14804: Exposes the bug with a test.
[arvados.git] / services / keepproxy / keepproxy.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package main
6
7 import (
8         "errors"
9         "flag"
10         "fmt"
11         "io"
12         "io/ioutil"
13         "net"
14         "net/http"
15         "os"
16         "os/signal"
17         "regexp"
18         "strings"
19         "sync"
20         "syscall"
21         "time"
22
23         "git.curoverse.com/arvados.git/sdk/go/arvados"
24         "git.curoverse.com/arvados.git/sdk/go/arvadosclient"
25         "git.curoverse.com/arvados.git/sdk/go/config"
26         "git.curoverse.com/arvados.git/sdk/go/health"
27         "git.curoverse.com/arvados.git/sdk/go/httpserver"
28         "git.curoverse.com/arvados.git/sdk/go/keepclient"
29         "github.com/coreos/go-systemd/daemon"
30         "github.com/ghodss/yaml"
31         "github.com/gorilla/mux"
32         log "github.com/sirupsen/logrus"
33 )
34
35 var version = "dev"
36
37 type Config struct {
38         Client          arvados.Client
39         Listen          string
40         DisableGet      bool
41         DisablePut      bool
42         DefaultReplicas int
43         Timeout         arvados.Duration
44         PIDFile         string
45         Debug           bool
46         ManagementToken string
47 }
48
49 func DefaultConfig() *Config {
50         return &Config{
51                 Listen:  ":25107",
52                 Timeout: arvados.Duration(15 * time.Second),
53         }
54 }
55
56 var (
57         listener net.Listener
58         router   http.Handler
59 )
60
61 const rfc3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00"
62
63 func main() {
64         log.SetFormatter(&log.JSONFormatter{
65                 TimestampFormat: rfc3339NanoFixed,
66         })
67
68         cfg := DefaultConfig()
69
70         flagset := flag.NewFlagSet("keepproxy", flag.ExitOnError)
71         flagset.Usage = usage
72
73         const deprecated = " (DEPRECATED -- use config file instead)"
74         flagset.StringVar(&cfg.Listen, "listen", cfg.Listen, "Local port to listen on."+deprecated)
75         flagset.BoolVar(&cfg.DisableGet, "no-get", cfg.DisableGet, "Disable GET operations."+deprecated)
76         flagset.BoolVar(&cfg.DisablePut, "no-put", cfg.DisablePut, "Disable PUT operations."+deprecated)
77         flagset.IntVar(&cfg.DefaultReplicas, "default-replicas", cfg.DefaultReplicas, "Default number of replicas to write if not specified by the client. If 0, use site default."+deprecated)
78         flagset.StringVar(&cfg.PIDFile, "pid", cfg.PIDFile, "Path to write pid file."+deprecated)
79         timeoutSeconds := flagset.Int("timeout", int(time.Duration(cfg.Timeout)/time.Second), "Timeout (in seconds) on requests to internal Keep services."+deprecated)
80         flagset.StringVar(&cfg.ManagementToken, "management-token", cfg.ManagementToken, "Authorization token to be included in all health check requests.")
81
82         var cfgPath string
83         const defaultCfgPath = "/etc/arvados/keepproxy/keepproxy.yml"
84         flagset.StringVar(&cfgPath, "config", defaultCfgPath, "Configuration file `path`")
85         dumpConfig := flagset.Bool("dump-config", false, "write current configuration to stdout and exit")
86         getVersion := flagset.Bool("version", false, "Print version information and exit.")
87         flagset.Parse(os.Args[1:])
88
89         // Print version information if requested
90         if *getVersion {
91                 fmt.Printf("keepproxy %s\n", version)
92                 return
93         }
94
95         err := config.LoadFile(cfg, cfgPath)
96         if err != nil {
97                 h := os.Getenv("ARVADOS_API_HOST")
98                 t := os.Getenv("ARVADOS_API_TOKEN")
99                 if h == "" || t == "" || !os.IsNotExist(err) || cfgPath != defaultCfgPath {
100                         log.Fatal(err)
101                 }
102                 log.Print("DEPRECATED: No config file found, but ARVADOS_API_HOST and ARVADOS_API_TOKEN environment variables are set. Please use a config file instead.")
