Merge branch 'master' into v5.7.7

Author: mzur

.gitignore

@@ -1,2 +1 @@
 /vendor/
-composer.lock

README.md

@@ -18,51 +18,19 @@ The service provider is auto-discovered by Laravel.
 
 Add `$app->register(Biigle\RemoteQueue\RemoteQueueServiceProvider::class);` to `bootstrap/app.php`.
 
-## Configuration
-
-You can override any of these configuration options of the `remote-queue` config either directly or via environment variables:
-
-### remote-queue.listen
-
-Default: `false`
-Environment: `REMOTE_QUEUE_LISTEN`
-
-Accept and process jobs sent to this application instance.
-
-### remote-queue.endpoint
-
-Default: `api/v1/remote-queue`
-Environment: `REMOTE_QUEUE_ENDPOINT`
-
-API endpoint to receive new jobs.
-
-### remote-queue.connection
-
-Default: `null`
-Environment: `REMOTE_QUEUE_CONNECTION`
-
-Use this queue connection to process received jobs. If `null`, the default connection is used.
-
-### remote-queue.accept-tokens
-
-Default: `[]`
-Environment: `REMOTE_QUEUE_ACCEPT_TOKENS`
-
-Accept jobs only if they provide one of these tokens. Specify tokens as comma separated list if you use the environment variable. One way to generate tokens is this command: `head -c 32 /dev/urandom | base64`.
-
 ## Usage
 
 This package can be used to submit queued jobs to another Laravel or Lumen application, receive jobs from another application or both.
 
 ### Receive jobs
 
-By default, this package does not allow receiving of jobs from another application. To allow this, set the `remote-queue.listen` config to `true`. Tokens are used to authenticate incoming requests. A token is just some long random string in this case. Configure `remote-queue.accept-tokens` with all tokens that are accepted. All received jobs which are successfully authenticated are pushed to a "regular" queue of this application and processed by the queue worker.
+By default, this package does not allow receiving of jobs from another application. To allow this, set the `remote-queue.listen` configuration to `true`. Tokens are used to authenticate incoming requests. A token is just some long random string in this case. Configure `remote-queue.accept-tokens` with all tokens that are accepted. All received jobs which are successfully authenticated are pushed to a "regular" queue of this application and processed by the queue worker.
 
