Merge branch 'main' from workbench2.git
[arvados.git] / services / keep-web / handler.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package keepweb
6
7 import (
8         "encoding/json"
9         "errors"
10         "fmt"
11         "html"
12         "html/template"
13         "io"
14         "net/http"
15         "net/url"
16         "os"
17         "sort"
18         "strconv"
19         "strings"
20         "sync"
21         "time"
22
23         "git.arvados.org/arvados.git/lib/cmd"
24         "git.arvados.org/arvados.git/lib/webdavfs"
25         "git.arvados.org/arvados.git/sdk/go/arvados"
26         "git.arvados.org/arvados.git/sdk/go/arvadosclient"
27         "git.arvados.org/arvados.git/sdk/go/auth"
28         "git.arvados.org/arvados.git/sdk/go/ctxlog"
29         "git.arvados.org/arvados.git/sdk/go/httpserver"
30         "git.arvados.org/arvados.git/sdk/go/keepclient"
31         "github.com/sirupsen/logrus"
32         "golang.org/x/net/webdav"
33 )
34
35 type handler struct {
36         Cache     cache
37         Cluster   *arvados.Cluster
38         setupOnce sync.Once
39
40         lockMtx    sync.Mutex
41         lock       map[string]*sync.RWMutex
42         lockTidied time.Time
43 }
44
45 var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+")
46
47 var notFoundMessage = "Not Found"
48 var unauthorizedMessage = "401 Unauthorized\n\nA valid Arvados token must be provided to access this resource."
49
50 // parseCollectionIDFromURL returns a UUID or PDH if s is a UUID or a
51 // PDH (even if it is a PDH with "+" replaced by " " or "-");
52 // otherwise "".
53 func parseCollectionIDFromURL(s string) string {
54         if arvadosclient.UUIDMatch(s) {
55                 return s
56         }
57         if pdh := urlPDHDecoder.Replace(s); arvadosclient.PDHMatch(pdh) {
58                 return pdh
59         }
60         return ""
61 }
62
63 func (h *handler) setup() {
64         keepclient.DefaultBlockCache.MaxBlocks = h.Cluster.Collections.WebDAVCache.MaxBlockEntries
65 }
66
67 func (h *handler) serveStatus(w http.ResponseWriter, r *http.Request) {
68         json.NewEncoder(w).Encode(struct{ Version string }{cmd.Version.String()})
69 }
70
71 type errorWithHTTPStatus interface {
72         HTTPStatus() int
73 }
74
75 // updateOnSuccess wraps httpserver.ResponseWriter. If the handler
76 // sends an HTTP header indicating success, updateOnSuccess first
77 // calls the provided update func. If the update func fails, an error
78 // response is sent (using the error's HTTP status or 500 if none),
79 // and the status code and body sent by the handler are ignored (all
80 // response writes return the update error).
81 type updateOnSuccess struct {
82         httpserver.ResponseWriter
83         logger     logrus.FieldLogger
84         update     func() error
85         sentHeader bool
86         err        error
87 }
88
89 func (uos *updateOnSuccess) Write(p []byte) (int, error) {
90         if !uos.sentHeader {
91                 uos.WriteHeader(http.StatusOK)
92         }
93         if uos.err != nil {
94                 return 0, uos.err
95         }
96         return uos.ResponseWriter.Write(p)
97 }
98
99 func (uos *updateOnSuccess) WriteHeader(code int) {
100         if !uos.sentHeader {
101                 uos.sentHeader = true
102                 if code >= 200 && code < 400 {
103                         if uos.err = uos.update(); uos.err != nil {
104                                 code := http.StatusInternalServerError
105                                 if he := errorWithHTTPStatus(nil); errors.As(uos.err, &he) {
106                                         code = he.HTTPStatus()
107                                 }
108                                 uos.logger.WithError(uos.err).Errorf("update() returned %T error, changing response to HTTP %d", uos.err, code)
109                                 http.Error(uos.ResponseWriter, uos.err.Error(), code)
110                                 return
111                         }
112                 }
113         }
114         uos.ResponseWriter.WriteHeader(code)
115 }
116
117 var (
118         corsAllowHeadersHeader = strings.Join([]string{
119                 "Authorization", "Content-Type", "Range",
120                 // WebDAV request headers:
121                 "Depth", "Destination", "If", "Lock-Token", "Overwrite", "Timeout", "Cache-Control",
122         }, ", ")
123         writeMethod = map[string]bool{
124                 "COPY":      true,
125                 "DELETE":    true,
126                 "LOCK":      true,
127                 "MKCOL":     true,
128                 "MOVE":      true,
129                 "PROPPATCH": true,
130                 "PUT":       true,
131                 "RMCOL":     true,
132                 "UNLOCK":    true,
133         }
134         webdavMethod = map[string]bool{
135                 "COPY":      true,
136                 "DELETE":    true,
137                 "LOCK":      true,
138                 "MKCOL":     true,
139                 "MOVE":      true,
140                 "OPTIONS":   true,
141                 "PROPFIND":  true,
142                 "PROPPATCH": true,
143                 "PUT":       true,
144                 "RMCOL":     true,
145                 "UNLOCK":    true,
146         }
147         browserMethod = map[string]bool{
148                 "GET":  true,
149                 "HEAD": true,
150                 "POST": true,
151         }
152         // top-level dirs to serve with siteFS
153         siteFSDir = map[string]bool{
154                 "":      true, // root directory
155                 "by_id": true,
156                 "users": true,
157         }
158 )
159
160 func stripDefaultPort(host string) string {
161         // Will consider port 80 and port 443 to be the same vhost.  I think that's fine.
