+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
package main
import (
+ "errors"
"log"
"net/http"
- "net/http/cgi"
"os"
+ "regexp"
"strings"
"sync"
"time"
"git.curoverse.com/arvados.git/sdk/go/arvadosclient"
+ "git.curoverse.com/arvados.git/sdk/go/auth"
+ "git.curoverse.com/arvados.git/sdk/go/httpserver"
)
-func newArvadosClient() interface{} {
- arv, err := arvadosclient.MakeArvadosClient()
- if err != nil {
- log.Println("MakeArvadosClient:", err)
- return nil
- }
- return &arv
-}
-
-var connectionPool = &sync.Pool{New: newArvadosClient}
-
-type spyingResponseWriter struct {
- http.ResponseWriter
- wroteStatus *int
-}
-
-func (w spyingResponseWriter) WriteHeader(s int) {
- *w.wroteStatus = s
- w.ResponseWriter.WriteHeader(s)
+type authHandler struct {
+ handler http.Handler
+ clientPool *arvadosclient.ClientPool
+ setupOnce sync.Once
}
-type authHandler struct {
- handler *cgi.Handler
+func (h *authHandler) setup() {
+ ac, err := arvadosclient.New(&theConfig.Client)
+ if err != nil {
+ log.Fatal(err)
+ }
+ h.clientPool = &arvadosclient.ClientPool{Prototype: ac}
}
func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
+ h.setupOnce.Do(h.setup)
+
var statusCode int
var statusText string
- var username, password string
+ var apiToken string
var repoName string
- var wroteStatus int
+ var validApiToken bool
+
+ w := httpserver.WrapResponseWriter(wOrig)
+
+ if r.Method == "OPTIONS" {
+ method := r.Header.Get("Access-Control-Request-Method")
+ if method != "GET" && method != "POST" {
+ w.WriteHeader(http.StatusMethodNotAllowed)
+ return
+ }
+ w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
+ w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ w.Header().Set("Access-Control-Max-Age", "86400")
+ w.WriteHeader(http.StatusOK)
+ return
+ }
- w := spyingResponseWriter{wOrig, &wroteStatus}
+ if r.Header.Get("Origin") != "" {
+ // Allow simple cross-origin requests without user
+ // credentials ("user credentials" as defined by CORS,
+ // i.e., cookies, HTTP authentication, and client-side
+ // SSL certificates. See
+ // http://www.w3.org/TR/cors/#user-credentials).
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ }
defer func() {
- if wroteStatus == 0 {
- // Nobody has called WriteHeader yet: that must be our job.
+ if w.WroteStatus() == 0 {
+ // Nobody has called WriteHeader yet: that
+ // must be our job.
w.WriteHeader(statusCode)
- w.Write([]byte(statusText))
+ if statusCode >= 400 {
+ w.Write([]byte(statusText))
+ }
}
- log.Println(quoteStrings(r.RemoteAddr, username, password, wroteStatus, statusText, repoName, r.URL.Path)...)
+
+ // If the given password is a valid token, log the first 10 characters of the token.
+ // Otherwise: log the string <invalid> if a password is given, else an empty string.
+ passwordToLog := ""
+ if !validApiToken {
+ if len(apiToken) > 0 {
+ passwordToLog = "<invalid>"
+ }
+ } else {
+ passwordToLog = apiToken[0:10]
+ }
+
+ httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path)
}()
- // HTTP request username is logged, but unused. Password is an
- // Arvados API token.
- username, password, ok := BasicAuth(r)
- if !ok || username == "" || password == "" {
+ creds := auth.NewCredentialsFromHTTPRequest(r)
+ if len(creds.Tokens) == 0 {
statusCode, statusText = http.StatusUnauthorized, "no credentials provided"
- w.Header().Add("WWW-Authenticate", "basic")
+ w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"")
return
}
+ apiToken = creds.Tokens[0]
// Access to paths "/foo/bar.git/*" and "/foo/bar/.git/*" are
// protected by the permissions on the repository named
// "foo/bar".
pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2)
if len(pathParts) != 2 {
- statusCode, statusText = http.StatusBadRequest, "bad request"
+ statusCode, statusText = http.StatusNotFound, "not found"
return
}
repoName = pathParts[0]
repoName = strings.TrimRight(repoName, "/")
- arv, ok := connectionPool.Get().(*arvadosclient.ArvadosClient)
- if !ok || arv == nil {
- statusCode, statusText = http.StatusInternalServerError, "connection pool failed"
+ arv := h.clientPool.Get()
+ if arv == nil {
+ statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+h.clientPool.Err().Error()
return
}
- defer connectionPool.Put(arv)
+ defer h.clientPool.Put(arv)
// Ask API server whether the repository is readable using
// this token (by trying to read it!)
- arv.ApiToken = password
- reposFound := arvadosclient.Dict{}
- if err := arv.List("repositories", arvadosclient.Dict{
- "filters": [][]string{[]string{"name", "=", repoName}},
- }, &reposFound); err != nil {
+ arv.ApiToken = apiToken
+ repoUUID, err := h.lookupRepo(arv, repoName)
+ if err != nil {
statusCode, statusText = http.StatusInternalServerError, err.Error()
return
}
- if avail, ok := reposFound["items_available"].(float64); !ok {
- statusCode, statusText = http.StatusInternalServerError, "bad list response from API"
- return
- } else if avail < 1 {
+ validApiToken = true
+ if repoUUID == "" {
statusCode, statusText = http.StatusNotFound, "not found"
return
- } else if avail > 1 {
- statusCode, statusText = http.StatusInternalServerError, "name collision"
- return
}
- repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string)
-
isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack")
if !isWrite {
statusText = "read"
"/" + repoName + "/.git",
}
for _, dir := range tryDirs {
- if fileInfo, err := os.Stat(theConfig.Root + dir); err != nil {
+ if fileInfo, err := os.Stat(theConfig.RepoRoot + dir); err != nil {
if !os.IsNotExist(err) {
statusCode, statusText = http.StatusInternalServerError, err.Error()
return
}
if rewrittenPath == "" {
log.Println("WARNING:", repoUUID,
- "git directory not found in", theConfig.Root, tryDirs)
+ "git directory not found in", theConfig.RepoRoot, tryDirs)
// We say "content not found" to disambiguate from the
// earlier "API says that repo does not exist" error.
statusCode, statusText = http.StatusNotFound, "content not found"
}
r.URL.Path = rewrittenPath
- handlerCopy := *h.handler
- handlerCopy.Env = append(handlerCopy.Env, "REMOTE_USER="+r.RemoteAddr) // Should be username
- handlerCopy.ServeHTTP(&w, r)
+ h.handler.ServeHTTP(w, r)
}
-var escaper = strings.NewReplacer("\"", "\\\"", "\\", "\\\\", "\n", "\\n")
+var uuidRegexp = regexp.MustCompile(`^[0-9a-z]{5}-s0uqq-[0-9a-z]{15}$`)
-// Transform strings so they are safer to write in logs (e.g.,
-// 'foo"bar' becomes '"foo\"bar"'). Non-string args are left alone.
-func quoteStrings(args ...interface{}) []interface{} {
- for i, arg := range args {
- if s, ok := arg.(string); ok {
- args[i] = "\"" + escaper.Replace(s) + "\""
- }
+func (h *authHandler) lookupRepo(arv *arvadosclient.ArvadosClient, repoName string) (string, error) {
+ reposFound := arvadosclient.Dict{}
+ var column string
+ if uuidRegexp.MatchString(repoName) {
+ column = "uuid"
+ } else {
+ column = "name"
+ }
+ err := arv.List("repositories", arvadosclient.Dict{
+ "filters": [][]string{{column, "=", repoName}},
+ }, &reposFound)
+ if err != nil {
+ return "", err
+ } else if avail, ok := reposFound["items_available"].(float64); !ok {
+ return "", errors.New("bad list response from API")
+ } else if avail < 1 {
+ return "", nil
+ } else if avail > 1 {
+ return "", errors.New("name collision")
}
- return args
+ return reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string), nil
}