1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
17 "git.arvados.org/arvados.git/lib/controller/api"
18 "git.arvados.org/arvados.git/lib/controller/federation"
19 "git.arvados.org/arvados.git/lib/controller/localdb"
20 "git.arvados.org/arvados.git/lib/controller/railsproxy"
21 "git.arvados.org/arvados.git/lib/controller/router"
22 "git.arvados.org/arvados.git/lib/ctrlctx"
23 "git.arvados.org/arvados.git/sdk/go/arvados"
24 "git.arvados.org/arvados.git/sdk/go/ctxlog"
25 "git.arvados.org/arvados.git/sdk/go/health"
26 "git.arvados.org/arvados.git/sdk/go/httpserver"
27 "github.com/jmoiron/sqlx"
29 // sqlx needs lib/pq to talk to PostgreSQL
34 Cluster *arvados.Cluster
35 BackgroundContext context.Context
38 federation *federation.Conn
39 handlerStack http.Handler
41 secureClient *http.Client
42 insecureClient *http.Client
47 func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
48 h.setupOnce.Do(h.setup)
49 if req.Method != "GET" && req.Method != "HEAD" {
50 // http.ServeMux returns 301 with a cleaned path if
51 // the incoming request has a double slash. Some
52 // clients (including the Go standard library) change
53 // the request method to GET when following a 301
54 // redirect if the original method was not HEAD
55 // (RFC7231 6.4.2 specifically allows this in the case
56 // of POST). Thus "POST //foo" gets misdirected to
57 // "GET /foo". To avoid this, eliminate double slashes
58 // before passing the request to ServeMux.
59 for strings.Contains(req.URL.Path, "//") {
60 req.URL.Path = strings.Replace(req.URL.Path, "//", "/", -1)
63 h.handlerStack.ServeHTTP(w, req)
66 func (h *Handler) CheckHealth() error {
67 h.setupOnce.Do(h.setup)
68 _, err := h.db(context.TODO())
72 _, _, err = railsproxy.FindRailsAPI(h.Cluster)
76 if h.Cluster.API.VocabularyPath != "" {
77 req, err := http.NewRequest("GET", "/arvados/v1/vocabulary", nil)
81 var resp httptest.ResponseRecorder
82 h.handlerStack.ServeHTTP(&resp, req)
83 if resp.Result().StatusCode != http.StatusOK {
84 return fmt.Errorf("%d %s", resp.Result().StatusCode, resp.Result().Status)
90 func (h *Handler) Done() <-chan struct{} {
94 func neverRedirect(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
96 func (h *Handler) setup() {
97 mux := http.NewServeMux()
98 healthFuncs := make(map[string]health.Func)
100 oidcAuthorizer := localdb.OIDCAccessTokenAuthorizer(h.Cluster, h.db)
101 h.federation = federation.New(h.Cluster, &healthFuncs)
102 rtr := router.New(h.federation, router.Config{
103 MaxRequestSize: h.Cluster.API.MaxRequestSize,
104 WrapCalls: api.ComposeWrappers(
105 ctrlctx.WrapCallsInTransactions(h.db),
106 oidcAuthorizer.WrapCalls,
107 ctrlctx.WrapCallsWithAuth(h.Cluster)),
110 healthRoutes := health.Routes{"ping": func() error { _, err := h.db(context.TODO()); return err }}
111 for name, f := range healthFuncs {
112 healthRoutes[name] = f
114 mux.Handle("/_health/", &health.Handler{
115 Token: h.Cluster.ManagementToken,
117 Routes: healthRoutes,
119 mux.Handle("/arvados/v1/config", rtr)
120 mux.Handle("/arvados/v1/vocabulary", rtr)
121 mux.Handle("/"+arvados.EndpointUserAuthenticate.Path, rtr) // must come before .../users/
122 mux.Handle("/arvados/v1/collections", rtr)
123 mux.Handle("/arvados/v1/collections/", rtr)
124 mux.Handle("/arvados/v1/users", rtr)
125 mux.Handle("/arvados/v1/users/", rtr)
126 mux.Handle("/arvados/v1/connect/", rtr)
127 mux.Handle("/arvados/v1/container_requests", rtr)
128 mux.Handle("/arvados/v1/container_requests/", rtr)
129 mux.Handle("/arvados/v1/groups", rtr)
130 mux.Handle("/arvados/v1/groups/", rtr)
131 mux.Handle("/arvados/v1/links", rtr)
132 mux.Handle("/arvados/v1/links/", rtr)
133 mux.Handle("/login", rtr)
134 mux.Handle("/logout", rtr)
135 mux.Handle("/arvados/v1/api_client_authorizations", rtr)
136 mux.Handle("/arvados/v1/api_client_authorizations/", rtr)
138 hs := http.NotFoundHandler()
139 hs = prepend(hs, h.proxyRailsAPI)
140 hs = h.setupProxyRemoteCluster(hs)
141 hs = prepend(hs, oidcAuthorizer.Middleware)
145 sc := *arvados.DefaultSecureClient
146 sc.CheckRedirect = neverRedirect
149 ic := *arvados.InsecureHTTPClient
150 ic.CheckRedirect = neverRedirect
151 h.insecureClient = &ic
154 Name: "arvados-controller",
157 go h.trashSweepWorker()
160 var errDBConnection = errors.New("database connection error")
162 func (h *Handler) db(ctx context.Context) (*sqlx.DB, error) {
164 defer h.pgdbMtx.Unlock()
169 db, err := sqlx.Open("postgres", h.Cluster.PostgreSQL.Connection.String())
171 ctxlog.FromContext(ctx).WithError(err).Error("postgresql connect failed")
172 return nil, errDBConnection
174 if p := h.Cluster.PostgreSQL.ConnectionPool; p > 0 {
175 db.SetMaxOpenConns(p)
177 if err := db.Ping(); err != nil {
178 ctxlog.FromContext(ctx).WithError(err).Error("postgresql connect succeeded but ping failed")
179 return nil, errDBConnection
185 type middlewareFunc func(http.ResponseWriter, *http.Request, http.Handler)
187 func prepend(next http.Handler, middleware middlewareFunc) http.Handler {
188 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
189 middleware(w, req, next)
193 func (h *Handler) localClusterRequest(req *http.Request) (*http.Response, error) {
194 urlOut, insecure, err := railsproxy.FindRailsAPI(h.Cluster)
199 Scheme: urlOut.Scheme,
202 RawPath: req.URL.RawPath,
203 RawQuery: req.URL.RawQuery,
205 client := h.secureClient
207 client = h.insecureClient
209 return h.proxy.Do(req, urlOut, client)
212 func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next http.Handler) {
213 resp, err := h.localClusterRequest(req)
214 n, err := h.proxy.ForwardResponse(w, resp, err)
216 httpserver.Logger(req).WithError(err).WithField("bytesCopied", n).Error("error copying response body")
220 // Use a localhost entry from Services.RailsAPI.InternalURLs if one is
221 // present, otherwise choose an arbitrary entry.
222 func findRailsAPI(cluster *arvados.Cluster) (*url.URL, bool, error) {
224 for target := range cluster.Services.RailsAPI.InternalURLs {
225 target := url.URL(target)
227 if strings.HasPrefix(target.Host, "localhost:") || strings.HasPrefix(target.Host, "127.0.0.1:") || strings.HasPrefix(target.Host, "[::1]:") {
232 return nil, false, fmt.Errorf("Services.RailsAPI.InternalURLs is empty")
234 return best, cluster.TLS.Insecure, nil