Merge branch '21216-multiplier-typo-fix' refs #21216
[arvados.git] / services / keep-web / handler.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package keepweb
6
7 import (
8         "encoding/json"
9         "errors"
10         "fmt"
11         "html"
12         "html/template"
13         "io"
14         "net/http"
15         "net/url"
16         "os"
17         "sort"
18         "strconv"
19         "strings"
20         "sync"
21         "time"
22
23         "git.arvados.org/arvados.git/lib/cmd"
24         "git.arvados.org/arvados.git/lib/webdavfs"
25         "git.arvados.org/arvados.git/sdk/go/arvados"
26         "git.arvados.org/arvados.git/sdk/go/arvadosclient"
27         "git.arvados.org/arvados.git/sdk/go/auth"
28         "git.arvados.org/arvados.git/sdk/go/ctxlog"
29         "git.arvados.org/arvados.git/sdk/go/httpserver"
30         "github.com/sirupsen/logrus"
31         "golang.org/x/net/webdav"
32 )
33
34 type handler struct {
35         Cache   cache
36         Cluster *arvados.Cluster
37
38         lockMtx    sync.Mutex
39         lock       map[string]*sync.RWMutex
40         lockTidied time.Time
41 }
42
43 var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+")
44
45 var notFoundMessage = "Not Found"
46 var unauthorizedMessage = "401 Unauthorized\n\nA valid Arvados token must be provided to access this resource."
47
48 // parseCollectionIDFromURL returns a UUID or PDH if s is a UUID or a
49 // PDH (even if it is a PDH with "+" replaced by " " or "-");
50 // otherwise "".
51 func parseCollectionIDFromURL(s string) string {
52         if arvadosclient.UUIDMatch(s) {
53                 return s
54         }
55         if pdh := urlPDHDecoder.Replace(s); arvadosclient.PDHMatch(pdh) {
56                 return pdh
57         }
58         return ""
59 }
60
61 func (h *handler) serveStatus(w http.ResponseWriter, r *http.Request) {
62         json.NewEncoder(w).Encode(struct{ Version string }{cmd.Version.String()})
63 }
64
65 type errorWithHTTPStatus interface {
66         HTTPStatus() int
67 }
68
69 // updateOnSuccess wraps httpserver.ResponseWriter. If the handler
70 // sends an HTTP header indicating success, updateOnSuccess first
71 // calls the provided update func. If the update func fails, an error
72 // response is sent (using the error's HTTP status or 500 if none),
73 // and the status code and body sent by the handler are ignored (all
74 // response writes return the update error).
75 type updateOnSuccess struct {
76         httpserver.ResponseWriter
77         logger     logrus.FieldLogger
78         update     func() error
79         sentHeader bool
80         err        error
81 }
82
83 func (uos *updateOnSuccess) Write(p []byte) (int, error) {
84         if !uos.sentHeader {
85                 uos.WriteHeader(http.StatusOK)
86         }
87         if uos.err != nil {
88                 return 0, uos.err
89         }
90         return uos.ResponseWriter.Write(p)
91 }
92
93 func (uos *updateOnSuccess) WriteHeader(code int) {
94         if !uos.sentHeader {
95                 uos.sentHeader = true
96                 if code >= 200 && code < 400 {
97                         if uos.err = uos.update(); uos.err != nil {
98                                 code := http.StatusInternalServerError
99                                 if he := errorWithHTTPStatus(nil); errors.As(uos.err, &he) {
100                                         code = he.HTTPStatus()
101                                 }
102                                 uos.logger.WithError(uos.err).Errorf("update() returned %T error, changing response to HTTP %d", uos.err, code)
103                                 http.Error(uos.ResponseWriter, uos.err.Error(), code)
104                                 return
105                         }
106                 }
107         }
108         uos.ResponseWriter.WriteHeader(code)
109 }
110
111 var (
112         corsAllowHeadersHeader = strings.Join([]string{
113                 "Authorization", "Content-Type", "Range",
114                 // WebDAV request headers:
115                 "Depth", "Destination", "If", "Lock-Token", "Overwrite", "Timeout", "Cache-Control",
116         }, ", ")
117         writeMethod = map[string]bool{
118                 "COPY":      true,
119                 "DELETE":    true,
120                 "LOCK":      true,
121                 "MKCOL":     true,
122                 "MOVE":      true,
123                 "PROPPATCH": true,
124                 "PUT":       true,
125                 "RMCOL":     true,
126                 "UNLOCK":    true,
127         }
128         webdavMethod = map[string]bool{
129                 "COPY":      true,
130                 "DELETE":    true,
131                 "LOCK":      true,
132                 "MKCOL":     true,
133                 "MOVE":      true,
134                 "OPTIONS":   true,
135                 "PROPFIND":  true,
136                 "PROPPATCH": true,
137                 "PUT":       true,
138                 "RMCOL":     true,
139                 "UNLOCK":    true,
140         }
141         browserMethod = map[string]bool{
142                 "GET":  true,
143                 "HEAD": true,
144                 "POST": true,
145         }
146         // top-level dirs to serve with siteFS
147         siteFSDir = map[string]bool{
148                 "":      true, // root directory
149                 "by_id": true,
150                 "users": true,
151         }
152 )
153
154 func stripDefaultPort(host string) string {
155         // Will consider port 80 and port 443 to be the same vhost.  I think that's fine.
