X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/060d38d627bd1e51dd2b3c6e7de9af6aa7d7b6f3..82a9595a6a35c648fff62c2497d858f1ab062578:/services/arv-git-httpd/auth_handler.go diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go index 7a2841f49a..fa03756301 100644 --- a/services/arv-git-httpd/auth_handler.go +++ b/services/arv-git-httpd/auth_handler.go @@ -5,31 +5,40 @@ package main import ( + "errors" "log" "net/http" "os" + "regexp" "strings" "sync" "time" - "git.curoverse.com/arvados.git/sdk/go/arvadosclient" - "git.curoverse.com/arvados.git/sdk/go/auth" - "git.curoverse.com/arvados.git/sdk/go/httpserver" + "git.arvados.org/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/arvadosclient" + "git.arvados.org/arvados.git/sdk/go/auth" + "git.arvados.org/arvados.git/sdk/go/httpserver" ) type authHandler struct { handler http.Handler clientPool *arvadosclient.ClientPool + cluster *arvados.Cluster setupOnce sync.Once } func (h *authHandler) setup() { - ac, err := arvadosclient.New(&theConfig.Client) + client, err := arvados.NewClientFromConfig(h.cluster) if err != nil { log.Fatal(err) } + + ac, err := arvadosclient.New(client) + if err != nil { + log.Fatalf("Error setting up arvados client prototype %v", err) + } + h.clientPool = &arvadosclient.ClientPool{Prototype: ac} - log.Printf("%+v", h.clientPool.Prototype) } func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { @@ -43,12 +52,37 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w := httpserver.WrapResponseWriter(wOrig) + if r.Method == "OPTIONS" { + method := r.Header.Get("Access-Control-Request-Method") + if method != "GET" && method != "POST" { + w.WriteHeader(http.StatusMethodNotAllowed) + return + } + w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type") + w.Header().Set("Access-Control-Allow-Methods", "GET, POST") + w.Header().Set("Access-Control-Allow-Origin", "*") + w.Header().Set("Access-Control-Max-Age", "86400") + w.WriteHeader(http.StatusOK) + return + } + + if r.Header.Get("Origin") != "" { + // Allow simple cross-origin requests without user + // credentials ("user credentials" as defined by CORS, + // i.e., cookies, HTTP authentication, and client-side + // SSL certificates. See + // http://www.w3.org/TR/cors/#user-credentials). + w.Header().Set("Access-Control-Allow-Origin", "*") + } + defer func() { if w.WroteStatus() == 0 { // Nobody has called WriteHeader yet: that // must be our job. w.WriteHeader(statusCode) - w.Write([]byte(statusText)) + if statusCode >= 400 { + w.Write([]byte(statusText)) + } } // If the given password is a valid token, log the first 10 characters of the token. @@ -65,7 +99,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path) }() - creds := auth.NewCredentialsFromHTTPRequest(r) + creds := auth.CredentialsFromRequest(r) if len(creds.Tokens) == 0 { statusCode, statusText = http.StatusUnauthorized, "no credentials provided" w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"") @@ -78,7 +112,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // "foo/bar". pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2) if len(pathParts) != 2 { - statusCode, statusText = http.StatusBadRequest, "bad request" + statusCode, statusText = http.StatusNotFound, "not found" return } repoName = pathParts[0] @@ -94,27 +128,17 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // Ask API server whether the repository is readable using // this token (by trying to read it!) arv.ApiToken = apiToken - reposFound := arvadosclient.Dict{} - if err := arv.List("repositories", arvadosclient.Dict{ - "filters": [][]string{{"name", "=", repoName}}, - }, &reposFound); err != nil { + repoUUID, err := h.lookupRepo(arv, repoName) + if err != nil { statusCode, statusText = http.StatusInternalServerError, err.Error() return } validApiToken = true - if avail, ok := reposFound["items_available"].(float64); !ok { - statusCode, statusText = http.StatusInternalServerError, "bad list response from API" - return - } else if avail < 1 { + if repoUUID == "" { statusCode, statusText = http.StatusNotFound, "not found" return - } else if avail > 1 { - statusCode, statusText = http.StatusInternalServerError, "name collision" - return } - repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string) - isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack") if !isWrite { statusText = "read" @@ -145,7 +169,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { "/" + repoName + "/.git", } for _, dir := range tryDirs { - if fileInfo, err := os.Stat(theConfig.RepoRoot + dir); err != nil { + if fileInfo, err := os.Stat(h.cluster.Git.Repositories + dir); err != nil { if !os.IsNotExist(err) { statusCode, statusText = http.StatusInternalServerError, err.Error() return @@ -157,7 +181,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if rewrittenPath == "" { log.Println("WARNING:", repoUUID, - "git directory not found in", theConfig.RepoRoot, tryDirs) + "git directory not found in", h.cluster.Git.Repositories, tryDirs) // We say "content not found" to disambiguate from the // earlier "API says that repo does not exist" error. statusCode, statusText = http.StatusNotFound, "content not found" @@ -165,5 +189,30 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } r.URL.Path = rewrittenPath - h.handler.ServeHTTP(&w, r) + h.handler.ServeHTTP(w, r) +} + +var uuidRegexp = regexp.MustCompile(`^[0-9a-z]{5}-s0uqq-[0-9a-z]{15}$`) + +func (h *authHandler) lookupRepo(arv *arvadosclient.ArvadosClient, repoName string) (string, error) { + reposFound := arvadosclient.Dict{} + var column string + if uuidRegexp.MatchString(repoName) { + column = "uuid" + } else { + column = "name" + } + err := arv.List("repositories", arvadosclient.Dict{ + "filters": [][]string{{column, "=", repoName}}, + }, &reposFound) + if err != nil { + return "", err + } else if avail, ok := reposFound["items_available"].(float64); !ok { + return "", errors.New("bad list response from API") + } else if avail < 1 { + return "", nil + } else if avail > 1 { + return "", errors.New("name collision") + } + return reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string), nil }