Merge branch '19862-nokogiri-upgrade'. Closes #19862
[arvados.git] / services / keepstore / proxy_remote_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package keepstore
6
7 import (
8         "context"
9         "crypto/md5"
10         "encoding/json"
11         "fmt"
12         "net"
13         "net/http"
14         "net/http/httptest"
15         "strconv"
16         "strings"
17         "sync/atomic"
18         "time"
19
20         "git.arvados.org/arvados.git/sdk/go/arvados"
21         "git.arvados.org/arvados.git/sdk/go/arvadostest"
22         "git.arvados.org/arvados.git/sdk/go/auth"
23         "git.arvados.org/arvados.git/sdk/go/keepclient"
24         "github.com/prometheus/client_golang/prometheus"
25         check "gopkg.in/check.v1"
26 )
27
28 var _ = check.Suite(&ProxyRemoteSuite{})
29
30 type ProxyRemoteSuite struct {
31         cluster *arvados.Cluster
32         handler *handler
33
34         remoteClusterID      string
35         remoteBlobSigningKey []byte
36         remoteKeepLocator    string
37         remoteKeepData       []byte
38         remoteKeepproxy      *httptest.Server
39         remoteKeepRequests   int64
40         remoteAPI            *httptest.Server
41 }
42
43 func (s *ProxyRemoteSuite) remoteKeepproxyHandler(w http.ResponseWriter, r *http.Request) {
44         expectToken, err := auth.SaltToken(arvadostest.ActiveTokenV2, s.remoteClusterID)
45         if err != nil {
46                 panic(err)
47         }
48         atomic.AddInt64(&s.remoteKeepRequests, 1)
49         var token string
50         if auth := strings.Split(r.Header.Get("Authorization"), " "); len(auth) == 2 && (auth[0] == "OAuth2" || auth[0] == "Bearer") {
51                 token = auth[1]
52         }
53         if r.Method == "GET" && r.URL.Path == "/"+s.remoteKeepLocator && token == expectToken {
54                 w.Write(s.remoteKeepData)
55                 return
56         }
57         http.Error(w, "404", 404)
58 }
59
60 func (s *ProxyRemoteSuite) remoteAPIHandler(w http.ResponseWriter, r *http.Request) {
61         host, port, _ := net.SplitHostPort(strings.Split(s.remoteKeepproxy.URL, "//")[1])
62         portnum, _ := strconv.Atoi(port)
63         if r.URL.Path == "/arvados/v1/discovery/v1/rest" {
64                 json.NewEncoder(w).Encode(arvados.DiscoveryDocument{})
65                 return
66         }
67         if r.URL.Path == "/arvados/v1/keep_services/accessible" {
68                 json.NewEncoder(w).Encode(arvados.KeepServiceList{
69                         Items: []arvados.KeepService{
70                                 {
71                                         UUID:           s.remoteClusterID + "-bi6l4-proxyproxyproxy",
72                                         ServiceType:    "proxy",
73                                         ServiceHost:    host,
74                                         ServicePort:    portnum,
75                                         ServiceSSLFlag: false,
76                                 },
77                         },
78                 })
79                 return
80         }
81         http.Error(w, "404", 404)
82 }
83
84 func (s *ProxyRemoteSuite) SetUpTest(c *check.C) {
85         s.remoteClusterID = "z0000"
86         s.remoteBlobSigningKey = []byte("3b6df6fb6518afe12922a5bc8e67bf180a358bc8")
87         s.remoteKeepproxy = httptest.NewServer(http.HandlerFunc(s.remoteKeepproxyHandler))
88         s.remoteAPI = httptest.NewUnstartedServer(http.HandlerFunc(s.remoteAPIHandler))
89         s.remoteAPI.StartTLS()
90         s.cluster = testCluster(c)
91         s.cluster.Collections.BlobSigningKey = knownKey
92         s.cluster.SystemRootToken = arvadostest.SystemRootToken
93         s.cluster.RemoteClusters = map[string]arvados.RemoteCluster{
94                 s.remoteClusterID: {
95                         Host:     strings.Split(s.remoteAPI.URL, "//")[1],
96                         Proxy:    true,
97                         Scheme:   "http",
98                         Insecure: true,
99                 },
100         }
101         s.cluster.Volumes = map[string]arvados.Volume{"zzzzz-nyw5e-000000000000000": {Driver: "mock"}}
102         s.handler = &handler{}
103         c.Assert(s.handler.setup(context.Background(), s.cluster, "", prometheus.NewRegistry(), testServiceURL), check.IsNil)
104 }
105
106 func (s *ProxyRemoteSuite) TearDownTest(c *check.C) {
107         s.remoteAPI.Close()
108         s.remoteKeepproxy.Close()
109 }
110
111 func (s *ProxyRemoteSuite) TestProxyRemote(c *check.C) {
112         data := []byte("foo bar")
113         s.remoteKeepData = data
114         locator := fmt.Sprintf("%x+%d", md5.Sum(data), len(data))
115         s.remoteKeepLocator = keepclient.SignLocator(locator, arvadostest.ActiveTokenV2, time.Now().Add(time.Minute), time.Minute, s.remoteBlobSigningKey)
116
117         path := "/" + strings.Replace(s.remoteKeepLocator, "+A", "+R"+s.remoteClusterID+"-", 1)
