{ .MetadataURL }}" BEARER_TOKEN="{{ .CallbackToken }}" -GITHUB_TOKEN="{{ .GithubToken }}" -if [ -z "$GITHUB_TOKEN" ];then - if [ -z "$METADATA_URL" ];then - echo "no token is available and METADATA_URL is not set" - exit 1 - fi - GITHUB_TOKEN=$(curl --fail -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${METADATA_URL}/runner-registration-token/") +if [ -z "$METADATA_URL" ];then + echo "no token is available and METADATA_URL is not set" + exit 1 fi +GITHUB_TOKEN=$(curl --fail -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${METADATA_URL}/runner-registration-token/") function call() { PAYLOAD="$1" @@ -106,7 +103,6 @@ type InstallRunnerParams struct { RunnerUsername string RunnerGroup string RepoURL string - GithubToken string MetadataURL string RunnerName string RunnerLabels string diff --git a/config/config.go b/config/config.go index edec3436..f6b8329d 100644 --- a/config/config.go +++ b/config/config.go @@ -185,16 +185,16 @@ func (d *Default) Validate() error { if d.CallbackURL == "" { return fmt.Errorf("missing callback_url") } - _, err := url.Parse(d.CallbackURL) if err != nil { return errors.Wrap(err, "validating callback_url") } - if d.MetadataURL != "" { - if _, err := url.Parse(d.MetadataURL); err != nil { - return errors.Wrap(err, "validating metadata_url") - } + if d.MetadataURL == "" { + return fmt.Errorf("missing metadata-url") + } + if _, err := url.Parse(d.MetadataURL); err != nil { + return errors.Wrap(err, "validating metadata_url") } if d.ConfigDir == "" { diff --git a/config/config_test.go b/config/config_test.go index d8a473a6..d8910fc9 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -15,7 +15,6 @@ package config import ( - "io/ioutil" "os" "path/filepath" "testing" 
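Review bot: The result of the metadata fetch is never checked in this hunk, so a failed or empty response leaves `GITHUB_TOKEN` blank now that the inline token fallback is gone. Only `set -o pipefail` is visible in the hunk header, so unless `set -e` is active elsewhere in the template, the script would carry on to runner registration with an empty token. A guard right after the `curl` line, such as `[ -n "$GITHUB_TOKEN" ] || { echo "failed to fetch runner registration token"; exit 1; }`, makes the failure explicit. The message `no token is available and METADATA_URL is not set` is also stale, since there is no longer a token alternative; `METADATA_URL is not set` would be accurate.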
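Review bot: `url.Parse` accepts relative references and scheme-less strings, so the new mandatory `metadata_url` check still passes a value such as `garm.example.com/api` that an instance cannot use. Instances send their bearer token to this URL and receive the runner registration token from it, so the check should keep the parsed value (`u, err := url.Parse(d.MetadataURL)`) and at least require an absolute URL: `if u.Scheme == "" || u.Host == "" { return fmt.Errorf("metadata_url must be an absolute URL") }`. The project may also want to insist on `https` here. The new message `missing metadata-url` spells the key with a hyphen, while the setting and the neighbouring message use `metadata_url`; the test case added in config_test.go pins the hyphenated form, so both would change together. Validate continues outside the hunk.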
@@ -33,6 +32,7 @@ func getDefaultSectionConfig(configDir string) Default { return Default{ ConfigDir: configDir, CallbackURL: "https://garm.example.com/", + MetadataURL: "https://garm.example.com/api/v1/metadata", LogFile: filepath.Join(configDir, "garm.log"), } } @@ -105,7 +105,7 @@ func getDefaultJWTCofig() JWTAuth { } func getDefaultConfig(t *testing.T) Config { - dir, err := ioutil.TempDir("", "garm-config-test") + dir, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } @@ -129,7 +129,7 @@ func TestConfig(t *testing.T) { } func TestDefaultSectionConfig(t *testing.T) { - dir, err := ioutil.TempDir("", "garm-config-test") + dir, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } @@ -150,14 +150,25 @@ func TestDefaultSectionConfig(t *testing.T) { name: "CallbackURL cannot be empty", cfg: Default{ CallbackURL: "", + MetadataURL: cfg.MetadataURL, ConfigDir: cfg.ConfigDir, }, errString: "missing callback_url", }, + { + name: "MetadataURL cannot be empty", + cfg: Default{ + CallbackURL: cfg.CallbackURL, + MetadataURL: "", + ConfigDir: cfg.ConfigDir, + }, + errString: "missing metadata-url", + }, { name: "ConfigDir cannot be empty", cfg: Default{ CallbackURL: cfg.CallbackURL, + MetadataURL: cfg.MetadataURL, ConfigDir: "", }, errString: "config_dir cannot be empty", @@ -166,6 +177,7 @@ func TestDefaultSectionConfig(t *testing.T) { name: "config_dir must exist and be accessible", cfg: Default{ CallbackURL: cfg.CallbackURL, + MetadataURL: cfg.MetadataURL, ConfigDir: "/i/do/not/exist", }, errString: "accessing config dir: stat /i/do/not/exist:.*", 
@@ -306,14 +318,14 @@ func TestAPITLSconfig(t *testing.T) { } func TestTLSConfig(t *testing.T) { - dir, err := ioutil.TempDir("", "garm-config-test") + dir, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } t.Cleanup(func() { os.RemoveAll(dir) }) invalidCert := filepath.Join(dir, "invalid_cert.pem") - err = ioutil.WriteFile(invalidCert, []byte("bogus content"), 0755) + err = os.WriteFile(invalidCert, []byte("bogus content"), 0755) if err != nil { t.Fatalf("failed to write file: %s", err) } @@ -396,7 +408,7 @@ func TestTLSConfig(t *testing.T) { } func TestDatabaseConfig(t *testing.T) { - dir, err := ioutil.TempDir("", "garm-config-test") + dir, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } @@ -503,7 +515,7 @@ func TestDatabaseConfig(t *testing.T) { } func TestGormParams(t *testing.T) { - dir, err := ioutil.TempDir("", "garm-config-test") + dir, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } @@ -527,7 +539,7 @@ func TestGormParams(t *testing.T) { } func TestSQLiteConfig(t *testing.T) { - dir, err := ioutil.TempDir("", "garm-config-test") + dir, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } @@ -676,7 +688,7 @@ func TestNewConfig(t *testing.T) { } func TestNewConfigEmptyConfigDir(t *testing.T) { - dirPath, err := ioutil.TempDir("", "garm-config-test") + dirPath, err := os.MkdirTemp("", "garm-config-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } diff --git a/config/external_test.go b/config/external_test.go index a537b570..1da36d33 100644 --- a/config/external_test.go +++ b/config/external_test.go @@ -16,7 +16,6 @@ package config import ( "fmt" - "io/ioutil" "os" "path/filepath" "testing" 
@@ -25,13 +24,13 @@ import ( ) func getDefaultExternalConfig(t *testing.T) External { - dir, err := ioutil.TempDir("", "garm-test") + dir, err := os.MkdirTemp("", "garm-test") if err != nil { t.Fatalf("failed to create temporary directory: %s", err) } t.Cleanup(func() { os.RemoveAll(dir) }) - err = ioutil.WriteFile(filepath.Join(dir, "garm-external-provider"), []byte{}, 0755) + err = os.WriteFile(filepath.Join(dir, "garm-external-provider"), []byte{}, 0755) if err != nil { t.Fatalf("failed to write file: %s", err) } diff --git a/config/testdata/test-empty-config-dir.toml b/config/testdata/test-empty-config-dir.toml index 30f36e7a..f86750a6 100644 --- a/config/testdata/test-empty-config-dir.toml +++ b/config/testdata/test-empty-config-dir.toml @@ -1,5 +1,6 @@ [default] callback_url = "https://garm.example.com/" + metadata_url = "https://garm.example.com/" config_dir = "" [apiserver] diff --git a/config/testdata/test-valid-config.toml b/config/testdata/test-valid-config.toml index 681ce22b..4fee2597 100644 --- a/config/testdata/test-valid-config.toml +++ b/config/testdata/test-valid-config.toml @@ -1,5 +1,6 @@ [default] callback_url = "https://garm.example.com/" + metadata_url = "https://garm.example.com/" config_dir = "./testdata" [apiserver] diff --git a/contrib/providers.d/openstack/garm-external-provider b/contrib/providers.d/openstack/garm-external-provider index 8a955871..fb001e9a 100755 --- a/contrib/providers.d/openstack/garm-external-provider +++ b/contrib/providers.d/openstack/garm-external-provider @@ -191,7 +191,7 @@ function repoURL() { echo "${REPO}" } -function getRegistrationTokenFromAPI() { +function ghAccessToken() { TOKEN_URL=$(runnerTokenURL) BEARER_TOKEN=$(callbackToken) TOKEN=$(curl --fail -s -X GET -H 'Accept: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" "${TOKEN_URL}") 
@@ -199,15 +199,6 @@ function getRegistrationTokenFromAPI() { echo "${TOKEN}" } -function ghAccessToken() { - TOKEN=$(echo "$INPUT" | jq -c -r '.github_runner_access_token') - if [ -z "$TOKEN" ];then - TOKEN=$(getRegistrationTokenFromAPI) - fi - checkValNotNull "${TOKEN}" "github_runner_access_token" || return $? - echo "${TOKEN}" -} - function callbackURL() { CB_URL=$(echo "$INPUT" | jq -c -r '."callback-url"') checkValNotNull "${CB_URL}" "callback-url" || return $? diff --git a/database/common/mocks/Store.go b/database/common/mocks/Store.go index 27d7f86e..d5bc37bf 100644 --- a/database/common/mocks/Store.go +++ b/database/common/mocks/Store.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.14.0. DO NOT EDIT. +// Code generated by mockery v2.15.0. DO NOT EDIT. package mocks diff --git a/database/sql/enterprise.go b/database/sql/enterprise.go index a23d408c..9d8eb1ca 100644 --- a/database/sql/enterprise.go +++ b/database/sql/enterprise.go @@ -250,13 +250,6 @@ func (s *sqlDatabase) ListEnterpriseInstances(ctx context.Context, enterpriseID ret := []params.Instance{} for _, pool := range pools { for _, instance := range pool.Instances { - if instance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return nil, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - instance.GithubRegistrationToken = []byte(decodedTk) - } ret = append(ret, s.sqlToParamsInstance(instance)) } } diff --git a/database/sql/instances.go b/database/sql/instances.go index 2bf7b5b1..9696cba5 100644 --- a/database/sql/instances.go +++ b/database/sql/instances.go @@ -16,10 +16,8 @@ package sql import ( "context" - "fmt" runnerErrors "garm/errors" "garm/params" - "garm/util" "github.com/pkg/errors" uuid "github.com/satori/go.uuid" 
@@ -32,36 +30,22 @@ func (s *sqlDatabase) CreateInstance(ctx context.Context, poolID string, param p if err != nil { return params.Instance{}, errors.Wrap(err, "fetching pool") } - var ghToken []byte - if param.GithubRegistrationToken != nil { - ghToken, err = util.Aes256EncodeString(string(param.GithubRegistrationToken), s.cfg.Passphrase) - if err != nil { - return params.Instance{}, fmt.Errorf("failed to encrypt gh token") - } - } + newInstance := Instance{ - Pool: pool, - Name: param.Name, - Status: param.Status, - RunnerStatus: param.RunnerStatus, - OSType: param.OSType, - OSArch: param.OSArch, - CallbackURL: param.CallbackURL, - MetadataURL: param.MetadataURL, - GithubRegistrationToken: ghToken, + Pool: pool, + Name: param.Name, + Status: param.Status, + RunnerStatus: param.RunnerStatus, + OSType: param.OSType, + OSArch: param.OSArch, + CallbackURL: param.CallbackURL, + MetadataURL: param.MetadataURL, } q := s.conn.Create(&newInstance) if q.Error != nil { return params.Instance{}, errors.Wrap(q.Error, "creating instance") } - if newInstance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(newInstance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - newInstance.GithubRegistrationToken = []byte(decodedTk) - } return s.sqlToParamsInstance(newInstance), nil } 
@@ -131,20 +115,6 @@ func (s *sqlDatabase) GetPoolInstanceByName(ctx context.Context, poolID string, return params.Instance{}, errors.Wrap(err, "fetching instance") } - if instance.GithubRegistrationToken != nil { - token, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return params.Instance{}, errors.Wrap(err, "decoing token") - } - instance.GithubRegistrationToken = []byte(token) - } - if instance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - instance.GithubRegistrationToken = []byte(decodedTk) - } return s.sqlToParamsInstance(instance), nil } @@ -154,13 +124,6 @@ func (s *sqlDatabase) GetInstanceByName(ctx context.Context, instanceName string return params.Instance{}, errors.Wrap(err, "fetching instance") } - if instance.GithubRegistrationToken != nil { - token, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return params.Instance{}, errors.Wrap(err, "decoing token") - } - instance.GithubRegistrationToken = []byte(token) - } return s.sqlToParamsInstance(instance), nil } @@ -246,13 +209,7 @@ func (s *sqlDatabase) UpdateInstance(ctx context.Context, instanceID string, par return params.Instance{}, errors.Wrap(err, "updating addresses") } } - if instance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return params.Instance{}, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - instance.GithubRegistrationToken = []byte(decodedTk) - } + return s.sqlToParamsInstance(instance), nil } 
@@ -264,13 +221,6 @@ func (s *sqlDatabase) ListPoolInstances(ctx context.Context, poolID string) ([]p ret := make([]params.Instance, len(pool.Instances)) for idx, inst := range pool.Instances { - if inst.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(inst.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return nil, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - inst.GithubRegistrationToken = []byte(decodedTk) - } ret[idx] = s.sqlToParamsInstance(inst) } return ret, nil @@ -285,13 +235,6 @@ func (s *sqlDatabase) ListAllInstances(ctx context.Context) ([]params.Instance, } ret := make([]params.Instance, len(instances)) for idx, instance := range instances { - if instance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return nil, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - instance.GithubRegistrationToken = []byte(decodedTk) - } ret[idx] = s.sqlToParamsInstance(instance) } return ret, nil diff --git a/database/sql/models.go b/database/sql/models.go index 9009eb09..64eaf4d7 100644 --- a/database/sql/models.go +++ b/database/sql/models.go 
@@ -127,21 +127,20 @@ type InstanceStatusUpdate struct { type Instance struct { Base - ProviderID *string `gorm:"uniqueIndex"` - Name string `gorm:"uniqueIndex"` - AgentID int64 - OSType config.OSType - OSArch config.OSArch - OSName string - OSVersion string - Addresses []Address `gorm:"foreignKey:InstanceID"` - Status common.InstanceStatus - RunnerStatus common.RunnerStatus - CallbackURL string - MetadataURL string - ProviderFault []byte `gorm:"type:longblob"` - CreateAttempt int - GithubRegistrationToken []byte `gorm:"type:longblob"` + ProviderID *string `gorm:"uniqueIndex"` + Name string `gorm:"uniqueIndex"` + AgentID int64 + OSType config.OSType + OSArch config.OSArch + OSName string + OSVersion string + Addresses []Address `gorm:"foreignKey:InstanceID"` + Status common.InstanceStatus + RunnerStatus common.RunnerStatus + CallbackURL string + MetadataURL string + ProviderFault []byte `gorm:"type:longblob"` + CreateAttempt int PoolID uuid.UUID Pool Pool `gorm:"foreignKey:PoolID"` diff --git a/database/sql/organizations.go b/database/sql/organizations.go index 8a4b8ee4..35b4b241 100644 --- a/database/sql/organizations.go +++ b/database/sql/organizations.go @@ -255,13 +255,6 @@ func (s *sqlDatabase) ListOrgInstances(ctx context.Context, orgID string) ([]par ret := []params.Instance{} for _, pool := range pools { for _, instance := range pool.Instances { - if instance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return nil, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - instance.GithubRegistrationToken = []byte(decodedTk) - } ret = append(ret, s.sqlToParamsInstance(instance)) } } diff --git a/database/sql/repositories.go b/database/sql/repositories.go index a6ef5ce6..73cf4295 100644 --- a/database/sql/repositories.go +++ b/database/sql/repositories.go 
@@ -264,13 +264,6 @@ func (s *sqlDatabase) ListRepoInstances(ctx context.Context, repoID string) ([]p ret := []params.Instance{} for _, pool := range pools { for _, instance := range pool.Instances { - if instance.GithubRegistrationToken != nil { - decodedTk, err := util.Aes256DecodeString(instance.GithubRegistrationToken, s.cfg.Passphrase) - if err != nil { - return nil, errors.Wrap(err, "decrypting GithubRegistrationToken") - } - instance.GithubRegistrationToken = []byte(decodedTk) - } ret = append(ret, s.sqlToParamsInstance(instance)) } } diff --git a/database/sql/util.go b/database/sql/util.go index 430ca7ec..dfcb74fd 100644 --- a/database/sql/util.go +++ b/database/sql/util.go @@ -29,23 +29,22 @@ func (s *sqlDatabase) sqlToParamsInstance(instance Instance) params.Instance { id = *instance.ProviderID } ret := params.Instance{ - ID: instance.ID.String(), - ProviderID: id, - AgentID: instance.AgentID, - Name: instance.Name, - OSType: instance.OSType, - OSName: instance.OSName, - OSVersion: instance.OSVersion, - OSArch: instance.OSArch, - Status: instance.Status, - RunnerStatus: instance.RunnerStatus, - PoolID: instance.PoolID.String(), - CallbackURL: instance.CallbackURL, - MetadataURL: instance.MetadataURL, - StatusMessages: []params.StatusMessage{}, - CreateAttempt: instance.CreateAttempt, - UpdatedAt: instance.UpdatedAt, - GithubRegistrationToken: instance.GithubRegistrationToken, + ID: instance.ID.String(), + ProviderID: id, + AgentID: instance.AgentID, + Name: instance.Name, + OSType: instance.OSType, + OSName: instance.OSName, + OSVersion: instance.OSVersion, + OSArch: instance.OSArch, + Status: instance.Status, + RunnerStatus: instance.RunnerStatus, + PoolID: instance.PoolID.String(), + CallbackURL: instance.CallbackURL, + MetadataURL: instance.MetadataURL, + StatusMessages: []params.StatusMessage{}, + CreateAttempt: instance.CreateAttempt, + UpdatedAt: instance.UpdatedAt, } if len(instance.ProviderFault) > 0 { 
diff --git a/params/params.go b/params/params.go index 9e22ef3f..9eb09878 100644 --- a/params/params.go +++ b/params/params.go @@ -76,10 +76,9 @@ type Instance struct { UpdatedAt time.Time `json:"updated_at"` // Do not serialize sensitive info. - CallbackURL string `json:"-"` - MetadataURL string `json:"-"` - CreateAttempt int `json:"-"` - GithubRegistrationToken []byte `json:"-"` + CallbackURL string `json:"-"` + MetadataURL string `json:"-"` + CreateAttempt int `json:"-"` } func (i Instance) GetName() string { @@ -95,9 +94,6 @@ type BootstrapInstance struct { Tools []*github.RunnerApplicationDownload `json:"tools"` // RepoURL is the URL the github runner agent needs to configure itself. RepoURL string `json:"repo_url"` - // GithubRunnerAccessToken is the token we fetch from github to allow the runner to - // register itself. - GithubRunnerAccessToken string `json:"github_runner_access_token"` // CallbackUrl is the URL where the instance can send a post, signaling // progress or status. CallbackURL string `json:"callback-url"` diff --git a/runner/common/mocks/GithubClient.go b/runner/common/mocks/GithubClient.go index b8db134a..a5b08140 100644 --- a/runner/common/mocks/GithubClient.go +++ b/runner/common/mocks/GithubClient.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.14.0. DO NOT EDIT. +// Code generated by mockery v2.15.0. DO NOT EDIT. package mocks diff --git a/runner/common/mocks/GithubEnterpriseClient.go b/runner/common/mocks/GithubEnterpriseClient.go index 741d139c..e9c3acc9 100644 --- a/runner/common/mocks/GithubEnterpriseClient.go +++ b/runner/common/mocks/GithubEnterpriseClient.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.14.0. DO NOT EDIT. +// Code generated by mockery v2.15.0. DO NOT EDIT. package mocks diff --git a/runner/common/mocks/PoolManager.go b/runner/common/mocks/PoolManager.go index 4d55c339..9f327279 100644 --- a/runner/common/mocks/PoolManager.go +++ b/runner/common/mocks/PoolManager.go 
@@ -1,4 +1,4 @@ -// Code generated by mockery v2.14.0. DO NOT EDIT. +// Code generated by mockery v2.15.0. DO NOT EDIT. package mocks @@ -27,6 +27,27 @@ func (_m *PoolManager) ForceDeleteRunner(runner params.Instance) error { return r0 } +// GithubRunnerRegistrationToken provides a mock function with given fields: +func (_m *PoolManager) GithubRunnerRegistrationToken() (string, error) { + ret := _m.Called() + + var r0 string + if rf, ok := ret.Get(0).(func() string); ok { + r0 = rf() + } else { + r0 = ret.Get(0).(string) + } + + var r1 error + if rf, ok := ret.Get(1).(func() error); ok { + r1 = rf() + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + // HandleWorkflowJob provides a mock function with given fields: job func (_m *PoolManager) HandleWorkflowJob(job params.WorkflowJob) error { ret := _m.Called(job) diff --git a/runner/common/mocks/Provider.go b/runner/common/mocks/Provider.go index fa6b5f2b..35206df6 100644 --- a/runner/common/mocks/Provider.go +++ b/runner/common/mocks/Provider.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.14.0. DO NOT EDIT. +// Code generated by mockery v2.15.0. DO NOT EDIT. package mocks diff --git a/runner/common/pool.go b/runner/common/pool.go index 113125e9..a075eb61 100644 --- a/runner/common/pool.go +++ b/runner/common/pool.go @@ -43,6 +43,7 @@ const ( type PoolManager interface { ID() string WebhookSecret() string + GithubRunnerRegistrationToken() (string, error) HandleWorkflowJob(job params.WorkflowJob) error RefreshState(param params.UpdatePoolStateParams) error ForceDeleteRunner(runner params.Instance) error diff --git a/runner/mocks/PoolManagerController.go b/runner/mocks/PoolManagerController.go index a310f483..ce708fcd 100644 --- a/runner/mocks/PoolManagerController.go +++ b/runner/mocks/PoolManagerController.go @@ -1,4 +1,4 @@ -// Code generated by mockery v2.14.0. DO NOT EDIT. +// Code generated by mockery v2.15.0. DO NOT EDIT. package mocks 
diff --git a/runner/pool/pool.go b/runner/pool/pool.go index 927a8c90..9ea4a8aa 100644 --- a/runner/pool/pool.go +++ b/runner/pool/pool.go @@ -522,19 +522,6 @@ func (r *basePoolManager) addInstanceToProvider(instance params.Instance) error labels = append(labels, r.controllerLabel()) labels = append(labels, r.poolLabel(pool.ID)) - if instance.GithubRegistrationToken == nil { - tk, err := r.helper.GetGithubRegistrationToken() - if err != nil { - if errors.Is(err, runnerErrors.ErrUnauthorized) { - failureReason := fmt.Sprintf("failed to fetch registration token: %q", err) - r.setPoolRunningState(false, failureReason) - log.Print(failureReason) - } - return errors.Wrap(err, "fetching registration token") - } - instance.GithubRegistrationToken = []byte(tk) - } - jwtValidity := pool.RunnerTimeout() var poolType common.PoolType = common.RepositoryPool if pool.OrgID != "" { @@ -562,10 +549,6 @@ func (r *basePoolManager) addInstanceToProvider(instance params.Instance) error CACertBundle: r.credsDetails.CABundle, } - if instance.MetadataURL == "" { - bootstrapArgs.GithubRunnerAccessToken = string(instance.GithubRegistrationToken) - } - var instanceIDToDelete string defer func() { @@ -986,6 +969,10 @@ func (r *basePoolManager) WebhookSecret() string { return r.helper.WebhookSecret() } +func (r *basePoolManager) GithubRunnerRegistrationToken() (string, error) { + return r.helper.GetGithubRegistrationToken() +} + func (r *basePoolManager) ID() string { return r.helper.ID() } diff --git a/runner/providers/external/util.go b/runner/providers/external/util.go index 4a39b2e3..33375122 100644 --- a/runner/providers/external/util.go +++ b/runner/providers/external/util.go 
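Review bot: The new `GithubRunnerRegistrationToken` returns the helper's error unchanged, which loses the `runnerErrors.ErrUnauthorized` handling that the removed block in `addInstanceToProvider` had: there the pool was marked as not running with a failure reason, and the reason was logged. With token fetching moved to the metadata endpoint, rejected GitHub credentials would surface only as failed instance requests, unless another path not visible here already flips the pool state. If that behaviour is still wanted, the accessor can carry it over as shown below. A doc comment stating that every call asks GitHub for a fresh registration token would also help callers decide who may invoke it.

```go
func (r *basePoolManager) GithubRunnerRegistrationToken() (string, error) {
	tk, err := r.helper.GetGithubRegistrationToken()
	if err != nil {
		if errors.Is(err, runnerErrors.ErrUnauthorized) {
			failureReason := fmt.Sprintf("failed to fetch registration token: %q", err)
			r.setPoolRunningState(false, failureReason)
			log.Print(failureReason)
		}
		return "", errors.Wrap(err, "fetching registration token")
	}
	return tk, nil
}
```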
@@ -29,7 +29,6 @@ func bootstrapParamsToEnv(param params.BootstrapInstance) []string { fmt.Sprintf("%s_BOOTSTRAP_CALLBACK_URL='%s'", envPrefix, param.CallbackURL), fmt.Sprintf("%s_BOOTSTRAP_REPO_URL='%s'", envPrefix, param.RepoURL), fmt.Sprintf("%s_BOOTSTRAP_LABELS='%s'", envPrefix, strings.Join(param.Labels, ",")), - fmt.Sprintf("%s_BOOTSTRAP_GITHUB_ACCESS_TOKEN='%s'", envPrefix, param.GithubRunnerAccessToken), } for idx, tool := range param.Tools { diff --git a/runner/runner.go b/runner/runner.go index 1e289bd9..c363daec 100644 --- a/runner/runner.go +++ b/runner/runner.go @@ -724,8 +724,8 @@ func (r *Runner) AddInstanceStatusMessage(ctx context.Context, param params.Inst } func (r *Runner) GetInstanceGithubRegistrationToken(ctx context.Context) (string, error) { - instanceID := auth.InstanceID(ctx) - if instanceID == "" { + instanceName := auth.InstanceName(ctx) + if instanceName == "" { return "", runnerErrors.ErrUnauthorized } 
@@ -733,10 +733,65 @@ func (r *Runner) GetInstanceGithubRegistrationToken(ctx context.Context) (string if status != providerCommon.RunnerPending && status != providerCommon.RunnerInstalling { return "", runnerErrors.ErrUnauthorized } - token := auth.InstanceGithubToken(ctx) + + instance, err := r.store.GetInstanceByName(ctx, instanceName) + if err != nil { + return "", errors.Wrap(err, "fetching instance") + } + + poolMgr, err := r.getPoolManagerFromInstance(ctx, instance) + if err != nil { + return "", errors.Wrap(err, "fetching pool manager for instance") + } + + token, err := poolMgr.GithubRunnerRegistrationToken() + if err != nil { + return "", errors.Wrap(err, "fetching runner token") + } + return token, nil } +func (r *Runner) getPoolManagerFromInstance(ctx context.Context, instance params.Instance) (common.PoolManager, error) { + pool, err := r.store.GetPoolByID(ctx, instance.PoolID) + if err != nil { + return nil, errors.Wrap(err, "fetching pool") + } + + var poolMgr common.PoolManager + + if pool.RepoID != "" { + repo, err := r.store.GetRepositoryByID(ctx, pool.RepoID) + if err != nil { + return nil, errors.Wrap(err, "fetching repo") + } + poolMgr, err = r.findRepoPoolManager(repo.Owner, repo.Name) + if err != nil { + return nil, errors.Wrapf(err, "fetching pool manager for repo %s", pool.RepoName) + } + } else if pool.OrgID != "" { + org, err := r.store.GetOrganizationByID(ctx, pool.OrgID) + if err != nil { + return nil, errors.Wrap(err, "fetching org") + } + poolMgr, err = r.findOrgPoolManager(org.Name) + if err != nil { + return nil, errors.Wrapf(err, "fetching pool manager for org %s", pool.OrgName) + } + } else if pool.EnterpriseID != "" { + enterprise, err := r.store.GetEnterpriseByID(ctx, pool.EnterpriseID) + if err != nil { + return nil, errors.Wrap(err, "fetching enterprise") + } + poolMgr, err = r.findEnterprisePoolManager(enterprise.Name) + if err != nil { + return nil, errors.Wrapf(err, "fetching pool manager for enterprise %s", 
pool.EnterpriseName) + } + } + + return poolMgr, nil +} + func (r *Runner) ForceDeleteRunner(ctx context.Context, instanceName string) error { if !auth.IsAdmin(ctx) { return runnerErrors.ErrUnauthorized @@ -747,46 +802,9 @@ func (r *Runner) ForceDeleteRunner(ctx context.Context, instanceName string) err return errors.Wrap(err, "fetching instance") } - switch instance.Status { - case providerCommon.InstanceRunning, providerCommon.InstanceError: - default: - return runnerErrors.NewBadRequestError("runner must be in %q or %q state", providerCommon.InstanceRunning, providerCommon.InstanceError) - } - - pool, err := r.store.GetPoolByID(ctx, instance.PoolID) + poolMgr, err := r.getPoolManagerFromInstance(ctx, instance) if err != nil { - return errors.Wrap(err, "fetching pool") - } - - var poolMgr common.PoolManager - - if pool.RepoID != "" { - repo, err := r.store.GetRepositoryByID(ctx, pool.RepoID) - if err != nil { - return errors.Wrap(err, "fetching repo") - } - poolMgr, err = r.findRepoPoolManager(repo.Owner, repo.Name) - if err != nil { - return errors.Wrapf(err, "fetching pool manager for repo %s", pool.RepoName) - } - } else if pool.OrgID != "" { - org, err := r.store.GetOrganizationByID(ctx, pool.OrgID) - if err != nil { - return errors.Wrap(err, "fetching org") - } - poolMgr, err = r.findOrgPoolManager(org.Name) - if err != nil { - return errors.Wrapf(err, "fetching pool manager for org %s", pool.OrgName) - } - } else if pool.EnterpriseID != "" { - enterprise, err := r.store.GetEnterpriseByID(ctx, pool.EnterpriseID) - if err != nil { - return errors.Wrap(err, "fetching enterprise") - } - poolMgr, err = r.findEnterprisePoolManager(enterprise.Name) - if err != nil { - return errors.Wrapf(err, "fetching pool manager for enterprise %s", pool.EnterpriseName) - } + return errors.Wrap(err, "fetching pool manager for instance") } if err := poolMgr.ForceDeleteRunner(instance); err != nil { diff --git a/util/util.go b/util/util.go index e3b9e9ba..eba4f188 100644 
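Review bot: `getPoolManagerFromInstance` returns `nil, nil` when the pool has none of `RepoID`, `OrgID` or `EnterpriseID` set, because the `if`/`else if` chain has no final branch. Both callers then invoke a method on a nil `common.PoolManager` (`poolMgr.GithubRunnerRegistrationToken()` in this hunk and `poolMgr.ForceDeleteRunner(instance)` in the next one), which panics inside a request handler. A closing branch such as `else { return nil, errors.Errorf("pool %s has no repository, organization or enterprise", instance.PoolID) }` turns that into an ordinary error. Separately, the endpoint now requests a new registration token from GitHub on every call. The `status` it gates on is assigned outside the hunk, so it is worth confirming that it reflects the current record; comparing against `instance.RunnerStatus` from the instance fetched here would tie the decision to the database state.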
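Review bot: Besides switching to the shared helper, this hunk drops the `instance.Status` guard, so `ForceDeleteRunner` no longer rejects runners outside the `InstanceRunning` and `InstanceError` states. Nothing else in the change relates to that check, so the removal looks like a side effect of the refactor rather than a decision. If force-deleting in any state is intended, a comment above the helper call should say so; otherwise the guard should stay ahead of the helper call, as below. The body of ForceDeleteRunner starts and ends outside the hunk.

```go
	// … unchanged: admin check and GetInstanceByName …
	switch instance.Status {
	case providerCommon.InstanceRunning, providerCommon.InstanceError:
	default:
		return runnerErrors.NewBadRequestError("runner must be in %q or %q state", providerCommon.InstanceRunning, providerCommon.InstanceError)
	}

	poolMgr, err := r.getPoolManagerFromInstance(ctx, instance)
```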
--- a/util/util.go +++ b/util/util.go @@ -222,11 +222,6 @@ func GetCloudConfig(bootstrapParams params.BootstrapInstance, tools github.Runne CallbackToken: bootstrapParams.InstanceToken, } - if bootstrapParams.MetadataURL == "" { - // Token URL is not set. Add the GH runner registration token to userdata. - installRunnerParams.GithubToken = bootstrapParams.GithubRunnerAccessToken - } - installScript, err := cloudconfig.InstallRunnerScript(installRunnerParams) if err != nil { return "", errors.Wrap(err, "generating script")