Merge pull request '#27504: Add EC2 backend' (#67) from feature/27504/aws into develop

Author: LEDfan

pom.xml

@@ -0,0 +1,37 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy;
+
+import eu.openanalytics.containerproxy.model.runtime.Container;
+
+public class ContainerFailedToStartException extends RuntimeException {
+
+	private final Container Container;
+
+	public ContainerFailedToStartException(String message, Throwable cause, Container container) {
+		super(message, cause);
+		this.Container = container;
+	}
+
+	public Container getContainer() {
+		return Container;
+	}
+}

src/main/java/eu/openanalytics/containerproxy/ContainerFailedToStartException.java

@@ -21,9 +21,14 @@
 package eu.openanalytics.containerproxy;
 
 import com.fasterxml.jackson.datatype.jsr353.JSR353Module;
+import eu.openanalytics.containerproxy.backend.ContainerBackendFactory;
+import eu.openanalytics.containerproxy.backend.docker.DockerEngineBackend;
+import eu.openanalytics.containerproxy.backend.docker.DockerSwarmBackend;
+import eu.openanalytics.containerproxy.backend.kubernetes.KubernetesBackend;
 import eu.openanalytics.containerproxy.service.hearbeat.ActiveProxiesService;
 import eu.openanalytics.containerproxy.service.hearbeat.HeartbeatService;
-import eu.openanalytics.containerproxy.service.hearbeat.SessionReActivatorService;
+import eu.openanalytics.containerproxy.service.hearbeat.IHeartbeatProcessor;
+import eu.openanalytics.containerproxy.util.LoggingConfigurer;
 import eu.openanalytics.containerproxy.util.ProxyMappingManager;
 import io.undertow.Handlers;
 import io.undertow.server.handlers.SameSiteCookieHandler;
@@ -38,7 +43,9 @@
 import org.springframework.boot.actuate.health.HealthIndicator;
 import org.springframework.boot.actuate.redis.RedisHealthIndicator;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory;
 import org.springframework.boot.web.server.PortInUseException;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
@@ -47,13 +54,14 @@
 import org.springframework.core.env.Environment;
 import org.springframework.data.redis.connection.RedisConnectionFactory;
 import org.springframework.scheduling.annotation.EnableAsync;
+import org.springframework.scheduling.annotation.EnableScheduling;
 import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.web.session.HttpSessionEventPublisher;
 import org.springframework.session.FindByIndexNameSessionRepository;
 import org.springframework.session.Session;
-import org.springframework.session.web.http.DefaultCookieSerializer;
 import org.springframework.session.security.SpringSessionBackedSessionRegistry;
+import org.springframework.session.web.http.DefaultCookieSerializer;
 import org.springframework.web.filter.FormContentFilter;
 
 import javax.annotation.PostConstruct;
@@ -63,13 +71,17 @@
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.Security;
-import java.util.Arrays;
+import java.util.List;
 import java.util.Objects;
 import java.util.Properties;
 import java.util.concurrent.Executor;
 
+import static eu.openanalytics.containerproxy.api.ApiSecurityService.PROP_API_SECURITY_HIDE_SPEC_DETAILS;
+import static eu.openanalytics.containerproxy.service.ProxyService.PROPERTY_STOP_PROXIES_ON_SHUTDOWN;
+
+@EnableScheduling
 @EnableAsync
-@SpringBootApplication
+@SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class})
 @ComponentScan("eu.openanalytics")
 public class ContainerProxyApplication {
 	public static final String CONFIG_FILENAME = "application.yml";
@@ -94,10 +106,18 @@ public class ContainerProxyApplication {
 	public static Boolean secureCookiesEnabled;
 	public static String sameSiteCookiePolicy;
 
-	public static void main(String[] args) {
+	static {
 		Security.addProvider(new BouncyCastleProvider());
+		ContainerBackendFactory.addBackend("docker", DockerEngineBackend.class);
+		ContainerBackendFactory.addBackend("docker-swarm", DockerSwarmBackend.class);
+		ContainerBackendFactory.addBackend("kubernetes", KubernetesBackend.class);
+	}
+
+	public static void main(String[] args) {
 		SpringApplication app = new SpringApplication(ContainerProxyApplication.class);
 
+		app.addListeners(new LoggingConfigurer());
+
 		boolean hasExternalConfig = Files.exists(Paths.get(CONFIG_FILENAME));
 		if (!hasExternalConfig) app.setAdditionalProfiles(CONFIG_DEMO_PROFILE);
 
