X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/07b765184292a503111416ef0df168282350ce2e..08e0784f8dea70c66d21933df198bd1539355071:/services/keep-web/s3.go

diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index 6ea9bf9f7a..f98efd8fdf 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -2,18 +2,21 @@
 //
 // SPDX-License-Identifier: AGPL-3.0
 
-package main
+package keepweb
 
 import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
+	"encoding/json"
 	"encoding/xml"
 	"errors"
 	"fmt"
 	"hash"
 	"io"
+	"mime"
 	"net/http"
+	"net/textproto"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -220,8 +223,8 @@ func (h *handler) checks3signature(r *http.Request) (string, error) {
 	}
 
 	client := (&arvados.Client{
-		APIHost:  h.Config.cluster.Services.Controller.ExternalURL.Host,
-		Insecure: h.Config.cluster.TLS.Insecure,
+		APIHost:  h.Cluster.Services.Controller.ExternalURL.Host,
+		Insecure: h.Cluster.TLS.Insecure,
 	}).WithRequestID(r.Header.Get("X-Request-Id"))
 	var aca arvados.APIClientAuthorization
 	var secret string
@@ -229,7 +232,7 @@ func (h *handler) checks3signature(r *http.Request) (string, error) {
 	if len(key) == 27 && key[5:12] == "-gj3su-" {
 		// Access key is the UUID of an Arvados token, secret
 		// key is the secret part.
-		ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+h.Config.cluster.SystemRootToken)
+		ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+h.Cluster.SystemRootToken)
 		err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/"+key, nil, nil)
 		secret = aca.APIToken
 	} else {
@@ -307,34 +310,25 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 		return false
 	}
 
-	var err error
-	var fs arvados.CustomFileSystem
-	if r.Method == http.MethodGet || r.Method == http.MethodHead {
-		// Use a single session (cached FileSystem) across
-		// multiple read requests.
-		fs, err = h.Config.Cache.GetSession(token)
-		if err != nil {
-			s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusInternalServerError)
-			return true
-		}
-	} else {
+	fs, sess, tokenUser, err := h.Cache.GetSession(token)
+	if err != nil {
+		s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusInternalServerError)
+		return true
+	}
+	readfs := fs
+	if writeMethod[r.Method] {
 		// Create a FileSystem for this request, to avoid
 		// exposing incomplete write operations to concurrent
 		// requests.
-		_, kc, client, release, err := h.getClients(r.Header.Get("X-Request-Id"), token)
-		if err != nil {
-			s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusInternalServerError)
-			return true
-		}
-		defer release()
-		fs = client.SiteFileSystem(kc)
-		fs.ForwardSlashNameSubstitution(h.Config.cluster.Collections.ForwardSlashNameSubstitution)
+		client := sess.client.WithRequestID(r.Header.Get("X-Request-Id"))
+		fs = client.SiteFileSystem(sess.keepclient)
+		fs.ForwardSlashNameSubstitution(h.Cluster.Collections.ForwardSlashNameSubstitution)
 	}
 