162         u := &url.URL{Host: host}
163         if p := u.Port(); p == "80" || p == "443" {
164                 return strings.ToLower(u.Hostname())
165         } else {
166                 return strings.ToLower(host)
167         }
168 }
169
170 // CheckHealth implements service.Handler.
171 func (h *handler) CheckHealth() error {
172         return nil
173 }
174
175 // Done implements service.Handler.
176 func (h *handler) Done() <-chan struct{} {
177         return nil
178 }
179
180 // ServeHTTP implements http.Handler.
181 func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
182         h.setupOnce.Do(h.setup)
183
184         if xfp := r.Header.Get("X-Forwarded-Proto"); xfp != "" && xfp != "http" {
185                 r.URL.Scheme = xfp
186         }
187
188         w := httpserver.WrapResponseWriter(wOrig)
189
190         if r.Method == "OPTIONS" && ServeCORSPreflight(w, r.Header) {
191                 return
192         }
193
194         if !browserMethod[r.Method] && !webdavMethod[r.Method] {
195                 w.WriteHeader(http.StatusMethodNotAllowed)
196                 return
197         }
198
199         if r.Header.Get("Origin") != "" {
200                 // Allow simple cross-origin requests without user
201                 // credentials ("user credentials" as defined by CORS,
202                 // i.e., cookies, HTTP authentication, and client-side
203                 // SSL certificates. See
204                 // http://www.w3.org/TR/cors/#user-credentials).
205                 w.Header().Set("Access-Control-Allow-Origin", "*")
206                 w.Header().Set("Access-Control-Expose-Headers", "Content-Range")
207         }
208
209         if h.serveS3(w, r) {
210                 return
211         }
212
213         webdavPrefix := ""
214         arvPath := r.URL.Path
215         if prefix := r.Header.Get("X-Webdav-Prefix"); prefix != "" {
216                 // Enable a proxy (e.g., container log handler in
217                 // controller) to satisfy a request for path
218                 // "/foo/bar/baz.txt" using content from
219                 // "//abc123-4.internal/bar/baz.txt", by adding a
220                 // request header "X-Webdav-Prefix: /foo"
221                 if !strings.HasPrefix(arvPath, prefix) {
222                         http.Error(w, "X-Webdav-Prefix header is not a prefix of the requested path", http.StatusBadRequest)
223                         return
224                 }
225                 arvPath = r.URL.Path[len(prefix):]
226                 if arvPath == "" {
227                         arvPath = "/"
228                 }
229                 w.Header().Set("Vary", "X-Webdav-Prefix, "+w.Header().Get("Vary"))
230                 webdavPrefix = prefix
231         }
232         pathParts := strings.Split(arvPath[1:], "/")
233
234         var stripParts int
235         var collectionID string
236         var tokens []string
237         var reqTokens []string
238         var pathToken bool
239         var attachment bool
240         var useSiteFS bool
241         credentialsOK := h.Cluster.Collections.TrustAllContent
242         reasonNotAcceptingCredentials := ""
243
244         if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Cluster.Services.WebDAVDownload.ExternalURL.Host) {
245                 credentialsOK = true
246                 attachment = true
247         } else if r.FormValue("disposition") == "attachment" {
248                 attachment = true
249         }
250
251         if !credentialsOK {
252                 reasonNotAcceptingCredentials = fmt.Sprintf("vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false",
253                         r.Host, h.Cluster.Services.WebDAVDownload.ExternalURL)
254         }
255
256         if collectionID = arvados.CollectionIDFromDNSName(r.Host); collectionID != "" {
257                 // http://ID.collections.example/PATH...
