19166: Improve error messages.

[arvados.git] / lib / controller / localdb / container_gateway.go

// Copyright (C) The Arvados Authors. All rights reserved.
//
// SPDX-License-Identifier: AGPL-3.0

package localdb

import (
        "bufio"
        "bytes"
        "context"
        "crypto/hmac"
        "crypto/sha256"
        "crypto/subtle"
        "crypto/tls"
        "crypto/x509"
        "errors"
        "fmt"
        "io"
        "io/ioutil"
        "net"
        "net/http"
        "net/url"
        "strings"

        "git.arvados.org/arvados.git/lib/controller/rpc"
        "git.arvados.org/arvados.git/lib/service"
        "git.arvados.org/arvados.git/sdk/go/arvados"
        "git.arvados.org/arvados.git/sdk/go/auth"
        "git.arvados.org/arvados.git/sdk/go/ctxlog"
        "git.arvados.org/arvados.git/sdk/go/httpserver"
        "github.com/hashicorp/yamux"
)

var (
        forceProxyForTest       = false
        forceInternalURLForTest *arvados.URL
)

// ContainerSSH returns a connection to the SSH server in the
// appropriate crunch-run process on the worker node where the
// specified container is running.
//
// If the returned error is nil, the caller is responsible for closing
// sshconn.Conn.
func (conn *Conn) ContainerSSH(ctx context.Context, opts arvados.ContainerSSHOptions) (sshconn arvados.ConnectionResponse, err error) {
        user, err := conn.railsProxy.UserGetCurrent(ctx, arvados.GetOptions{})
        if err != nil {
                return sshconn, err
        }
        ctr, err := conn.railsProxy.ContainerGet(ctx, arvados.GetOptions{UUID: opts.UUID})
        if err != nil {
                return sshconn, err
        }
        ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{conn.cluster.SystemRootToken}})
        if !user.IsAdmin || !conn.cluster.Containers.ShellAccess.Admin {
                if !conn.cluster.Containers.ShellAccess.User {
                        return sshconn, httpserver.ErrorWithStatus(errors.New("shell access is disabled in config"), http.StatusServiceUnavailable)
                }
                crs, err := conn.railsProxy.ContainerRequestList(ctxRoot, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"container_uuid", "=", opts.UUID}}})
                if err != nil {
                        return sshconn, err
                }
                for _, cr := range crs.Items {
                        if cr.ModifiedByUserUUID != user.UUID {
                                return sshconn, httpserver.ErrorWithStatus(errors.New("permission denied: container is associated with requests submitted by other users"), http.StatusForbidden)
                        }
                }
                if crs.ItemsAvailable != len(crs.Items) {
                        return sshconn, httpserver.ErrorWithStatus(errors.New("incomplete response while checking permission"), http.StatusInternalServerError)
                }
        }

        conn.gwTunnelsLock.Lock()
        tunnel := conn.gwTunnels[opts.UUID]
        conn.gwTunnelsLock.Unlock()

        if ctr.State == arvados.ContainerStateQueued || ctr.State == arvados.ContainerStateLocked {
                return sshconn, httpserver.ErrorWithStatus(fmt.Errorf("container is not running yet (state is %q)", ctr.State), http.StatusServiceUnavailable)
        } else if ctr.State != arvados.ContainerStateRunning {
                return sshconn, httpserver.ErrorWithStatus(fmt.Errorf("container has ended (state is %q)", ctr.State), http.StatusGone)
        }

        // targetHost is the value we'll use in the Host header in our
        // "Upgrade: ssh" http request. It's just a placeholder
        // "localhost", unless we decide to connect directly, in which
        // case we'll set it to the gateway's external ip:host. (The
        // gateway doesn't even look at it, but we might as well.)
        targetHost := "localhost"
        myURL, _ := service.URLFromContext(ctx)

