Reuse cached token in subprocesses

Author: zyla

src/App.hs

@@ -1,5 +1,6 @@
 {-# LANGUAGE TemplateHaskell #-}
 {-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE RecursiveDo #-}
 {-# OPTIONS_GHC -Wno-ambiguous-fields #-}
 
 module App where
@@ -39,6 +40,7 @@ import Utils
 import qualified RemoteCache
 import RemoteCache (getLatestBuildHash)
 import CommitStatus (updateCommitStatus, StatusRequest (..))
+import qualified CommitStatus
 import qualified System.Process as Process
 import Control.Monad.EarlyReturn (withEarlyReturn, earlyReturn)
 import Data.Time.Format.ISO8601 (iso8601Show)
@@ -124,28 +126,35 @@ main = do
     responsePipeReadFd <- handleToFd responsePipeRead
     hSetBuffering responsePipeWrite LineBuffering
 
-    parentEnv <- getEnvironment
-
-    cwd <- getCurrentDirectory
-
-    -- TODO: handle spawn error here
-    -- TODO: should we use withCreateProcess?
-    -- TODO: should we use delegate_ctlc or DIY? See https://hackage.haskell.org/package/process-1.6.20.0/docs/System-Process.html#g:4
-    -- -> We should DIY because we need to flush stream etc.
-    (Nothing, Just stdoutPipe, Just stderrPipe, processHandle) <- Process.createProcess
-      (proc args.cmd args.args) { std_in = UseHandle devnull, std_out = CreatePipe
-      , std_err = CreatePipe
-      , env=Just $ nubOrdOn fst $
-          [ ("BASH_FUNC_snapshot%%", "() {\n" <> $(embedStringFile "src/snapshot.sh") <> "\n}")
-          , ("_taskrunner_request_pipe", show requestPipeWriteFd)
-          , ("_taskrunner_response_pipe", show responsePipeReadFd)
-          ] <> parentEnv
-        }
+    -- Recursive: AppState is used before process is started (mostly for logging)
+    rec
+
+      appState <- AppState settings jobName buildId isToplevel <$> newIORef Nothing <*> newIORef Nothing <*> newIORef False <*> pure toplevelStderr <*> pure subprocessStderr <*> pure logFile
+        <*> newIORef Nothing
+
+      when isToplevel do
+        -- Note: potentially sets env for subprocesses
+        void $ CommitStatus.getClient appState
 
-    (subprocessStderrRead, subprocessStderr) <- createPipe
+      parentEnv <- getEnvironment
+
+      cwd <- getCurrentDirectory
+
+      -- TODO: handle spawn error here
+      -- TODO: should we use withCreateProcess?
+      -- TODO: should we use delegate_ctlc or DIY? See https://hackage.haskell.org/package/process-1.6.20.0/docs/System-Process.html#g:4
+      -- -> We should DIY because we need to flush stream etc.
+      (Nothing, Just stdoutPipe, Just stderrPipe, processHandle) <- Process.createProcess
+        (proc args.cmd args.args) { std_in = UseHandle devnull, std_out = CreatePipe
+        , std_err = CreatePipe
+        , env=Just $ nubOrdOn fst $
+            [ ("BASH_FUNC_snapshot%%", "() {\n" <> $(embedStringFile "src/snapshot.sh") <> "\n}")
+            , ("_taskrunner_request_pipe", show requestPipeWriteFd)
+            , ("_taskrunner_response_pipe", show responsePipeReadFd)
+            ] <> parentEnv
+          }
 
-    appState <- AppState settings jobName buildId isToplevel <$> newIORef Nothing <*> newIORef Nothing <*> newIORef False <*> pure toplevelStderr <*> pure subprocessStderr <*> pure logFile
-      <*> newIORef Nothing
+      (subprocessStderrRead, subprocessStderr) <- createPipe
 
     logDebug appState $ "Running command: " <> show (args.cmd : args.args)
     logDebug appState $ "  buildId: " <> show buildId

src/CommitStatus.hs

@@ -11,7 +11,7 @@ import qualified Data.Text as T
 import qualified Data.Text.Encoding as TE
 import qualified Network.HTTP.Client as HTTP
 import Network.HTTP.Client.TLS (tlsManagerSettings)
-import System.Environment (getEnv, lookupEnv)
+import System.Environment (getEnv, lookupEnv, setEnv)
 import Network.HTTP.Types.Status (Status(..))
 import Data.Aeson.Decoding (eitherDecode)
 import qualified Data.Text as Text
@@ -55,40 +55,49 @@ initClient appState = do
   -- Prepare the HTTP manager
   manager <- HTTP.newManager tlsManagerSettings
 
-  let privateKeyBytes = encodeUtf8 $ Text.replace "|" "\n" $ toText privateKeyStr
-  let privateKey = fromMaybe (error "Invalid github key") $ readRsaSecret privateKeyBytes
+  let createToken = do
+        let privateKeyBytes = encodeUtf8 $ Text.replace "|" "\n" $ toText privateKeyStr
+        let privateKey = fromMaybe (error "Invalid github key") $ readRsaSecret privateKeyBytes
 