258                 credentialsOK = true
259         } else if r.URL.Path == "/status.json" {
260                 h.serveStatus(w, r)
261                 return
262         } else if siteFSDir[pathParts[0]] {
263                 useSiteFS = true
264         } else if len(pathParts) >= 1 && strings.HasPrefix(pathParts[0], "c=") {
265                 // /c=ID[/PATH...]
266                 collectionID = parseCollectionIDFromURL(pathParts[0][2:])
267                 stripParts = 1
268         } else if len(pathParts) >= 2 && pathParts[0] == "collections" {
269                 if len(pathParts) >= 4 && pathParts[1] == "download" {
270                         // /collections/download/ID/TOKEN/PATH...
271                         collectionID = parseCollectionIDFromURL(pathParts[2])
272                         tokens = []string{pathParts[3]}
273                         stripParts = 4
274                         pathToken = true
275                 } else {
276                         // /collections/ID/PATH...
277                         collectionID = parseCollectionIDFromURL(pathParts[1])
278                         stripParts = 2
279                         // This path is only meant to work for public
280                         // data. Tokens provided with the request are
281                         // ignored.
282                         credentialsOK = false
283                         reasonNotAcceptingCredentials = "the '/collections/UUID/PATH' form only works for public data"
284                 }
285         }
286
287         forceReload := false
288         if cc := r.Header.Get("Cache-Control"); strings.Contains(cc, "no-cache") || strings.Contains(cc, "must-revalidate") {
289                 forceReload = true
290         }
291
292         if credentialsOK {
293                 reqTokens = auth.CredentialsFromRequest(r).Tokens
294         }
295
296         formToken := r.FormValue("api_token")
297         origin := r.Header.Get("Origin")
298         cors := origin != "" && !strings.HasSuffix(origin, "://"+r.Host)
299         safeAjax := cors && (r.Method == http.MethodGet || r.Method == http.MethodHead)
300         safeAttachment := attachment && r.URL.Query().Get("api_token") == ""
301         if formToken == "" {
302                 // No token to use or redact.
303         } else if safeAjax || safeAttachment {
304                 // If this is a cross-origin request, the URL won't
305                 // appear in the browser's address bar, so
306                 // substituting a clipboard-safe URL is pointless.
307                 // Redirect-with-cookie wouldn't work anyway, because
308                 // it's not safe to allow third-party use of our
309                 // cookie.
310                 //
311                 // If we're supplying an attachment, we don't need to
312                 // convert POST to GET to avoid the "really resubmit
313                 // form?" problem, so provided the token isn't
314                 // embedded in the URL, there's no reason to do
315                 // redirect-with-cookie in this case either.
316                 reqTokens = append(reqTokens, formToken)
317         } else if browserMethod[r.Method] {
318                 // If this is a page view, and the client provided a
319                 // token via query string or POST body, we must put
320                 // the token in an HttpOnly cookie, and redirect to an
321                 // equivalent URL with the query param redacted and
322                 // method = GET.
323                 h.seeOtherWithCookie(w, r, "", credentialsOK)
324                 return
325         }
326
327         targetPath := pathParts[stripParts:]
328         if tokens == nil && len(targetPath) > 0 && strings.HasPrefix(targetPath[0], "t=") {
329                 // http://ID.example/t=TOKEN/PATH...
330                 // /c=ID/t=TOKEN/PATH...
331                 //
332                 // This form must only be used to pass scoped tokens
333                 // that give permission for a single collection. See
334                 // FormValue case above.
335                 tokens = []string{targetPath[0][2:]}
336                 pathToken = true
337                 targetPath = targetPath[1:]
338                 stripParts++
339         }
340
341         fsprefix := ""
342         if useSiteFS {
343                 if writeMethod[r.Method] {
344                         http.Error(w, webdavfs.ErrReadOnly.Error(), http.StatusMethodNotAllowed)
345                         return
346                 }
347                 if len(reqTokens) == 0 {
348                         w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
349                         http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
350                         return
351                 }
352                 tokens = reqTokens
353         } else if collectionID == "" {
354                 http.Error(w, notFoundMessage, http.StatusNotFound)
355                 return
356         } else {
357                 fsprefix = "by_id/" + collectionID + "/"
358         }
359
360         if src := r.Header.Get("X-Webdav-Source"); strings.HasPrefix(src, "/") && !strings.Contains(src, "//") && !strings.Contains(src, "/../") {
361                 fsprefix += src[1:]
362         }
363
364         if tokens == nil {
365                 tokens = reqTokens
366                 if h.Cluster.Users.AnonymousUserToken != "" {
367                         tokens = append(tokens, h.Cluster.Users.AnonymousUserToken)
368                 }
369         }
370
371         if len(targetPath) > 0 && targetPath[0] == "_" {
372                 // If a collection has a directory called "t=foo" or
373                 // "_", it can be served at
374                 // //collections.example/_/t=foo/ or
375                 // //collections.example/_/_/ respectively:
376                 // //collections.example/t=foo/ won't work because
377                 // t=foo will be interpreted as a token "foo".