156         u := &url.URL{Host: host}
157         if p := u.Port(); p == "80" || p == "443" {
158                 return strings.ToLower(u.Hostname())
159         } else {
160                 return strings.ToLower(host)
161         }
162 }
163
164 // CheckHealth implements service.Handler.
165 func (h *handler) CheckHealth() error {
166         return nil
167 }
168
169 // Done implements service.Handler.
170 func (h *handler) Done() <-chan struct{} {
171         return nil
172 }
173
174 // ServeHTTP implements http.Handler.
175 func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
176         if xfp := r.Header.Get("X-Forwarded-Proto"); xfp != "" && xfp != "http" {
177                 r.URL.Scheme = xfp
178         }
179
180         w := httpserver.WrapResponseWriter(wOrig)
181
182         if r.Method == "OPTIONS" && ServeCORSPreflight(w, r.Header) {
183                 return
184         }
185
186         if !browserMethod[r.Method] && !webdavMethod[r.Method] {
187                 w.WriteHeader(http.StatusMethodNotAllowed)
188                 return
189         }
190
191         if r.Header.Get("Origin") != "" {
192                 // Allow simple cross-origin requests without user
193                 // credentials ("user credentials" as defined by CORS,
194                 // i.e., cookies, HTTP authentication, and client-side
195                 // SSL certificates. See
196                 // http://www.w3.org/TR/cors/#user-credentials).
197                 w.Header().Set("Access-Control-Allow-Origin", "*")
198                 w.Header().Set("Access-Control-Expose-Headers", "Content-Range")
199         }
200
201         if h.serveS3(w, r) {
202                 return
203         }
204
205         webdavPrefix := ""
206         arvPath := r.URL.Path
207         if prefix := r.Header.Get("X-Webdav-Prefix"); prefix != "" {
208                 // Enable a proxy (e.g., container log handler in
209                 // controller) to satisfy a request for path
210                 // "/foo/bar/baz.txt" using content from
211                 // "//abc123-4.internal/bar/baz.txt", by adding a
212                 // request header "X-Webdav-Prefix: /foo"
213                 if !strings.HasPrefix(arvPath, prefix) {
214                         http.Error(w, "X-Webdav-Prefix header is not a prefix of the requested path", http.StatusBadRequest)
215                         return
216                 }
217                 arvPath = r.URL.Path[len(prefix):]
218                 if arvPath == "" {
219                         arvPath = "/"
220                 }
221                 w.Header().Set("Vary", "X-Webdav-Prefix, "+w.Header().Get("Vary"))
222                 webdavPrefix = prefix
223         }
224         pathParts := strings.Split(arvPath[1:], "/")
225
226         var stripParts int
227         var collectionID string
228         var tokens []string
229         var reqTokens []string
230         var pathToken bool
231         var attachment bool
232         var useSiteFS bool
233         credentialsOK := h.Cluster.Collections.TrustAllContent
234         reasonNotAcceptingCredentials := ""
235
236         if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Cluster.Services.WebDAVDownload.ExternalURL.Host) {
237                 credentialsOK = true
238                 attachment = true
239         } else if r.FormValue("disposition") == "attachment" {
240                 attachment = true
241         }
242
243         if !credentialsOK {
244                 reasonNotAcceptingCredentials = fmt.Sprintf("vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false",
245                         r.Host, h.Cluster.Services.WebDAVDownload.ExternalURL)
246         }
247
248         if collectionID = arvados.CollectionIDFromDNSName(r.Host); collectionID != "" {
249                 // http://ID.collections.example/PATH...
250                 credentialsOK = true
251         } else if r.URL.Path == "/status.json" {
252                 h.serveStatus(w, r)
253                 return
254         } else if siteFSDir[pathParts[0]] {
255                 useSiteFS = true
256         } else if len(pathParts) >= 1 && strings.HasPrefix(pathParts[0], "c=") {
257                 // /c=ID[/PATH...]
258                 collectionID = parseCollectionIDFromURL(pathParts[0][2:])
259                 stripParts = 1
260         } else if len(pathParts) >= 2 && pathParts[0] == "collections" {
261                 if len(pathParts) >= 4 && pathParts[1] == "download" {
262                         // /collections/download/ID/TOKEN/PATH...
