Add v1 and v2 machine names to access tokens (#14)

* Use host.Parse to construct correct machine names
* Allow changing the legacy mlab-ns server
* Guarantee that Nearest returns v2 hostnames
* Create access tokens with v1 and v2 hostnames
* Pass platform project to LegacyLocator

Author: stephen-soltesz

.travis.yml

@@ -1,7 +1,7 @@
 language: go
 
 go:
-- 1.13
+- 1.14.2
 
 install:
 - go get -v -t ./...

README.md

@@ -2,4 +2,5 @@
 
 [![Version](https://img.shields.io/github/tag/m-lab/locate.svg)](https://github.com/m-lab/locate/releases) [![Build Status](https://travis-ci.com/m-lab/locate.svg?branch=master)](https://travis-ci.com/m-lab/locate) [![Coverage Status](https://coveralls.io/repos/m-lab/locate/badge.svg?branch=master)](https://coveralls.io/github/m-lab/locate?branch=master) [![GoDoc](https://godoc.org/github.com/m-lab/locate?status.svg)](https://godoc.org/github.com/m-lab/locate) [![Go Report Card](https://goreportcard.com/badge/github.com/m-lab/locate)](https://goreportcard.com/report/github.com/m-lab/locate)
 
-M-Lab Locate Service, a load balancer providing consistent “expected measurement quality” using access control
+M-Lab Locate Service, a load balancer providing consistent “expected
+measurement quality” using access control.

app.yaml.mlab-ns

@@ -10,5 +10,7 @@ manual_scaling:
   instances: 2
 
 env_variables:
+  LEGACY_SERVER: https://mlab-ns.appspot.com
+  PLATFORM_PROJECT: mlab-oti
   LOCATE_SIGNER_KEY: "CiQACaQCar+BO5frUJv1XYxMS+tjdBGdOa7tZDqb1L6zn38HWp8S3QEApOc0SqhOmXanuWUJK36obD1hA0Qg+JTkifO96fq6NnW0iMDuGVFEHp4LJkfpjcGDE5ibMhPFnb3SIGk9kMg54Qk/3HkNTGONjoY2xAKuuNG0kH3W5nvJS2AK452boMLvK74pQCCmJCvw0FTDQFrNDSdv/NMHRJCxCik2pbIbpAqGcj+6WB/jo3sqGzupdRpTdV5ErC5t0GETqopcC3XBnLJh+HbpK7rIn9dDgR8oJcSiG4xCYhZGOATbJ9V1/O3V+cuXFrH1qpqM/uSUdSO4clqUTBcpshPFY/Njiw=="
   MONITORING_VERIFY_KEY: "CiQACaQCath3g+zc257EYcrN7fyhHDChcdlOHrgSeYMZSmd1jqsSrwEApOc0Silmr9MA0tvS+44Eo53p1tI6F9emIFYS4UP5BRhKCB4Svi5sFzGQUqgDlZq5AHGCwvIlzr4TvncpYvaBbtwccj/0W15ItNmzFwqq7mP0rqA/SVhv/8e6usfkFZIDVIuEXzjhf4jw56u2yttZgEhutOvMNUXExNh6TKZcMPaD8XX/LGgPF9qw7E8qTV7Rm7CVwyvzWR6hhpAUsRegTrH+YKgCNiox51o1HjZU"

app.yaml.mlab-sandbox

@@ -10,5 +10,7 @@ manual_scaling:
   instances: 2
 
 env_variables:
+  LEGACY_SERVER: https://mlab-ns.appspot.com
+  PLATFORM_PROJECT: mlab-oti
   LOCATE_SIGNER_KEY: "CiQAdG57X+eNfzELY0Z4DT4kJo8H/8zHE6iAb24zrwOxS548I8US3QEAymHd3rWzCjLXVWYB9IdZQ7ZB2v7b8hSPtAX3Xuw7eeBrK/PhDRBIpJW7ziGeJZ+TfEYxek2XSfR+4hWVPZ9QD4EY5VoALMNt6uCU/DOemBwo1Sehln5sZEtjN7A/FXDun+VNraIASmOplTIyywlxJaoY2o0tJGI3WYurwL2MjkmhbMao8nlvKF7tavaNgB2KKfNkz1vWFqNskRSBfpAzZvqWSteRXMRaQdtC6+FUWmGILGzm2M6QhuL8sjnRayjO+3t5vL3hcwdcjf+lybI8N3RqUrbiBo11sWU6mA=="
   MONITORING_VERIFY_KEY: "CiQAdG57X9xPoBQYA4RbXuNhOGXyqwH9jjQ3FiVaVZkqXtuvw54SrwEAymHd3mcGtKCAVnMj59OmrvRM6m2HgEiqoWwt8N16LjZiI6e0/Sj8V1xH9WXER5QkpBCLgdphQbpy2B8WV4AeBqujABNJkiXzWvQRbWqkZnnrCXXx3FIlMOUqe0p8qZxnOTtALDlKHphjxmccWqevZYq4LMrz+qTRSRUH7UH+VyB0TNPBncFczUMM0ysZtY/yLcXlUSMz8JTlPbKUsBn6Xty7xhwNqyOIazK6wKKh"