 **Important:** Make sure that the job class exists in both the submitting and receiving application.
 
 ### Submit jobs
 
-Jobs pushed to the remote queue are transmitted via HTTP and processed on another application. To use the remote queue, configure a queue connection in the `queue.connections` config to use the `remote`. Example:
+Jobs pushed to the remote queue are transmitted via HTTP and processed on another application. To use the remote queue, configure a queue connection in the `queue.connections` config to use the `remote` driver. Example:
 
 ```php
 [
@@ -91,3 +59,47 @@ MyJob::dispatch($data)->onConnection('remote');
 We developed this package to be able to process jobs on a remote machine with GPU. To return the computed results, we applied what we call the "submit/response" pattern.
 
 In this pattern, this package is installed on both Laravel/Lumen instances (let's call them A and B). In instance A, the remote queue is configured to push jobs to instance B (the one with the GPU). In instance B, the remote queue is configured to push jobs to instance A. New GPU jobs are submitted from instance A to the remote queue on instance B. Once the results are computed, they are returned as a "response job" to the remote queue on instance A where the results can be further processed.
+
+## Configuration
+
+You can override any of these configuration options of the `remote-queue` config either directly or via environment variables:
+
+### remote-queue.listen
+
+Default: `false`
+Environment: `REMOTE_QUEUE_LISTEN`
+
+Accept and process jobs sent to this application instance.
+
+### remote-queue.endpoint
+
+Default: `api/v1/remote-queue`
+Environment: `REMOTE_QUEUE_ENDPOINT`
+
+API endpoint to receive new jobs.
+
+### remote-queue.connection
+
+Default: `null`
+Environment: `REMOTE_QUEUE_CONNECTION`
+
+Use this queue connection to process received jobs. If `null`, the default connection is used.
+
+### remote-queue.accept_tokens
+
+Default: `[]`
+Environment: `REMOTE_QUEUE_ACCEPT_TOKENS`
+
+Accept jobs only if they provide one of these tokens. Specify tokens as comma separated list if you use the environment variable. One way to generate tokens is this command: `head -c 32 /dev/urandom | base64`.
+
+### remote-queue.accept_ips
+
+Default: `[]`
+
+Accept requests only from the IP addresses of this whitelist. Leave empty to accept jobs from all IPs.
+
+### remote-queue.accept_jobs
+
+Default: `[]`
+
+Accept only jobs of this whitelist of class names. Leave empty to accept all job classes.

composer.lock

@@ -34,19 +34,39 @@ public function store(Request $request, $queue)
 
         $job = @unserialize($request->input('job'));
 
-        if (is_object($job)) {
-            if ($job instanceof __PHP_Incomplete_Class) {
-                return response()->json(['errors' => ['job' => ['Unknown job class']]], 422);
-            }
-        } else {
-            $job = $request->input('job');
-
-            if (!class_exists($job)) {
-                return response()->json(['errors' => ['job' => ['Unknown job class']]], 422);
-            }
+        if ($this->isIncompleteClass($job)) {
+            return response()->json(['errors' => ['job' => ['Unknown job class']]], 422);
+        } elseif (!$this->isWhitelistedJob($job)) {
+            return response()->json(['errors' => ['job' => ['Job class not whitelisted']]], 422);
         }
 
         app('queue')->connection(config('remote-queue.connection'))
             ->push($job, $request->input('data', ''), $queue);
     }
+
+    /**
+     * Determine if the received job class exists.
+     *
+     * @param object $job Job class name
+     *
+     * @return boolean
+     */
+    protected function isIncompleteClass($job)
+    {
+        return !is_object($job) || $job instanceof __PHP_Incomplete_Class;
+    }
+
+    /**
+     * Determine if the received job is whitelisted.
+     *
+     * @param object $job Job class name
+     *
+     * @return boolean
+     */
+    protected function isWhitelistedJob($job)
+    {
+        $whitelist = config('remote-queue.accept_jobs');
+
+        return empty($whitelist) || in_array(get_class($job), $whitelist);
+    }
 }

src/Http/Controllers/QueueController.php

@@ -17,7 +17,7 @@ class Authenticate
     public function handle($request, Closure $next, $guard = null)
     {
         $token = $request->bearerToken();
-        if ($token && in_array($token, config('remote-queue.accept-tokens'))) {
+        if ($token && in_array($token, config('remote-queue.accept_tokens'))) {
             return $next($request);
         }
 

src/Http/Middleware/Authenticate.php

@@ -0,0 +1,28 @@
+<?php
+
+namespace Biigle\RemoteQueue\Http\Middleware;
+
+use Closure;
+
+class WhitelistIps
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @param  string|null  $guard
+     * @return mixed
+     */
+    public function handle($request, Closure $next, $guard = null)
+    {
+        $whitelist = config('remote-queue.accept_ips');
+
+        $token = $request->bearerToken();
+        if (empty($whitelist) || in_array($request->ip(), $whitelist)) {
+            return $next($request);
+        }
+
+        return response('Unauthorized.', 401);
+    }
+}

src/Http/Middleware/WhitelistIps.php

@@ -4,6 +4,7 @@
 
 use Illuminate\Support\ServiceProvider;
 use Biigle\RemoteQueue\Http\Middleware\Authenticate;
+use Biigle\RemoteQueue\Http\Middleware\WhitelistIps;
 
 class RemoteQueueServiceProvider extends ServiceProvider
 {
@@ -22,7 +23,7 @@ public function boot()
             $this->app['router']->group([
                 'prefix' => config('remote-queue.endpoint'),
                 'namespace' => 'Biigle\RemoteQueue\Http\Controllers',
-                'middleware' => Authenticate::class,
+                'middleware' => [Authenticate::class, WhitelistIps::class],
             ], function ($router) {
                 $router->post('{queue}', 'QueueController@store');
                 $router->get('{queue}/size', 'QueueController@show');

src/RemoteQueueServiceProvider.php

@@ -25,6 +25,18 @@
     | Accept jobs only if they provide one of these tokens.
     */
 
-    'accept-tokens' => array_filter(explode(',', env('REMOTE_QUEUE_ACCEPT_TOKENS'))),
+    'accept_tokens' => array_filter(explode(',', env('REMOTE_QUEUE_ACCEPT_TOKENS'))),
+
+    /*
+    | Accept jobs only from the IP addresses of this whitelist. Leave empty to accept
+    | jobs from all IPs.
+    */
+    'accept_ips' => [],
+
+    /*
+    | Accept only jobs of this whitelist of class names. Leave empty to accept all job
+    | classes.
+    */
+    'accept_jobs' => [],
 
 ];

src/config/remote-queue.php

@@ -41,8 +41,34 @@ public function testStore()
             ->postJson('api/v1/remote-queue/myqueue', $payload)
             ->assertStatus(200);
     }
+
+    public function testStoreJobWhitelist()
+    {
+        config(['remote-queue.accept_jobs' => [TestJob::class]]);
+        $payload = ['job' => serialize(new TestJob2), 'data' => 'mydata'];
+
+        $mock = Mockery::mock();
+        $mock->shouldReceive('push')->once()
+            ->with(Mockery::type(TestJob::class), 'mydata', 'myqueue');
+        Queue::shouldReceive('connection')->once()->andReturn($mock);
+
+        $this->withoutMiddleware()
+            ->postJson('api/v1/remote-queue/myqueue', $payload)
+            // Job class is not whitelisted.
+            ->assertStatus(422);
+
+        $payload = ['job' => serialize(new TestJob), 'data' => 'mydata'];
+
+        $this->withoutMiddleware()
+            ->postJson('api/v1/remote-queue/myqueue', $payload)
+            ->assertStatus(200);
+    }
 }
 
 class TestJob
 {
 }
+
+class TestJob2
+{
+}

tests/Http/Controllers/QueueControllerTest.php

@@ -8,7 +8,7 @@ class AuthenticateTest extends TestCase
 {
     public function testHandle()
     {
-        config(['remote-queue.accept-tokens' => ['mytoken']]);
+        config(['remote-queue.accept_tokens' => ['mytoken']]);
 
         $this->get('api/v1/remote-queue/default/size')->assertStatus(401);