services/keepstore/proxy_remote.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package main
   6
   7 import (
   8         "context"
   9         "errors"
  10         "io"
  11         "net/http"
  12         "regexp"
  13         "strings"
  14         "sync"
  15         "time"
  16
  17         "git.curoverse.com/arvados.git/sdk/go/arvados"
  18         "git.curoverse.com/arvados.git/sdk/go/arvadosclient"
  19         "git.curoverse.com/arvados.git/sdk/go/auth"
  20         "git.curoverse.com/arvados.git/sdk/go/keepclient"
  21 )
  22
  23 type remoteProxy struct {
  24         clients map[string]*keepclient.KeepClient
  25         mtx     sync.Mutex
  26 }
  27
  28 func (rp *remoteProxy) Get(ctx context.Context, w http.ResponseWriter, r *http.Request, cluster *arvados.Cluster) {
  29         // Intervening proxies must not return a cached GET response
  30         // to a prior request if a X-Keep-Signature request header has
  31         // been added or changed.
  32         w.Header().Add("Vary", "X-Keep-Signature")
  33
  34         token := GetAPIToken(r)
  35         if token == "" {
  36                 http.Error(w, "no token provided in Authorization header", http.StatusUnauthorized)
  37                 return
  38         }
  39         if strings.SplitN(r.Header.Get("X-Keep-Signature"), ",", 2)[0] == "local" {
  40                 buf, err := getBufferWithContext(ctx, bufs, BlockSize)
  41                 if err != nil {
  42                         http.Error(w, err.Error(), http.StatusServiceUnavailable)
  43                         return
  44                 }
  45                 defer bufs.Put(buf)
  46                 rrc := &remoteResponseCacher{
  47                         Locator:        r.URL.Path[1:],
  48                         Token:          token,
  49                         Buffer:         buf[:0],
  50                         ResponseWriter: w,
  51                         Context:        ctx,
  52                 }
  53                 defer rrc.Close()
  54                 w = rrc
  55         }
  56         var remoteClient *keepclient.KeepClient
  57         var parts []string
  58         for i, part := range strings.Split(r.URL.Path[1:], "+") {
  59                 switch {
  60                 case i == 0:
  61                         // don't try to parse hash part as hint
  62                 case strings.HasPrefix(part, "A"):
  63                         // drop local permission hint
  64                         continue
  65                 case len(part) > 7 && part[0] == 'R' && part[6] == '-':
  66                         remoteID := part[1:6]
  67                         remote, ok := cluster.RemoteClusters[remoteID]
  68                         if !ok {
  69                                 http.Error(w, "remote cluster not configured", http.StatusBadGateway)
  70                                 return
  71                         }
  72                         kc, err := rp.remoteClient(remoteID, remote, token)
  73                         if err == auth.ErrObsoleteToken {
  74                                 http.Error(w, err.Error(), http.StatusBadRequest)
  75                                 return
  76                         } else if err != nil {
  77                                 http.Error(w, err.Error(), http.StatusInternalServerError)
  78                                 return
  79                         }
  80                         remoteClient = kc
  81                         part = "A" + part[7:]
  82                 }
  83                 parts = append(parts, part)
  84         }
  85         if remoteClient == nil {
  86                 http.Error(w, "bad request", http.StatusBadRequest)
  87                 return
  88         }
  89         locator := strings.Join(parts, "+")
  90         rdr, _, _, err := remoteClient.Get(locator)
  91         switch err.(type) {
  92         case nil:
  93                 defer rdr.Close()
  94                 io.Copy(w, rdr)
  95         case *keepclient.ErrNotFound:
  96                 http.Error(w, err.Error(), http.StatusNotFound)
  97         default:
  98                 http.Error(w, err.Error(), http.StatusBadGateway)
  99         }
 100 }
 101
 102 func (rp *remoteProxy) remoteClient(remoteID string, remoteCluster arvados.RemoteCluster, token string) (*keepclient.KeepClient, error) {
