X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/060d38d627bd1e51dd2b3c6e7de9af6aa7d7b6f3..eb1c9afa9a92c1506e5d4d1161b6e74d919e8f00:/services/arv-git-httpd/auth_handler.go?ds=sidebyside diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go index 7a2841f49a..b4dc58b24f 100644 --- a/services/arv-git-httpd/auth_handler.go +++ b/services/arv-git-httpd/auth_handler.go @@ -5,9 +5,11 @@ package main import ( + "errors" "log" "net/http" "os" + "regexp" "strings" "sync" "time" @@ -29,7 +31,6 @@ func (h *authHandler) setup() { log.Fatal(err) } h.clientPool = &arvadosclient.ClientPool{Prototype: ac} - log.Printf("%+v", h.clientPool.Prototype) } func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { @@ -43,12 +44,37 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w := httpserver.WrapResponseWriter(wOrig) + if r.Method == "OPTIONS" { + method := r.Header.Get("Access-Control-Request-Method") + if method != "GET" && method != "POST" { + w.WriteHeader(http.StatusMethodNotAllowed) + return + } + w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type") + w.Header().Set("Access-Control-Allow-Methods", "GET, POST") + w.Header().Set("Access-Control-Allow-Origin", "*") + w.Header().Set("Access-Control-Max-Age", "86400") + w.WriteHeader(http.StatusOK) + return + } + + if r.Header.Get("Origin") != "" { + // Allow simple cross-origin requests without user + // credentials ("user credentials" as defined by CORS, + // i.e., cookies, HTTP authentication, and client-side + // SSL certificates. See + // http://www.w3.org/TR/cors/#user-credentials). + w.Header().Set("Access-Control-Allow-Origin", "*") + } + defer func() { if w.WroteStatus() == 0 { // Nobody has called WriteHeader yet: that // must be our job. w.WriteHeader(statusCode) - w.Write([]byte(statusText)) + if statusCode >= 400 { + w.Write([]byte(statusText)) + } } // If the given password is a valid token, log the first 10 characters of the token. @@ -78,7 +104,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // "foo/bar". pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2) if len(pathParts) != 2 { - statusCode, statusText = http.StatusBadRequest, "bad request" + statusCode, statusText = http.StatusNotFound, "not found" return } repoName = pathParts[0] @@ -94,27 +120,17 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // Ask API server whether the repository is readable using // this token (by trying to read it!) arv.ApiToken = apiToken - reposFound := arvadosclient.Dict{} - if err := arv.List("repositories", arvadosclient.Dict{ - "filters": [][]string{{"name", "=", repoName}}, - }, &reposFound); err != nil { + repoUUID, err := h.lookupRepo(arv, repoName) + if err != nil { statusCode, statusText = http.StatusInternalServerError, err.Error() return } validApiToken = true - if avail, ok := reposFound["items_available"].(float64); !ok { - statusCode, statusText = http.StatusInternalServerError, "bad list response from API" - return - } else if avail < 1 { + if repoUUID == "" { statusCode, statusText = http.StatusNotFound, "not found" return - } else if avail > 1 { - statusCode, statusText = http.StatusInternalServerError, "name collision" - return } - repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string) - isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack") if !isWrite { statusText = "read" @@ -165,5 +181,30 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } r.URL.Path = rewrittenPath - h.handler.ServeHTTP(&w, r) + h.handler.ServeHTTP(w, r) +} + +var uuidRegexp = regexp.MustCompile(`^[0-9a-z]{5}-s0uqq-[0-9a-z]{15}$`) + +func (h *authHandler) lookupRepo(arv *arvadosclient.ArvadosClient, repoName string) (string, error) { + reposFound := arvadosclient.Dict{} + var column string + if uuidRegexp.MatchString(repoName) { + column = "uuid" + } else { + column = "name" + } + err := arv.List("repositories", arvadosclient.Dict{ + "filters": [][]string{{column, "=", repoName}}, + }, &reposFound) + if err != nil { + return "", err + } else if avail, ok := reposFound["items_available"].(float64); !ok { + return "", errors.New("bad list response from API") + } else if avail < 1 { + return "", nil + } else if avail > 1 { + return "", errors.New("name collision") + } + return reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string), nil }