lib/controller/fed_containers.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package controller
   6
   7 import (
   8         "bytes"
   9         "encoding/json"
  10         "fmt"
  11         "io/ioutil"
  12         "net/http"
  13         "strings"
  14
  15         "git.arvados.org/arvados.git/sdk/go/auth"
  16         "git.arvados.org/arvados.git/sdk/go/httpserver"
  17 )
  18
  19 func remoteContainerRequestCreate(
  20         h *genericFederatedRequestHandler,
  21         effectiveMethod string,
  22         clusterId *string,
  23         uuid string,
  24         remainder string,
  25         w http.ResponseWriter,
  26         req *http.Request) bool {
  27
  28         if effectiveMethod != "POST" || uuid != "" || remainder != "" {
  29                 return false
  30         }
  31
  32         // First make sure supplied token is valid.
  33         creds := auth.NewCredentials()
  34         creds.LoadTokensFromHTTPRequest(req)
  35
  36         currentUser, ok, err := h.handler.validateAPItoken(req, creds.Tokens[0])
  37         if err != nil {
  38                 httpserver.Error(w, err.Error(), http.StatusInternalServerError)
  39                 return true
  40         } else if !ok {
  41                 httpserver.Error(w, "invalid API token", http.StatusForbidden)
  42                 return true
  43         }
  44
  45         if *clusterId == "" {
  46                 *clusterId = h.handler.Cluster.ClusterID
  47         }
  48
  49         if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) &&
  50                 *clusterId == h.handler.Cluster.ClusterID {
  51                 // local user submitting container request to local cluster
  52                 return false
  53         }
  54
  55         if req.Header.Get("Content-Type") != "application/json" {
  56                 httpserver.Error(w, "Expected Content-Type: application/json, got "+req.Header.Get("Content-Type"), http.StatusBadRequest)
  57                 return true
  58         }
  59
  60         originalBody := req.Body
  61         defer originalBody.Close()
  62         var request map[string]interface{}
  63         err = json.NewDecoder(req.Body).Decode(&request)
  64         if err != nil {
  65                 httpserver.Error(w, err.Error(), http.StatusBadRequest)
  66                 return true
  67         }
  68
  69         crString, ok := request["container_request"].(string)
  70         if ok {
  71                 var crJson map[string]interface{}
  72                 err := json.Unmarshal([]byte(crString), &crJson)
  73                 if err != nil {
  74                         httpserver.Error(w, err.Error(), http.StatusBadRequest)
  75                         return true
  76                 }
  77
  78                 request["container_request"] = crJson
  79         }
  80
  81         containerRequest, ok := request["container_request"].(map[string]interface{})
  82         if !ok {
  83                 // Use toplevel object as the container_request object
  84                 containerRequest = request
  85         }
  86
  87         // If runtime_token is not set, create a new token
  88         if _, ok := containerRequest["runtime_token"]; !ok {
  89                 if len(currentUser.Authorization.Scopes) != 1 || currentUser.Authorization.Scopes[0] != "all" {
  90                         httpserver.Error(w, "Token scope is not [all]", http.StatusForbidden)
  91                         return true
  92                 }
  93
  94                 if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
  95                         // Local user, submitting to a remote cluster.
  96                         // Create a new time-limited token.
  97                         newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
  98                         if err != nil {
  99                                 httpserver.Error(w, err.Error(), http.StatusForbidden)
 100                                 return true
 101                         }
 102                         containerRequest["runtime_token"] = newtok.TokenV2()
 103                 } else {
 104                         // Remote user. Container request will use the
 105                         // current token, minus the trailing portion
 106                         // (optional container uuid).
 107                         sp := strings.Split(creds.Tokens[0], "/")
 108                         if len(sp) >= 3 {
 109                                 containerRequest["runtime_token"] = strings.Join(sp[0:3], "/")
 110                         } else {
 111                                 containerRequest["runtime_token"] = creds.Tokens[0]
 112                         }
 113                 }
 114         }
 115
 116         newbody, err := json.Marshal(request)
 117         buf := bytes.NewBuffer(newbody)
 118         req.Body = ioutil.NopCloser(buf)
 119         req.ContentLength = int64(buf.Len())
 120         req.Header.Set("Content-Length", fmt.Sprintf("%v", buf.Len()))
 121
 122         resp, err := h.handler.remoteClusterRequest(*clusterId, req)
 123         h.handler.proxy.ForwardResponse(w, resp, err)
 124         return true
 125 }