projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
14345: Use "." placeholder to persist empty directories.
[arvados.git] / lib / controller / fed_containers.go
diff --git a/lib/controller/fed_containers.go b/lib/controller/fed_containers.go
index 32ae25fc4b87dd26c128d8d4e2a52edd382c0a3c..5c5501d22c73767f87f74d5b5439927c4c4282bb 100644 (file)
--- a/lib/controller/fed_containers.go
+++ b/lib/controller/fed_containers.go
@@ -9,8 +9,8 @@ import (
        "encoding/json"
        "fmt"
        "io/ioutil"
-       "log"
        "net/http"
+       "strings"
 
        "git.curoverse.com/arvados.git/sdk/go/auth"
        "git.curoverse.com/arvados.git/sdk/go/httpserver"
@@ -30,20 +30,40 @@ func remoteContainerRequestCreate(
                return false
        }
 
-       defer req.Body.Close()
+       if req.Header.Get("Content-Type") != "application/json" {
+               httpserver.Error(w, "Expected Content-Type: application/json, got "+req.Header.Get("Content-Type"), http.StatusBadRequest)
+               return true
+       }
+
+       originalBody := req.Body
+       defer originalBody.Close()
        var request map[string]interface{}
        err := json.NewDecoder(req.Body).Decode(&request)
+       if err != nil {
+               httpserver.Error(w, err.Error(), http.StatusBadRequest)
+               return true
+       }
+
+       crString, ok := request["container_request"].(string)
+       if ok {
+               var crJson map[string]interface{}
+               err := json.Unmarshal([]byte(crString), &crJson)
+               if err != nil {
+                       httpserver.Error(w, err.Error(), http.StatusBadRequest)
+                       return true
+               }
+
+               request["container_request"] = crJson
+       }
 
        containerRequest, ok := request["container_request"].(map[string]interface{})
        if !ok {
-               log.Printf("wah wah")
-               return false
+               // Use toplevel object as the container_request object
+               containerRequest = request
        }
 
        // If runtime_token is not set, create a new token
        if _, ok := containerRequest["runtime_token"]; !ok {
-               log.Printf("ok %v", ok)
-
                // First make sure supplied token is valid.
                creds := auth.NewCredentials()
                creds.LoadTokensFromHTTPRequest(req)
@@ -55,15 +75,19 @@ func remoteContainerRequestCreate(
                }
 
                if len(currentUser.Authorization.Scopes) != 1 || currentUser.Authorization.Scopes[0] != "all" {
-                       return false
+                       httpserver.Error(w, "Token scope is not [all]", http.StatusForbidden)
+                       return true
                }
 
-               newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
-               if err != nil {
-                       httpserver.Error(w, err.Error(), http.StatusForbidden)
-                       return true
+               // Must be home cluster for this authorization
+               if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
+                       newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
+                       if err != nil {
+                               httpserver.Error(w, err.Error(), http.StatusForbidden)
+                               return true
+                       }
+                       containerRequest["runtime_token"] = newtok.TokenV2()
                }
-               containerRequest["runtime_token"] = newtok.TokenV2()
        }
 
        newbody, err := json.Marshal(request)