 	var objectNameGiven bool
 	var bucketName string
 	fspath := "/by_id"
-	if id := parseCollectionIDFromDNSName(r.Host); id != "" {
+	if id := arvados.CollectionIDFromDNSName(r.Host); id != "" {
 		fspath += "/" + id
 		bucketName = id
 		objectNameGiven = strings.Count(strings.TrimSuffix(r.URL.Path, "/"), "/") > 0
@@ -357,7 +351,7 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 			w.Header().Set("Content-Type", "application/xml")
 			io.WriteString(w, xml.Header)
 			fmt.Fprintln(w, `<LocationConstraint><LocationConstraint xmlns="http://s3.amazonaws.com/doc/2006-03-01/">`+
-				h.Config.cluster.ClusterID+
+				h.Cluster.ClusterID+
 				`</LocationConstraint></LocationConstraint>`)
 		} else if reRawQueryIndicatesAPI.MatchString(r.URL.RawQuery) {
 			// GetBucketWebsite ("GET /bucketid/?website"), GetBucketTagging, etc.
@@ -377,6 +371,11 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 		if r.Method == "HEAD" && !objectNameGiven {
 			// HeadBucket
 			if err == nil && fi.IsDir() {
+				err = setFileInfoHeaders(w.Header(), fs, fspath)
+				if err != nil {
+					s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusBadGateway)
+					return true
+				}
 				w.WriteHeader(http.StatusOK)
 			} else if os.IsNotExist(err) {
 				s3ErrorResponse(w, NoSuchBucket, "The specified bucket does not exist.", r.URL.Path, http.StatusNotFound)
@@ -385,7 +384,12 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 			}
 			return true
 		}
-		if err == nil && fi.IsDir() && objectNameGiven && strings.HasSuffix(fspath, "/") && h.Config.cluster.Collections.S3FolderObjects {
+		if err == nil && fi.IsDir() && objectNameGiven && strings.HasSuffix(fspath, "/") && h.Cluster.Collections.S3FolderObjects {
+			err = setFileInfoHeaders(w.Header(), fs, fspath)
+			if err != nil {
+				s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusBadGateway)
+				return true
+			}
 			w.Header().Set("Content-Type", "application/x-directory")
 			w.WriteHeader(http.StatusOK)
 			return true
@@ -396,9 +400,21 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 			s3ErrorResponse(w, NoSuchKey, "The specified key does not exist.", r.URL.Path, http.StatusNotFound)
 			return true
 		}
+
+		if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+			http.Error(w, "Not permitted", http.StatusForbidden)
+			return true
+		}
+		h.logUploadOrDownload(r, sess.arvadosclient, fs, fspath, nil, tokenUser)
+
 		// shallow copy r, and change URL path
 		r := *r
 		r.URL.Path = fspath
+		err = setFileInfoHeaders(w.Header(), fs, fspath)
+		if err != nil {
+			s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusBadGateway)
+			return true
+		}
 		http.FileServer(fs).ServeHTTP(w, &r)
 		return true
 	case r.Method == http.MethodPut:
@@ -413,7 +429,7 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 		}
 		var objectIsDir bool
 		if strings.HasSuffix(fspath, "/") {
-			if !h.Config.cluster.Collections.S3FolderObjects {
+			if !h.Cluster.Collections.S3FolderObjects {
 				s3ErrorResponse(w, InvalidArgument, "invalid object name: trailing slash", r.URL.Path, http.StatusBadRequest)
 				return true
 			}
@@ -455,7 +471,7 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 					return true
 				}
 				err = fs.Mkdir(dir, 0755)
-				if err == arvados.ErrInvalidArgument {
+				if errors.Is(err, arvados.ErrInvalidArgument) || errors.Is(err, arvados.ErrInvalidOperation) {
 					// Cannot create a directory
 					// here.
 					err = fmt.Errorf("mkdir %q failed: %w", dir, err)
@@ -479,6 +495,13 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 				return true
 			}
 			defer f.Close()
+
+			if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+				http.Error(w, "Not permitted", http.StatusForbidden)
+				return true
+			}
+			h.logUploadOrDownload(r, sess.arvadosclient, fs, fspath, nil, tokenUser)
+
 			_, err = io.Copy(f, r.Body)
 			if err != nil {
 				err = fmt.Errorf("write to %q failed: %w", r.URL.Path, err)
@@ -492,14 +515,12 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 				return true
 			}
 		}
-		err = fs.Sync()
+		err = h.syncCollection(fs, readfs, fspath)
 		if err != nil {
 			err = fmt.Errorf("sync failed: %w", err)
 			s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusInternalServerError)
 			return true
 		}
-		// Ensure a subsequent read operation will see the changes.
-		h.Config.Cache.ResetSession(token)
 		w.WriteHeader(http.StatusOK)
 		return true
 	case r.Method == http.MethodDelete:
@@ -546,14 +567,12 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 			s3ErrorResponse(w, InvalidArgument, err.Error(), r.URL.Path, http.StatusBadRequest)
 			return true
 		}
-		err = fs.Sync()
+		err = h.syncCollection(fs, readfs, fspath)
 		if err != nil {
 			err = fmt.Errorf("sync failed: %w", err)
 			s3ErrorResponse(w, InternalError, err.Error(), r.URL.Path, http.StatusInternalServerError)
 			return true
 		}
-		// Ensure a subsequent read operation will see the changes.
-		h.Config.Cache.ResetSession(token)
 		w.WriteHeader(http.StatusNoContent)
 		return true
 	default:
@@ -562,6 +581,88 @@ func (h *handler) serveS3(w http.ResponseWriter, r *http.Request) bool {
 	}
 }
 
