14198: Strip 4th position when setting runtime_token from provided auth
[arvados.git] / lib / controller / fed_containers.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package controller
6
7 import (
8         "bytes"
9         "encoding/json"
10         "fmt"
11         "io/ioutil"
12         "net/http"
13         "strings"
14
15         "git.curoverse.com/arvados.git/sdk/go/auth"
16         "git.curoverse.com/arvados.git/sdk/go/httpserver"
17 )
18
19 func remoteContainerRequestCreate(
20         h *genericFederatedRequestHandler,
21         effectiveMethod string,
22         clusterId *string,
23         uuid string,
24         remainder string,
25         w http.ResponseWriter,
26         req *http.Request) bool {
27
28         if effectiveMethod != "POST" || uuid != "" || remainder != "" {
29                 return false
30         }
31
32         // First make sure supplied token is valid.
33         creds := auth.NewCredentials()
34         creds.LoadTokensFromHTTPRequest(req)
35
36         currentUser, err := h.handler.validateAPItoken(req, creds.Tokens[0])
37         if err != nil {
38                 httpserver.Error(w, err.Error(), http.StatusForbidden)
39                 return true
40         }
41
42         if *clusterId == "" {
43                 *clusterId = h.handler.Cluster.ClusterID
44         }
45
46         if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) &&
47                 *clusterId == h.handler.Cluster.ClusterID {
48                 // local user submitting container request to local cluster
49                 return false
50         }
51
52         if req.Header.Get("Content-Type") != "application/json" {
53                 httpserver.Error(w, "Expected Content-Type: application/json, got "+req.Header.Get("Content-Type"), http.StatusBadRequest)
54                 return true
55         }
56
57         originalBody := req.Body
58         defer originalBody.Close()
59         var request map[string]interface{}
60         err = json.NewDecoder(req.Body).Decode(&request)
61         if err != nil {
62                 httpserver.Error(w, err.Error(), http.StatusBadRequest)
63                 return true
64         }
65
66         crString, ok := request["container_request"].(string)
67         if ok {
68                 var crJson map[string]interface{}
69                 err := json.Unmarshal([]byte(crString), &crJson)
70                 if err != nil {
71                         httpserver.Error(w, err.Error(), http.StatusBadRequest)
72                         return true
73                 }
74
75                 request["container_request"] = crJson
76         }
77
78         containerRequest, ok := request["container_request"].(map[string]interface{})
79         if !ok {
80                 // Use toplevel object as the container_request object
81                 containerRequest = request
82         }
83
84         // If runtime_token is not set, create a new token
85         if _, ok := containerRequest["runtime_token"]; !ok {
86                 if len(currentUser.Authorization.Scopes) != 1 || currentUser.Authorization.Scopes[0] != "all" {
87                         httpserver.Error(w, "Token scope is not [all]", http.StatusForbidden)
88                         return true
89                 }
90
91                 if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
92                         // Local user, submitting to a remote cluster.
93                         // Create a new time-limited token.
94                         newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
95                         if err != nil {
96                                 httpserver.Error(w, err.Error(), http.StatusForbidden)
97                                 return true
98                         }
99                         containerRequest["runtime_token"] = newtok.TokenV2()
100                 } else {
101                         // Remote user. Container request will use the
102                         // current token, minus the trailing portion
103                         // (optional container uuid).
104                         sp := strings.Split(creds.Tokens[0], "/")
105                         if len(sp) >= 3 {
106                                 containerRequest["runtime_token"] = strings.Join(sp[0:3], "/")
107                         } else {
108                                 containerRequest["runtime_token"] = creds.Tokens[0]
109                         }
110                 }
111         }
112
113         newbody, err := json.Marshal(request)
114         buf := bytes.NewBuffer(newbody)
115         req.Body = ioutil.NopCloser(buf)
116         req.ContentLength = int64(buf.Len())
117         req.Header.Set("Content-Length", fmt.Sprintf("%v", buf.Len()))
118
119         resp, err := h.handler.remoteClusterRequest(*clusterId, req)
120         h.handler.proxy.ForwardResponse(w, resp, err)
121         return true
122 }