103                 cfg.Client.APIHost = h
104                 cfg.Client.AuthToken = t
105                 if regexp.MustCompile("^(?i:1|yes|true)$").MatchString(os.Getenv("ARVADOS_API_HOST_INSECURE")) {
106                         cfg.Client.Insecure = true
107                 }
108                 if y, err := yaml.Marshal(cfg); err == nil && !*dumpConfig {
109                         log.Print("Current configuration:\n", string(y))
110                 }
111                 cfg.Timeout = arvados.Duration(time.Duration(*timeoutSeconds) * time.Second)
112         }
113
114         if *dumpConfig {
115                 log.Fatal(config.DumpAndExit(cfg))
116         }
117
118         log.Printf("keepproxy %s started", version)
119
120         arv, err := arvadosclient.New(&cfg.Client)
121         if err != nil {
122                 log.Fatalf("Error setting up arvados client %s", err.Error())
123         }
124
125         if cfg.Debug {
126                 keepclient.DebugPrintf = log.Printf
127         }
128         kc, err := keepclient.MakeKeepClient(arv)
129         if err != nil {
130                 log.Fatalf("Error setting up keep client %s", err.Error())
131         }
132         keepclient.RefreshServiceDiscoveryOnSIGHUP()
133
134         if cfg.PIDFile != "" {
135                 f, err := os.Create(cfg.PIDFile)
136                 if err != nil {
137                         log.Fatal(err)
138                 }
139                 defer f.Close()
140                 err = syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB)
141                 if err != nil {
142                         log.Fatalf("flock(%s): %s", cfg.PIDFile, err)
143                 }
144                 defer os.Remove(cfg.PIDFile)
145                 err = f.Truncate(0)
146                 if err != nil {
147                         log.Fatalf("truncate(%s): %s", cfg.PIDFile, err)
148                 }
149                 _, err = fmt.Fprint(f, os.Getpid())
150                 if err != nil {
151                         log.Fatalf("write(%s): %s", cfg.PIDFile, err)
152                 }
153                 err = f.Sync()
154                 if err != nil {
155                         log.Fatal("sync(%s): %s", cfg.PIDFile, err)
156                 }
157         }
158
159         if cfg.DefaultReplicas > 0 {
160                 kc.Want_replicas = cfg.DefaultReplicas
161         }
162
163         listener, err = net.Listen("tcp", cfg.Listen)
164         if err != nil {
165                 log.Fatalf("listen(%s): %s", cfg.Listen, err)
166         }
167         if _, err := daemon.SdNotify(false, "READY=1"); err != nil {
168                 log.Printf("Error notifying init daemon: %v", err)
169         }
170         log.Println("Listening at", listener.Addr())
171
172         // Shut down the server gracefully (by closing the listener)
173         // if SIGTERM is received.
174         term := make(chan os.Signal, 1)
175         go func(sig <-chan os.Signal) {
176                 s := <-sig
177                 log.Println("caught signal:", s)
178                 listener.Close()
179         }(term)
180         signal.Notify(term, syscall.SIGTERM)
181         signal.Notify(term, syscall.SIGINT)
182
183         // Start serving requests.
184         router = MakeRESTRouter(!cfg.DisableGet, !cfg.DisablePut, kc, time.Duration(cfg.Timeout), cfg.ManagementToken)
185         http.Serve(listener, httpserver.AddRequestIDs(httpserver.LogRequests(nil, router)))
186
187         log.Println("shutting down")
188 }
189
190 type ApiTokenCache struct {
191         tokens     map[string]int64
192         lock       sync.Mutex
193         expireTime int64
194 }
195
196 // Cache the token and set an expire time.  If we already have an expire time
197 // on the token, it is not updated.
198 func (this *ApiTokenCache) RememberToken(token string) {
199         this.lock.Lock()
200         defer this.lock.Unlock()
201
202         now := time.Now().Unix()
203         if this.tokens[token] == 0 {
204                 this.tokens[token] = now + this.expireTime
205         }
206 }
207
208 // Check if the cached token is known and still believed to be valid.