263                         collectionID = parseCollectionIDFromURL(pathParts[2])
264                         tokens = []string{pathParts[3]}
265                         stripParts = 4
266                         pathToken = true
267                 } else {
268                         // /collections/ID/PATH...
269                         collectionID = parseCollectionIDFromURL(pathParts[1])
270                         stripParts = 2
271                         // This path is only meant to work for public
272                         // data. Tokens provided with the request are
273                         // ignored.
274                         credentialsOK = false
275                         reasonNotAcceptingCredentials = "the '/collections/UUID/PATH' form only works for public data"
276                 }
277         }
278
279         forceReload := false
280         if cc := r.Header.Get("Cache-Control"); strings.Contains(cc, "no-cache") || strings.Contains(cc, "must-revalidate") {
281                 forceReload = true
282         }
283
284         if credentialsOK {
285                 reqTokens = auth.CredentialsFromRequest(r).Tokens
286         }
287
288         r.ParseForm()
289         origin := r.Header.Get("Origin")
290         cors := origin != "" && !strings.HasSuffix(origin, "://"+r.Host)
291         safeAjax := cors && (r.Method == http.MethodGet || r.Method == http.MethodHead)
292         // Important distinction: safeAttachment checks whether api_token exists
293         // as a query parameter. haveFormTokens checks whether api_token exists
294         // as request form data *or* a query parameter. Different checks are
295         // necessary because both the request disposition and the location of
296         // the API token affect whether or not the request needs to be
297         // redirected. The different branch comments below explain further.
298         safeAttachment := attachment && !r.URL.Query().Has("api_token")
299         if formTokens, haveFormTokens := r.Form["api_token"]; !haveFormTokens {
300                 // No token to use or redact.
301         } else if safeAjax || safeAttachment {
302                 // If this is a cross-origin request, the URL won't
303                 // appear in the browser's address bar, so
304                 // substituting a clipboard-safe URL is pointless.
305                 // Redirect-with-cookie wouldn't work anyway, because
306                 // it's not safe to allow third-party use of our
307                 // cookie.
308                 //
309                 // If we're supplying an attachment, we don't need to
310                 // convert POST to GET to avoid the "really resubmit
311                 // form?" problem, so provided the token isn't
312                 // embedded in the URL, there's no reason to do
313                 // redirect-with-cookie in this case either.
314                 for _, tok := range formTokens {
315                         reqTokens = append(reqTokens, tok)
316                 }
317         } else if browserMethod[r.Method] {
318                 // If this is a page view, and the client provided a
319                 // token via query string or POST body, we must put
320                 // the token in an HttpOnly cookie, and redirect to an
321                 // equivalent URL with the query param redacted and
322                 // method = GET.
323                 h.seeOtherWithCookie(w, r, "", credentialsOK)
324                 return
325         }
326
327         targetPath := pathParts[stripParts:]
328         if tokens == nil && len(targetPath) > 0 && strings.HasPrefix(targetPath[0], "t=") {
329                 // http://ID.example/t=TOKEN/PATH...
330                 // /c=ID/t=TOKEN/PATH...
331                 //
332                 // This form must only be used to pass scoped tokens
333                 // that give permission for a single collection. See
334                 // FormValue case above.
335                 tokens = []string{targetPath[0][2:]}
336                 pathToken = true
337                 targetPath = targetPath[1:]
338                 stripParts++
339         }
340
341         fsprefix := ""
342         if useSiteFS {
343                 if writeMethod[r.Method] {
344                         http.Error(w, webdavfs.ErrReadOnly.Error(), http.StatusMethodNotAllowed)
345                         return
346                 }
347                 if len(reqTokens) == 0 {
348                         w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
349                         http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
350                         return
351                 }
352                 tokens = reqTokens
353         } else if collectionID == "" {
354                 http.Error(w, notFoundMessage, http.StatusNotFound)
355                 return
356         } else {
357                 fsprefix = "by_id/" + collectionID + "/"
358         }
359
360         if src := r.Header.Get("X-Webdav-Source"); strings.HasPrefix(src, "/") && !strings.Contains(src, "//") && !strings.Contains(src, "/../") {
361                 fsprefix += src[1:]
362         }
363
364         if tokens == nil {
365                 tokens = reqTokens
366                 if h.Cluster.Users.AnonymousUserToken != "" {
367                         tokens = append(tokens, h.Cluster.Users.AnonymousUserToken)
368                 }
369         }
370
371         if len(targetPath) > 0 && targetPath[0] == "_" {
372                 // If a collection has a directory called "t=foo" or
373                 // "_", it can be served at
374                 // //collections.example/_/t=foo/ or
375                 // //collections.example/_/_/ respectively:
376                 // //collections.example/t=foo/ won't work because
377                 // t=foo will be interpreted as a token "foo".