+// Save modifications to the indicated collection in srcfs, then (if
+// successful) ensure they are also reflected in dstfs.
+func (h *handler) syncCollection(srcfs, dstfs arvados.CustomFileSystem, path string) error {
+	coll, _ := h.determineCollection(srcfs, path)
+	if coll == nil || coll.UUID == "" {
+		return errors.New("could not determine collection to sync")
+	}
+	d, err := srcfs.OpenFile("by_id/"+coll.UUID, os.O_RDWR, 0777)
+	if err != nil {
+		return err
+	}
+	defer d.Close()
+	err = d.Sync()
+	if err != nil {
+		return err
+	}
+	snap, err := d.Snapshot()
+	if err != nil {
+		return err
+	}
+	dstd, err := dstfs.OpenFile("by_id/"+coll.UUID, os.O_RDWR, 0777)
+	if err != nil {
+		return err
+	}
+	defer dstd.Close()
+	return dstd.Splice(snap)
+}
+
+func setFileInfoHeaders(header http.Header, fs arvados.CustomFileSystem, path string) error {
+	maybeEncode := func(s string) string {
+		for _, c := range s {
+			if c > '\u007f' || c < ' ' {
+				return mime.BEncoding.Encode("UTF-8", s)
+			}
+		}
+		return s
+	}
+	path = strings.TrimSuffix(path, "/")
+	var props map[string]interface{}
+	for {
+		fi, err := fs.Stat(path)
+		if err != nil {
+			return err
+		}
+		switch src := fi.Sys().(type) {
+		case *arvados.Collection:
+			props = src.Properties
+		case *arvados.Group:
+			props = src.Properties
+		default:
+			if err, ok := src.(error); ok {
+				return err
+			}
+			// Try parent
+			cut := strings.LastIndexByte(path, '/')
+			if cut < 0 {
+				return nil
+			}
+			path = path[:cut]
+			continue
+		}
+		break
+	}
+	for k, v := range props {
+		if !validMIMEHeaderKey(k) {
+			continue
+		}
+		k = "x-amz-meta-" + k
+		if s, ok := v.(string); ok {
+			header.Set(k, maybeEncode(s))
+		} else if j, err := json.Marshal(v); err == nil {
+			header.Set(k, maybeEncode(string(j)))
+		}
+	}
+	return nil
+}
+
+func validMIMEHeaderKey(k string) bool {
+	check := "z-" + k
+	return check != textproto.CanonicalMIMEHeaderKey(check)
+}
+
 // Call fn on the given path (directory) and its contents, in
 // lexicographic order.
 //
@@ -732,7 +833,7 @@ func (h *handler) s3list(bucket string, w http.ResponseWriter, r *http.Request,
 		if path < params.marker || path < params.prefix || path <= params.startAfter {
 			return nil
 		}
-		if fi.IsDir() && !h.Config.cluster.Collections.S3FolderObjects {
+		if fi.IsDir() && !h.Cluster.Collections.S3FolderObjects {
 			// Note we don't add anything to
 			// commonPrefixes here even if delimiter is
 			// "/". We descend into the directory, and