209 func (this *ApiTokenCache) RecallToken(token string) bool {
210         this.lock.Lock()
211         defer this.lock.Unlock()
212
213         now := time.Now().Unix()
214         if this.tokens[token] == 0 {
215                 // Unknown token
216                 return false
217         } else if now < this.tokens[token] {
218                 // Token is known and still valid
219                 return true
220         } else {
221                 // Token is expired
222                 this.tokens[token] = 0
223                 return false
224         }
225 }
226
227 func GetRemoteAddress(req *http.Request) string {
228         if xff := req.Header.Get("X-Forwarded-For"); xff != "" {
229                 return xff + "," + req.RemoteAddr
230         }
231         return req.RemoteAddr
232 }
233
234 func CheckAuthorizationHeader(kc *keepclient.KeepClient, cache *ApiTokenCache, req *http.Request) (pass bool, tok string) {
235         parts := strings.SplitN(req.Header.Get("Authorization"), " ", 2)
236         if len(parts) < 2 || !(parts[0] == "OAuth2" || parts[0] == "Bearer") || len(parts[1]) == 0 {
237                 return false, ""
238         }
239         tok = parts[1]
240
241         // Tokens are validated differently depending on what kind of
242         // operation is being performed. For example, tokens in
243         // collection-sharing links permit GET requests, but not
244         // PUT requests.
245         var op string
246         if req.Method == "GET" || req.Method == "HEAD" {
247                 op = "read"
248         } else {
249                 op = "write"
250         }
251
252         if cache.RecallToken(op + ":" + tok) {
253                 // Valid in the cache, short circuit
254                 return true, tok
255         }
256
257         var err error
258         arv := *kc.Arvados
259         arv.ApiToken = tok
260         arv.RequestID = req.Header.Get("X-Request-Id")
261         if op == "read" {
262                 err = arv.Call("HEAD", "keep_services", "", "accessible", nil, nil)
263         } else {
264                 err = arv.Call("HEAD", "users", "", "current", nil, nil)
265         }
266         if err != nil {
267                 log.Printf("%s: CheckAuthorizationHeader error: %v", GetRemoteAddress(req), err)
268                 return false, ""
269         }
270
271         // Success!  Update cache
272         cache.RememberToken(op + ":" + tok)
273
274         return true, tok
275 }
276
277 // We need to make a private copy of the default http transport early
278 // in initialization, then make copies of our private copy later. It
279 // won't be safe to copy http.DefaultTransport itself later, because
280 // its private mutexes might have already been used. (Without this,
281 // the test suite sometimes panics "concurrent map writes" in
282 // net/http.(*Transport).removeIdleConnLocked().)
283 var defaultTransport = *(http.DefaultTransport.(*http.Transport))
284
285 type proxyHandler struct {
286         http.Handler
287         *keepclient.KeepClient
288         *ApiTokenCache
289         timeout   time.Duration
290         transport *http.Transport
291 }
292
293 // MakeRESTRouter returns an http.Handler that passes GET and PUT
294 // requests to the appropriate handlers.
