lib/controller/fed_containers.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package controller
   6
   7 import (
   8         "bytes"
   9         "encoding/json"
  10         "fmt"
  11         "io/ioutil"
  12         "net/http"
  13         "strings"
  14
  15         "git.curoverse.com/arvados.git/sdk/go/auth"
  16         "git.curoverse.com/arvados.git/sdk/go/httpserver"
  17 )
  18
  19 func remoteContainerRequestCreate(
  20         h *genericFederatedRequestHandler,
  21         effectiveMethod string,
  22         clusterId *string,
  23         uuid string,
  24         remainder string,
  25         w http.ResponseWriter,
  26         req *http.Request) bool {
  27
  28         if effectiveMethod != "POST" || uuid != "" || remainder != "" {
  29                 return false
  30         }
  31
  32         // First make sure supplied token is valid.
  33         creds := auth.NewCredentials()
  34         creds.LoadTokensFromHTTPRequest(req)
  35
  36         currentUser, err := h.handler.validateAPItoken(req, creds.Tokens[0])
  37         if err != nil {
  38                 httpserver.Error(w, err.Error(), http.StatusForbidden)
  39                 return true
  40         }
  41
  42         if *clusterId == "" {
  43                 *clusterId = h.handler.Cluster.ClusterID
  44         }
  45
  46         if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) &&
  47                 *clusterId == h.handler.Cluster.ClusterID {
  48                 // local user submitting container request to local cluster
  49                 return false
  50         }
  51
  52         if req.Header.Get("Content-Type") != "application/json" {
  53                 httpserver.Error(w, "Expected Content-Type: application/json, got "+req.Header.Get("Content-Type"), http.StatusBadRequest)
  54                 return true
  55         }
  56
  57         originalBody := req.Body
  58         defer originalBody.Close()
  59         var request map[string]interface{}
  60         err = json.NewDecoder(req.Body).Decode(&request)
  61         if err != nil {
  62                 httpserver.Error(w, err.Error(), http.StatusBadRequest)
  63                 return true
  64         }
  65
  66         crString, ok := request["container_request"].(string)
  67         if ok {
  68                 var crJson map[string]interface{}
  69                 err := json.Unmarshal([]byte(crString), &crJson)
  70                 if err != nil {
  71                         httpserver.Error(w, err.Error(), http.StatusBadRequest)
  72                         return true
  73                 }
  74
  75                 request["container_request"] = crJson
  76         }
  77
  78         containerRequest, ok := request["container_request"].(map[string]interface{})
  79         if !ok {
  80                 // Use toplevel object as the container_request object
  81                 containerRequest = request
  82         }
  83
  84         // If runtime_token is not set, create a new token
  85         if _, ok := containerRequest["runtime_token"]; !ok {
  86                 if len(currentUser.Authorization.Scopes) != 1 || currentUser.Authorization.Scopes[0] != "all" {
  87                         httpserver.Error(w, "Token scope is not [all]", http.StatusForbidden)
  88                         return true
  89                 }
  90
  91                 if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
  92                         // Local user, submitting to a remote cluster.
  93                         // Create a new time-limited token.
  94                         newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
  95                         if err != nil {
  96                                 httpserver.Error(w, err.Error(), http.StatusForbidden)
  97                                 return true
  98                         }
  99                         containerRequest["runtime_token"] = newtok.TokenV2()
 100                 } else {
 101                         // Remote user. Container request will use the
 102                         // current token, minus the trailing portion
 103                         // (optional container uuid).
 104                         sp := strings.Split(creds.Tokens[0], "/")
 105                         if len(sp) >= 3 {
 106                                 containerRequest["runtime_token"] = strings.Join(sp[0:3], "/")
 107                         } else {
 108                                 containerRequest["runtime_token"] = creds.Tokens[0]
 109                         }
 110                 }
 111         }
 112
 113         newbody, err := json.Marshal(request)
 114         buf := bytes.NewBuffer(newbody)
 115         req.Body = ioutil.NopCloser(buf)
 116         req.ContentLength = int64(buf.Len())
 117         req.Header.Set("Content-Length", fmt.Sprintf("%v", buf.Len()))
 118
 119         resp, err := h.handler.remoteClusterRequest(*clusterId, req)
 120         h.handler.proxy.ForwardResponse(w, resp, err)
 121         return true
 122 }