378                 targetPath = targetPath[1:]
379                 stripParts++
380         }
381
382         dirOpenMode := os.O_RDONLY
383         if writeMethod[r.Method] {
384                 dirOpenMode = os.O_RDWR
385         }
386
387         var tokenValid bool
388         var tokenScopeProblem bool
389         var token string
390         var tokenUser *arvados.User
391         var sessionFS arvados.CustomFileSystem
392         var session *cachedSession
393         var collectionDir arvados.File
394         for _, token = range tokens {
395                 var statusErr errorWithHTTPStatus
396                 fs, sess, user, err := h.Cache.GetSession(token)
397                 if errors.As(err, &statusErr) && statusErr.HTTPStatus() == http.StatusUnauthorized {
398                         // bad token
399                         continue
400                 } else if err != nil {
401                         http.Error(w, "cache error: "+err.Error(), http.StatusInternalServerError)
402                         return
403                 }
404                 if token != h.Cluster.Users.AnonymousUserToken {
405                         tokenValid = true
406                 }
407                 f, err := fs.OpenFile(fsprefix, dirOpenMode, 0)
408                 if errors.As(err, &statusErr) &&
409                         statusErr.HTTPStatus() == http.StatusForbidden &&
410                         token != h.Cluster.Users.AnonymousUserToken {
411                         // collection id is outside scope of supplied
412                         // token
413                         tokenScopeProblem = true
414                         sess.Release()
415                         continue
416                 } else if os.IsNotExist(err) {
417                         // collection does not exist or is not
418                         // readable using this token
419                         sess.Release()
420                         continue
421                 } else if err != nil {
422                         http.Error(w, err.Error(), http.StatusInternalServerError)
423                         sess.Release()
424                         return
425                 }
426                 defer f.Close()
427                 defer sess.Release()
428
429                 collectionDir, sessionFS, session, tokenUser = f, fs, sess, user
430                 break
431         }
432         if forceReload && collectionDir != nil {
433                 err := collectionDir.Sync()
434                 if err != nil {
435                         if he := errorWithHTTPStatus(nil); errors.As(err, &he) {
436                                 http.Error(w, err.Error(), he.HTTPStatus())
437                         } else {
438                                 http.Error(w, err.Error(), http.StatusInternalServerError)
439                         }
440                         return
441                 }
442         }
443         if session == nil {
444                 if pathToken {
445                         // The URL is a "secret sharing link" that
446                         // didn't work out.  Asking the client for
447                         // additional credentials would just be
448                         // confusing.
449                         http.Error(w, notFoundMessage, http.StatusNotFound)
450                         return
451                 }
452                 if tokenValid {
453                         // The client provided valid token(s), but the
454                         // collection was not found.
455                         http.Error(w, notFoundMessage, http.StatusNotFound)
456                         return
457                 }
458                 if tokenScopeProblem {
459                         // The client provided a valid token but
460                         // fetching a collection returned 401, which
461                         // means the token scope doesn't permit
462                         // fetching that collection.
463                         http.Error(w, notFoundMessage, http.StatusForbidden)
464                         return
465                 }
466                 // The client's token was invalid (e.g., expired), or
467                 // the client didn't even provide one.  Redirect to
468                 // workbench2's login-and-redirect-to-download url if
469                 // this is a browser navigation request. (The redirect
470                 // flow can't preserve the original method if it's not
471                 // GET, and doesn't make sense if the UA is a
472                 // command-line tool, is trying to load an inline
473                 // image, etc.; in these cases, there's nothing we can
474                 // do, so return 401 unauthorized.)
475                 //
476                 // Note Sec-Fetch-Mode is sent by all non-EOL
477                 // browsers, except Safari.
478                 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode
479                 //
480                 // TODO(TC): This response would be confusing to
481                 // someone trying (anonymously) to download public
482                 // data that has been deleted.  Allow a referrer to
483                 // provide this context somehow?
484                 if r.Method == http.MethodGet && r.Header.Get("Sec-Fetch-Mode") == "navigate" {
485                         target := url.URL(h.Cluster.Services.Workbench2.ExternalURL)
486                         redirkey := "redirectToPreview"
487                         if attachment {
488                                 redirkey = "redirectToDownload"
489                         }
490                         callback := "/c=" + collectionID + "/" + strings.Join(targetPath, "/")
491                         // target.RawQuery = url.Values{redirkey:
492                         // {target}}.Encode() would be the obvious
493                         // thing to do here, but wb2 doesn't decode
494                         // this as a query param -- it takes
495                         // everything after "${redirkey}=" as the
496                         // target URL. If we encode "/" as "%2F" etc.,
497                         // the redirect won't work.