        var rawconn net.Conn
        if host, _, splitErr := net.SplitHostPort(ctr.GatewayAddress); splitErr == nil && host != "" && host != "127.0.0.1" {
                // If crunch-run provided a GatewayAddress like
                // "ipaddr:port", that means "ipaddr" is one of the
                // external interfaces where the gateway is
                // listening. In that case, it's the most
                // reliable/direct option, so we use it even if a
                // tunnel might also be available.
                targetHost = ctr.GatewayAddress
                rawconn, err = net.Dial("tcp", ctr.GatewayAddress)
                if err != nil {
                        return sshconn, httpserver.ErrorWithStatus(err, http.StatusServiceUnavailable)
                }
        } else if tunnel != nil && !(forceProxyForTest && !opts.NoForward) {
                // If we can't connect directly, and the gateway has
                // established a yamux tunnel with us, connect through
                // the tunnel.
                //
                // ...except: forceProxyForTest means we are emulating
                // a situation where the gateway has established a
                // yamux tunnel with controller B, and the
                // ContainerSSH request arrives at controller A. If
                // opts.NoForward==false then we are acting as A, so
                // we pretend not to have a tunnel, and fall through
                // to the "tunurl" case below. If opts.NoForward==true
                // then the client is A and we are acting as B, so we
                // connect to our tunnel.
                rawconn, err = tunnel.Open()
                if err != nil {
                        return sshconn, httpserver.ErrorWithStatus(err, http.StatusServiceUnavailable)
                }
        } else if ctr.GatewayAddress == "" {
                return sshconn, httpserver.ErrorWithStatus(errors.New("container is running but gateway is not available"), http.StatusServiceUnavailable)
        } else if tunurl := strings.TrimPrefix(ctr.GatewayAddress, "tunnel "); tunurl != ctr.GatewayAddress &&
                tunurl != "" &&
                tunurl != myURL.String() &&
                !opts.NoForward {
                // If crunch-run provided a GatewayAddress like
                // "tunnel https://10.0.0.10:1010/", that means the
                // gateway has established a yamux tunnel with the
                // controller process at the indicated InternalURL
                // (which isn't us, otherwise we would have had
                // "tunnel != nil" above). We need to proxy through to
                // the other controller process in order to use the
                // tunnel.
                for u := range conn.cluster.Services.Controller.InternalURLs {
                        if u.String() == tunurl {
                                ctxlog.FromContext(ctx).Debugf("proxying ContainerSSH request to other controller at %s", u)
                                u := url.URL(u)
                                arpc := rpc.NewConn(conn.cluster.ClusterID, &u, conn.cluster.TLS.Insecure, rpc.PassthroughTokenProvider)
                                opts.NoForward = true
                                return arpc.ContainerSSH(ctx, opts)
                        }
                }
                ctxlog.FromContext(ctx).Warnf("container gateway provided a tunnel endpoint %s that is not one of Services.Controller.InternalURLs", tunurl)
                return sshconn, httpserver.ErrorWithStatus(errors.New("container gateway is running but tunnel endpoint is invalid"), http.StatusServiceUnavailable)
        } else {
                return sshconn, httpserver.ErrorWithStatus(errors.New("container gateway is running but tunnel is down"), http.StatusServiceUnavailable)
        }

        // crunch-run uses a self-signed / unverifiable TLS
        // certificate, so we use the following scheme to ensure we're
        // not talking to a MITM.
        //
        // 1. Compute ctrKey = HMAC-SHA256(sysRootToken,ctrUUID) --
        // this will be the same ctrKey that a-d-c supplied to
        // crunch-run in the GatewayAuthSecret env var.
        //
        // 2. Compute requestAuth = HMAC-SHA256(ctrKey,serverCert) and
        // send it to crunch-run as the X-Arvados-Authorization
        // header, proving that we know ctrKey. (Note a MITM cannot
        // replay the proof to a real crunch-run server, because the
        // real crunch-run server would have a different cert.)
        //
        // 3. Compute respondAuth = HMAC-SHA256(ctrKey,requestAuth)
        // and ensure the server returns it in the
        // X-Arvados-Authorization-Response header, proving that the
        // server knows ctrKey.
        var requestAuth, respondAuth string
        tlsconn := tls.Client(rawconn, &tls.Config{
                InsecureSkipVerify: true,
                VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
                        if len(rawCerts) == 0 {
                                return errors.New("no certificate received, cannot compute authorization header")
                        }
                        h := hmac.New(sha256.New, []byte(conn.cluster.SystemRootToken))
                        fmt.Fprint(h, opts.UUID)
                        authKey := fmt.Sprintf("%x", h.Sum(nil))
                        h = hmac.New(sha256.New, []byte(authKey))
                        h.Write(rawCerts[0])
                        requestAuth = fmt.Sprintf("%x", h.Sum(nil))
                        h.Reset()
                        h.Write([]byte(requestAuth))
                        respondAuth = fmt.Sprintf("%x", h.Sum(nil))
                        return nil
                },
        })
        err = tlsconn.HandshakeContext(ctx)
        if err != nil {
                return sshconn, httpserver.ErrorWithStatus(fmt.Errorf("TLS handshake failed: %w", err), http.StatusBadGateway)
        }
        if respondAuth == "" {
                tlsconn.Close()
                return sshconn, httpserver.ErrorWithStatus(errors.New("BUG: no respondAuth"), http.StatusInternalServerError)
        }
        bufr := bufio.NewReader(tlsconn)
        bufw := bufio.NewWriter(tlsconn)

