Merge branch '10690-config-dump' refs #10690

[arvados.git] / services / ws / permission.go

diff --git a/services/ws/permission.go b/services/ws/permission.go
index b2b962c7ce4f1662bace01daac24cb1035fc772f..e467e067205a765ef9bd097c5d95ceda65037abb 100644 (file)
--- a/services/ws/permission.go
+++ b/services/ws/permission.go
@@ -18,18 +18,23 @@ type permChecker interface {
        Check(uuid string) (bool, error)
 }
 
-func NewPermChecker(ac arvados.Client) permChecker {
+func newPermChecker(ac arvados.Client) permChecker {
        ac.AuthToken = ""
        return &cachingPermChecker{
                Client:     &ac,
-               cache:      make(map[string]time.Time),
+               cache:      make(map[string]cacheEnt),
                maxCurrent: 16,
        }
 }
 
+type cacheEnt struct {
+       time.Time
+       allowed bool
+}
+
 type cachingPermChecker struct {
        *arvados.Client
-       cache      map[string]time.Time
+       cache      map[string]cacheEnt
        maxCurrent int
 }
 
@@ -38,10 +43,14 @@ func (pc *cachingPermChecker) SetToken(token string) {
 }
 
 func (pc *cachingPermChecker) Check(uuid string) (bool, error) {
+       logger := logger(nil).
+               WithField("token", pc.Client.AuthToken).
+               WithField("uuid", uuid)
        pc.tidy()
-       if t, ok := pc.cache[uuid]; ok && time.Now().Sub(t) < maxPermCacheAge {
-               debugLogf("perm ok (cached): %+q %+q", pc.Client.AuthToken, uuid)
-               return true, nil
+       now := time.Now()
+       if perm, ok := pc.cache[uuid]; ok && now.Sub(perm.Time) < maxPermCacheAge {
+               logger.WithField("allowed", perm.allowed).Debug("cache hit")
+               return perm.allowed, nil
        }
        var buf map[string]interface{}
        path, err := pc.PathForUUID("get", uuid)
@@ -51,17 +60,24 @@ func (pc *cachingPermChecker) Check(uuid string) (bool, error) {
        err = pc.RequestAndDecode(&buf, "GET", path, nil, url.Values{
                "select": {`["uuid"]`},
        })
-       if err, ok := err.(arvados.TransactionError); ok && err.StatusCode == http.StatusNotFound {
-               debugLogf("perm err: %+q %+q: %s", pc.Client.AuthToken, uuid, err)
-               return false, nil
-       }
-       if err != nil {
-               debugLogf("perm !ok: %+q %+q", pc.Client.AuthToken, uuid)
+
+       var allowed bool
+       if err == nil {
+               allowed = true
+       } else if txErr, ok := err.(*arvados.TransactionError); ok && txErr.StatusCode == http.StatusNotFound {
+               allowed = false
+       } else if txErr.StatusCode == http.StatusForbidden {
+               // Some requests are expressly forbidden for reasons
+               // other than "you aren't allowed to know whether this
+               // UUID exists" (404).
+               allowed = false
+       } else {
+               logger.WithError(err).Error("lookup error")
                return false, err
        }
-       debugLogf("perm ok: %+q %+q", pc.Client.AuthToken, uuid)
-       pc.cache[uuid] = time.Now()
-       return true, nil
+       logger.WithField("allowed", allowed).Debug("cache miss")
+       pc.cache[uuid] = cacheEnt{Time: now, allowed: allowed}
+       return allowed, nil
 }
 
 func (pc *cachingPermChecker) tidy() {