118
119         for _, trial := range []struct {
120                 label            string
121                 method           string
122                 token            string
123                 xKeepSignature   string
124                 expectRemoteReqs int64
125                 expectCode       int
126                 expectSignature  bool
127         }{
128                 {
129                         label:            "GET only",
130                         method:           "GET",
131                         token:            arvadostest.ActiveTokenV2,
132                         expectRemoteReqs: 1,
133                         expectCode:       http.StatusOK,
134                 },
135                 {
136                         label:            "obsolete token",
137                         method:           "GET",
138                         token:            arvadostest.ActiveToken,
139                         expectRemoteReqs: 0,
140                         expectCode:       http.StatusBadRequest,
141                 },
142                 {
143                         label:            "bad token",
144                         method:           "GET",
145                         token:            arvadostest.ActiveTokenV2[:len(arvadostest.ActiveTokenV2)-3] + "xxx",
146                         expectRemoteReqs: 1,
147                         expectCode:       http.StatusNotFound,
148                 },
149                 {
150                         label:            "HEAD only",
151                         method:           "HEAD",
152                         token:            arvadostest.ActiveTokenV2,
153                         expectRemoteReqs: 1,
154                         expectCode:       http.StatusOK,
155                 },
156                 {
157                         label:            "HEAD with local signature",
158                         method:           "HEAD",
159                         xKeepSignature:   "local, time=" + time.Now().Format(time.RFC3339),
160                         token:            arvadostest.ActiveTokenV2,
161                         expectRemoteReqs: 1,
162                         expectCode:       http.StatusOK,
163                         expectSignature:  true,
164                 },
165                 {
166                         label:            "GET with local signature",
167                         method:           "GET",
168                         xKeepSignature:   "local, time=" + time.Now().Format(time.RFC3339),
169                         token:            arvadostest.ActiveTokenV2,
170                         expectRemoteReqs: 1,
171                         expectCode:       http.StatusOK,
172                         expectSignature:  true,
173                 },
174         } {
175                 c.Logf("trial: %s", trial.label)
176
177                 s.remoteKeepRequests = 0
178
179                 var req *http.Request
180                 var resp *httptest.ResponseRecorder
181                 req = httptest.NewRequest(trial.method, path, nil)
182                 req.Header.Set("Authorization", "Bearer "+trial.token)
183                 if trial.xKeepSignature != "" {
184                         req.Header.Set("X-Keep-Signature", trial.xKeepSignature)
185                 }
186                 resp = httptest.NewRecorder()
187                 s.handler.ServeHTTP(resp, req)
188                 c.Check(s.remoteKeepRequests, check.Equals, trial.expectRemoteReqs)
189                 c.Check(resp.Code, check.Equals, trial.expectCode)
190                 if resp.Code == http.StatusOK {
191                         c.Check(resp.Body.String(), check.Equals, string(data))
192                 } else {
193                         c.Check(resp.Body.String(), check.Not(check.Equals), string(data))
194                 }
195
196                 c.Check(resp.Header().Get("Vary"), check.Matches, `(.*, )?X-Keep-Signature(, .*)?`)
197
198                 locHdr := resp.Header().Get("X-Keep-Locator")
199                 if !trial.expectSignature {
200                         c.Check(locHdr, check.Equals, "")
201                         continue
202                 }
203
204                 c.Check(locHdr, check.Not(check.Equals), "")
205                 c.Check(locHdr, check.Not(check.Matches), `.*\+R.*`)
206                 c.Check(VerifySignature(s.cluster, locHdr, trial.token), check.IsNil)
207
208                 // Ensure block can be requested using new signature
209                 req = httptest.NewRequest("GET", "/"+locHdr, nil)
210                 req.Header.Set("Authorization", "Bearer "+trial.token)
211                 resp = httptest.NewRecorder()
212                 s.handler.ServeHTTP(resp, req)
213                 c.Check(resp.Code, check.Equals, http.StatusOK)
214                 c.Check(s.remoteKeepRequests, check.Equals, trial.expectRemoteReqs)
215         }
216 }