378                 targetPath = targetPath[1:]
379                 stripParts++
380         }
381
382         dirOpenMode := os.O_RDONLY
383         if writeMethod[r.Method] {
384                 dirOpenMode = os.O_RDWR
385         }
386
387         var tokenValid bool
388         var tokenScopeProblem bool
389         var token string
390         var tokenUser *arvados.User
391         var sessionFS arvados.CustomFileSystem
392         var session *cachedSession
393         var collectionDir arvados.File
394         for _, token = range tokens {
395                 var statusErr errorWithHTTPStatus
396                 fs, sess, user, err := h.Cache.GetSession(token)
397                 if errors.As(err, &statusErr) && statusErr.HTTPStatus() == http.StatusUnauthorized {
398                         // bad token
399                         continue
400                 } else if err != nil {
401                         http.Error(w, "cache error: "+err.Error(), http.StatusInternalServerError)
402                         return
403                 }
404                 if token != h.Cluster.Users.AnonymousUserToken {
405                         tokenValid = true
406                 }
407                 f, err := fs.OpenFile(fsprefix, dirOpenMode, 0)
408                 if errors.As(err, &statusErr) &&
409                         statusErr.HTTPStatus() == http.StatusForbidden &&
410                         token != h.Cluster.Users.AnonymousUserToken {
411                         // collection id is outside scope of supplied
412                         // token
413                         tokenScopeProblem = true
414                         sess.Release()
415                         continue
416                 } else if os.IsNotExist(err) {
417                         // collection does not exist or is not
418                         // readable using this token
419                         sess.Release()
420                         continue
421                 } else if err != nil {
422                         http.Error(w, err.Error(), http.StatusInternalServerError)
423                         sess.Release()
424                         return
425                 }
426                 defer f.Close()
427                 defer sess.Release()
428
429                 collectionDir, sessionFS, session, tokenUser = f, fs, sess, user
430                 break
431         }
432         if forceReload && collectionDir != nil {
433                 err := collectionDir.Sync()
434                 if err != nil {
435                         if he := errorWithHTTPStatus(nil); errors.As(err, &he) {
436                                 http.Error(w, err.Error(), he.HTTPStatus())
437                         } else {
438                                 http.Error(w, err.Error(), http.StatusInternalServerError)
439                         }
440                         return
441                 }
442         }
443         if session == nil {
444                 if pathToken {
445                         // The URL is a "secret sharing link" that
446                         // didn't work out.  Asking the client for
447                         // additional credentials would just be
448                         // confusing.
449                         http.Error(w, notFoundMessage, http.StatusNotFound)
450                         return
451                 }
452                 if tokenValid {
453                         // The client provided valid token(s), but the
454                         // collection was not found.
455                         http.Error(w, notFoundMessage, http.StatusNotFound)
456                         return
457                 }
458                 if tokenScopeProblem {
459                         // The client provided a valid token but
460                         // fetching a collection returned 401, which
461                         // means the token scope doesn't permit
462                         // fetching that collection.
463                         http.Error(w, notFoundMessage, http.StatusForbidden)
464                         return
465                 }
466                 // The client's token was invalid (e.g., expired), or
467                 // the client didn't even provide one.  Redirect to
468                 // workbench2's login-and-redirect-to-download url if
469                 // this is a browser navigation request. (The redirect
470                 // flow can't preserve the original method if it's not
471                 // GET, and doesn't make sense if the UA is a
472                 // command-line tool, is trying to load an inline
473                 // image, etc.; in these cases, there's nothing we can
474                 // do, so return 401 unauthorized.)
475                 //
476                 // Note Sec-Fetch-Mode is sent by all non-EOL
477                 // browsers, except Safari.
478                 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode
479                 //
480                 // TODO(TC): This response would be confusing to
481                 // someone trying (anonymously) to download public
482                 // data that has been deleted.  Allow a referrer to
483                 // provide this context somehow?
484                 if r.Method == http.MethodGet && r.Header.Get("Sec-Fetch-Mode") == "navigate" {
485                         target := url.URL(h.Cluster.Services.Workbench2.ExternalURL)
486                         redirkey := "redirectToPreview"
487                         if attachment {
488                                 redirkey = "redirectToDownload"
489                         }
490                         callback := "/c=" + collectionID + "/" + strings.Join(targetPath, "/")
491                         // target.RawQuery = url.Values{redirkey:
492                         // {target}}.Encode() would be the obvious
493                         // thing to do here, but wb2 doesn't decode
494                         // this as a query param -- it takes
495                         // everything after "${redirkey}=" as the
496                         // target URL. If we encode "/" as "%2F" etc.,
497                         // the redirect won't work.