295 func MakeRESTRouter(enable_get bool, enable_put bool, kc *keepclient.KeepClient, timeout time.Duration, mgmtToken string) http.Handler {
296         rest := mux.NewRouter()
297
298         transport := defaultTransport
299         transport.DialContext = (&net.Dialer{
300                 Timeout:   keepclient.DefaultConnectTimeout,
301                 KeepAlive: keepclient.DefaultKeepAlive,
302                 DualStack: true,
303         }).DialContext
304         transport.TLSClientConfig = arvadosclient.MakeTLSConfig(kc.Arvados.ApiInsecure)
305         transport.TLSHandshakeTimeout = keepclient.DefaultTLSHandshakeTimeout
306
307         h := &proxyHandler{
308                 Handler:    rest,
309                 KeepClient: kc,
310                 timeout:    timeout,
311                 transport:  &transport,
312                 ApiTokenCache: &ApiTokenCache{
313                         tokens:     make(map[string]int64),
314                         expireTime: 300,
315                 },
316         }
317
318         if enable_get {
319                 rest.HandleFunc(`/{locator:[0-9a-f]{32}\+.*}`, h.Get).Methods("GET", "HEAD")
320                 rest.HandleFunc(`/{locator:[0-9a-f]{32}}`, h.Get).Methods("GET", "HEAD")
321
322                 // List all blocks
323                 rest.HandleFunc(`/index`, h.Index).Methods("GET")
324
325                 // List blocks whose hash has the given prefix
326                 rest.HandleFunc(`/index/{prefix:[0-9a-f]{0,32}}`, h.Index).Methods("GET")
327         }
328
329         if enable_put {
330                 rest.HandleFunc(`/{locator:[0-9a-f]{32}\+.*}`, h.Put).Methods("PUT")
331                 rest.HandleFunc(`/{locator:[0-9a-f]{32}}`, h.Put).Methods("PUT")
332                 rest.HandleFunc(`/`, h.Put).Methods("POST")
333                 rest.HandleFunc(`/{any}`, h.Options).Methods("OPTIONS")
334                 rest.HandleFunc(`/`, h.Options).Methods("OPTIONS")
335         }
336
337         rest.Handle("/_health/{check}", &health.Handler{
338                 Token:  mgmtToken,
339                 Prefix: "/_health/",
340         }).Methods("GET")
341
342         rest.NotFoundHandler = InvalidPathHandler{}
343         return h
344 }
345
346 var errLoopDetected = errors.New("loop detected")
347
348 func (*proxyHandler) checkLoop(resp http.ResponseWriter, req *http.Request) error {
349         if via := req.Header.Get("Via"); strings.Index(via, " "+viaAlias) >= 0 {
350                 log.Printf("proxy loop detected (request has Via: %q): perhaps keepproxy is misidentified by gateway config as an external client, or its keep_services record does not have service_type=proxy?", via)
351                 http.Error(resp, errLoopDetected.Error(), http.StatusInternalServerError)
352                 return errLoopDetected
353         }
354         return nil
355 }
356
357 func SetCorsHeaders(resp http.ResponseWriter) {
358         resp.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, POST, PUT, OPTIONS")
359         resp.Header().Set("Access-Control-Allow-Origin", "*")
360         resp.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Length, Content-Type, X-Keep-Desired-Replicas")
361         resp.Header().Set("Access-Control-Max-Age", "86486400")
362 }
363
364 type InvalidPathHandler struct{}
365
366 func (InvalidPathHandler) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
367         log.Printf("%s: %s %s unroutable", GetRemoteAddress(req), req.Method, req.URL.Path)
368         http.Error(resp, "Bad request", http.StatusBadRequest)
369 }
370
371 func (h *proxyHandler) Options(resp http.ResponseWriter, req *http.Request) {
372         log.Printf("%s: %s %s", GetRemoteAddress(req), req.Method, req.URL.Path)
373         SetCorsHeaders(resp)
374 }
375
376 var BadAuthorizationHeader = errors.New("Missing or invalid Authorization header")
377 var ContentLengthMismatch = errors.New("Actual length != expected content length")
378 var MethodNotSupported = errors.New("Method not supported")
379
380 var removeHint, _ = regexp.Compile("\\+K@[a-z0-9]{5}(\\+|$)")
381
382 func (h *proxyHandler) Get(resp http.ResponseWriter, req *http.Request) {
383         if err := h.checkLoop(resp, req); err != nil {
384                 return
385         }
386         SetCorsHeaders(resp)
387         resp.Header().Set("Via", req.Proto+" "+viaAlias)
388
389         locator := mux.Vars(req)["locator"]
390         var err error
391         var status int
392         var expectLength, responseLength int64
393         var proxiedURI = "-"
394
395         defer func() {
396                 log.Println(GetRemoteAddress(req), req.Method, req.URL.Path, status, expectLength, responseLength, proxiedURI, err)
397                 if status != http.StatusOK {
398                         http.Error(resp, err.Error(), status)
399                 }
400         }()
401
402         kc := h.makeKeepClient(req)
403