498                         target.RawQuery = redirkey + "=" + callback
499                         w.Header().Add("Location", target.String())
500                         w.WriteHeader(http.StatusSeeOther)
501                         return
502                 }
503                 if !credentialsOK {
504                         http.Error(w, fmt.Sprintf("Authorization tokens are not accepted here: %v, and no anonymous user token is configured.", reasonNotAcceptingCredentials), http.StatusUnauthorized)
505                         return
506                 }
507                 // If none of the above cases apply, suggest the
508                 // user-agent (which is either a non-browser agent
509                 // like wget, or a browser that can't redirect through
510                 // a login flow) prompt the user for credentials.
511                 w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
512                 http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
513                 return
514         }
515
516         if r.Method == http.MethodGet || r.Method == http.MethodHead {
517                 targetfnm := fsprefix + strings.Join(pathParts[stripParts:], "/")
518                 if fi, err := sessionFS.Stat(targetfnm); err == nil && fi.IsDir() {
519                         if !strings.HasSuffix(r.URL.Path, "/") {
520                                 h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK)
521                         } else {
522                                 h.serveDirectory(w, r, fi.Name(), sessionFS, targetfnm, !useSiteFS)
523                         }
524                         return
525                 }
526         }
527
528         var basename string
529         if len(targetPath) > 0 {
530                 basename = targetPath[len(targetPath)-1]
531         }
532         if arvadosclient.PDHMatch(collectionID) && writeMethod[r.Method] {
533                 http.Error(w, webdavfs.ErrReadOnly.Error(), http.StatusMethodNotAllowed)
534                 return
535         }
536         if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
537                 http.Error(w, "Not permitted", http.StatusForbidden)
538                 return
539         }
540         h.logUploadOrDownload(r, session.arvadosclient, sessionFS, fsprefix+strings.Join(targetPath, "/"), nil, tokenUser)
541
542         writing := writeMethod[r.Method]
543         locker := h.collectionLock(collectionID, writing)
544         defer locker.Unlock()
545
546         if writing {
547                 // Save the collection only if/when all
548                 // webdav->filesystem operations succeed --
549                 // and send a 500 error if the modified
550                 // collection can't be saved.
551                 //
552                 // Perform the write in a separate sitefs, so
553                 // concurrent read operations on the same
554                 // collection see the previous saved
555                 // state. After the write succeeds and the
556                 // collection record is updated, we reset the
557                 // session so the updates are visible in
558                 // subsequent read requests.
559                 client := session.client.WithRequestID(r.Header.Get("X-Request-Id"))
560                 sessionFS = client.SiteFileSystem(session.keepclient)
561                 writingDir, err := sessionFS.OpenFile(fsprefix, os.O_RDONLY, 0)
562                 if err != nil {
563                         http.Error(w, err.Error(), http.StatusInternalServerError)
564                         return
565                 }
566                 defer writingDir.Close()
567                 w = &updateOnSuccess{
568                         ResponseWriter: w,
569                         logger:         ctxlog.FromContext(r.Context()),
570                         update: func() error {
571                                 err := writingDir.Sync()
572                                 var te arvados.TransactionError
573                                 if errors.As(err, &te) {
574                                         err = te
575                                 }
576                                 if err != nil {
577                                         return err
578                                 }
579                                 // Sync the changes to the persistent
580                                 // sessionfs for this token.