498                         target.RawQuery = redirkey + "=" + callback
499                         w.Header().Add("Location", target.String())
500                         w.WriteHeader(http.StatusSeeOther)
501                         return
502                 }
503                 if !credentialsOK {
504                         http.Error(w, fmt.Sprintf("Authorization tokens are not accepted here: %v, and no anonymous user token is configured.", reasonNotAcceptingCredentials), http.StatusUnauthorized)
505                         return
506                 }
507                 // If none of the above cases apply, suggest the
508                 // user-agent (which is either a non-browser agent
509                 // like wget, or a browser that can't redirect through
510                 // a login flow) prompt the user for credentials.
511                 w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
512                 http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
513                 return
514         }
515
516         if r.Method == http.MethodGet || r.Method == http.MethodHead {
517                 targetfnm := fsprefix + strings.Join(pathParts[stripParts:], "/")
518                 if fi, err := sessionFS.Stat(targetfnm); err == nil && fi.IsDir() {
519                         if !strings.HasSuffix(r.URL.Path, "/") {
520                                 h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK)
521                         } else {
522                                 h.serveDirectory(w, r, fi.Name(), sessionFS, targetfnm, !useSiteFS)
523                         }
524                         return
525                 }
526         }
527
528         var basename string
529         if len(targetPath) > 0 {
530                 basename = targetPath[len(targetPath)-1]
531         }
532         if arvadosclient.PDHMatch(collectionID) && writeMethod[r.Method] {
533                 http.Error(w, webdavfs.ErrReadOnly.Error(), http.StatusMethodNotAllowed)
534                 return
535         }
536         if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
537                 http.Error(w, "Not permitted", http.StatusForbidden)
538                 return
539         }
540         h.logUploadOrDownload(r, session.arvadosclient, sessionFS, fsprefix+strings.Join(targetPath, "/"), nil, tokenUser)
541
542         writing := writeMethod[r.Method]
543         locker := h.collectionLock(collectionID, writing)
544         defer locker.Unlock()
545
546         if writing {
547                 // Save the collection only if/when all
548                 // webdav->filesystem operations succeed --
549                 // and send a 500 error if the modified
550                 // collection can't be saved.
551                 //
552                 // Perform the write in a separate sitefs, so
553                 // concurrent read operations on the same
554                 // collection see the previous saved
555                 // state. After the write succeeds and the
556                 // collection record is updated, we reset the
557                 // session so the updates are visible in
558                 // subsequent read requests.
559                 client := session.client.WithRequestID(r.Header.Get("X-Request-Id"))
560                 sessionFS = client.SiteFileSystem(session.keepclient)
561                 writingDir, err := sessionFS.OpenFile(fsprefix, os.O_RDONLY, 0)
562                 if err != nil {
563                         http.Error(w, err.Error(), http.StatusInternalServerError)
564                         return
565                 }
566                 defer writingDir.Close()
567                 w = &updateOnSuccess{
568                         ResponseWriter: w,
569                         logger:         ctxlog.FromContext(r.Context()),
570                         update: func() error {
571                                 err := writingDir.Sync()
572                                 var te arvados.TransactionError
573                                 if errors.As(err, &te) {
574                                         err = te
575                                 }
576                                 if err != nil {
577                                         return err
578                                 }
579                                 // Sync the changes to the persistent
580                                 // sessionfs for this token.
