hatchet-dev · abelanger5 · Jun 26, 2024 · Jun 25, 2024 · Jun 25, 2024 · Jun 25, 2024
diff --git a/api/v1/server/run/run.go b/api/v1/server/run/run.go
@@ -48,15 +48,15 @@ type apiService struct {
 
 func newAPIService(config *server.ServerConfig) *apiService {
 	return &apiService{
-		UserService:           users.NewUserService(config),
-		TenantService:         tenants.NewTenantService(config),
-		EventService:          events.NewEventService(config),
-		LogService:            logs.NewLogService(config),
-		WorkflowService:       workflows.NewWorkflowService(config),
-		WorkerService:         workers.NewWorkerService(config),
-		MetadataService:       metadata.NewMetadataService(config),
-		APITokenService:       apitokens.NewAPITokenService(config),
-		StepRunService:        stepruns.NewStepRunService(config),
+		UserService:     users.NewUserService(config),
+		TenantService:   tenants.NewTenantService(config),
+		EventService:    events.NewEventService(config),
+		LogService:      logs.NewLogService(config),
+		WorkflowService: workflows.NewWorkflowService(config),
+		WorkerService:   workers.NewWorkerService(config),
+		MetadataService: metadata.NewMetadataService(config),
+		APITokenService: apitokens.NewAPITokenService(config),
+		StepRunService:  stepruns.NewStepRunService(config),
 
 		IngestorsService:      ingestors.NewIngestorsService(config),
 		SlackAppService:       slackapp.NewSlackAppService(config),

diff --git a/cmd/hatchet-admin/cli/token.go b/cmd/hatchet-admin/cli/token.go
@@ -61,9 +61,12 @@ func runCreateAPIToken() error {
 	// read in the local config
 	configLoader := loader.NewConfigLoader(configDirectory)
 
-	cleanup, serverConf, err := configLoader.LoadServerConfig(func(scf *server.ServerConfigFile) {
+	cleanup, serverConf, err := configLoader.LoadServerConfig("", func(scf *server.ServerConfigFile) {
 		// disable rabbitmq since it's not needed to create the api token
 		scf.MessageQueue.Enabled = false
+
+		// disable security checks since we're not running the server
+		scf.SecurityCheck.Enabled = false
 	})
 
 	if err != nil {

diff --git a/cmd/hatchet-api/api/run.go b/cmd/hatchet-api/api/run.go
@@ -7,9 +7,9 @@ import (
 	"github.com/hatchet-dev/hatchet/pkg/config/loader"
 )
 
-func Start(cf *loader.ConfigLoader, interruptCh <-chan interface{}) error {
+func Start(cf *loader.ConfigLoader, interruptCh <-chan interface{}, version string) error {
 	// init the repository
-	configCleanup, sc, err := cf.LoadServerConfig()
+	configCleanup, sc, err := cf.LoadServerConfig(version)
 	if err != nil {
 		return fmt.Errorf("error loading server config: %w", err)
 	}

diff --git a/cmd/hatchet-api/main.go b/cmd/hatchet-api/main.go
@@ -28,7 +28,7 @@ var rootCmd = &cobra.Command{
 		cf := loader.NewConfigLoader(configDirectory)
 		interruptChan := cmdutils.InterruptChan()
 
-		if err := api.Start(cf, interruptChan); err != nil {
+		if err := api.Start(cf, interruptChan, Version); err != nil {
 			log.Println("error starting API:", err)
 			os.Exit(1)
 		}

diff --git a/cmd/hatchet-engine/engine/run.go b/cmd/hatchet-engine/engine/run.go
@@ -45,8 +45,8 @@ func init() {
 	}
 }
 
-func Run(ctx context.Context, cf *loader.ConfigLoader) error {
-	serverCleanup, sc, err := cf.LoadServerConfig()
+func Run(ctx context.Context, cf *loader.ConfigLoader, version string) error {
+	serverCleanup, sc, err := cf.LoadServerConfig(version)
 	if err != nil {
 		return fmt.Errorf("could not load server config: %w", err)
 	}

diff --git a/cmd/hatchet-engine/main.go b/cmd/hatchet-engine/main.go
@@ -38,7 +38,7 @@ var rootCmd = &cobra.Command{
 			context = ctx
 		}
 
-		if err := engine.Run(context, cf); err != nil {
+		if err := engine.Run(context, cf, Version); err != nil {
 			log.Printf("engine failure: %s", err.Error())
 			os.Exit(1)
 		}

diff --git a/cmd/hatchet-lite/main.go b/cmd/hatchet-lite/main.go
@@ -35,7 +35,7 @@ var rootCmd = &cobra.Command{
 		cf := loader.NewConfigLoader(configDirectory)
 		interruptChan := cmdutils.InterruptChan()
 
