Builds: don't use an build API token for healthcheck (#12350)

Make that endpoint public. The endpoint checks the build is not in final
states and the builder hostname matches with the builder saved in the
database for that build.

Author: humitos

readthedocs/api/v2/views/model_views.py

@@ -32,6 +32,7 @@
 from readthedocs.aws.security_token_service import AWSTemporaryCredentialsError
 from readthedocs.aws.security_token_service import get_s3_build_media_scoped_credentials
 from readthedocs.aws.security_token_service import get_s3_build_tools_scoped_credentials
+from readthedocs.builds.constants import BUILD_FINAL_STATES
 from readthedocs.builds.constants import INTERNAL
 from readthedocs.builds.models import Build
 from readthedocs.builds.models import BuildCommandResult
@@ -300,22 +301,24 @@ def concurrent(self, request, **kwargs):
 
     @decorators.action(
         detail=True,
-        permission_classes=[HasBuildAPIKey],
+        # We make this endpoint public because we don't want to expose the build API key inside the user's container.
+        # To emulate "auth" we check for the builder hostname to match the `Build.builder` defined in the database.
+        permission_classes=[],
         methods=["post"],
     )
     def healthcheck(self, request, **kwargs):
         build = self.get_object()
-        log.debug(
-            "Healthcheck received.",
+        builder_hostname = request.GET.get("builder")
+        structlog.contextvars.bind_contextvars(
             build_id=build.pk,
             project_slug=build.version.project.slug,
+            builder_hostname=builder_hostname,
         )
-        build_api_key = request.build_api_key
-        if build.version.project.slug != build_api_key.project.slug:
+
+        log.info("Healthcheck received.")
+        if build.state in BUILD_FINAL_STATES or build.builder != builder_hostname:
             log.warning(
-                "Project slug doesn't match the one attached to the API key.",
-                api_key_id=build_api_key.id,
-                project_slug=build.version.project.slug,
+                "Build is not running anymore or builder hostname doesn't match.",
             )
             raise Http404()
 

readthedocs/doc_builder/director.py

@@ -120,7 +120,6 @@ def create_vcs_environment(self):
             environment=self.get_vcs_env_vars(),
             container_image=settings.RTD_DOCKER_CLONE_IMAGE,
             api_client=self.data.api_client,
-            build_api_key=self.data.build_api_key,
         )
 
     def create_build_environment(self):
@@ -131,7 +130,6 @@ def create_build_environment(self):
             build=self.data.build,
             environment=self.get_build_env_vars(),
             api_client=self.data.api_client,
-            build_api_key=self.data.build_api_key,
         )
 
     def setup_environment(self):

readthedocs/doc_builder/environments.py

@@ -585,7 +585,6 @@ class DockerBuildEnvironment(BaseBuildEnvironment):
     container_time_limit = DOCKER_LIMITS.get("time")
 
     def __init__(self, *args, **kwargs):
-        self.build_api_key = kwargs.pop("build_api_key", None)
         container_image = kwargs.pop("container_image", None)
         super().__init__(*args, **kwargs)
         self.client = None
@@ -862,6 +861,7 @@ def _run_background_healthcheck(self):
         log.debug("Running build with healthcheck.")
 
         build_id = self.build.get("id")
+        build_builder = self.build.get("builder")
         healthcheck_url = reverse("build-healthcheck", kwargs={"pk": build_id})
         if settings.RTD_DOCKER_COMPOSE and "ngrok" in settings.PRODUCTION_DOMAIN:
             # NOTE: we do require using NGROK here to go over internet because I
@@ -874,7 +874,10 @@ def _run_background_healthcheck(self):
         else:
             url = f"{settings.SLUMBER_API_HOST}{healthcheck_url}"
 
-        cmd = f"/bin/bash -c 'while true; do curl --max-time 2 -H \"Authorization: Token {self.build_api_key}\" -X POST {url}; sleep {settings.RTD_BUILD_HEALTHCHECK_DELAY}; done;'"
+        # Add the builder hostname to the URL
+        url += f"?builder={build_builder}"
+
+        cmd = f"/bin/bash -c 'while true; do curl --max-time 2 -X POST {url}; sleep {settings.RTD_BUILD_HEALTHCHECK_DELAY}; done;'"
         log.debug("Healthcheck command to run.", command=cmd)
 
         client = self.get_client()

readthedocs/projects/tasks/builds.py

@@ -108,7 +108,6 @@ class TaskData:
 
     # Slumber client to interact with the API v2.
     api_client: API = None
-    build_api_key: str = None
 
     start_time: timezone.datetime = None
     environment_class: type[DockerBuildEnvironment] | type[LocalBuildEnvironment] = None
@@ -382,8 +381,7 @@ def before_start(self, task_id, args, kwargs):
             # anymore and we are not using it
             self.data.environment_class = LocalBuildEnvironment
 
-        self.data.build_api_key = kwargs["build_api_key"]
-        self.data.api_client = setup_api(self.data.build_api_key)
+        self.data.api_client = setup_api(kwargs["build_api_key"])
 
         self.data.build = self.get_build(self.data.build_pk)
         self.data.version = self.get_version(self.data.version_pk)