Support the JWT param set by Workhorse

During file uploads, Workhorse will set a JWT param per file upload that contain all the upload params. `multipart.rb` has been modified to support these params so that `UploadedFile`s are built from those signed params. This behavior change is gated behind a feature flag: :upload_middleware_jwt_params_handler Support the changes done in: https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/490

Support the JWT param set by Workhorse
During file uploads, Workhorse will set a JWT param per file upload that contain all the upload params. `multipart.rb` has been modified to support these params so that `UploadedFile`s are built from those signed params. This behavior change is gated behind a feature flag: :upload_middleware_jwt_params_handler Support the changes done in: https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/490
1a7a1c3c · David Fernandez · Alessio Caiazza · cbf72932 · 1a7a1c3c · 1a7a1c3c
Commit 1a7a1c3c authored Sep 18, 2020 by David Fernandez Committed by Alessio Caiazza Sep 18, 2020
11 changed files
--- a/changelogs/unreleased/214785-support-jwt-param-from-workhorse-for-file-uploads.yml
+++ b/changelogs/unreleased/214785-support-jwt-param-from-workhorse-for-file-uploads.yml
+---
+title: Support JWT params set by Workhorse during uploads
+merge_request: 33277
+author:
+type: changed
--- a/config/feature_flags/development/upload_middleware_jwt_params_handler.yml
+++ b/config/feature_flags/development/upload_middleware_jwt_params_handler.yml
+---
+name: upload_middleware_jwt_params_handler
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33277
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/233895
+group: group::package
+type: development
+default_enabled: false
--- a/lib/gitlab/middleware/multipart.rb
+++ b/lib/gitlab/middleware/multipart.rb
@@ -29,6 +29,8 @@ module Gitlab
  module Middleware
    class Multipart
      RACK_ENV_KEY = 'HTTP_GITLAB_WORKHORSE_MULTIPART_FIELDS'
+      JWT_PARAM_SUFFIX = '.gitlab-workhorse-upload'
+      JWT_PARAM_FIXED_KEY = 'upload'

      class Handler
        def initialize(env, message)
@@ -133,6 +135,79 @@ module Gitlab
        end
      end

+      # TODO this class is meant to replace Handler when the feature flag
+      # upload_middleware_jwt_params_handler is removed
+      class HandlerForJWTParams < Handler
+        def with_open_files
+          @rewritten_fields.keys.each do |field|
+            parsed_field = Rack::Utils.parse_nested_query(field)
+            raise "unexpected field: #{field.inspect}" unless parsed_field.count == 1
+
+            key, value = parsed_field.first
+            if value.nil? # we have a top level param, eg. field = 'foo' and not 'foo[bar]'
+              raise "invalid field: #{field.inspect}" if field != key
+
+              value = open_file(extract_upload_params_from(@request.params, with_prefix: key))
+              @open_files << value
+            else
+              value = decorate_params_value(value, @request.params[key])
+            end
+
+            update_param(key, value)
+          end
+
+          yield
+        ensure
+          @open_files.compact
+                     .each(&:close)
+        end
+
+        # This function calls itself recursively
+        def decorate_params_value(hash_path, value_hash)
+          unless hash_path.is_a?(Hash) && hash_path.count == 1
+            raise "invalid path: #{hash_path.inspect}"
+          end
+
+          path_key, path_value = hash_path.first
+
+          unless value_hash.is_a?(Hash) && value_hash[path_key]
+            raise "invalid value hash: #{value_hash.inspect}"
+          end
+
+          case path_value
+          when nil
+            value_hash[path_key] = open_file(extract_upload_params_from(value_hash[path_key]))
+            @open_files << value_hash[path_key]
+            value_hash
+          when Hash
+            decorate_params_value(path_value, value_hash[path_key])
+            value_hash
+          else
+            raise "unexpected path value: #{path_value.inspect}"
+          end
+        end
+
+        def open_file(params)
+          ::UploadedFile.from_params_without_field(params, allowed_paths)
+        end
+
+        private
+
+        def extract_upload_params_from(params, with_prefix: '')
+          param_key = "#{with_prefix}#{JWT_PARAM_SUFFIX}"
+          jwt_token = params[param_key]
+          raise "Empty JWT param: #{param_key}" if jwt_token.blank?
+
+          payload = Gitlab::Workhorse.decode_jwt(jwt_token).first
+          raise "Invalid JWT payload: not a Hash" unless payload.is_a?(Hash)
+
+          upload_params = payload.fetch(JWT_PARAM_FIXED_KEY, {})
+          raise "Empty params for: #{param_key}" if upload_params.empty?
+
+          upload_params
+        end
+      end
+
      def initialize(app)
        @app = app
      end
@@ -143,12 +218,22 @@ module Gitlab

