lib/controller/federation.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package controller
   6
   7 import (
   8         "bufio"
   9         "bytes"
  10         "database/sql"
  11         "encoding/json"
  12         "fmt"
  13         "io/ioutil"
  14         "net/http"
  15         "net/url"
  16         "regexp"
  17         "strings"
  18
  19         "git.curoverse.com/arvados.git/sdk/go/arvados"
  20         "git.curoverse.com/arvados.git/sdk/go/auth"
  21         "git.curoverse.com/arvados.git/sdk/go/httpserver"
  22         "git.curoverse.com/arvados.git/sdk/go/keepclient"
  23 )
  24
  25 var wfRe = regexp.MustCompile(`^/arvados/v1/workflows/([0-9a-z]{5})-[^/]+$`)
  26 var collectionRe = regexp.MustCompile(`^/arvados/v1/collections/([0-9a-z]{5})-[^/]+$`)
  27
  28 type genericFederatedRequestHandler struct {
  29         next    http.Handler
  30         handler *Handler
  31 }
  32
  33 type collectionFederatedRequestHandler struct {
  34         next    http.Handler
  35         handler *Handler
  36 }
  37
  38 func (h *Handler) remoteClusterRequest(remoteID string, w http.ResponseWriter, req *http.Request, filter ResponseFilter) {
  39         remote, ok := h.Cluster.RemoteClusters[remoteID]
  40         if !ok {
  41                 httpserver.Error(w, "no proxy available for cluster "+remoteID, http.StatusNotFound)
  42                 return
  43         }
  44         scheme := remote.Scheme
  45         if scheme == "" {
  46                 scheme = "https"
  47         }
  48         err := h.saltAuthToken(req, remoteID)
  49         if err != nil {
  50                 httpserver.Error(w, err.Error(), http.StatusBadRequest)
  51                 return
  52         }
  53         urlOut := &url.URL{
  54                 Scheme:   scheme,
  55                 Host:     remote.Host,
  56                 Path:     req.URL.Path,
  57                 RawPath:  req.URL.RawPath,
  58                 RawQuery: req.URL.RawQuery,
  59         }
  60         client := h.secureClient
  61         if remote.Insecure {
  62                 client = h.insecureClient
  63         }
  64         h.proxy.Do(w, req, urlOut, client, filter)
  65 }
  66
  67 func (h *genericFederatedRequestHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
  68         m := wfRe.FindStringSubmatch(req.URL.Path)
  69         if len(m) < 2 || m[1] == h.handler.Cluster.ClusterID {
  70                 h.next.ServeHTTP(w, req)
  71                 return
  72         }
  73         h.handler.remoteClusterRequest(m[1], w, req, nil)
  74 }
  75
  76 type rewriteSignaturesClusterId string
  77
  78 func (clusterId rewriteSignaturesClusterId) rewriteSignatures(resp *http.Response) (newResponse *http.Response, err error) {
  79         if resp.StatusCode != 200 {
  80                 return resp, nil
  81         }
  82
  83         originalBody := resp.Body
  84         defer originalBody.Close()
  85
  86         var col arvados.Collection
  87         err = json.NewDecoder(resp.Body).Decode(&col)
  88         if err != nil {
  89                 return nil, err
  90         }
  91
  92         // rewriting signatures will make manifest text 5-10% bigger so calculate
  93         // capacity accordingly
  94         updatedManifest := bytes.NewBuffer(make([]byte, 0, int(float64(len(col.ManifestText))*1.1)))
  95
  96         scanner := bufio.NewScanner(strings.NewReader(col.ManifestText))
  97         scanner.Buffer(make([]byte, 1048576), len(col.ManifestText))
  98         for scanner.Scan() {
  99                 line := scanner.Text()
 100                 tokens := strings.Split(line, " ")
 101                 if len(tokens) < 3 {
 102                         return nil, fmt.Errorf("Invalid stream (<3 tokens): %q", line)
 103                 }
 104
 105                 updatedManifest.WriteString(tokens[0])
 106                 for _, token := range tokens[1:] {
 107                         updatedManifest.WriteString(" ")
 108                         m := keepclient.SignedLocatorRe.FindStringSubmatch(token)
 109                         if m != nil {
 110                                 // Rewrite the block signature to be a remote signature
 111                                 fmt.Fprintf(updatedManifest, "%s%s%s+R%s-%s%s", m[1], m[2], m[3], clusterId, m[5][2:], m[8])
 112                         } else {
 113                                 updatedManifest.WriteString(token)
 114                         }
 115
 116                 }
 117                 updatedManifest.WriteString("\n")
 118         }
 119
 120         col.ManifestText = updatedManifest.String()
 121
 122         newbody, err := json.Marshal(col)
 123         if err != nil {
 124                 return nil, err
 125         }
 126
 127         buf := bytes.NewBuffer(newbody)