@@ -131,6 +151,26 @@ public void init() {
 		if (sameSiteCookiePolicy.equalsIgnoreCase("none") && !secureCookiesEnabled) {
 			log.warn("WARNING: Invalid configuration detected: same-site-cookie policy is set to None, but secure-cookies are not enabled. Secure cookies must be enabled when using None as same-site-cookie policy ");
 		}
+
+
+		if (environment.getProperty("proxy.store-mode", "").equalsIgnoreCase("Redis")) {
+			if (!environment.getProperty("spring.session.store-type", "").equalsIgnoreCase("redis")) {
+				// running in HA mode, but not using Redis sessions
+				log.warn("WARNING: Invalid configuration detected: store-mode is set to Redis (i.e. High-Availability mode), but you are not using Redis for user sessions!");
+			}
+			if (environment.getProperty(PROPERTY_STOP_PROXIES_ON_SHUTDOWN, Boolean.class, true)) {
+				// running in HA mode, but proxies are removed when shutting down
+				log.warn("WARNING: Invalid configuration detected: store-mode is set to Redis (i.e. High-Availability mode), but proxies are stopped at shutdown of server!");
+			}
+		}
+
+		boolean hideSpecDetails = environment.getProperty(PROP_API_SECURITY_HIDE_SPEC_DETAILS, Boolean.class, true);
+		if (!hideSpecDetails) {
+			log.warn("WARNING: Insecure configuration detected: The API is configured to return the full spec of proxies, " +
+					"this may contain sensitive values such as the container image, secret environment variables etc. " +
+					"Remove the proxy.api-security.hide-spec-details property to enable API security.");
+		}
+
 	}
 
 	@Autowired(required = false)
@@ -213,7 +253,7 @@ public Health health() {
 	@Bean
 	@ConditionalOnProperty(name = "spring.session.store-type", havingValue = "redis")
 	public <S extends Session> SessionRegistry sessionRegistry(FindByIndexNameSessionRepository<S> sessionRepository) {
-		return new SpringSessionBackedSessionRegistry<S>(sessionRepository);
+		return new SpringSessionBackedSessionRegistry<>(sessionRepository);
 	}
 
 	@Bean
@@ -231,8 +271,14 @@ public Executor taskExecutor() {
 	}
 
 	@Bean
-	public HeartbeatService heartbeatService(ActiveProxiesService activeProxiesService, SessionReActivatorService sessionReActivatorService) {
-		return new HeartbeatService(Arrays.asList(activeProxiesService, sessionReActivatorService));
+	public HeartbeatService heartbeatService(List<IHeartbeatProcessor> heartbeatProcessors) {
+		return new HeartbeatService(heartbeatProcessors);
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public ActiveProxiesService activeProxiesService() {
+		return new ActiveProxiesService();
 	}
 
 	public static Properties getDefaultProperties() {
@@ -249,6 +295,7 @@ public static Properties getDefaultProperties() {
 
 		// disable logging of requests, since this reads part of the requests and therefore undertow is unable to correctly handle those requests
 		properties.put("logging.level.org.springframework.web.servlet.DispatcherServlet", "INFO");
+		properties.put("logging.level.io.fabric8.kubernetes.client.dsl.internal.VersionUsageUtils", "ERROR");
 
 		properties.put("spring.application.name", "ContainerProxy");
 
@@ -263,8 +310,9 @@ public static Properties getDefaultProperties() {
 		properties.put("management.server.port", "9090");
 		// enable prometheus endpoint by default (but not the exporter)
 		properties.put("management.endpoint.prometheus.enabled", "true");
+		properties.put("management.endpoint.recyclable.enabled", "true");
 		// include prometheus and health endpoint in exposure
-		properties.put("management.endpoints.web.exposure.include", "health,prometheus");
+		properties.put("management.endpoints.web.exposure.include", "health,prometheus,recyclable");
 
 		// ====================
 
@@ -284,6 +332,10 @@ public static Properties getDefaultProperties() {
 
 		properties.put("spring.config.use-legacy-processing", true);
 
+		// disable openapi docs and swagger ui
+		properties.put("springdoc.api-docs.enabled", false);
+		properties.put("springdoc.swagger-ui.enabled", false);
+
 		return properties;
 	}
 
@@ -293,4 +345,4 @@ private static void setDefaultProperties(SpringApplication app) {
 		System.setProperty("jdk.serialSetFilterAfterRead", "true");
 	}
 
