cmd/coordinator: add authenticated proxy to internal module proxy

So builders outside of GCE (Macs, etc) can use a module proxy. It will
be exposed to them via an unauthenticated localhost:3000 server that
adds the necessary authentication to this server.

This is a follow-up of work started in CL 157438.

Updates golang/go#14594

Change-Id: Id824b0ad3a0274048023cc72f8adad23d5f0ea29
Reviewed-on: https://go-review.googlesource.com/c/build/+/165779
Reviewed-by: Dmitri Shuralyov <[email protected]>

Author: bradfitz

cmd/coordinator/coordinator.go

@@ -211,6 +211,25 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
 	return tc, nil
 }
 
+// httpRouter is the coordinator's mux, routing traffic to one of
+// three locations:
+//   1) a buildlet, from gomote clients (if X-Buildlet-Proxy is set)
+//   2) our module proxy cache on GKE (if X-Proxy-Service == module-cache)
+//   3) traffic to the coordinator itself (the default)
+type httpRouter struct{}
+
+func (httpRouter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Header.Get("X-Buildlet-Proxy") != "" {
+		requireBuildletProxyAuth(http.HandlerFunc(proxyBuildletHTTP)).ServeHTTP(w, r)
+		return
+	}
+	if r.Header.Get("X-Proxy-Service") == "module-cache" {
+		requireBuildletProxyAuth(http.HandlerFunc(proxyModuleCache)).ServeHTTP(w, r)
+		return
+	}
+	http.DefaultServeMux.ServeHTTP(w, r)
+}
+
 type loggerFunc func(event string, optText ...string)
 
 func (fn loggerFunc) LogEventTime(event string, optText ...string) {

cmd/coordinator/modproxy.go

@@ -0,0 +1,47 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+)
+
+// proxyModuleCache proxies from https://farmer.golang.org (with Auth
+// & a magic header, as handled by coordinator.go's httpRouter type)
+// to Go's private module proxy server running on GKE. The module proxy protocol
+// does not define authentication, so we do it ourselves.
+//
+// The complete path is the buildlet listens on localhost:3000 to run
+// an unauthenticated module proxy server for the cmd/go binary to use
+// via GOPROXY=http://localhost:3000. That localhost:3000 server
+// proxies it to https://farmer.golang.org with auth headers and a
+// sentinel X-Proxy-Service:module-cache header. Then coordinator.go's
+// httpRouter sends it here after the auth has been checked.
+//
+// This code then does the final reverse proxy, sent without auth.
+//
+// In summary:
+//
+//   cmd/go -> localhost:3000 -> buildlet -> coordinator --> GKE server
+func proxyModuleCache(w http.ResponseWriter, r *http.Request) {
+	target := moduleProxy()
+	if !strings.HasPrefix(target, "http") {
+		http.Error(w, "module proxy not configured", 500)
+		return
+	}
+	backend, err := url.Parse(target)
+	if err != nil {
+		http.Error(w, "module proxy misconfigured", 500)
+		return
+	}
+	// TODO: maybe only create this once early. But probably doesn't matter.
+	rp := httputil.NewSingleHostReverseProxy(backend)
+	r.Header.Del("Authorization")
+	r.Header.Del("X-Proxy-Service")
+	rp.ServeHTTP(w, r)
+}

cmd/coordinator/remote.go

@@ -265,19 +265,6 @@ func remoteBuildletStatus() string {
 	return buf.String()
 }
 
-// httpRouter separates out HTTP traffic being proxied
-// to buildlets on behalf of remote clients from traffic
-// destined for the coordinator itself (the default).
-type httpRouter struct{}
-
-func (httpRouter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("X-Buildlet-Proxy") != "" {
-		requireBuildletProxyAuth(http.HandlerFunc(proxyBuildletHTTP)).ServeHTTP(w, r)
-	} else {
-		http.DefaultServeMux.ServeHTTP(w, r)
-	}
-}
-
 func proxyBuildletHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil {
 		http.Error(w, "https required", http.StatusBadRequest)