-		if err := start(cf, interruptChan); err != nil {
+		if err := start(cf, interruptChan, Version); err != nil {
 			log.Println("error starting API:", err)
 			os.Exit(1)
 		}
@@ -67,7 +67,7 @@ func main() {
 }
 
 // runs a static file server, api and engine in the same process.
-func start(cf *loader.ConfigLoader, interruptCh <-chan interface{}) error {
+func start(cf *loader.ConfigLoader, interruptCh <-chan interface{}, version string) error {
 	// read static asset directory and frontend URL from the environment
 	staticAssetDir := os.Getenv("LITE_STATIC_ASSET_DIR")
 	frontendPort := os.Getenv("LITE_FRONTEND_PORT")
@@ -91,7 +91,7 @@ func start(cf *loader.ConfigLoader, interruptCh <-chan interface{}) error {
 		return fmt.Errorf("error parsing frontend URL: %w", err)
 	}
 
-	_, sc, err := cf.LoadServerConfig()
+	_, sc, err := cf.LoadServerConfig(version)
 
 	if err != nil {
 		return fmt.Errorf("error loading server config: %w", err)
@@ -105,7 +105,7 @@ func start(cf *loader.ConfigLoader, interruptCh <-chan interface{}) error {
 
 	// api process
 	go func() {
-		api.Start(cf, interruptCh) // nolint:errcheck
+		api.Start(cf, interruptCh, version) // nolint:errcheck
 	}()
 
 	// static file server
@@ -128,7 +128,7 @@ func start(cf *loader.ConfigLoader, interruptCh <-chan interface{}) error {
 	defer cancel()
 
 	go func() {
-		if err := engine.Run(ctx, cf); err != nil {
+		if err := engine.Run(ctx, cf, version); err != nil {
 			log.Printf("engine failure: %s", err.Error())
 			os.Exit(1)
 		}

diff --git a/internal/testutils/env.go b/internal/testutils/env.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"github.com/hatchet-dev/hatchet/pkg/config/loader"
+	"github.com/hatchet-dev/hatchet/pkg/config/server"
 	"github.com/hatchet-dev/hatchet/pkg/repository"
 	"github.com/hatchet-dev/hatchet/pkg/repository/prisma/db"
 )
@@ -43,6 +44,8 @@ func Prepare(t *testing.T) {
 	_ = os.Setenv("SERVER_AUTH_COOKIE_INSECURE", "false")
 	_ = os.Setenv("SERVER_AUTH_SET_EMAIL_VERIFIED", "true")
 
+	_ = os.Setenv("SERVER_SECURITY_CHECK_ENABLED", "false")
+
 	_ = os.Setenv("SERVER_LOGGER_LEVEL", "error")
 	_ = os.Setenv("SERVER_LOGGER_FORMAT", "json")
 	_ = os.Setenv("DATABASE_LOGGER_LEVEL", "error")
@@ -51,7 +54,10 @@ func Prepare(t *testing.T) {
 	// read in the local config
 	configLoader := loader.NewConfigLoader(path.Join(testPath, baseDir, "generated"))
 
-	cleanup, serverConf, err := configLoader.LoadServerConfig()
+	cleanup, serverConf, err := configLoader.LoadServerConfig("", func(scf *server.ServerConfigFile) {
+		// disable security checks since we're not running the server
+		scf.SecurityCheck.Enabled = false
+	})
 	if err != nil {
 		t.Fatalf("could not load server config: %v", err)
 	}

diff --git a/internal/testutils/setup.go b/internal/testutils/setup.go
@@ -33,9 +33,11 @@ func SetupEngine(ctx context.Context, t *testing.T) {
 	_ = os.Setenv("SERVER_AUTH_COOKIE_INSECURE", "false")
 	_ = os.Setenv("SERVER_AUTH_SET_EMAIL_VERIFIED", "true")
 
+	_ = os.Setenv("SERVER_SECURITY_CHECK_ENABLED", "false")
+
 	cf := loader.NewConfigLoader(path.Join(dir, "./generated/"))
 
-	if err := engine.Run(ctx, cf); err != nil {
+	if err := engine.Run(ctx, cf, ""); err != nil {
 		t.Fatalf("engine failure: %s", err.Error())
 	}
 }
diff --git a/pkg/config/loader/loader.go b/pkg/config/loader/loader.go
@@ -38,6 +38,7 @@ import (
 	"github.com/hatchet-dev/hatchet/pkg/repository/metered"
 	"github.com/hatchet-dev/hatchet/pkg/repository/prisma"
 	"github.com/hatchet-dev/hatchet/pkg/repository/prisma/db"
+	"github.com/hatchet-dev/hatchet/pkg/security"
 	"github.com/hatchet-dev/hatchet/pkg/validator"
 )
 
@@ -96,7 +97,7 @@ func (c *ConfigLoader) LoadDatabaseConfig() (res *database.Config, err error) {
 type ServerConfigFileOverride func(*server.ServerConfigFile)
 