        message = ::Gitlab::Workhorse.decode_jwt(encoded_message)[0]

-        ::Gitlab::Middleware::Multipart::Handler.new(env, message).with_open_files do
+        handler_class.new(env, message).with_open_files do
          @app.call(env)
        end
      rescue UploadedFile::InvalidPathError => e
        [400, { 'Content-Type' => 'text/plain' }, e.message]
      end
+
+      private
+
+      def handler_class
+        if Feature.enabled?(:upload_middleware_jwt_params_handler)
+          ::Gitlab::Middleware::Multipart::HandlerForJWTParams
+        else
+          ::Gitlab::Middleware::Multipart::Handler
+        end
+      end
    end
  end
 end
--- a/lib/uploaded_file.rb
+++ b/lib/uploaded_file.rb
@@ -42,6 +42,32 @@ class UploadedFile
    @remote_id = remote_id
  end

+  def self.from_params_without_field(params, upload_paths)
+    path = params['path']
+    remote_id = params['remote_id']
+    return if path.blank? && remote_id.blank?
+
+    # don't use file_path if remote_id is set
+    if remote_id.present?
+      file_path = nil
+    elsif path.present?
+      file_path = File.realpath(path)
+
+      unless self.allowed_path?(file_path, Array(upload_paths).compact)
+        raise InvalidPathError, "insecure path used '#{file_path}'"
+      end
+    end
+
+    UploadedFile.new(
+      file_path,
+      filename: params['name'],
+      content_type: params['type'] || 'application/octet-stream',
+      sha256: params['sha256'],
+      remote_id: remote_id,
+      size: params['size']
+    )
+  end
+
  def self.from_params(params, field, upload_paths, path_override = nil)
    path = path_override || params["#{field}.path"]
    remote_id = params["#{field}.remote_id"]