404         var pass bool
405         var tok string
406         if pass, tok = CheckAuthorizationHeader(kc, h.ApiTokenCache, req); !pass {
407                 status, err = http.StatusForbidden, BadAuthorizationHeader
408                 return
409         }
410
411         // Copy ArvadosClient struct and use the client's API token
412         arvclient := *kc.Arvados
413         arvclient.ApiToken = tok
414         kc.Arvados = &arvclient
415
416         var reader io.ReadCloser
417
418         locator = removeHint.ReplaceAllString(locator, "$1")
419
420         switch req.Method {
421         case "HEAD":
422                 expectLength, proxiedURI, err = kc.Ask(locator)
423         case "GET":
424                 reader, expectLength, proxiedURI, err = kc.Get(locator)
425                 if reader != nil {
426                         defer reader.Close()
427                 }
428         default:
429                 status, err = http.StatusNotImplemented, MethodNotSupported
430                 return
431         }
432
433         if expectLength == -1 {
434                 log.Println("Warning:", GetRemoteAddress(req), req.Method, proxiedURI, "Content-Length not provided")
435         }
436
437         switch respErr := err.(type) {
438         case nil:
439                 status = http.StatusOK
440                 resp.Header().Set("Content-Length", fmt.Sprint(expectLength))
441                 switch req.Method {
442                 case "HEAD":
443                         responseLength = 0
444                 case "GET":
445                         responseLength, err = io.Copy(resp, reader)
446                         if err == nil && expectLength > -1 && responseLength != expectLength {
447                                 err = ContentLengthMismatch
448                         }
449                 }
450         case keepclient.Error:
451                 if respErr == keepclient.BlockNotFound {
452                         status = http.StatusNotFound
453                 } else if respErr.Temporary() {
454                         status = http.StatusBadGateway
455                 } else {
456                         status = 422
457                 }
458         default:
459                 status = http.StatusInternalServerError
460         }
461 }
462
463 var LengthRequiredError = errors.New(http.StatusText(http.StatusLengthRequired))
464 var LengthMismatchError = errors.New("Locator size hint does not match Content-Length header")
465
466 func (h *proxyHandler) Put(resp http.ResponseWriter, req *http.Request) {
467         if err := h.checkLoop(resp, req); err != nil {
468                 return
469         }
470         SetCorsHeaders(resp)
471         resp.Header().Set("Via", "HTTP/1.1 "+viaAlias)
472
473         kc := h.makeKeepClient(req)
474
475         var err error
476         var expectLength int64
477         var status = http.StatusInternalServerError
478         var wroteReplicas int
479         var locatorOut string = "-"
480
481         defer func() {
482                 log.Println(GetRemoteAddress(req), req.Method, req.URL.Path, status, expectLength, kc.Want_replicas, wroteReplicas, locatorOut, err)
483                 if status != http.StatusOK {
484                         http.Error(resp, err.Error(), status)
485                 }
486         }()
487
488         locatorIn := mux.Vars(req)["locator"]
489
490         // Check if the client specified storage classes
491         if req.Header.Get("X-Keep-Storage-Classes") != "" {
492                 var scl []string
493                 for _, sc := range strings.Split(req.Header.Get("X-Keep-Storage-Classes"), ",") {
494                         scl = append(scl, strings.Trim(sc, " "))
495                 }
496                 kc.StorageClasses = scl
497         }
498
499         _, err = fmt.Sscanf(req.Header.Get("Content-Length"), "%d", &expectLength)
500         if err != nil || expectLength < 0 {
501                 err = LengthRequiredError
502                 status = http.StatusLengthRequired
503                 return
504         }
505
506         if locatorIn != "" {
507                 var loc *keepclient.Locator
508                 if loc, err = keepclient.MakeLocator(locatorIn); err != nil {
509                         status = http.StatusBadRequest
510                         return
511                 } else if loc.Size > 0 && int64(loc.Size) != expectLength {
512                         err = LengthMismatchError
513                         status = http.StatusBadRequest
514                         return
515                 }
516         }
517
518         var pass bool
519         var tok string
520         if pass, tok = CheckAuthorizationHeader(kc, h.ApiTokenCache, req); !pass {
521                 err = BadAuthorizationHeader
522                 status = http.StatusForbidden
523                 return
524         }
525
526         // Copy ArvadosClient struct and use the client's API token