581                                 snap, err := writingDir.Snapshot()
582                                 if err != nil {
583                                         return err
584                                 }
585                                 collectionDir.Splice(snap)
586                                 return nil
587                         }}
588         }
589         if r.Method == http.MethodGet {
590                 applyContentDispositionHdr(w, r, basename, attachment)
591         }
592         if webdavPrefix == "" {
593                 webdavPrefix = "/" + strings.Join(pathParts[:stripParts], "/")
594         }
595         wh := webdav.Handler{
596                 Prefix: webdavPrefix,
597                 FileSystem: &webdavfs.FS{
598                         FileSystem:    sessionFS,
599                         Prefix:        fsprefix,
600                         Writing:       writeMethod[r.Method],
601                         AlwaysReadEOF: r.Method == "PROPFIND",
602                 },
603                 LockSystem: webdavfs.NoLockSystem,
604                 Logger: func(r *http.Request, err error) {
605                         if err != nil && !os.IsNotExist(err) {
606                                 ctxlog.FromContext(r.Context()).WithError(err).Error("error reported by webdav handler")
607                         }
608                 },
609         }
610         wh.ServeHTTP(w, r)
611         if r.Method == http.MethodGet && w.WroteStatus() == http.StatusOK {
612                 wrote := int64(w.WroteBodyBytes())
613                 fnm := strings.Join(pathParts[stripParts:], "/")
614                 fi, err := wh.FileSystem.Stat(r.Context(), fnm)
615                 if err == nil && fi.Size() != wrote {
616                         var n int
617                         f, err := wh.FileSystem.OpenFile(r.Context(), fnm, os.O_RDONLY, 0)
618                         if err == nil {
619                                 n, err = f.Read(make([]byte, 1024))
620                                 f.Close()
621                         }
622                         ctxlog.FromContext(r.Context()).Errorf("stat.Size()==%d but only wrote %d bytes; read(1024) returns %d, %v", fi.Size(), wrote, n, err)
623                 }
624         }
625 }
626
627 var dirListingTemplate = `<!DOCTYPE HTML>
628 <HTML><HEAD>
629   <META name="robots" content="NOINDEX">
630   <TITLE>{{ .CollectionName }}</TITLE>
631   <STYLE type="text/css">
632     body {
633       margin: 1.5em;
634     }
635     pre {
636       background-color: #D9EDF7;
637       border-radius: .25em;
638       padding: .75em;
639       overflow: auto;
640     }
641     .footer p {
642       font-size: 82%;
643     }
644     ul {
645       padding: 0;
646     }
647     ul li {
648       font-family: monospace;
649       list-style: none;
650     }
651   </STYLE>
652 </HEAD>
653 <BODY>
654
655 <H1>{{ .CollectionName }}</H1>
656
657 <P>This collection of data files is being shared with you through
658 Arvados.  You can download individual files listed below.  To download
659 the entire directory tree with wget, try:</P>
660
661 <PRE>$ wget --mirror --no-parent --no-host --cut-dirs={{ .StripParts }} https://{{ .Request.Host }}{{ .Request.URL.Path }}</PRE>
662
663 <H2>File Listing</H2>
664
665 {{if .Files}}
666 <UL>
667 {{range .Files}}
668 {{if .IsDir }}
669   <LI>{{" " | printf "%15s  " | nbsp}}<A href="{{print "./" .Name}}/">{{.Name}}/</A></LI>
670 {{else}}
671   <LI>{{.Size | printf "%15d  " | nbsp}}<A href="{{print "./" .Name}}">{{.Name}}</A></LI>
672 {{end}}
673 {{end}}
674 </UL>
675 {{else}}
676 <P>(No files; this collection is empty.)</P>
677 {{end}}
678
679 <HR noshade>
680 <DIV class="footer">
681   <P>
682     About Arvados:
683     Arvados is a free and open source software bioinformatics platform.
684     To learn more, visit arvados.org.
685     Arvados is not responsible for the files listed on this page.
686   </P>
687 </DIV>
688
689 </BODY>
690 `
691
692 type fileListEnt struct {
693         Name  string
694         Size  int64
695         IsDir bool
696 }
697
698 func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collectionName string, fs http.FileSystem, base string, recurse bool) {
699         var files []fileListEnt
700         var walk func(string) error
701         if !strings.HasSuffix(base, "/") {
702                 base = base + "/"
703         }
704         walk = func(path string) error {
705                 dirname := base + path
706                 if dirname != "/" {
707                         dirname = strings.TrimSuffix(dirname, "/")
708                 }
709                 d, err := fs.Open(dirname)
710                 if err != nil {
711                         return err
712                 }
713                 ents, err := d.Readdir(-1)
714                 if err != nil {
715                         return err
716                 }
717                 for _, ent := range ents {
718                         if recurse && ent.IsDir() {
719                                 err = walk(path + ent.Name() + "/")
720                                 if err != nil {
721                                         return err
722                                 }
723                         } else {
724                                 files = append(files, fileListEnt{
725                                         Name:  path + ent.Name(),
726                                         Size:  ent.Size(),
727                                         IsDir: ent.IsDir(),
728                                 })
729                         }
730                 }
731                 return nil
732         }
733         if err := walk(""); err != nil {
734                 http.Error(w, "error getting directory listing: "+err.Error(), http.StatusInternalServerError)
735                 return
736         }
737
738         funcs := template.FuncMap{
739                 "nbsp": func(s string) template.HTML {
740                         return template.HTML(strings.Replace(s, " ", "&nbsp;", -1))
741                 },
742         }
743         tmpl, err := template.New("dir").Funcs(funcs).Parse(dirListingTemplate)
744         if err != nil {
745                 http.Error(w, "error parsing template: "+err.Error(), http.StatusInternalServerError)
746                 return
747         }
748         sort.Slice(files, func(i, j int) bool {
749                 return files[i].Name < files[j].Name
750         })
751         w.WriteHeader(http.StatusOK)
752         tmpl.Execute(w, map[string]interface{}{
753                 "CollectionName": collectionName,
754                 "Files":          files,
755                 "Request":        r,
756                 "StripParts":     strings.Count(strings.TrimRight(r.URL.Path, "/"), "/"),
757         })
758 }
759
760 func applyContentDispositionHdr(w http.ResponseWriter, r *http.Request, filename string, isAttachment bool) {
761         disposition := "inline"
762         if isAttachment {
763                 disposition = "attachment"
764         }
765         if strings.ContainsRune(r.RequestURI, '?') {
766                 // Help the UA realize that the filename is just
767                 // "filename.txt", not
768                 // "filename.txt?disposition=attachment".