--- a/spec/lib/gitlab/middleware/multipart/handler_for_jwt_params_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart/handler_for_jwt_params_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Middleware::Multipart::HandlerForJWTParams do
+  using RSpec::Parameterized::TableSyntax
+
+  let_it_be(:env) { Rack::MockRequest.env_for('/', method: 'post', params: {}) }
+  let_it_be(:message) { { 'rewritten_fields' => {} } }
+
+  describe '#allowed_paths' do
+    let_it_be(:expected_allowed_paths) do
+      [
+        Dir.tmpdir,
+        ::FileUploader.root,
+        ::Gitlab.config.uploads.storage_path,
+        ::JobArtifactUploader.workhorse_upload_path,
+        ::LfsObjectUploader.workhorse_upload_path,
+        File.join(Rails.root, 'public/uploads/tmp')
+      ]
+    end
+
+    let_it_be(:expected_with_packages_path) { expected_allowed_paths + [::Packages::PackageFileUploader.workhorse_upload_path] }
+
+    subject { described_class.new(env, message).send(:allowed_paths) }
+
+    where(:package_features_enabled, :object_storage_enabled, :direct_upload_enabled, :expected_paths) do
+      false | false | true  | :expected_allowed_paths
+      false | false | false | :expected_allowed_paths
+      false | true  | true  | :expected_allowed_paths
+      false | true  | false | :expected_allowed_paths
+      true  | false | true  | :expected_with_packages_path
+      true  | false | false | :expected_with_packages_path
+      true  | true  | true  | :expected_allowed_paths
+      true  | true  | false | :expected_with_packages_path
+    end
+
+    with_them do
+      before do
+        stub_config(packages: {
+          enabled: package_features_enabled,
+          object_store: {
+            enabled: object_storage_enabled,
+            direct_upload: direct_upload_enabled
+          },
+          storage_path: '/any/dir'
+        })
+      end
+
+      it { is_expected.to eq(send(expected_paths)) }
+    end
+  end
+end
--- a/spec/lib/gitlab/middleware/multipart_with_handler_for_jwt_params_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_with_handler_for_jwt_params_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Middleware::Multipart do
+  include MultipartHelpers
+
+  describe '#call' do
+    let(:app) { double(:app) }
+    let(:middleware) { described_class.new(app) }
+    let(:secret) { Gitlab::Workhorse.secret }
+    let(:issuer) { 'gitlab-workhorse' }
+
+    subject do
+      env = post_env(
+        rewritten_fields: rewritten_fields,
+        params: params,
+        secret: secret,
+        issuer: issuer
+      )
+      middleware.call(env)
+    end
+
+    before do
+      stub_feature_flags(upload_middleware_jwt_params_handler: true)
+    end
+
+    context 'remote file mode' do
+      let(:mode) { :remote }
+
+      it_behaves_like 'handling all upload parameters conditions'
+
+      context 'and a path set' do
+        include_context 'with one temporary file for multipart'
+
+        let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
+        let(:params) { upload_parameters_for(key: 'file', filename: filename, remote_id: remote_id).merge('file.path' => '/should/not/be/read') }
+
+        it 'builds an UploadedFile' do
+          expect_uploaded_files(original_filename: filename, remote_id: remote_id, size: uploaded_file.size, params_path: %w(file))
+
+          subject
+        end
+      end
+    end
+
+    context 'local file mode' do
+      let(:mode) { :local }
+
+      it_behaves_like 'handling all upload parameters conditions'
+
+      context 'when file is' do
+        include_context 'with one temporary file for multipart'
+
+        let(:allowed_paths) { [Dir.tmpdir] }
+
+        before do
+          expect_next_instance_of(::Gitlab::Middleware::Multipart::HandlerForJWTParams) do |handler|
+            expect(handler).to receive(:allowed_paths).and_return(allowed_paths)
+          end
+        end
+
+        context 'in allowed paths' do
+          let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
+          let(:params) { upload_parameters_for(filepath: uploaded_filepath, key: 'file', filename: filename) }
+
+          it 'builds an UploadedFile' do
+            expect_uploaded_files(filepath: uploaded_filepath, original_filename: filename, size: uploaded_file.size, params_path: %w(file))
+
+            subject
+          end
+        end
+
+        context 'not in allowed paths' do
+          let(:allowed_paths) { [] }
+
+          let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
+          let(:params) { upload_parameters_for(filepath: uploaded_filepath, key: 'file') }
+
+          it 'returns an error' do
+            result = subject
+
+            expect(result[0]).to eq(400)
+            expect(result[2]).to include('insecure path used')
+          end
+        end
+      end
+    end
+
+    context 'with dummy params in remote mode' do
+      let(:rewritten_fields) { { 'file' => 'should/not/be/read' } }
+      let(:params) { upload_parameters_for(key: 'file') }
+      let(:mode) { :remote }
+
+      context 'with an invalid secret' do
+        let(:secret) { 'INVALID_SECRET' }
+
+        it { expect { subject }.to raise_error(JWT::VerificationError) }
+      end
+
+      context 'with an invalid issuer' do
+        let(:issuer) { 'INVALID_ISSUER' }
+
+        it { expect { subject }.to raise_error(JWT::InvalidIssuerError) }
+      end
+
+      context 'with invalid rewritten field key' do
+        invalid_keys = [
+          '[file]',
+          ';file',
+          'file]',
+          ';file]',
+          'file]]',
+          'file;;'
+        ]
+
+        invalid_keys.each do |invalid_key|
+          context invalid_key do
+            let(:rewritten_fields) { { invalid_key => 'should/not/be/read' } }
+
+            it { expect { subject }.to raise_error(RuntimeError, "invalid field: \"#{invalid_key}\"") }
+          end
+        end
+      end
+
+      context 'with invalid key in parameters' do
+        include_context 'with one temporary file for multipart'
+
+        let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
+        let(:params) { upload_parameters_for(filepath: uploaded_filepath, key: 'wrong_key', filename: filename, remote_id: remote_id) }
+
+        it 'raises an error' do
+          expect { subject }.to raise_error(RuntimeError, 'Empty JWT param: file.gitlab-workhorse-upload')
+        end
+      end
+
+      context 'with a modified JWT payload' do
+        include_context 'with one temporary file for multipart'
+
+        let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
+        let(:crafted_payload) { Base64.urlsafe_encode64({ 'path' => 'test' }.to_json) }
+        let(:params) do
+          upload_parameters_for(filepath: uploaded_filepath, key: 'file', filename: filename, remote_id: remote_id).tap do |params|
+            header, _, sig = params['file.gitlab-workhorse-upload'].split('.')
+            params['file.gitlab-workhorse-upload'] = [header, crafted_payload, sig].join('.')
+          end
+        end
+
+        it 'raises an error' do
+          expect { subject }.to raise_error(JWT::VerificationError, 'Signature verification raised')
+        end
+      end
+
+      context 'with a modified JWT sig' do
+        include_context 'with one temporary file for multipart'
+
+        let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
+        let(:params) do
+          upload_parameters_for(filepath: uploaded_filepath, key: 'file', filename: filename, remote_id: remote_id).tap do |params|
+            header, payload, sig = params['file.gitlab-workhorse-upload'].split('.')
+            params['file.gitlab-workhorse-upload'] = [header, payload, "#{sig}modified"].join('.')
+          end
+        end
+
+        it 'raises an error' do
+          expect { subject }.to raise_error(JWT::VerificationError, 'Signature verification raised')
+        end
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/middleware/multipart_spec.rb
+++ b/spec/lib/gitlab/middleware/multipart_spec.rb
@@ -21,7 +21,11 @@ RSpec.describe Gitlab::Middleware::Multipart do
      middleware.call(env)
    end

