"encoding/json"
"fmt"
"io/ioutil"
- "log"
"net/http"
+ "strings"
"git.curoverse.com/arvados.git/sdk/go/auth"
"git.curoverse.com/arvados.git/sdk/go/httpserver"
return false
}
- defer req.Body.Close()
+ if req.Header.Get("Content-Type") != "application/json" {
+ httpserver.Error(w, "Expected Content-Type: application/json, got "+req.Header.Get("Content-Type"), http.StatusBadRequest)
+ return true
+ }
+
+ originalBody := req.Body
+ defer originalBody.Close()
var request map[string]interface{}
err := json.NewDecoder(req.Body).Decode(&request)
+ if err != nil {
+ httpserver.Error(w, err.Error(), http.StatusBadRequest)
+ return true
+ }
+
+ crString, ok := request["container_request"].(string)
+ if ok {
+ var crJson map[string]interface{}
+ err := json.Unmarshal([]byte(crString), &crJson)
+ if err != nil {
+ httpserver.Error(w, err.Error(), http.StatusBadRequest)
+ return true
+ }
+
+ request["container_request"] = crJson
+ }
containerRequest, ok := request["container_request"].(map[string]interface{})
if !ok {
- log.Printf("wah wah")
- return false
+ // Use toplevel object as the container_request object
+ containerRequest = request
}
// If runtime_token is not set, create a new token
if _, ok := containerRequest["runtime_token"]; !ok {
- log.Printf("ok %v", ok)
-
// First make sure supplied token is valid.
creds := auth.NewCredentials()
creds.LoadTokensFromHTTPRequest(req)
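Review bot: The Content-Type guard added at the top of this hunk compares the raw header value with `application/json`, so a request that sends `application/json; charset=utf-8` is answered with 400. Parsing the header first, `mt, _, err := mime.ParseMediaType(req.Header.Get("Content-Type"))` followed by `if err != nil || mt != "application/json" {`, keeps the check strict on the media type while tolerating parameters; it needs `mime` in the import block. Further down, a `container_request` value that is present but neither a string nor an object falls into the `!ok` branch, and the top-level object is then treated as the container request, so a `runtime_token` can be written beside the malformed field. Testing `if _, present := request["container_request"]; present` inside that branch and returning 400 would separate "absent" from "wrong type". The decoder reads the body with no size cap visible here, so it is worth confirming a limit is applied upstream; the enclosing function begins and ends outside this hunk.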
}
if len(currentUser.Authorization.Scopes) != 1 || currentUser.Authorization.Scopes[0] != "all" {
- return false
+ httpserver.Error(w, "Token scope is not [all]", http.StatusForbidden)
+ return true
}
- newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
- if err != nil {
- httpserver.Error(w, err.Error(), http.StatusForbidden)
- return true
+ // Must be home cluster for this authorization
+ if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
+ newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
+ if err != nil {
+ httpserver.Error(w, err.Error(), http.StatusForbidden)
+ return true
+ }
+ containerRequest["runtime_token"] = newtok.TokenV2()
}
- containerRequest["runtime_token"] = newtok.TokenV2()
}
newbody, err := json.Marshal(request)
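Review bot: The home-cluster test `strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID)` is true for every UUID when `ClusterID` is empty, and for any cluster ID that merely begins with the local one, and passing it is what allows `createAPItoken` to mint a new token. Assuming authorization UUIDs have a `<cluster>-<type>-<id>` shape, anchoring on the separator makes the match exact and also fails closed on an empty ID: `strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID+"-")`. When the test fails, the code falls through to `json.Marshal(request)` with no `runtime_token` and no response or log line, which reads like an omission. A comment in that position, for example `// Not the home cluster for this authorization: no token is created here, the request continues without runtime_token.`, would record that this is intended. The enclosing function starts and ends outside the hunk.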