527         arvclient := *kc.Arvados
528         arvclient.ApiToken = tok
529         kc.Arvados = &arvclient
530
531         // Check if the client specified the number of replicas
532         if req.Header.Get("X-Keep-Desired-Replicas") != "" {
533                 var r int
534                 _, err := fmt.Sscanf(req.Header.Get(keepclient.X_Keep_Desired_Replicas), "%d", &r)
535                 if err == nil {
536                         kc.Want_replicas = r
537                 }
538         }
539
540         // Now try to put the block through
541         if locatorIn == "" {
542                 bytes, err2 := ioutil.ReadAll(req.Body)
543                 if err2 != nil {
544                         _ = errors.New(fmt.Sprintf("Error reading request body: %s", err2))
545                         status = http.StatusInternalServerError
546                         return
547                 }
548                 locatorOut, wroteReplicas, err = kc.PutB(bytes)
549         } else {
550                 locatorOut, wroteReplicas, err = kc.PutHR(locatorIn, req.Body, expectLength)
551         }
552
553         // Tell the client how many successful PUTs we accomplished
554         resp.Header().Set(keepclient.X_Keep_Replicas_Stored, fmt.Sprintf("%d", wroteReplicas))
555
556         switch err.(type) {
557         case nil:
558                 status = http.StatusOK
559                 _, err = io.WriteString(resp, locatorOut)
560
561         case keepclient.OversizeBlockError:
562                 // Too much data
563                 status = http.StatusRequestEntityTooLarge
564
565         case keepclient.InsufficientReplicasError:
566                 if wroteReplicas > 0 {
567                         // At least one write is considered success.  The
568                         // client can decide if getting less than the number of
569                         // replications it asked for is a fatal error.
570                         status = http.StatusOK
571                         _, err = io.WriteString(resp, locatorOut)
572                 } else {
573                         status = http.StatusServiceUnavailable
574                 }
575
576         default:
577                 status = http.StatusBadGateway
578         }
579 }
580
581 // ServeHTTP implementation for IndexHandler
582 // Supports only GET requests for /index/{prefix:[0-9a-f]{0,32}}
583 // For each keep server found in LocalRoots:
584 //   Invokes GetIndex using keepclient
585 //   Expects "complete" response (terminating with blank new line)
586 //   Aborts on any errors
587 // Concatenates responses from all those keep servers and returns
588 func (h *proxyHandler) Index(resp http.ResponseWriter, req *http.Request) {
589         SetCorsHeaders(resp)
590
591         prefix := mux.Vars(req)["prefix"]
592         var err error
593         var status int
594
595         defer func() {
596                 if status != http.StatusOK {
597                         http.Error(resp, err.Error(), status)
598                 }
599         }()
600
601         kc := h.makeKeepClient(req)
602         ok, token := CheckAuthorizationHeader(kc, h.ApiTokenCache, req)
603         if !ok {
604                 status, err = http.StatusForbidden, BadAuthorizationHeader
605                 return
606         }
607
608         // Copy ArvadosClient struct and use the client's API token
609         arvclient := *kc.Arvados
610         arvclient.ApiToken = token
611         kc.Arvados = &arvclient
612
613         // Only GET method is supported
614         if req.Method != "GET" {
615                 status, err = http.StatusNotImplemented, MethodNotSupported
616                 return
617         }
618
619         // Get index from all LocalRoots and write to resp
620         var reader io.Reader
621         for uuid := range kc.LocalRoots() {
622                 reader, err = kc.GetIndex(uuid, prefix)
623                 if err != nil {
624                         status = http.StatusBadGateway
625                         return
626                 }
627
628                 _, err = io.Copy(resp, reader)
629                 if err != nil {
630                         status = http.StatusBadGateway
631                         return
632                 }
633         }
634
635         // Got index from all the keep servers and wrote to resp
636         status = http.StatusOK
637         resp.Write([]byte("\n"))
638 }
639
640 func (h *proxyHandler) makeKeepClient(req *http.Request) *keepclient.KeepClient {
641         kc := *h.KeepClient
642         kc.RequestID = req.Header.Get("X-Request-Id")
643         kc.HTTPClient = &proxyClient{
644                 client: &http.Client{
645                         Timeout:   h.timeout,
646                         Transport: h.transport,
647                 },
648                 proto: req.Proto,
649         }
650         return &kc
651 }