.gitlab-ci.yml

@@ -12,14 +12,22 @@ test:1.5:
   image: golang:1.5
   script:
   - make verify-lite
+  - make acceptance
 test:1.6:
   image: golang:1.6
   script:
   - make verify
+  - make acceptance
 test:1.7:
   image: golang:1.7
   script:
   - make verify
   - make acceptance
+
+test:1.8:
+  image: golang:1.8
+  script:
+  - make verify
+  - make acceptance

CHANGELOG

+v 0.4.0
+- Fix the `-redirect-http` option so it redirects from HTTP to HTTPS when enabled !21
+
+v 0.3.2
+- Only pass a metrics fd to the daemon child if a metrics address was specified
+
+v 0.3.1
+- Pass the metrics address fd to the child process
+
 v 0.3.0
 - Prometheus metrics support with `metrics-address`

Makefile

@@ -40,10 +40,11 @@ complexity:
 test:
 	go get golang.org/x/tools/cmd/cover
-	go test ./... -cover
+	go test ./... -short -cover -v -timeout 1m
 acceptance: gitlab-pages
-	go test ./... -run-acceptance-tests
+	go get golang.org/x/tools/cmd/cover
+	go test ./... -cover -v -timeout 1m
 docker:
 	docker run --rm -it -v ${PWD}:/go/src/pages -w /go/src/pages golang:1.5 /bin/bash

README.md

 ## GitLab Pages Daemon
+[![build status](https://gitlab.com/gitlab-org/gitlab-pages/badges/master/build.svg)](https://gitlab.com/gitlab-org/gitlab-pages/commits/master)
+
+[![coverage report](https://gitlab.com/gitlab-org/gitlab-pages/badges/master/coverage.svg)](https://gitlab.com/gitlab-org/gitlab-pages/commits/master)
+
 This is simple HTTP server written in Go made to serve GitLab Pages with CNAMEs and SNI using HTTP/HTTP2.
 This is made to work in small-to-medium scale environments.
@@ -39,15 +43,18 @@ If load balancer is run in SSL-offloading mode the custom TLS certificate will n
 Example:
 ```
-go build
+CGO_ENABLED=0 GO15VENDOREXPERIMENT=1 go build
 ./gitlab-pages -listen-https "" -listen-http ":8090" -pages-root path/to/gitlab/shared/pages -pages-domain example.com
 ```
 ### Run daemon **in secure mode**
-The daemon can be run in chroot with dropped privileges.
-Run daemon as root user and pass the `-daemon-uid` and `-daemon-gid`.
+When compiled with `CGO_ENABLED=0` (which is the default), `gitlab-pages` is a
+static binary and so can be run in chroot with dropped privileges.
+To enter this mode, run `gitlab-pages` as the root user and pass it the
+`-daemon-uid` and `-daemon-gid` arguments to specify the user you want it to run
+as.
 The daemon start listening on ports as root, reads certificates as root and re-executes itself as specified user.
 When re-executing it copies it's own binary to `pages-root` and changes root to that directory.
@@ -74,13 +81,13 @@ This is most useful in dual-stack environments (IPv4+IPv6) where both Gitlab Pag
 ### Enable Prometheus Metrics
-For monitoring purposes, one could pass the `-metrics-address` flag when 
-starting. This will expose general metrics about the Go runtime and pages 
+For monitoring purposes, one could pass the `-metrics-address` flag when
+starting. This will expose general metrics about the Go runtime and pages
 application for [Prometheus](https://prometheus.io/) to scrape.
 Example:
 ```
-./gitlab-pages -listen-http ":8090" -metrics-address ":9101" -pages-root path/to/gitlab/shared/pages -pages-domain example.com
+./gitlab-pages -listen-http ":8090" -metrics-address ":9235" -pages-root path/to/gitlab/shared/pages -pages-domain example.com
 ```
 ### License