-}
+}

src/main/java/eu/openanalytics/containerproxy/ContainerProxyApplication.java

@@ -0,0 +1,57 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy;
+
+import eu.openanalytics.containerproxy.model.store.IProxyStore;
+import eu.openanalytics.containerproxy.model.store.IHeartbeatStore;
+import eu.openanalytics.containerproxy.model.store.memory.MemoryProxyStore;
+import eu.openanalytics.containerproxy.model.store.memory.MemoryHeartbeatStore;
+import eu.openanalytics.containerproxy.service.leader.memory.MemoryLeaderService;
+import eu.openanalytics.containerproxy.service.portallocator.memory.MemoryPortAllocator;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConditionalOnProperty(name = "proxy.store-mode", havingValue = "None", matchIfMissing=true)
+public class MemoryStoreConfiguration {
+
+    @Bean
+    public IProxyStore proxyStore() {
+        return new MemoryProxyStore();
+    }
+
+    @Bean
+    public IHeartbeatStore heartbeatStore() {
+        return new MemoryHeartbeatStore();
+    }
+
+    @Bean
+    public MemoryLeaderService leaderService() {
+        return new MemoryLeaderService();
+    }
+
+    @Bean
+    public MemoryPortAllocator portAllocator() {
+        return new MemoryPortAllocator();
+    }
+
+}

src/main/java/eu/openanalytics/containerproxy/MemoryStoreConfiguration.java

@@ -0,0 +1,37 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy;
+
+import eu.openanalytics.containerproxy.model.runtime.Proxy;
+
+public class ProxyFailedToStartException extends RuntimeException {
+
+	private final Proxy proxy;
+
+	public ProxyFailedToStartException(String message, Throwable cause, Proxy proxy) {
+		super(message, cause);
+		this.proxy = proxy;
+	}
+
+	public Proxy getProxy() {
+		return proxy;
+	}
+}

src/main/java/eu/openanalytics/containerproxy/ProxyFailedToStartException.java

@@ -21,63 +21,27 @@
 package eu.openanalytics.containerproxy;
 
 import eu.openanalytics.containerproxy.service.IdentifierService;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.session.RedisSessionProperties;
-import org.springframework.boot.autoconfigure.session.SessionProperties;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.core.env.Environment;
-import org.springframework.session.data.redis.config.ConfigureNotifyKeyspaceEventsAction;
-import org.springframework.session.data.redis.config.ConfigureRedisAction;
-import org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration;
+import org.springframework.session.config.SessionRepositoryCustomizer;
+import org.springframework.session.data.redis.RedisIndexedSessionRepository;
 
-import javax.inject.Inject;
-import java.time.Duration;
-
-@ConditionalOnProperty(name = "spring.session.store-type", havingValue = "redis")
 @Configuration(proxyBeanMethods = false)
-@EnableConfigurationProperties(RedisSessionProperties.class)
-public class RedisSessionConfig extends RedisHttpSessionConfiguration {
-
-    private String redisNamespace;
-
-    @Inject
-    private IdentifierService identifierService;
+public class RedisSessionConfig {
 
-    @Bean
-    @ConditionalOnMissingBean
-    public ConfigureRedisAction configureRedisAction(RedisSessionProperties redisSessionProperties) {
-        switch (redisSessionProperties.getConfigureAction()) {
-            case NOTIFY_KEYSPACE_EVENTS:
-                return new ConfigureNotifyKeyspaceEventsAction();
-            case NONE:
-                return ConfigureRedisAction.NO_OP;
-        }
-        throw new IllegalStateException(
-                "Unsupported redis configure action '" + redisSessionProperties.getConfigureAction() + "'.");
-
-    }
-
-    @Autowired
-    public void customize(SessionProperties sessionProperties, RedisSessionProperties redisSessionProperties) {
-        Duration timeout = sessionProperties.getTimeout();
-        if (timeout != null) {
-            setMaxInactiveIntervalInSeconds((int) timeout.getSeconds());
-        }
-        setFlushMode(redisSessionProperties.getFlushMode());
-        setSaveMode(redisSessionProperties.getSaveMode());
-        setCleanupCron(redisSessionProperties.getCleanupCron());
+    private final String redisNamespace;
 
+    public RedisSessionConfig(IdentifierService identifierService) {
         if (identifierService.realmId != null) {
-            redisNamespace = String.format("shinyproxy__%s__%s", identifierService.realmId, redisSessionProperties.getNamespace());
+            redisNamespace = String.format("shinyproxy__%s__%s", identifierService.realmId, RedisIndexedSessionRepository.DEFAULT_NAMESPACE);
         } else {
-            redisNamespace = String.format("shinyproxy__%s", redisSessionProperties.getNamespace());
+            redisNamespace = String.format("shinyproxy__%s", RedisIndexedSessionRepository.DEFAULT_NAMESPACE);
         }
+    }
 
-        setRedisNamespace(redisNamespace);
+    @Bean
+    public SessionRepositoryCustomizer<RedisIndexedSessionRepository> sessionRepositorySessionRepositoryCustomizer() {
+        return redisIndexedSessionRepository -> redisIndexedSessionRepository.setRedisKeyNamespace(redisNamespace);
     }
 
     public String getNamespace() {