 128         resp.Body = ioutil.NopCloser(buf)
 129         resp.ContentLength = int64(buf.Len())
 130         resp.Header.Set("Content-Length", fmt.Sprintf("%v", buf.Len()))
 131
 132         return resp, nil
 133 }
 134
 135 func (h *collectionFederatedRequestHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 136         m := collectionRe.FindStringSubmatch(req.URL.Path)
 137         if len(m) < 2 || m[1] == h.handler.Cluster.ClusterID {
 138                 h.next.ServeHTTP(w, req)
 139                 return
 140         }
 141         h.handler.remoteClusterRequest(m[1], w, req,
 142                 rewriteSignaturesClusterId(m[1]).rewriteSignatures)
 143 }
 144
 145 func (h *Handler) setupProxyRemoteCluster(next http.Handler) http.Handler {
 146         mux := http.NewServeMux()
 147         mux.Handle("/arvados/v1/workflows", next)
 148         mux.Handle("/arvados/v1/workflows/", &genericFederatedRequestHandler{next, h})
 149         mux.Handle("/arvados/v1/collections/", &collectionFederatedRequestHandler{next, h})
 150         mux.Handle("/", next)
 151
 152         return mux
 153 }
 154
 155 type CurrentUser struct {
 156         Authorization arvados.APIClientAuthorization
 157         UUID          string
 158 }
 159
 160 func (h *Handler) validateAPItoken(req *http.Request, user *CurrentUser) error {
 161         db, err := h.db(req)
 162         if err != nil {
 163                 return err
 164         }
 165         return db.QueryRowContext(req.Context(), `SELECT api_client_authorizations.uuid, users.uuid FROM api_client_authorizations JOIN users on api_client_authorizations.user_id=users.id WHERE api_token=$1 AND (expires_at IS NULL OR expires_at > current_timestamp) LIMIT 1`, user.Authorization.APIToken).Scan(&user.Authorization.UUID, &user.UUID)
 166 }
 167
 168 // Extract the auth token supplied in req, and replace it with a
 169 // salted token for the remote cluster.
 170 func (h *Handler) saltAuthToken(req *http.Request, remote string) error {
 171         creds := auth.NewCredentials()
 172         creds.LoadTokensFromHTTPRequest(req)
 173         if len(creds.Tokens) == 0 && req.Header.Get("Content-Type") == "application/x-www-form-encoded" {
 174                 // Override ParseForm's 10MiB limit by ensuring
 175                 // req.Body is a *http.maxBytesReader.
 176                 req.Body = http.MaxBytesReader(nil, req.Body, 1<<28) // 256MiB. TODO: use MaxRequestSize from discovery doc or config.
 177                 if err := creds.LoadTokensFromHTTPRequestBody(req); err != nil {
 178                         return err
 179                 }
 180                 // Replace req.Body with a buffer that re-encodes the
 181                 // form without api_token, in case we end up
 182                 // forwarding the request.
 183                 if req.PostForm != nil {
 184                         req.PostForm.Del("api_token")
 185                 }
 186                 req.Body = ioutil.NopCloser(bytes.NewBufferString(req.PostForm.Encode()))
 187         }
 188         if len(creds.Tokens) == 0 {
 189                 return nil
 190         }
 191         token, err := auth.SaltToken(creds.Tokens[0], remote)
 192         if err == auth.ErrObsoleteToken {
 193                 // If the token exists in our own database, salt it
 194                 // for the remote. Otherwise, assume it was issued by
 195                 // the remote, and pass it through unmodified.
 196                 currentUser := CurrentUser{Authorization: arvados.APIClientAuthorization{APIToken: creds.Tokens[0]}}
 197                 err = h.validateAPItoken(req, &currentUser)
 198                 if err == sql.ErrNoRows {
 199                         // Not ours; pass through unmodified.
 200                         token = currentUser.Authorization.APIToken
 201                 } else if err != nil {
 202                         return err
 203                 } else {
 204                         // Found; make V2 version and salt it.
 205                         token, err = auth.SaltToken(currentUser.Authorization.TokenV2(), remote)
 206                         if err != nil {
 207                                 return err
 208                         }
 209                 }
 210         } else if err != nil {
 211                 return err
 212         }
 213         req.Header.Set("Authorization", "Bearer "+token)
 214
 215         // Remove api_token=... from the the query string, in case we
 216         // end up forwarding the request.
 217         if values, err := url.ParseQuery(req.URL.RawQuery); err != nil {
 218                 return err
 219         } else if _, ok := values["api_token"]; ok {
 220                 delete(values, "api_token")
 221                 req.URL.RawQuery = values.Encode()
 222         }
 223         return nil
 224 }