-    context 'with remote file mode params' do
+    before do
+      stub_feature_flags(upload_middleware_jwt_params_handler: false)
+    end
+
+    context 'remote file mode' do
      let(:mode) { :remote }

      it_behaves_like 'handling all upload parameters conditions'
@@ -58,10 +62,10 @@ RSpec.describe Gitlab::Middleware::Multipart do

        context 'in allowed paths' do
          let(:rewritten_fields) { rewritten_fields_hash('file' => uploaded_filepath) }
-          let(:params) { upload_parameters_for(filepath: uploaded_filepath, key: 'file', filename: filename, remote_id: remote_id) }
+          let(:params) { upload_parameters_for(filepath: uploaded_filepath, key: 'file', filename: filename) }

          it 'builds an UploadedFile' do
-            expect_uploaded_files(filepath: uploaded_filepath, original_filename: filename, remote_id: remote_id, size: uploaded_file.size, params_path: %w(file))
+            expect_uploaded_files(filepath: uploaded_filepath, original_filename: filename, size: uploaded_file.size, params_path: %w(file))

            subject
          end

--- a/spec/lib/uploaded_file_spec.rb
+++ b/spec/lib/uploaded_file_spec.rb
--- a/spec/support/helpers/multipart_helpers.rb
+++ b/spec/support/helpers/multipart_helpers.rb
 # frozen_string_literal: true

 module MultipartHelpers
+  include WorkhorseHelpers
+
  def post_env(rewritten_fields:, params:, secret:, issuer:)
    token = JWT.encode({ 'iss' => issuer, 'rewritten_fields' => rewritten_fields }, secret, 'HS256')
    Rack::MockRequest.env_for(
@@ -29,7 +31,14 @@ module MultipartHelpers
      raise ArgumentError, "can't handle #{mode} mode"
    end