769                 //
770                 // TODO(TC): Follow advice at RFC 6266 appendix D
771                 disposition += "; filename=" + strconv.QuoteToASCII(filename)
772         }
773         if disposition != "inline" {
774                 w.Header().Set("Content-Disposition", disposition)
775         }
776 }
777
778 func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, location string, credentialsOK bool) {
779         if formTokens, haveFormTokens := r.Form["api_token"]; haveFormTokens {
780                 if !credentialsOK {
781                         // It is not safe to copy the provided token
782                         // into a cookie unless the current vhost
783                         // (origin) serves only a single collection or
784                         // we are in TrustAllContent mode.
785                         http.Error(w, "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)", http.StatusBadRequest)
786                         return
787                 }
788
789                 // The HttpOnly flag is necessary to prevent
790                 // JavaScript code (included in, or loaded by, a page
791                 // in the collection being served) from employing the
792                 // user's token beyond reading other files in the same
793                 // domain, i.e., same collection.
794                 //
795                 // The 303 redirect is necessary in the case of a GET
796                 // request to avoid exposing the token in the Location
797                 // bar, and in the case of a POST request to avoid
798                 // raising warnings when the user refreshes the
799                 // resulting page.
800                 for _, tok := range formTokens {
801                         if tok == "" {
802                                 continue
803                         }
804                         http.SetCookie(w, &http.Cookie{
805                                 Name:     "arvados_api_token",
806                                 Value:    auth.EncodeTokenCookie([]byte(tok)),
807                                 Path:     "/",
808                                 HttpOnly: true,
809                                 SameSite: http.SameSiteLaxMode,
810                         })
811                         break
812                 }
813         }
814
815         // Propagate query parameters (except api_token) from
816         // the original request.
817         redirQuery := r.URL.Query()
818         redirQuery.Del("api_token")
819
820         u := r.URL
821         if location != "" {
822                 newu, err := u.Parse(location)
823                 if err != nil {
824                         http.Error(w, "error resolving redirect target: "+err.Error(), http.StatusInternalServerError)
825                         return
826                 }
827                 u = newu
828         }
829         redir := (&url.URL{
830                 Scheme:   r.URL.Scheme,
831                 Host:     r.Host,
832                 Path:     u.Path,
833                 RawQuery: redirQuery.Encode(),
834         }).String()
835
836         w.Header().Add("Location", redir)
837         w.WriteHeader(http.StatusSeeOther)
838         io.WriteString(w, `<A href="`)
839         io.WriteString(w, html.EscapeString(redir))
840         io.WriteString(w, `">Continue</A>`)
841 }
842
843 func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool {
844         var permitDownload bool
845         var permitUpload bool
846         if tokenUser != nil && tokenUser.IsAdmin {
847                 permitUpload = h.Cluster.Collections.WebDAVPermission.Admin.Upload
848                 permitDownload = h.Cluster.Collections.WebDAVPermission.Admin.Download
849         } else {
850                 permitUpload = h.Cluster.Collections.WebDAVPermission.User.Upload
851                 permitDownload = h.Cluster.Collections.WebDAVPermission.User.Download
852         }
853         if (method == "PUT" || method == "POST") && !permitUpload {
854                 // Disallow operations that upload new files.
855                 // Permit webdav operations that move existing files around.
856                 return false
857         } else if method == "GET" && !permitDownload {
858                 // Disallow downloading file contents.
859                 // Permit webdav operations like PROPFIND that retrieve metadata
860                 // but not file contents.
861                 return false
862         }
863         return true
864 }
865
866 func (h *handler) logUploadOrDownload(
867         r *http.Request,
868         client *arvadosclient.ArvadosClient,
869         fs arvados.CustomFileSystem,
870         filepath string,
871         collection *arvados.Collection,
872         user *arvados.User) {
873
874         log := ctxlog.FromContext(r.Context())
875         props := make(map[string]string)
876         props["reqPath"] = r.URL.Path
877         var useruuid string
878         if user != nil {
879                 log = log.WithField("user_uuid", user.UUID).