581                                 snap, err := writingDir.Snapshot()
582                                 if err != nil {
583                                         return err
584                                 }
585                                 collectionDir.Splice(snap)
586                                 return nil
587                         }}
588         }
589         if r.Method == http.MethodGet {
590                 applyContentDispositionHdr(w, r, basename, attachment)
591         }
592         if webdavPrefix == "" {
593                 webdavPrefix = "/" + strings.Join(pathParts[:stripParts], "/")
594         }
595         wh := webdav.Handler{
596                 Prefix: webdavPrefix,
597                 FileSystem: &webdavfs.FS{
598                         FileSystem:    sessionFS,
599                         Prefix:        fsprefix,
600                         Writing:       writeMethod[r.Method],
601                         AlwaysReadEOF: r.Method == "PROPFIND",
602                 },
603                 LockSystem: webdavfs.NoLockSystem,
604                 Logger: func(r *http.Request, err error) {
605                         if err != nil && !os.IsNotExist(err) {
606                                 ctxlog.FromContext(r.Context()).WithError(err).Error("error reported by webdav handler")
607                         }
608                 },
609         }
610         wh.ServeHTTP(w, r)
611         if r.Method == http.MethodGet && w.WroteStatus() == http.StatusOK {
612                 wrote := int64(w.WroteBodyBytes())
613                 fnm := strings.Join(pathParts[stripParts:], "/")
614                 fi, err := wh.FileSystem.Stat(r.Context(), fnm)
615                 if err == nil && fi.Size() != wrote {
616                         var n int
617                         f, err := wh.FileSystem.OpenFile(r.Context(), fnm, os.O_RDONLY, 0)
618                         if err == nil {
619                                 n, err = f.Read(make([]byte, 1024))
620                                 f.Close()
621                         }
622                         ctxlog.FromContext(r.Context()).Errorf("stat.Size()==%d but only wrote %d bytes; read(1024) returns %d, %v", fi.Size(), wrote, n, err)
623                 }
624         }
625 }
626
627 var dirListingTemplate = `<!DOCTYPE HTML>
628 <HTML><HEAD>
629   <META name="robots" content="NOINDEX">
630   <TITLE>{{ .CollectionName }}</TITLE>
631   <STYLE type="text/css">
632     body {
633       margin: 1.5em;
634     }
635     pre {
636       background-color: #D9EDF7;
637       border-radius: .25em;
638       padding: .75em;
639       overflow: auto;
640     }
641     .footer p {
642       font-size: 82%;
643     }
644     ul {
645       padding: 0;
646     }
647     ul li {
648       font-family: monospace;
649       list-style: none;
650     }
651   </STYLE>
652 </HEAD>
653 <BODY>
654
655 <H1>{{ .CollectionName }}</H1>
656
657 <P>This collection of data files is being shared with you through
658 Arvados.  You can download individual files listed below.  To download
659 the entire directory tree with wget, try:</P>
660
661 <PRE>$ wget --mirror --no-parent --no-host --cut-dirs={{ .StripParts }} https://{{ .Request.Host }}{{ .Request.URL.Path }}</PRE>
662
663 <H2>File Listing</H2>
664
665 {{if .Files}}
666 <UL>
667 {{range .Files}}
668 {{if .IsDir }}
669   <LI>{{" " | printf "%15s  " | nbsp}}<A href="{{print "./" .Name}}/">{{.Name}}/</A></LI>
670 {{else}}
671   <LI>{{.Size | printf "%15d  " | nbsp}}<A href="{{print "./" .Name}}">{{.Name}}</A></LI>
672 {{end}}
673 {{end}}
674 </UL>
675 {{else}}
676 <P>(No files; this collection is empty.)</P>
677 {{end}}
678
679 <HR noshade>
680 <DIV class="footer">
681   <P>
682     About Arvados:
683     Arvados is a free and open source software bioinformatics platform.
684     To learn more, visit arvados.org.
685     Arvados is not responsible for the files listed on this page.
686   </P>
687 </DIV>
688
689 </BODY>
690 `
691
692 type fileListEnt struct {
693         Name  string
694         Size  int64
695         IsDir bool
696 }
697
698 func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collectionName string, fs http.FileSystem, base string, recurse bool) {
699         var files []fileListEnt
700         var walk func(string) error
701         if !strings.HasSuffix(base, "/") {
702                 base = base + "/"
703         }
704         walk = func(path string) error {
705                 dirname := base + path
706                 if dirname != "/" {
707                         dirname = strings.TrimSuffix(dirname, "/")
708                 }
709                 d, err := fs.Open(dirname)
710                 if err != nil {
711                         return err
712                 }
713                 ents, err := d.Readdir(-1)
714                 if err != nil {
715                         return err
716                 }
717                 for _, ent := range ents {
718                         if recurse && ent.IsDir() {
719                                 err = walk(path + ent.Name() + "/")
720                                 if err != nil {
721                                         return err
722                                 }
723                         } else {
724                                 files = append(files, fileListEnt{
725                                         Name:  path + ent.Name(),
726                                         Size:  ent.Size(),
727                                         IsDir: ent.IsDir(),
728                                 })
729                         }
730                 }
731                 return nil
732         }
733         if err := walk(""); err != nil {
734                 http.Error(w, "error getting directory listing: "+err.Error(), http.StatusInternalServerError)
735                 return
736         }
737
738         funcs := template.FuncMap{
739                 "nbsp": func(s string) template.HTML {
740                         return template.HTML(strings.Replace(s, " ", "&nbsp;", -1))
741                 },
742         }
743         tmpl, err := template.New("dir").Funcs(funcs).Parse(dirListingTemplate)
744         if err != nil {
745                 http.Error(w, "error parsing template: "+err.Error(), http.StatusInternalServerError)
746                 return
747         }
748         sort.Slice(files, func(i, j int) bool {
749                 return files[i].Name < files[j].Name
750         })
751         w.WriteHeader(http.StatusOK)
752         tmpl.Execute(w, map[string]interface{}{
753                 "CollectionName": collectionName,
754                 "Files":          files,
755                 "Request":        r,
756                 "StripParts":     strings.Count(strings.TrimRight(r.URL.Path, "/"), "/"),
757         })
758 }
759
760 func applyContentDispositionHdr(w http.ResponseWriter, r *http.Request, filename string, isAttachment bool) {
761         disposition := "inline"
762         if isAttachment {
763                 disposition = "attachment"
764         }
765         if strings.ContainsRune(r.RequestURI, '?') {
766                 // Help the UA realize that the filename is just
767                 // "filename.txt", not
768                 // "filename.txt?disposition=attachment".
