11 "git.curoverse.com/arvados.git/sdk/go/arvadosclient"
12 "git.curoverse.com/arvados.git/sdk/go/auth"
13 "git.curoverse.com/arvados.git/sdk/go/httpserver"
16 type authHandler struct {
18 clientPool *arvadosclient.ClientPool
22 func (h *authHandler) setup() {
23 os.Setenv("ARVADOS_API_HOST", theConfig.Client.APIHost)
24 if theConfig.Client.Insecure {
25 os.Setenv("ARVADOS_API_HOST_INSECURE", "1")
27 os.Setenv("ARVADOS_API_HOST_INSECURE", "")
29 h.clientPool = arvadosclient.MakeClientPool()
32 func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
33 h.setupOnce.Do(h.setup)
39 var validApiToken bool
41 w := httpserver.WrapResponseWriter(wOrig)
44 if w.WroteStatus() == 0 {
45 // Nobody has called WriteHeader yet: that
47 w.WriteHeader(statusCode)
48 w.Write([]byte(statusText))
51 // If the given password is a valid token, log the first 10 characters of the token.
52 // Otherwise: log the string <invalid> if a password is given, else an empty string.
55 if len(apiToken) > 0 {
56 passwordToLog = "<invalid>"
59 passwordToLog = apiToken[0:10]
62 httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path)
65 creds := auth.NewCredentialsFromHTTPRequest(r)
66 if len(creds.Tokens) == 0 {
67 statusCode, statusText = http.StatusUnauthorized, "no credentials provided"
68 w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"")
71 apiToken = creds.Tokens[0]
73 // Access to paths "/foo/bar.git/*" and "/foo/bar/.git/*" are
74 // protected by the permissions on the repository named
76 pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2)
77 if len(pathParts) != 2 {
78 statusCode, statusText = http.StatusBadRequest, "bad request"
81 repoName = pathParts[0]
82 repoName = strings.TrimRight(repoName, "/")
84 arv := h.clientPool.Get()
86 statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+h.clientPool.Err().Error()
89 defer h.clientPool.Put(arv)
91 // Ask API server whether the repository is readable using
92 // this token (by trying to read it!)
93 arv.ApiToken = apiToken
94 reposFound := arvadosclient.Dict{}
95 if err := arv.List("repositories", arvadosclient.Dict{
96 "filters": [][]string{{"name", "=", repoName}},
97 }, &reposFound); err != nil {
98 statusCode, statusText = http.StatusInternalServerError, err.Error()
102 if avail, ok := reposFound["items_available"].(float64); !ok {
103 statusCode, statusText = http.StatusInternalServerError, "bad list response from API"
105 } else if avail < 1 {
106 statusCode, statusText = http.StatusNotFound, "not found"
108 } else if avail > 1 {
109 statusCode, statusText = http.StatusInternalServerError, "name collision"
113 repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string)
115 isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack")
119 err := arv.Update("repositories", repoUUID, arvadosclient.Dict{
120 "repository": arvadosclient.Dict{
121 "modified_at": time.Now().String(),
123 }, &arvadosclient.Dict{})
125 statusCode, statusText = http.StatusForbidden, err.Error()
131 // Regardless of whether the client asked for "/foo.git" or
132 // "/foo/.git", we choose whichever variant exists in our repo
133 // root, and we try {uuid}.git and {uuid}/.git first. If none
134 // of these exist, we 404 even though the API told us the repo
135 // _should_ exist (presumably this means the repo was just
136 // created, and gitolite sync hasn't run yet).
139 "/" + repoUUID + ".git",
140 "/" + repoUUID + "/.git",
141 "/" + repoName + ".git",
142 "/" + repoName + "/.git",
144 for _, dir := range tryDirs {
145 if fileInfo, err := os.Stat(theConfig.RepoRoot + dir); err != nil {
146 if !os.IsNotExist(err) {
147 statusCode, statusText = http.StatusInternalServerError, err.Error()
150 } else if fileInfo.IsDir() {
151 rewrittenPath = dir + "/" + pathParts[1]
155 if rewrittenPath == "" {
156 log.Println("WARNING:", repoUUID,
157 "git directory not found in", theConfig.RepoRoot, tryDirs)
158 // We say "content not found" to disambiguate from the
159 // earlier "API says that repo does not exist" error.
160 statusCode, statusText = http.StatusNotFound, "content not found"
163 r.URL.Path = rewrittenPath
165 h.handler.ServeHTTP(&w, r)