Merge pull request #354 from depot/billy/feat/req-ipc-allow-builder-ip

feat: allowlist builder IPs by telling agentd over HTTP

Author: billyb2

go.mod

@@ -56,7 +56,7 @@ require (
 
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 // indirect

go.sum

@@ -58,8 +58,8 @@ github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZ
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Microsoft/hcsshim v0.9.8 h1:lf7xxK2+Ikbj9sVf2QZsouGjRjEp2STj1yDHgoVtU5k=
 github.com/Microsoft/hcsshim v0.9.8/go.mod h1:7pLA8lDk46WKDWlVsENo92gC0XFa8rbKfyFRBqxEbCc=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=

pkg/helpers/gha.go

@@ -1,6 +1,9 @@
 package helpers
 
-import "os"
+import (
+	"os"
+	"runtime"
+)
 
 // If the CLI is running inside a Depot GitHub Actions runner, restore the original
 // GitHub Actions cache URL so that the remote BuildKit doesn't attempt to use the internal cache.
@@ -17,3 +20,35 @@ func FixGitHubActionsCacheEnv() {
 		os.Setenv("ACTIONS_RESULTS_URL", original)
 	}
 }
+
+// IsDepotGitHubActionsRunner detects Depot runners by checking for agentd binary in OS-specific locations.
+func IsDepotGitHubActionsRunner() bool {
+	var agentdPaths []string
+
+	switch runtime.GOOS {
+	case "windows":
+		agentdPaths = []string{
+			"C:\\ProgramData\\Agentd\\agentd-service.exe",
+		}
+	case "darwin":
+		agentdPaths = []string{
+			"/usr/local/bin/agentd",
+		}
+	case "linux":
+		agentdPaths = []string{
+			"/usr/local/bin/agentd",
+		}
+	default:
+		agentdPaths = []string{
+			"/usr/local/bin/agentd",
+		}
+	}
+
+	for _, path := range agentdPaths {
+		if _, err := os.Stat(path); err == nil {
+			return true
+		}
+	}
+
+	return false
+}

pkg/machine/agentd_client.go

@@ -0,0 +1,82 @@
+package machine
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+)
+
+type AllowIPRequest struct {
+	AllowIPs []string `json:"allowIPs"`
+}
+
+func AllowBuilderIPViaHTTP(ctx context.Context, endpoint string) error {
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	ip, err := extractIPFromEndpoint(endpoint)
+	if err != nil {
+		return fmt.Errorf("failed to extract IP from endpoint: %w", err)
+	}
+
+	req := AllowIPRequest{
+		AllowIPs: []string{ip},
+	}
+
+	reqJSON, err := json.Marshal(req)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	client := &http.Client{
+		Timeout: 30 * time.Second,
+	}
+
+	httpReq, err := http.NewRequestWithContext(ctx, "POST", "http://127.0.0.1:912/", bytes.NewBuffer(reqJSON))
+	if err != nil {
+		return fmt.Errorf("failed to create HTTP request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	resp, err := client.Do(httpReq)
+	if err != nil {
+		// The HTTP server only runs if the egress filter is enabled, so don't worry about not being able to connect
+		return nil
+	}
+	defer resp.Body.Close()
+
+	var response map[string]any
+	if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
+		return fmt.Errorf("failed to decode HTTP response: %w", err)
+	}
+
+	if success, ok := response["success"].(bool); ok && success {
+		return nil
+	}
+
+	if errMsg, ok := response["error"].(string); ok {
+		return fmt.Errorf("HTTP request failed: %s", errMsg)
+	}
+
+	return fmt.Errorf("unexpected HTTP response: %v", response)
+}
+
+func extractIPFromEndpoint(endpoint string) (string, error) {
+	endpoint = strings.TrimPrefix(endpoint, "tcp://")
+
+	host, _, err := net.SplitHostPort(endpoint)
+	if err != nil {
+		return "", fmt.Errorf("failed to split host and port: %w", err)
+	}
+
+	if net.ParseIP(host) == nil {
+		return "", fmt.Errorf("not a valid IP address: %s", host)
+	}
+
+	return host, nil
+}

pkg/machine/machine.go

@@ -12,6 +12,7 @@ import (
 	"connectrpc.com/connect"
 	"github.com/depot/cli/pkg/api"
 	"github.com/depot/cli/pkg/cleanup"
+	"github.com/depot/cli/pkg/helpers"
 	cliv1 "github.com/depot/cli/pkg/proto/depot/cli/v1"
 	"github.com/depot/cli/pkg/proto/depot/cli/v1/cliv1connect"
 	"github.com/moby/buildkit/client"
@@ -81,6 +82,12 @@ func Acquire(ctx context.Context, buildID, token, platform string) (*Machine, er
 		case *cliv1.GetBuildKitConnectionResponse_Active:
 			m.Addr = connection.Active.Endpoint
 			m.ServerName = connection.Active.ServerName
+
+			if helpers.IsDepotGitHubActionsRunner() {
+				// if this is failing, we can check what the actual issue is by ssh'ing into the GHA runner machine
+				_ = AllowBuilderIPViaHTTP(ctx, m.Addr)
+			}
+
 			// When testing locally, we don't have TLS certs.
 			if connection.Active.CaCert == nil || connection.Active.Cert == nil {
 				return m, nil