769                 //
770                 // TODO(TC): Follow advice at RFC 6266 appendix D
771                 disposition += "; filename=" + strconv.QuoteToASCII(filename)
772         }
773         if disposition != "inline" {
774                 w.Header().Set("Content-Disposition", disposition)
775         }
776 }
777
778 func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, location string, credentialsOK bool) {
779         if formToken := r.FormValue("api_token"); formToken != "" {
780                 if !credentialsOK {
781                         // It is not safe to copy the provided token
782                         // into a cookie unless the current vhost
783                         // (origin) serves only a single collection or
784                         // we are in TrustAllContent mode.
785                         http.Error(w, "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)", http.StatusBadRequest)
786                         return
787                 }
788
789                 // The HttpOnly flag is necessary to prevent
790                 // JavaScript code (included in, or loaded by, a page
791                 // in the collection being served) from employing the
792                 // user's token beyond reading other files in the same
793                 // domain, i.e., same collection.
794                 //
795                 // The 303 redirect is necessary in the case of a GET
796                 // request to avoid exposing the token in the Location
797                 // bar, and in the case of a POST request to avoid
798                 // raising warnings when the user refreshes the
799                 // resulting page.
800                 http.SetCookie(w, &http.Cookie{
801                         Name:     "arvados_api_token",
802                         Value:    auth.EncodeTokenCookie([]byte(formToken)),
803                         Path:     "/",
804                         HttpOnly: true,
805                         SameSite: http.SameSiteLaxMode,
806                 })
807         }
808
809         // Propagate query parameters (except api_token) from
810         // the original request.
811         redirQuery := r.URL.Query()
812         redirQuery.Del("api_token")
813
814         u := r.URL
815         if location != "" {
816                 newu, err := u.Parse(location)
817                 if err != nil {
818                         http.Error(w, "error resolving redirect target: "+err.Error(), http.StatusInternalServerError)
819                         return
820                 }
821                 u = newu
822         }
823         redir := (&url.URL{
824                 Scheme:   r.URL.Scheme,
825                 Host:     r.Host,
826                 Path:     u.Path,
827                 RawQuery: redirQuery.Encode(),
828         }).String()
829
830         w.Header().Add("Location", redir)
831         w.WriteHeader(http.StatusSeeOther)
832         io.WriteString(w, `<A href="`)
833         io.WriteString(w, html.EscapeString(redir))
834         io.WriteString(w, `">Continue</A>`)
835 }
836
837 func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool {
838         var permitDownload bool
839         var permitUpload bool
840         if tokenUser != nil && tokenUser.IsAdmin {
841                 permitUpload = h.Cluster.Collections.WebDAVPermission.Admin.Upload
842                 permitDownload = h.Cluster.Collections.WebDAVPermission.Admin.Download
843         } else {
844                 permitUpload = h.Cluster.Collections.WebDAVPermission.User.Upload
845                 permitDownload = h.Cluster.Collections.WebDAVPermission.User.Download
846         }
847         if (method == "PUT" || method == "POST") && !permitUpload {
848                 // Disallow operations that upload new files.
849                 // Permit webdav operations that move existing files around.
850                 return false
851         } else if method == "GET" && !permitDownload {
852                 // Disallow downloading file contents.
853                 // Permit webdav operations like PROPFIND that retrieve metadata
854                 // but not file contents.
855                 return false
856         }
857         return true
858 }
859
860 func (h *handler) logUploadOrDownload(
861         r *http.Request,
862         client *arvadosclient.ArvadosClient,
863         fs arvados.CustomFileSystem,
864         filepath string,
865         collection *arvados.Collection,
866         user *arvados.User) {
867
868         log := ctxlog.FromContext(r.Context())
869         props := make(map[string]string)
870         props["reqPath"] = r.URL.Path
871         var useruuid string
872         if user != nil {
873                 log = log.WithField("user_uuid", user.UUID).