VERSION

-0.3.0
+0.4.0

acceptance_test.go

@@ -4,12 +4,12 @@ import (
 	"flag"
 	"io/ioutil"
 	"net/http"
+	"os"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
-var shouldRun = flag.Bool("run-acceptance-tests", false, "Run the acceptance tests?")
 var pagesBinary = flag.String("gitlab-pages-binary", "./gitlab-pages", "Path to the gitlab-pages binary")
 // TODO: Use TCP port 0 everywhere to avoid conflicts. The binary could output
@@ -24,27 +24,34 @@ var listeners = []ListenSpec{
 	{"proxy", "::1", "37002"},
 }
+var (
+	httpListener  = listeners[0]
+	httpsListener = listeners[2]
+)
+
 func skipUnlessEnabled(t *testing.T) {
-	if *shouldRun {
-		return
+	if testing.Short() {
+		t.Log("Acceptance tests disabled")
+		t.SkipNow()
 	}
-	t.Log("Acceptance tests disabled")
-	t.SkipNow()
+	if _, err := os.Stat(*pagesBinary); os.IsNotExist(err) {
+		t.Errorf("Couldn't find gitlab-pages binary at %s", *pagesBinary)
+		t.FailNow()
+	}
 }
 func TestUnknownHostReturnsNotFound(t *testing.T) {
 	skipUnlessEnabled(t)
-	teardown := RunPagesProcess(t, *pagesBinary, listeners, "")
+	teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "-redirect-http=false")
 	defer teardown()
 	for _, spec := range listeners {
 		rsp, err := GetPageFromListener(t, spec, "invalid.invalid", "")
-		if assert.NoError(t, err) {
-			rsp.Body.Close()
-			assert.Equal(t, http.StatusNotFound, rsp.StatusCode)
-		}
+		assert.NoError(t, err)
+		rsp.Body.Close()
+		assert.Equal(t, http.StatusNotFound, rsp.StatusCode)
 	}
 }
@@ -56,13 +63,46 @@ func TestKnownHostReturns200(t *testing.T) {
 	for _, spec := range listeners {
 		rsp, err := GetPageFromListener(t, spec, "group.gitlab-example.com", "project/")
-		if assert.NoError(t, err) {
-			rsp.Body.Close()
-			assert.Equal(t, http.StatusOK, rsp.StatusCode)
-		}
+		assert.NoError(t, err)
+		rsp.Body.Close()
+		assert.Equal(t, http.StatusOK, rsp.StatusCode)
 	}
 }
+func TestHttpToHttpsRedirectDisabled(t *testing.T) {
+	skipUnlessEnabled(t)
+	teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "-redirect-http=false")
+	defer teardown()
+
+	rsp, err := GetRedirectPage(t, httpListener, "group.gitlab-example.com", "project/")
+	assert.NoError(t, err)
+	defer rsp.Body.Close()
+	assert.Equal(t, http.StatusOK, rsp.StatusCode)
+
+	rsp, err = GetPageFromListener(t, httpsListener, "group.gitlab-example.com", "project/")
+	assert.NoError(t, err)
+	defer rsp.Body.Close()
+	assert.Equal(t, http.StatusOK, rsp.StatusCode)
+}
+
+func TestHttpToHttpsRedirectEnabled(t *testing.T) {
+	skipUnlessEnabled(t)
+	teardown := RunPagesProcess(t, *pagesBinary, listeners, "", "-redirect-http=true")
+	defer teardown()
+
+	rsp, err := GetRedirectPage(t, httpListener, "group.gitlab-example.com", "project/")
+	assert.NoError(t, err)
+	defer rsp.Body.Close()
+	assert.Equal(t, http.StatusTemporaryRedirect, rsp.StatusCode)
+	assert.Equal(t, 1, len(rsp.Header["Location"]))
+	assert.Equal(t, "https://group.gitlab-example.com/project/", rsp.Header.Get("Location"))
+
+	rsp, err = GetPageFromListener(t, httpsListener, "group.gitlab-example.com", "project/")
+	assert.NoError(t, err)
+	defer rsp.Body.Close()
+	assert.Equal(t, http.StatusOK, rsp.StatusCode)
+}
+
 func TestPrometheusMetricsCanBeScraped(t *testing.T) {
 	skipUnlessEnabled(t)
 	listener := []ListenSpec{{"http", "127.0.0.1", "37003"}}

app.go

@@ -52,7 +52,7 @@ func (a *theApp) serveContent(ww http.ResponseWriter, r *http.Request, https boo
 	defer metrics.SessionsActive.Dec()
 	// Add auto redirect
-	if https && !a.RedirectHTTP {
+	if !https && a.RedirectHTTP {
 		u := *r.URL
 		u.Scheme = "https"
 		u.Host = r.Host

daemon.go

@@ -188,7 +188,7 @@ func daemonize(config appConfig, uid, gid uint) {
 	// Run daemon in chroot environment
 	temporaryExecutable, err := daemonChroot(cmd)
 	if err != nil {
-		println("Chroot failed", err)
+		log.Println("Chroot failed", err)
 		return
 	}
 	defer os.Remove(temporaryExecutable)
@@ -205,10 +205,13 @@ func daemonize(config appConfig, uid, gid uint) {
 	daemonUpdateFds(cmd, config.ListenHTTP)
 	daemonUpdateFds(cmd, config.ListenHTTPS)
 	daemonUpdateFds(cmd, config.ListenProxy)
+	if config.ListenMetrics != 0 {
+		config.ListenMetrics = daemonUpdateFd(cmd, config.ListenMetrics)
+	}
 	// Start the process
 	if err = cmd.Start(); err != nil {
-		println("Start failed", err)
+		log.Println("Start failed", err)
 		return
 	}

domain.go

@@ -34,7 +34,7 @@ func (d *domain) serveFile(w http.ResponseWriter, r *http.Request, fullPath stri
 		return err
 	}
-	println("Serving", fullPath, "for", r.URL.Path)
+	fmt.Println("Serving", fullPath, "for", r.URL.Path)
 	http.ServeContent(w, r, filepath.Base(file.Name()), fi.ModTime(), file)
 	return nil
 }
@@ -52,7 +52,7 @@ func (d *domain) serveCustomFile(w http.ResponseWriter, r *http.Request, code in
 		return err
 	}
-	println("Serving", fullPath, "for", r.URL.Path, "with", code)
+	fmt.Println("Serving", fullPath, "for", r.URL.Path, "with", code)
 	// Serve the file
 	_, haveType := w.Header()["Content-Type"]