 // LoadServerConfig loads the server configuration
-func (c *ConfigLoader) LoadServerConfig(overrides ...ServerConfigFileOverride) (cleanup func() error, res *server.ServerConfig, err error) {
+func (c *ConfigLoader) LoadServerConfig(version string, overrides ...ServerConfigFileOverride) (cleanup func() error, res *server.ServerConfig, err error) {
 	log.Printf("Loading server config from %s", c.directory)
 	sharedFilePath := filepath.Join(c.directory, "server.yaml")
 	log.Printf("Shared file path: %s", sharedFilePath)
@@ -120,7 +121,7 @@ func (c *ConfigLoader) LoadServerConfig(overrides ...ServerConfigFileOverride) (
 		override(cf)
 	}
 
-	return GetServerConfigFromConfigfile(dc, cf)
+	return GetServerConfigFromConfigfile(dc, cf, version)
 }
 
 func GetDatabaseConfigFromConfigFile(cf *database.ConfigFile, runtime *server.ConfigFileRuntime) (res *database.Config, err error) {
@@ -187,7 +188,7 @@ func GetDatabaseConfigFromConfigFile(cf *database.ConfigFile, runtime *server.Co
 	}, nil
 }
 
-func GetServerConfigFromConfigfile(dc *database.Config, cf *server.ServerConfigFile) (cleanup func() error, res *server.ServerConfig, err error) {
+func GetServerConfigFromConfigfile(dc *database.Config, cf *server.ServerConfigFile, version string) (cleanup func() error, res *server.ServerConfig, err error) {
 	l := logger.NewStdErr(&cf.Logger, "server")
 
 	tls, err := loaderutils.LoadServerTLSConfig(&cf.TLS)
@@ -249,6 +250,17 @@ func GetServerConfigFromConfigfile(dc *database.Config, cf *server.ServerConfigF
 		alerter = errors.NoOpAlerter{}
 	}
 
+	if cf.SecurityCheck.Enabled {
+		securityCheck := security.NewSecurityCheck(&security.DefaultSecurityCheck{
+			Enabled:  cf.SecurityCheck.Enabled,
+			Endpoint: cf.SecurityCheck.Endpoint,
+			Logger:   &l,
+			Version:  version,
+		}, dc.APIRepository.SecurityCheck())
+
+		defer securityCheck.Check()
+	}
+
 	var analyticsEmitter analytics.Analytics
 	var feAnalyticsConfig *server.FePosthogConfig
 

diff --git a/pkg/config/server/server.go b/pkg/config/server/server.go
@@ -45,6 +45,8 @@ type ServerConfigFile struct {
 
 	OpenTelemetry shared.OpenTelemetryConfigFile `mapstructure:"otel" json:"otel,omitempty"`
 
+	SecurityCheck SecurityCheckConfigFile `mapstructure:"securityCheck" json:"securityCheck,omitempty"`
+
 	TenantAlerting ConfigFileTenantAlerting `mapstructure:"tenantAlerting" json:"tenantAlerting,omitempty"`
 
 	Email ConfigFileEmail `mapstructure:"email" json:"email,omitempty"`
@@ -79,6 +81,11 @@ type ConfigFileRuntime struct {
 	Limits LimitConfigFile `mapstructure:"limits" json:"limits,omitempty"`
 }
 
+type SecurityCheckConfigFile struct {
+	Enabled  bool   `mapstructure:"enabled" json:"enabled,omitempty" default:"true"`
+	Endpoint string `mapstructure:"endpoint" json:"endpoint,omitempty" default:"https://security.hatchet.run"`
+}
+
 type LimitConfigFile struct {
 	DefaultWorkflowRunLimit      int           `mapstructure:"defaultWorkflowRunLimit" json:"defaultWorkflowRunLimit,omitempty" default:"1000"`
 	DefaultWorkflowRunAlarmLimit int           `mapstructure:"defaultWorkflowRunAlarmLimit" json:"defaultWorkflowRunAlarmLimit,omitempty" default:"750"`
@@ -342,6 +349,10 @@ func BindAllEnv(v *viper.Viper) {
 	_ = v.BindEnv("services", "SERVER_SERVICES")
 	_ = v.BindEnv("runtime.enforceLimits", "SERVER_ENFORCE_LIMITS")
 
+	// security check options
+	_ = v.BindEnv("securityCheck.enabled", "SERVER_SECURITY_CHECK_ENABLED")
+	_ = v.BindEnv("securityCheck.endpoint", "SERVER_SECURITY_CHECK_ENDPOINT")
+
 	// limit options
 	_ = v.BindEnv("runtime.limits.defaultWorkflowRunLimit", "SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_LIMIT")
 	_ = v.BindEnv("runtime.limits.defaultWorkflowRunAlarmLimit", "SERVER_LIMITS_DEFAULT_WORKFLOW_RUN_ALARM_LIMIT")