1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
20 "git.arvados.org/arvados.git/sdk/go/arvados"
21 "git.arvados.org/arvados.git/sdk/go/arvadostest"
22 "git.arvados.org/arvados.git/sdk/go/auth"
23 "git.arvados.org/arvados.git/sdk/go/keepclient"
24 "github.com/prometheus/client_golang/prometheus"
25 check "gopkg.in/check.v1"
28 var _ = check.Suite(&ProxyRemoteSuite{})
30 type ProxyRemoteSuite struct {
31 cluster *arvados.Cluster
34 remoteClusterID string
35 remoteBlobSigningKey []byte
36 remoteKeepLocator string
38 remoteKeepproxy *httptest.Server
39 remoteKeepRequests int64
40 remoteAPI *httptest.Server
43 func (s *ProxyRemoteSuite) remoteKeepproxyHandler(w http.ResponseWriter, r *http.Request) {
44 expectToken, err := auth.SaltToken(arvadostest.ActiveTokenV2, s.remoteClusterID)
48 atomic.AddInt64(&s.remoteKeepRequests, 1)
50 if auth := strings.Split(r.Header.Get("Authorization"), " "); len(auth) == 2 && (auth[0] == "OAuth2" || auth[0] == "Bearer") {
53 if r.Method == "GET" && r.URL.Path == "/"+s.remoteKeepLocator && token == expectToken {
54 w.Write(s.remoteKeepData)
57 http.Error(w, "404", 404)
60 func (s *ProxyRemoteSuite) remoteAPIHandler(w http.ResponseWriter, r *http.Request) {
61 host, port, _ := net.SplitHostPort(strings.Split(s.remoteKeepproxy.URL, "//")[1])
62 portnum, _ := strconv.Atoi(port)
63 if r.URL.Path == "/arvados/v1/discovery/v1/rest" {
64 json.NewEncoder(w).Encode(arvados.DiscoveryDocument{})
67 if r.URL.Path == "/arvados/v1/keep_services/accessible" {
68 json.NewEncoder(w).Encode(arvados.KeepServiceList{
69 Items: []arvados.KeepService{
71 UUID: s.remoteClusterID + "-bi6l4-proxyproxyproxy",
75 ServiceSSLFlag: false,
81 http.Error(w, "404", 404)
84 func (s *ProxyRemoteSuite) SetUpTest(c *check.C) {
85 s.remoteClusterID = "z0000"
86 s.remoteBlobSigningKey = []byte("3b6df6fb6518afe12922a5bc8e67bf180a358bc8")
87 s.remoteKeepproxy = httptest.NewServer(http.HandlerFunc(s.remoteKeepproxyHandler))
88 s.remoteAPI = httptest.NewUnstartedServer(http.HandlerFunc(s.remoteAPIHandler))
89 s.remoteAPI.StartTLS()
90 s.cluster = testCluster(c)
91 s.cluster.Collections.BlobSigningKey = knownKey
92 s.cluster.SystemRootToken = arvadostest.SystemRootToken
93 s.cluster.RemoteClusters = map[string]arvados.RemoteCluster{
95 Host: strings.Split(s.remoteAPI.URL, "//")[1],
101 s.cluster.Volumes = map[string]arvados.Volume{"zzzzz-nyw5e-000000000000000": {Driver: "mock"}}
102 s.handler = &handler{}
103 c.Assert(s.handler.setup(context.Background(), s.cluster, "", prometheus.NewRegistry(), testServiceURL), check.IsNil)
106 func (s *ProxyRemoteSuite) TearDownTest(c *check.C) {
108 s.remoteKeepproxy.Close()
111 func (s *ProxyRemoteSuite) TestProxyRemote(c *check.C) {
112 data := []byte("foo bar")
113 s.remoteKeepData = data
114 locator := fmt.Sprintf("%x+%d", md5.Sum(data), len(data))
115 s.remoteKeepLocator = keepclient.SignLocator(locator, arvadostest.ActiveTokenV2, time.Now().Add(time.Minute), time.Minute, s.remoteBlobSigningKey)
117 path := "/" + strings.Replace(s.remoteKeepLocator, "+A", "+R"+s.remoteClusterID+"-", 1)
119 for _, trial := range []struct {
123 xKeepSignature string
124 expectRemoteReqs int64
131 token: arvadostest.ActiveTokenV2,
133 expectCode: http.StatusOK,
136 label: "obsolete token",
138 token: arvadostest.ActiveToken,
140 expectCode: http.StatusBadRequest,
145 token: arvadostest.ActiveTokenV2[:len(arvadostest.ActiveTokenV2)-3] + "xxx",
147 expectCode: http.StatusNotFound,
152 token: arvadostest.ActiveTokenV2,
154 expectCode: http.StatusOK,
157 label: "HEAD with local signature",
159 xKeepSignature: "local, time=" + time.Now().Format(time.RFC3339),
160 token: arvadostest.ActiveTokenV2,
162 expectCode: http.StatusOK,
163 expectSignature: true,
166 label: "GET with local signature",
168 xKeepSignature: "local, time=" + time.Now().Format(time.RFC3339),
169 token: arvadostest.ActiveTokenV2,
171 expectCode: http.StatusOK,
172 expectSignature: true,
175 c.Logf("trial: %s", trial.label)
177 s.remoteKeepRequests = 0
179 var req *http.Request
180 var resp *httptest.ResponseRecorder
181 req = httptest.NewRequest(trial.method, path, nil)
182 req.Header.Set("Authorization", "Bearer "+trial.token)
183 if trial.xKeepSignature != "" {
184 req.Header.Set("X-Keep-Signature", trial.xKeepSignature)
186 resp = httptest.NewRecorder()
187 s.handler.ServeHTTP(resp, req)
188 c.Check(s.remoteKeepRequests, check.Equals, trial.expectRemoteReqs)
189 c.Check(resp.Code, check.Equals, trial.expectCode)
190 if resp.Code == http.StatusOK {
191 c.Check(resp.Body.String(), check.Equals, string(data))
193 c.Check(resp.Body.String(), check.Not(check.Equals), string(data))
196 c.Check(resp.Header().Get("Vary"), check.Matches, `(.*, )?X-Keep-Signature(, .*)?`)
198 locHdr := resp.Header().Get("X-Keep-Locator")
199 if !trial.expectSignature {
200 c.Check(locHdr, check.Equals, "")
204 c.Check(locHdr, check.Not(check.Equals), "")
205 c.Check(locHdr, check.Not(check.Matches), `.*\+R.*`)
206 c.Check(VerifySignature(s.cluster, locHdr, trial.token), check.IsNil)
208 // Ensure block can be requested using new signature
209 req = httptest.NewRequest("GET", "/"+locHdr, nil)
210 req.Header.Set("Authorization", "Bearer "+trial.token)
211 resp = httptest.NewRecorder()
212 s.handler.ServeHTTP(resp, req)
213 c.Check(resp.Code, check.Equals, http.StatusOK)
214 c.Check(s.remoteKeepRequests, check.Equals, trial.expectRemoteReqs)