-    result
+    return result if ::Feature.disabled?(:upload_middleware_jwt_params_handler)
+
+    # the HandlerForJWTParams expects a jwt token with the upload parameters
+    # *without* the "#{key}." prefix
+    result.deep_transform_keys! { |k| k.remove("#{key}.") }
+    {
+      "#{key}.gitlab-workhorse-upload" => jwt_token('upload' => result)
+    }
  end

  # This function assumes a `mode` variable to be set

--- a/spec/support/helpers/workhorse_helpers.rb
+++ b/spec/support/helpers/workhorse_helpers.rb
@@ -3,6 +3,8 @@
 module WorkhorseHelpers
  extend self

+  UPLOAD_PARAM_NAMES = %w[name size path remote_id sha256 type].freeze
+
  def workhorse_send_data
    @_workhorse_send_data ||= begin
      header = response.headers[Gitlab::Workhorse::SEND_DATA_HEADER]
@@ -59,6 +61,7 @@ module WorkhorseHelpers
      file = workhorse_params.delete(key)
      rewritten_fields[key] = file.path if file
      workhorse_params = workhorse_disk_accelerated_file_params(key, file).merge(workhorse_params)
+      workhorse_params = workhorse_params.merge(jwt_file_upload_param(key: key, params: workhorse_params))
    end

    headers = if send_rewritten_field
@@ -74,8 +77,19 @@ module WorkhorseHelpers

  private

-  def jwt_token(data = {})
-    JWT.encode({ 'iss' => 'gitlab-workhorse' }.merge(data), Gitlab::Workhorse.secret, 'HS256')
+  def jwt_file_upload_param(key:, params:)
+    upload_params = UPLOAD_PARAM_NAMES.map do |file_upload_param|
+      [file_upload_param, params["#{key}.#{file_upload_param}"]]
+    end
+    upload_params = upload_params.to_h.compact
+
+    return {} if upload_params.empty?
+
+    { "#{key}.gitlab-workhorse-upload" => jwt_token('upload' => upload_params) }
+  end
+
+  def jwt_token(data = {}, issuer: 'gitlab-workhorse', secret: Gitlab::Workhorse.secret, algorithm: 'HS256')
+    JWT.encode({ 'iss' => issuer }.merge(data), secret, algorithm)
  end

  def workhorse_rewritten_fields_header(fields)

--- a/spec/support/shared_examples/features/file_uploads_shared_examples.rb
+++ b/spec/support/shared_examples/features/file_uploads_shared_examples.rb
@@ -2,6 +2,28 @@

 RSpec.shared_examples 'handling file uploads' do |shared_examples_name|
  context 'with object storage disabled' do
-    it_behaves_like shared_examples_name
+    context 'with upload_middleware_jwt_params_handler disabled' do
+      before do
+        stub_feature_flags(upload_middleware_jwt_params_handler: false)
+
+        expect_next_instance_of(Gitlab::Middleware::Multipart::Handler) do |handler|
+          expect(handler).to receive(:with_open_files).and_call_original
+        end
+      end
+
+      it_behaves_like shared_examples_name
+    end
+
+    context 'with upload_middleware_jwt_params_handler enabled' do
+      before do
+        stub_feature_flags(upload_middleware_jwt_params_handler: true)
+
+        expect_next_instance_of(Gitlab::Middleware::Multipart::HandlerForJWTParams) do |handler|
+          expect(handler).to receive(:with_open_files).and_call_original
+        end
+      end
+
+      it_behaves_like shared_examples_name
+    end
  end
 end