        u := url.URL{
                Scheme: "http",
                Host:   targetHost,
                Path:   "/ssh",
        }
        postform := url.Values{
                "uuid":           {opts.UUID},
                "detach_keys":    {opts.DetachKeys},
                "login_username": {opts.LoginUsername},
                "no_forward":     {fmt.Sprintf("%v", opts.NoForward)},
        }
        postdata := postform.Encode()
        bufw.WriteString("POST " + u.String() + " HTTP/1.1\r\n")
        bufw.WriteString("Host: " + u.Host + "\r\n")
        bufw.WriteString("Upgrade: ssh\r\n")
        bufw.WriteString("X-Arvados-Authorization: " + requestAuth + "\r\n")
        bufw.WriteString("Content-Type: application/x-www-form-urlencoded\r\n")
        fmt.Fprintf(bufw, "Content-Length: %d\r\n", len(postdata))
        bufw.WriteString("\r\n")
        bufw.WriteString(postdata)
        bufw.Flush()
        resp, err := http.ReadResponse(bufr, &http.Request{Method: "POST"})
        if err != nil {
                tlsconn.Close()
                return sshconn, httpserver.ErrorWithStatus(fmt.Errorf("error reading http response from gateway: %w", err), http.StatusBadGateway)
        }
        defer resp.Body.Close()
        if resp.StatusCode != http.StatusSwitchingProtocols {
                body, _ := ioutil.ReadAll(io.LimitReader(resp.Body, 1000))
                tlsconn.Close()
                return sshconn, httpserver.ErrorWithStatus(fmt.Errorf("unexpected status %s %q", resp.Status, body), http.StatusBadGateway)
        }
        if strings.ToLower(resp.Header.Get("Upgrade")) != "ssh" ||
                strings.ToLower(resp.Header.Get("Connection")) != "upgrade" {
                tlsconn.Close()
                return sshconn, httpserver.ErrorWithStatus(errors.New("bad upgrade"), http.StatusBadGateway)
        }
        if resp.Header.Get("X-Arvados-Authorization-Response") != respondAuth {
                tlsconn.Close()
                return sshconn, httpserver.ErrorWithStatus(errors.New("bad X-Arvados-Authorization-Response header"), http.StatusBadGateway)
        }

        if !ctr.InteractiveSessionStarted {
                _, err = conn.railsProxy.ContainerUpdate(ctxRoot, arvados.UpdateOptions{
                        UUID: opts.UUID,
                        Attrs: map[string]interface{}{
                                "interactive_session_started": true,
                        },
                })
                if err != nil {
                        tlsconn.Close()
                        return sshconn, httpserver.ErrorWithStatus(err, http.StatusInternalServerError)
                }
        }

        sshconn.Conn = tlsconn
        sshconn.Bufrw = &bufio.ReadWriter{Reader: bufr, Writer: bufw}
        sshconn.Logger = ctxlog.FromContext(ctx)
        sshconn.Header = http.Header{"Upgrade": {"ssh"}}
        return sshconn, nil
}

// ContainerGatewayTunnel sets up a tunnel enabling us (controller) to
// connect to the caller's (crunch-run's) gateway server.
func (conn *Conn) ContainerGatewayTunnel(ctx context.Context, opts arvados.ContainerGatewayTunnelOptions) (resp arvados.ConnectionResponse, err error) {
        h := hmac.New(sha256.New, []byte(conn.cluster.SystemRootToken))
        fmt.Fprint(h, opts.UUID)
        authSecret := fmt.Sprintf("%x", h.Sum(nil))
        if subtle.ConstantTimeCompare([]byte(authSecret), []byte(opts.AuthSecret)) != 1 {
                ctxlog.FromContext(ctx).Info("received incorrect auth_secret")
                return resp, httpserver.ErrorWithStatus(errors.New("authentication error"), http.StatusUnauthorized)
        }

        muxconn, clientconn := net.Pipe()
        tunnel, err := yamux.Server(muxconn, nil)
        if err != nil {
                clientconn.Close()
                return resp, httpserver.ErrorWithStatus(err, http.StatusInternalServerError)
        }

        conn.gwTunnelsLock.Lock()
        if conn.gwTunnels == nil {
                conn.gwTunnels = map[string]*yamux.Session{opts.UUID: tunnel}
        } else {
                conn.gwTunnels[opts.UUID] = tunnel
        }
        conn.gwTunnelsLock.Unlock()

        go func() {
                <-tunnel.CloseChan()
                conn.gwTunnelsLock.Lock()
                if conn.gwTunnels[opts.UUID] == tunnel {
                        delete(conn.gwTunnels, opts.UUID)
                }
                conn.gwTunnelsLock.Unlock()
        }()

        // Assuming we're acting as the backend of an http server,
        // lib/controller/router will call resp's ServeHTTP handler,
        // which upgrades the incoming http connection to a raw socket
        // and connects it to our yamux.Server through our net.Pipe().
        resp.Conn = clientconn
        resp.Bufrw = &bufio.ReadWriter{Reader: bufio.NewReader(&bytes.Buffer{}), Writer: bufio.NewWriter(&bytes.Buffer{})}
        resp.Logger = ctxlog.FromContext(ctx)
        resp.Header = http.Header{"Upgrade": {"tunnel"}}
        if u, ok := service.URLFromContext(ctx); ok {
                resp.Header.Set("X-Arvados-Internal-Url", u.String())
        } else if forceInternalURLForTest != nil {
                resp.Header.Set("X-Arvados-Internal-Url", forceInternalURLForTest.String())
        }
        return
}