874                         WithField("user_full_name", user.FullName)
875                 useruuid = user.UUID
876         } else {
877                 useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Cluster.ClusterID)
878         }
879         if collection == nil && fs != nil {
880                 collection, filepath = h.determineCollection(fs, filepath)
881         }
882         if collection != nil {
883                 log = log.WithField("collection_file_path", filepath)
884                 props["collection_file_path"] = filepath
885                 // h.determineCollection populates the collection_uuid
886                 // prop with the PDH, if this collection is being
887                 // accessed via PDH. For logging, we use a different
888                 // field depending on whether it's a UUID or PDH.
889                 if len(collection.UUID) > 32 {
890                         log = log.WithField("portable_data_hash", collection.UUID)
891                         props["portable_data_hash"] = collection.UUID
892                 } else {
893                         log = log.WithField("collection_uuid", collection.UUID)
894                         props["collection_uuid"] = collection.UUID
895                 }
896         }
897         if r.Method == "PUT" || r.Method == "POST" {
898                 log.Info("File upload")
899                 if h.Cluster.Collections.WebDAVLogEvents {
900                         go func() {
901                                 lr := arvadosclient.Dict{"log": arvadosclient.Dict{
902                                         "object_uuid": useruuid,
903                                         "event_type":  "file_upload",
904                                         "properties":  props}}
905                                 err := client.Create("logs", lr, nil)
906                                 if err != nil {
907                                         log.WithError(err).Error("Failed to create upload log event on API server")
908                                 }
909                         }()
910                 }
911         } else if r.Method == "GET" {
912                 if collection != nil && collection.PortableDataHash != "" {
913                         log = log.WithField("portable_data_hash", collection.PortableDataHash)
914                         props["portable_data_hash"] = collection.PortableDataHash
915                 }
916                 log.Info("File download")
917                 if h.Cluster.Collections.WebDAVLogEvents {
918                         go func() {
919                                 lr := arvadosclient.Dict{"log": arvadosclient.Dict{
920                                         "object_uuid": useruuid,
921                                         "event_type":  "file_download",
922                                         "properties":  props}}
923                                 err := client.Create("logs", lr, nil)
924                                 if err != nil {
925                                         log.WithError(err).Error("Failed to create download log event on API server")
926                                 }
927                         }()
928                 }
929         }
930 }
931
932 func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) {
933         target := strings.TrimSuffix(path, "/")
934         for cut := len(target); cut >= 0; cut = strings.LastIndexByte(target, '/') {
935                 target = target[:cut]
936                 fi, err := fs.Stat(target)
937                 if os.IsNotExist(err) {
938                         // creating a new file/dir, or download
939                         // destined to fail
940                         continue
941                 } else if err != nil {
942                         return nil, ""
943                 }
944                 switch src := fi.Sys().(type) {
945                 case *arvados.Collection:
946                         return src, strings.TrimPrefix(path[len(target):], "/")
947                 case *arvados.Group:
948                         return nil, ""
949                 default:
950                         if _, ok := src.(error); ok {
951                                 return nil, ""
952                         }
953                 }
954         }
955         return nil, ""
956 }
957
958 var lockTidyInterval = time.Minute * 10
959
960 // Lock the specified collection for reading or writing. Caller must
961 // call Unlock() on the returned Locker when the operation is
962 // finished.
963 func (h *handler) collectionLock(collectionID string, writing bool) sync.Locker {
964         h.lockMtx.Lock()
965         defer h.lockMtx.Unlock()
966         if time.Since(h.lockTidied) > lockTidyInterval {
967                 // Periodically delete all locks that aren't in use.
968                 h.lockTidied = time.Now()
969                 for id, locker := range h.lock {
970                         if locker.TryLock() {
971                                 locker.Unlock()
972                                 delete(h.lock, id)
973                         }
974                 }
975         }
976         locker := h.lock[collectionID]
977         if locker == nil {
978                 locker = new(sync.RWMutex)
979                 if h.lock == nil {
980                         h.lock = map[string]*sync.RWMutex{}
981                 }
982                 h.lock[collectionID] = locker
983         }
984         if writing {
985                 locker.Lock()
986                 return locker
987         } else {
988                 locker.RLock()
989                 return locker.RLocker()
990         }
991 }
992
993 func ServeCORSPreflight(w http.ResponseWriter, header http.Header) bool {
994         method := header.Get("Access-Control-Request-Method")
995         if method == "" {
996                 return false
997         }
998         if !browserMethod[method] && !webdavMethod[method] {
999                 w.WriteHeader(http.StatusMethodNotAllowed)
1000                 return true
1001         }
1002         w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
1003         w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
1004         w.Header().Set("Access-Control-Allow-Origin", "*")
1005         w.Header().Set("Access-Control-Max-Age", "86400")
1006         return true
1007 }