app.yaml.mlab-staging

@@ -10,5 +10,7 @@ manual_scaling:
   instances: 2
 
 env_variables:
+  LEGACY_SERVER: https://mlab-ns.appspot.com
+  PLATFORM_PROJECT: mlab-oti
   LOCATE_SIGNER_KEY: "CiQA1JQH7XBe+fVeL2x2Y8de6Lt3SsB+CA4HzJSNMuac6rq01u8S3QEAIb7fPKzhq0lGB8Nw9J4CNOuGEJVfO8KDrCf4dH1X6ULIAHRBf6RLN8tg0FxXvx8aMYmu1ree5ERVkD4proREtU4Gh3Y/lZHmpdjgrjJ3pM/jNQawfqUHBlGVkAn6trrOdSG5X4molBUL7Dr+M4YFwc+40ByTagFEintSQGvLRpGsHyrj43v3kSwjzWi6UgPjXNoLJYTY10gEEm+QGhne5IUnbVcYEVqtGQKzPPQnelDDD3120XuN0tUhvVgBIq3g96SxwJN/EAoSJENHa3SZ8BetEJC7WTu/58+VpQ=="
   MONITORING_VERIFY_KEY: "CiQA1JQH7Zp2+UW/CgEW7KIaAsjDAjZZUBcuiMVhBoJzH7xK5MwSrwEAIb7fPG/G2DN+O4DAIy0i8gOm4NsuZWqT/Nc7eYK3EJjr8/WchEFvWkKd5a8D/SQrl+Ui7oHNPjyMtFP+VjH+8DAJX/5P1lHvdl4exYr4flkDJ3GcE7eWy1YcAcuLPTqrjcYQaegqQllDDJdlNDeYn+FGRkr6nDHrGbvuYevTC5Tz+MTBYLVQrgNnRGlQ54BMK9UPmmcO6bHSjnSUlC4y2FZmCIiq2IERJquMwOfK"

cloudbuild/cloudbuild.yaml

@@ -8,6 +8,8 @@ options:
 steps:
 # Run unit tests for environment.
 - name: gcr.io/$PROJECT_ID/golang-cbif
+  env:
+  - GONOPROXY=github.com/m-lab/go/*
   args:
   - go version
   - go get -v -t ./...

handler/handler.go

@@ -14,6 +14,7 @@ import (
 
 	"gopkg.in/square/go-jose.v2/jwt"
 
+	"github.com/m-lab/go/host"
 	"github.com/m-lab/go/rtx"
 	v2 "github.com/m-lab/locate/api/v2"
 	"github.com/m-lab/locate/static"
@@ -101,11 +102,19 @@ func (c *Client) Heartbeat(rw http.ResponseWriter, req *http.Request) {
 // getAccessToken allocates a new access token using the given machine name as
 // the intended audience and the subject as the target service.
 func (c *Client) getAccessToken(machine, subject string) string {
+	// Create canonical v1 and v2 machine names.
+	name, err := host.Parse(machine)
+	rtx.PanicOnError(err, "failed to parse given machine name")
+	aud := jwt.Audience{name.String()}
+	// TODO: after the v2 migration, eliminate machine parsing and v1 logic.
+	name.Version = "v1"
+	aud = append(aud, name.String())
+
 	// Create the token. The same access token is used for each target port.
 	cl := jwt.Claims{
 		Issuer:   static.IssuerLocate,
 		Subject:  subject,
-		Audience: jwt.Audience{machine},
+		Audience: aud,
 		Expiry:   jwt.NewNumericDate(time.Now().Add(time.Minute)),
 	}
 	token, err := c.Sign(cl)

locate.go

@@ -23,6 +23,8 @@ import (
 var (
 	listenPort          string
 	project             string
+	platform            string
+	legacyServer        string
 	locateSignerKey     string
 	monitoringVerifyKey = flagx.StringArray{}
 )
@@ -31,6 +33,8 @@ func init() {
 	// PORT and GOOGLE_CLOUD_PROJECT are part of the default App Engine environment.
 	flag.StringVar(&listenPort, "port", "8080", "AppEngine port environment variable")
 	flag.StringVar(&project, "google-cloud-project", "", "AppEngine project environment variable")
+	flag.StringVar(&platform, "platform-project", "", "GCP project for platform machine names")
+	flag.StringVar(&legacyServer, "legacy-server", proxy.DefaultLegacyServer, "Base URL to mlab-ns server")
 	flag.StringVar(&locateSignerKey, "locate-signer-key", "", "Private key of the locate+service key pair")
 	flag.Var(&monitoringVerifyKey, "monitoring-verify-key", "Public keys of the monitoring+locate key pair")
 }
@@ -49,7 +53,7 @@ func main() {
 	// Load encrypted signer key from environment, using variable name derived from project.
 	signer, err := cfg.LoadSigner(mainCtx, client, locateSignerKey)
 	rtx.Must(err, "Failed to load signer key")
-	locator := proxy.MustNewLegacyLocator(proxy.DefaultLegacyServer)
+	locator := proxy.MustNewLegacyLocator(legacyServer, platform)
 	c := handler.NewClient(project, signer, locator)
 