helpers_test.go

 package main
 import (
+	"bytes"
 	"crypto/tls"
 	"fmt"
 	"io/ioutil"
@@ -15,6 +16,16 @@ import (
 	"github.com/stretchr/testify/assert"
 )
+type tWriter struct {
+	t *testing.T
+}
+
+func (t *tWriter) Write(b []byte) (int, error) {
+	t.t.Log(string(bytes.TrimRight(b, "\r\n")))
+
+	return len(b), nil
+}
+
 var chdirSet = false
 func setUpTests() {
@@ -125,12 +136,14 @@ func (l ListenSpec) JoinHostPort() string {
 // GetPageFromProcess to do a HTTP GET against a listener.
 //
 // If run as root via sudo, the gitlab-pages process will drop privileges
-func RunPagesProcess(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string) (teardown func()) {
+func RunPagesProcess(t *testing.T, pagesPath string, listeners []ListenSpec, promPort string, extraArgs ...string) (teardown func()) {
 	_, err := os.Stat(pagesPath)
 	assert.NoError(t, err)
-	args, tempfiles := getPagesArgs(t, listeners, promPort)
+	args, tempfiles := getPagesArgs(t, listeners, promPort, extraArgs)
 	cmd := exec.Command(pagesPath, args...)
+	cmd.Stdout = &tWriter{t}
+	cmd.Stderr = &tWriter{t}
 	cmd.Start()
 	t.Logf("Running %s %v", pagesPath, args)
@@ -144,10 +157,10 @@ func RunPagesProcess(t *testing.T, pagesPath string, listeners []ListenSpec, pro
 	for _, spec := range listeners {
 		spec.WaitUntilListening()
 	}
-	time.Sleep(50 * time.Millisecond)
+	time.Sleep(500 * time.Millisecond)
 	return func() {
-		cmd.Process.Kill()
+		cmd.Process.Signal(os.Interrupt)
 		cmd.Process.Wait()
 		for _, tempfile := range tempfiles {
 			os.Remove(tempfile)
@@ -155,7 +168,7 @@ func RunPagesProcess(t *testing.T, pagesPath string, listeners []ListenSpec, pro
 	}
 }
-func getPagesArgs(t *testing.T, listeners []ListenSpec, promPort string) (args, tempfiles []string) {
+func getPagesArgs(t *testing.T, listeners []ListenSpec, promPort string, extraArgs []string) (args, tempfiles []string) {
 	var hasHTTPS bool
 	for _, spec := range listeners {
@@ -176,11 +189,15 @@ func getPagesArgs(t *testing.T, listeners []ListenSpec, promPort string) (args,
 		args = append(args, "-metrics-address", promPort)
 	}
-	if os.Geteuid() == 0 && os.Getenv("SUDO_UID") != "" && os.Getenv("SUDO_GID") != "" {
-		t.Log("Pages process will drop privileges")
-		args = append(args, "-daemon-uid", os.Getenv("SUDO_UID"), "-daemon-gid", os.Getenv("SUDO_GID"))
+	// At least one of `-daemon-uid` and `-daemon-gid` must be non-zero
+	if os.Geteuid() == 0 {
+		t.Log("Running pages as a daemon")
+		args = append(args, "-daemon-uid", "0")
+		args = append(args, "-daemon-gid", "65534") // Root user can switch to "nobody"
 	}
+	args = append(args, extraArgs...)
+
 	return
 }
@@ -199,3 +216,15 @@ func GetPageFromListener(t *testing.T, spec ListenSpec, host, urlsuffix string)
 	return InsecureHTTPSClient.Do(req)
 }
+
+func GetRedirectPage(t *testing.T, spec ListenSpec, host, urlsuffix string) (*http.Response, error) {
+	url := spec.URL(urlsuffix)
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Host = host
+
+	return InsecureHTTPSClient.Transport.RoundTrip(req)
+}

main.go

@@ -16,7 +16,7 @@ var REVISION = "HEAD"
 var (
 	pagesRootCert  = flag.String("root-cert", "", "The default path to file certificate to serve static pages")
 	pagesRootKey   = flag.String("root-key", "", "The default path to file certificate to serve static pages")
-	redirectHTTP   = flag.Bool("redirect-http", true, "Serve the pages under HTTP")
+	redirectHTTP   = flag.Bool("redirect-http", false, "Redirect pages from HTTP to HTTPS")
 	useHTTP2       = flag.Bool("use-http2", true, "Enable HTTP2 support")
 	pagesRoot      = flag.String("pages-root", "shared/pages", "The directory where pages are stored")
 	pagesDomain    = flag.String("pages-domain", "gitlab-example.com", "The domain to serve static pages")