 103         rp.mtx.Lock()
 104         kc, ok := rp.clients[remoteID]
 105         rp.mtx.Unlock()
 106         if !ok {
 107                 c := &arvados.Client{
 108                         APIHost:   remoteCluster.Host,
 109                         AuthToken: "xxx",
 110                         Insecure:  remoteCluster.Insecure,
 111                 }
 112                 ac, err := arvadosclient.New(c)
 113                 if err != nil {
 114                         return nil, err
 115                 }
 116                 kc, err = keepclient.MakeKeepClient(ac)
 117                 if err != nil {
 118                         return nil, err
 119                 }
 120
 121                 rp.mtx.Lock()
 122                 if rp.clients == nil {
 123                         rp.clients = map[string]*keepclient.KeepClient{remoteID: kc}
 124                 } else {
 125                         rp.clients[remoteID] = kc
 126                 }
 127                 rp.mtx.Unlock()
 128         }
 129         accopy := *kc.Arvados
 130         accopy.ApiToken = token
 131         kccopy := *kc
 132         kccopy.Arvados = &accopy
 133         token, err := auth.SaltToken(token, remoteID)
 134         if err != nil {
 135                 return nil, err
 136         }
 137         kccopy.Arvados.ApiToken = token
 138         return &kccopy, nil
 139 }
 140
 141 var localOrRemoteSignature = regexp.MustCompile(`\+[AR][^\+]*`)
 142
 143 // remoteResponseCacher wraps http.ResponseWriter. It buffers the
 144 // response data in the provided buffer, writes/touches a copy on a
 145 // local volume, adds a response header with a locally-signed locator,
 146 // and finally writes the data through.
 147 type remoteResponseCacher struct {
 148         Locator string
 149         Token   string
 150         Buffer  []byte
 151         Context context.Context
 152         http.ResponseWriter
 153         statusCode int
 154 }
 155
 156 func (rrc *remoteResponseCacher) Write(p []byte) (int, error) {
 157         if len(rrc.Buffer)+len(p) > cap(rrc.Buffer) {
 158                 return 0, errors.New("buffer full")
 159         }
 160         rrc.Buffer = append(rrc.Buffer, p...)
 161         return len(p), nil
 162 }
 163
 164 func (rrc *remoteResponseCacher) WriteHeader(statusCode int) {
 165         rrc.statusCode = statusCode
 166 }
 167
 168 func (rrc *remoteResponseCacher) Close() error {
 169         if rrc.statusCode == 0 {
 170                 rrc.statusCode = http.StatusOK
 171         } else if rrc.statusCode != http.StatusOK {
 172                 rrc.ResponseWriter.WriteHeader(rrc.statusCode)
 173                 rrc.ResponseWriter.Write(rrc.Buffer)
 174                 return nil
 175         }
 176         _, err := PutBlock(rrc.Context, rrc.Buffer, rrc.Locator[:32])
 177         if rrc.Context.Err() != nil {
 178                 // If caller hung up, log that instead of subsequent/misleading errors.
 179                 http.Error(rrc.ResponseWriter, rrc.Context.Err().Error(), http.StatusGatewayTimeout)
 180                 return err
 181         }
 182         if err == RequestHashError {
 183                 http.Error(rrc.ResponseWriter, "checksum mismatch in remote response", http.StatusBadGateway)
 184                 return err
 185         }
 186         if err, ok := err.(*KeepError); ok {
 187                 http.Error(rrc.ResponseWriter, err.Error(), err.HTTPCode)
 188                 return err
 189         }
 190         if err != nil {
 191                 http.Error(rrc.ResponseWriter, err.Error(), http.StatusBadGateway)
 192                 return err
 193         }
 194
 195         unsigned := localOrRemoteSignature.ReplaceAllLiteralString(rrc.Locator, "")
 196         signed := SignLocator(unsigned, rrc.Token, time.Now().Add(theConfig.BlobSignatureTTL.Duration()))
 197         if signed == unsigned {
 198                 err = errors.New("could not sign locator")
 199                 http.Error(rrc.ResponseWriter, err.Error(), http.StatusInternalServerError)
 200                 return err
 201         }
 202         rrc.Header().Set("X-Keep-Locator", signed)
 203         rrc.ResponseWriter.WriteHeader(rrc.statusCode)
 204         _, err = rrc.ResponseWriter.Write(rrc.Buffer)
 205         return err
 206 }