cmd/coordinator: fix authentication to not require a user token

Buildlets have regular builder tokens, not "user-" prefixed ones. So
don't use the auth helper function. Just inline what we need in the
proxy handler.

Fix from testing CL 165779.

Updates golang/go#14594

Change-Id: Ie2d8d7a21f5660d24e929c932571b8df61895374
Reviewed-on: https://go-review.googlesource.com/c/build/+/165780
Reviewed-by: Dmitri Shuralyov <[email protected]>

Author: bradfitz

cmd/coordinator/coordinator.go

@@ -224,7 +224,7 @@ func (httpRouter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if r.Header.Get("X-Proxy-Service") == "module-cache" {
-		requireBuildletProxyAuth(http.HandlerFunc(proxyModuleCache)).ServeHTTP(w, r)
+		proxyModuleCache(w, r)
 		return
 	}
 	http.DefaultServeMux.ServeHTTP(w, r)

cmd/coordinator/modproxy.go

@@ -11,32 +11,46 @@ import (
 	"strings"
 )
 
-// proxyModuleCache proxies from https://farmer.golang.org (with Auth
-// & a magic header, as handled by coordinator.go's httpRouter type)
-// to Go's private module proxy server running on GKE. The module proxy protocol
-// does not define authentication, so we do it ourselves.
+// proxyModuleCache proxies from https://farmer.golang.org (with a
+// magic header, as handled by coordinator.go's httpRouter type) to
+// Go's private module proxy server running on GKE. The module proxy
+// protocol does not define authentication, so we do it ourselves.
 //
 // The complete path is the buildlet listens on localhost:3000 to run
 // an unauthenticated module proxy server for the cmd/go binary to use
 // via GOPROXY=http://localhost:3000. That localhost:3000 server
 // proxies it to https://farmer.golang.org with auth headers and a
 // sentinel X-Proxy-Service:module-cache header. Then coordinator.go's
-// httpRouter sends it here after the auth has been checked.
+// httpRouter sends it here.
 //
 // This code then does the final reverse proxy, sent without auth.
 //
 // In summary:
 //
 //   cmd/go -> localhost:3000 -> buildlet -> coordinator --> GKE server
 func proxyModuleCache(w http.ResponseWriter, r *http.Request) {
+	if r.TLS == nil {
+		http.Error(w, "https required", http.StatusBadRequest)
+		return
+	}
+	builder, pass, ok := r.BasicAuth()
+	if !ok {
+		http.Error(w, "missing required authentication", http.StatusBadRequest)
+		return
+	}
+	if !strings.Contains(builder, "-") || builderKey(builder) != pass {
+		http.Error(w, "bad username or password", http.StatusUnauthorized)
+		return
+	}
+
 	target := moduleProxy()
 	if !strings.HasPrefix(target, "http") {
-		http.Error(w, "module proxy not configured", 500)
+		http.Error(w, "module proxy not configured", http.StatusInternalServerError)
 		return
 	}
 	backend, err := url.Parse(target)
 	if err != nil {
-		http.Error(w, "module proxy misconfigured", 500)
+		http.Error(w, "module proxy misconfigured", http.StatusInternalServerError)
 		return
 	}
 	// TODO: maybe only create this once early. But probably doesn't matter.