lib/controller/localdb/container_gateway.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package localdb
   6
   7 import (
   8         "bufio"
   9         "context"
  10         "crypto/hmac"
  11         "crypto/sha256"
  12         "crypto/tls"
  13         "crypto/x509"
  14         "errors"
  15         "fmt"
  16         "net/http"
  17         "net/url"
  18         "strings"
  19
  20         "git.arvados.org/arvados.git/sdk/go/arvados"
  21         "git.arvados.org/arvados.git/sdk/go/auth"
  22         "git.arvados.org/arvados.git/sdk/go/ctxlog"
  23         "git.arvados.org/arvados.git/sdk/go/httpserver"
  24 )
  25
  26 // ContainerSSH returns a connection to the SSH server in the
  27 // appropriate crunch-run process on the worker node where the
  28 // specified container is running.
  29 //
  30 // If the returned error is nil, the caller is responsible for closing
  31 // sshconn.Conn.
  32 func (conn *Conn) ContainerSSH(ctx context.Context, opts arvados.ContainerSSHOptions) (sshconn arvados.ContainerSSHConnection, err error) {
  33         user, err := conn.railsProxy.UserGetCurrent(ctx, arvados.GetOptions{})
  34         if err != nil {
  35                 return
  36         }
  37         ctr, err := conn.railsProxy.ContainerGet(ctx, arvados.GetOptions{UUID: opts.UUID})
  38         if err != nil {
  39                 return
  40         }
  41
  42         ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{conn.cluster.SystemRootToken}})
  43         crs, err := conn.railsProxy.ContainerRequestList(ctxRoot, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"container_uuid", "=", opts.UUID}}})
  44         if err != nil {
  45                 return
  46         }
  47         for _, cr := range crs.Items {
  48                 if cr.ModifiedByUserUUID != user.UUID {
  49                         err = httpserver.ErrorWithStatus(errors.New("permission denied: container is associated with requests submitted by other users"), http.StatusForbidden)
  50                         return
  51                 }
  52         }
  53         if crs.ItemsAvailable != len(crs.Items) {
  54                 err = httpserver.ErrorWithStatus(errors.New("incomplete response while checking permission"), http.StatusInternalServerError)
  55                 return
  56         }
  57
  58         ctr, err := conn.railsProxy.ContainerGet(ctx, arvados.GetOptions{UUID: opts.UUID})
  59         if err != nil {
  60                 return
  61         }
  62         if ctr.GatewayAddress == "" || ctr.State != arvados.ContainerStateRunning {
  63                 err = httpserver.ErrorWithStatus(fmt.Errorf("gateway is not available, container is %s", strings.ToLower(string(ctr.State))), http.StatusBadGateway)
  64                 return
  65         }
  66         // crunch-run uses a self-signed / unverifiable TLS
  67         // certificate, so we use the following scheme to ensure we're
  68         // not talking to a MITM.
  69         //
  70         // 1. Compute ctrKey = HMAC-SHA256(sysRootToken,ctrUUID) --
  71         // this will be the same ctrKey that a-d-c supplied to
  72         // crunch-run in the GatewayAuthSecret env var.
  73         //
  74         // 2. Compute requestAuth = HMAC-SHA256(ctrKey,serverCert) and
  75         // send it to crunch-run as the X-Arvados-Authorization
  76         // header, proving that we know ctrKey. (Note a MITM cannot
  77         // replay the proof to a real crunch-run server, because the
  78         // real crunch-run server would have a different cert.)
  79         //
  80         // 3. Compute respondAuth = HMAC-SHA256(ctrKey,requestAuth)
  81         // and ensure the server returns it in the
  82         // X-Arvados-Authorization-Response header, proving that the
  83         // server knows ctrKey.
  84         var requestAuth, respondAuth string
  85         netconn, err := tls.Dial("tcp", ctr.GatewayAddress, &tls.Config{
  86                 InsecureSkipVerify: true,
  87                 VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
  88                         if len(rawCerts) == 0 {
  89                                 return errors.New("no certificate received, cannot compute authorization header")
  90                         }
  91                         h := hmac.New(sha256.New, []byte(conn.cluster.SystemRootToken))
  92                         fmt.Fprint(h, opts.UUID)
  93                         authKey := fmt.Sprintf("%x", h.Sum(nil))
  94                         h = hmac.New(sha256.New, []byte(authKey))
  95                         h.Write(rawCerts[0])
  96                         requestAuth = fmt.Sprintf("%x", h.Sum(nil))
  97                         h.Reset()
  98                         h.Write([]byte(requestAuth))
  99                         respondAuth = fmt.Sprintf("%x", h.Sum(nil))
 100                         return nil
 101                 },
 102         })
 103         if err != nil {
 104                 return
 105         }
 106         if respondAuth == "" {
 107                 err = httpserver.ErrorWithStatus(errors.New("BUG: no respondAuth"), http.StatusInternalServerError)
 108                 return
 109         }
 110         bufr := bufio.NewReader(netconn)
 111         bufw := bufio.NewWriter(netconn)
 112
 113         u := url.URL{
 114                 Scheme: "http",
 115                 Host:   ctr.GatewayAddress,
 116                 Path:   "/ssh",
 117         }
 118         bufw.WriteString("GET " + u.String() + " HTTP/1.1\r\n")
 119         bufw.WriteString("Host: " + u.Host + "\r\n")
 120         bufw.WriteString("Upgrade: ssh\r\n")
 121         bufw.WriteString("X-Arvados-Target-Uuid: " + opts.UUID + "\r\n")
 122         bufw.WriteString("X-Arvados-Authorization: " + requestAuth + "\r\n")
 123         bufw.WriteString("X-Arvados-Detach-Keys: " + opts.DetachKeys + "\r\n")
 124         bufw.WriteString("X-Arvados-Login-Username: " + opts.LoginUsername + "\r\n")
 125         bufw.WriteString("\r\n")
 126         bufw.Flush()
 127         resp, err := http.ReadResponse(bufr, &http.Request{Method: "GET"})
 128         if err != nil {
 129                 err = httpserver.ErrorWithStatus(fmt.Errorf("error reading http response from gateway: %w", err), http.StatusBadGateway)
 130                 netconn.Close()
 131                 return
 132         }
 133         if resp.Header.Get("X-Arvados-Authorization-Response") != respondAuth {
 134                 err = httpserver.ErrorWithStatus(errors.New("bad X-Arvados-Authorization-Response header"), http.StatusBadGateway)
 135                 netconn.Close()
 136                 return
 137         }
 138         if strings.ToLower(resp.Header.Get("Upgrade")) != "ssh" ||
 139                 strings.ToLower(resp.Header.Get("Connection")) != "upgrade" {
 140                 err = httpserver.ErrorWithStatus(errors.New("bad upgrade"), http.StatusBadGateway)
 141                 netconn.Close()
 142                 return
 143         }
 144         sshconn.Conn = netconn
 145         sshconn.Bufrw = &bufio.ReadWriter{Reader: bufr, Writer: bufw}
 146         sshconn.Logger = ctxlog.FromContext(ctx)
 147         return
 148 }