-  -- Create the JWT token
-  now <- getPOSIXTime
-  let claims = mempty { iss = stringOrURI $ T.pack appId
-                   , iat = numericDate now
-                   , exp = numericDate (now + 5 * 60)
-                   }
-  let jwt = encodeSigned (EncodeRSAPrivateKey privateKey) (mempty { alg = Just RS256 }) claims
+        -- Create the JWT token
+        now <- getPOSIXTime
+        let claims = mempty { iss = stringOrURI $ T.pack appId
+                         , iat = numericDate now
+                         , exp = numericDate (now + 5 * 60)
+                         }
+        let jwt = encodeSigned (EncodeRSAPrivateKey privateKey) (mempty { alg = Just RS256 }) claims
 
-  -- Get the installation access token
-  let installUrl = apiUrl <> "/app/installations/" ++ installationId ++ "/access_tokens"
-  initRequest <- HTTP.parseRequest installUrl
-  let request = initRequest
-                { HTTP.method = "POST"
-                , HTTP.requestHeaders =
-                    [ ("Authorization", "Bearer " <> TE.encodeUtf8 jwt)
-                    , ("Accept", "application/vnd.github.v3+json")
-                    , ("User-Agent", "restaumatic-bot")
-                    ]
-                }
-  response <- HTTP.httpLbs request manager
-  let mTokenResponse = eitherDecode @InstallationTokenResponse (HTTP.responseBody response)
-  accessToken <- case mTokenResponse of
-    Left err -> do
-      logError appState $ "CommitStatus: Failed to parse installation token response: " <> show err
-      logError appState $ "CommitStatus: Response: " <> decodeUtf8 response.responseBody
+        -- Get the installation access token
+        let installUrl = apiUrl <> "/app/installations/" ++ installationId ++ "/access_tokens"
+        initRequest <- HTTP.parseRequest installUrl
+        let request = initRequest
+                      { HTTP.method = "POST"
+                      , HTTP.requestHeaders =
+                          [ ("Authorization", "Bearer " <> TE.encodeUtf8 jwt)
+                          , ("Accept", "application/vnd.github.v3+json")
+                          , ("User-Agent", "restaumatic-bot")
+                          ]
+                      }
+        response <- HTTP.httpLbs request manager
+        let mTokenResponse = eitherDecode @InstallationTokenResponse (HTTP.responseBody response)
+        case mTokenResponse of
+          Left err -> do
+            logError appState $ "CommitStatus: Failed to parse installation token response: " <> show err
+            logError appState $ "CommitStatus: Response: " <> decodeUtf8 response.responseBody
 
-      -- FIXME: handle the error better
-      exitFailure
-    Right tokenResponse ->
-      pure tokenResponse.token
+            -- FIXME: handle the error better
+            exitFailure
+          Right tokenResponse ->
+            pure tokenResponse.token
 
+  -- Try to read token from environment variable
+  -- Otherwise generate a new one, and set env for future uses (also in child processes)
+  accessToken <- lookupEnv "_taskrunner_github_access_token" >>= \case
+    Just token -> pure $ T.pack token
+    Nothing -> do
+      token <- createToken
+      setEnv "_taskrunner_github_access_token" $ T.unpack token
+      pure token
 
   pure $ GithubClient { apiUrl = T.pack apiUrl
                       , appId = T.pack appId

test/FakeGithubApi.hs

@@ -49,12 +49,13 @@ data Server = Server
   }
 
 start :: Int -> IO Server
-start port = mdo
+start port = do
   started <- newEmptyMVar
   output <- newIORef []
   let settings = Warp.setPort port $ Warp.setBeforeMainLoop (putMVar started ()) Warp.defaultSettings
-  tid <- forkIO $ Warp.runSettings settings $ app server
-  let server = Server {tid, output}
+  rec
+    let server = Server {tid, output}
+    tid <- forkIO $ Warp.runSettings settings $ app server
   takeMVar started
   pure server
 

test/t/github-commit-status-failure-nested.out

@@ -4,6 +4,5 @@
 Requested access token for installation 123
 Updated commit status for fakeowner/fakerepo to {"context":"othertask","description":"not cached","state":"pending","target_url":null}
 Updated commit status for fakeowner/fakerepo to {"context":"othertask","description":null,"state":"failure","target_url":null}
-Requested access token for installation 123
 Updated commit status for fakeowner/fakerepo to {"context":"mytask","description":null,"state":"failure","target_url":null}
 -- exit code: 1

test/t/github-commit-status-nested.out

@@ -3,7 +3,6 @@
 -- github:
 Requested access token for installation 123
 Updated commit status for fakeowner/fakerepo to {"context":"mytask","description":"not cached","state":"pending","target_url":null}
-Requested access token for installation 123
 Updated commit status for fakeowner/fakerepo to {"context":"othertask","description":"not cached","state":"pending","target_url":null}
 Updated commit status for fakeowner/fakerepo to {"context":"othertask","description":null,"state":"success","target_url":null}
 Updated commit status for fakeowner/fakerepo to {"context":"mytask","description":null,"state":"success","target_url":null}