880                         WithField("user_full_name", user.FullName)
881                 useruuid = user.UUID
882         } else {
883                 useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Cluster.ClusterID)
884         }
885         if collection == nil && fs != nil {
886                 collection, filepath = h.determineCollection(fs, filepath)
887         }
888         if collection != nil {
889                 log = log.WithField("collection_file_path", filepath)
890                 props["collection_file_path"] = filepath
891                 // h.determineCollection populates the collection_uuid
892                 // prop with the PDH, if this collection is being
893                 // accessed via PDH. For logging, we use a different
894                 // field depending on whether it's a UUID or PDH.
895                 if len(collection.UUID) > 32 {
896                         log = log.WithField("portable_data_hash", collection.UUID)
897                         props["portable_data_hash"] = collection.UUID
898                 } else {
899                         log = log.WithField("collection_uuid", collection.UUID)
900                         props["collection_uuid"] = collection.UUID
901                 }
902         }
903         if r.Method == "PUT" || r.Method == "POST" {
904                 log.Info("File upload")
905                 if h.Cluster.Collections.WebDAVLogEvents {
906                         go func() {
907                                 lr := arvadosclient.Dict{"log": arvadosclient.Dict{
908                                         "object_uuid": useruuid,
909                                         "event_type":  "file_upload",
910                                         "properties":  props}}
911                                 err := client.Create("logs", lr, nil)
912                                 if err != nil {
913                                         log.WithError(err).Error("Failed to create upload log event on API server")
914                                 }
915                         }()
916                 }
917         } else if r.Method == "GET" {
918                 if collection != nil && collection.PortableDataHash != "" {
919                         log = log.WithField("portable_data_hash", collection.PortableDataHash)
920                         props["portable_data_hash"] = collection.PortableDataHash
921                 }
922                 log.Info("File download")
923                 if h.Cluster.Collections.WebDAVLogEvents {
924                         go func() {
925                                 lr := arvadosclient.Dict{"log": arvadosclient.Dict{
926                                         "object_uuid": useruuid,
927                                         "event_type":  "file_download",
928                                         "properties":  props}}
929                                 err := client.Create("logs", lr, nil)
930                                 if err != nil {
931                                         log.WithError(err).Error("Failed to create download log event on API server")
932                                 }
933                         }()
934                 }
935         }
936 }
937
938 func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) {
939         target := strings.TrimSuffix(path, "/")
940         for cut := len(target); cut >= 0; cut = strings.LastIndexByte(target, '/') {
941                 target = target[:cut]
942                 fi, err := fs.Stat(target)
943                 if os.IsNotExist(err) {
944                         // creating a new file/dir, or download
945                         // destined to fail
946                         continue
947                 } else if err != nil {
948                         return nil, ""
949                 }
950                 switch src := fi.Sys().(type) {
951                 case *arvados.Collection:
952                         return src, strings.TrimPrefix(path[len(target):], "/")
953                 case *arvados.Group:
954                         return nil, ""
955                 default:
956                         if _, ok := src.(error); ok {
957                                 return nil, ""
958                         }
959                 }
960         }
961         return nil, ""
962 }
963
964 var lockTidyInterval = time.Minute * 10
965
966 // Lock the specified collection for reading or writing. Caller must
967 // call Unlock() on the returned Locker when the operation is
968 // finished.
969 func (h *handler) collectionLock(collectionID string, writing bool) sync.Locker {
970         h.lockMtx.Lock()
971         defer h.lockMtx.Unlock()
972         if time.Since(h.lockTidied) > lockTidyInterval {
973                 // Periodically delete all locks that aren't in use.
974                 h.lockTidied = time.Now()
975                 for id, locker := range h.lock {
976                         if locker.TryLock() {
977                                 locker.Unlock()
978                                 delete(h.lock, id)
979                         }
980                 }
981         }
982         locker := h.lock[collectionID]
983         if locker == nil {
984                 locker = new(sync.RWMutex)
985                 if h.lock == nil {
986                         h.lock = map[string]*sync.RWMutex{}
987                 }
988                 h.lock[collectionID] = locker
989         }
990         if writing {
991                 locker.Lock()
992                 return locker
993         } else {
994                 locker.RLock()
995                 return locker.RLocker()
996         }
997 }
998
999 func ServeCORSPreflight(w http.ResponseWriter, header http.Header) bool {
1000         method := header.Get("Access-Control-Request-Method")
1001         if method == "" {
1002                 return false
1003         }
1004         if !browserMethod[method] && !webdavMethod[method] {
1005                 w.WriteHeader(http.StatusMethodNotAllowed)
1006                 return true
1007         }
1008         w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
1009         w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
1010         w.Header().Set("Access-Control-Allow-Origin", "*")
1011         w.Header().Set("Access-Control-Max-Age", "86400")
1012         return true
1013 }