 	// MONITORING VERIFIER - for access tokens provided by monitoring.

proxy/proxy.go

@@ -9,9 +9,9 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/url"
-	"regexp"
 	"time"
 
+	"github.com/m-lab/go/host"
 	"github.com/m-lab/go/rtx"
 	"github.com/m-lab/locate/static"
 )
@@ -30,16 +30,18 @@ type target struct {
 
 // LegacyLocator manages requests to the legacy mlab-ns service.
 type LegacyLocator struct {
-	Server url.URL
+	Server  url.URL
+	project string
 }
 
 // MustNewLegacyLocator creates a new LegacyLocator instance. If the given url
 // fails to parse, the function will exit.
-func MustNewLegacyLocator(u string) *LegacyLocator {
+func MustNewLegacyLocator(u, project string) *LegacyLocator {
 	server, err := url.Parse(u)
 	rtx.Must(err, "Failed to parse given url: %q", u)
 	return &LegacyLocator{
-		Server: *server,
+		Server:  *server,
+		project: project,
 	}
 }
 
@@ -74,7 +76,7 @@ func (ll *LegacyLocator) Nearest(ctx context.Context, service, lat, lon string)
 	if err != nil {
 		return nil, err
 	}
-	return collect(opts), nil
+	return ll.collect(opts), nil
 }
 
 // UnmarshalResponse reads the response from the given request and unmarshals
@@ -96,18 +98,23 @@ func UnmarshalResponse(req *http.Request, result interface{}) error {
 	return json.Unmarshal(b, result)
 }
 
-// NOTE: this pattern assumes mlab-ns is returning flat host names, and should
-// be future compatible with project-decorated DNS names.
-var machinePattern = regexp.MustCompile("([a-z-]+)-(mlab[1-4][.-][a-z]{3}[0-9ct]{2}(\\.mlab-[a-z]+)?.measurement-lab.org)")
-
-func collect(opts *geoOptions) []string {
+// collect reads all FQDN results from the given options and guarantees to
+// return v2 formatted hostnames.
+func (ll *LegacyLocator) collect(opts *geoOptions) []string {
 	targets := []string{}
 	for _, opt := range *opts {
-		fields := machinePattern.FindStringSubmatch(opt.FQDN)
-		if len(fields) < 3 {
+		name, err := host.Parse(opt.FQDN)
+		if err != nil {
 			continue
 		}
-		targets = append(targets, fields[2])
+		// TODO: after the v2 migration, eliminate v1 logic.
+		if name.Version == "v1" {
+			// Convert name to v2.
+			name.Project = ll.project
+			name.Version = "v2"
+		}
+		// Convert the service name into a canonical machine name.
+		targets = append(targets, name.String())
 	}
 	return targets
 }

proxy/proxy_test.go

@@ -143,7 +143,7 @@ func TestNearest(t *testing.T) {
 			content: legacyNames,
 			status:  http.StatusOK,
 			want: []string{
-				"mlab1-lga06.measurement-lab.org", "mlab3-lga05.measurement-lab.org",
+				"mlab1-lga06.mlab-testing.measurement-lab.org", "mlab3-lga05.mlab-testing.measurement-lab.org",
 			},
 		},
 		{
@@ -165,7 +165,7 @@ func TestNearest(t *testing.T) {
 			content: shortNames,
 			status:  http.StatusOK,
 			want: []string{
-				"mlab2-lga03.measurement-lab.org", "mlab3-lga08.measurement-lab.org",
+				"mlab2-lga03.mlab-testing.measurement-lab.org", "mlab3-lga08.mlab-testing.measurement-lab.org",
 			},
 		},
 		{
@@ -222,7 +222,7 @@ func TestNearest(t *testing.T) {
 			mux := http.NewServeMux()
 			mux.HandleFunc("/"+static.LegacyServices[tt.service], f.defaultHandler)
 			srv := httptest.NewServer(mux)
-			ll := MustNewLegacyLocator(srv.URL)
+			ll := MustNewLegacyLocator(srv.URL, "mlab-testing")
 			if tt.badScheme != "" {
 				// While a url with a bad scheme can be converted using .String(),
 				// it will fail to parse again. This injects an error in NewRequestWithContext().