X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/0c888bcc93b559339c8abbce784bdcc44746bca2..38c4ce8bd5aefed6784d457ed3caf28f279d6de4:/services/keepproxy/keepproxy.go

diff --git a/services/keepproxy/keepproxy.go b/services/keepproxy/keepproxy.go
index 145b39d4c3..b6c8bd66aa 100644
--- a/services/keepproxy/keepproxy.go
+++ b/services/keepproxy/keepproxy.go
@@ -182,7 +182,7 @@ func main() {
 
 	// Start serving requests.
 	router = MakeRESTRouter(!cfg.DisableGet, !cfg.DisablePut, kc, time.Duration(cfg.Timeout), cfg.ManagementToken)
-	http.Serve(listener, httpserver.AddRequestIDs(httpserver.LogRequests(router)))
+	http.Serve(listener, httpserver.AddRequestIDs(httpserver.LogRequests(nil, router)))
 
 	log.Println("shutting down")
 }
@@ -232,35 +232,56 @@ func GetRemoteAddress(req *http.Request) string {
 }
 
 func CheckAuthorizationHeader(kc *keepclient.KeepClient, cache *ApiTokenCache, req *http.Request) (pass bool, tok string) {
-	var auth string
-	if auth = req.Header.Get("Authorization"); auth == "" {
+	parts := strings.SplitN(req.Header.Get("Authorization"), " ", 2)
+	if len(parts) < 2 || !(parts[0] == "OAuth2" || parts[0] == "Bearer") || len(parts[1]) == 0 {
 		return false, ""
 	}
+	tok = parts[1]
 
-	_, err := fmt.Sscanf(auth, "OAuth2 %s", &tok)
-	if err != nil {
-		// Scanning error
-		return false, ""
+	// Tokens are validated differently depending on what kind of
+	// operation is being performed. For example, tokens in
+	// collection-sharing links permit GET requests, but not
+	// PUT requests.
+	var op string
+	if req.Method == "GET" || req.Method == "HEAD" {
+		op = "read"
+	} else {
+		op = "write"
 	}
 
-	if cache.RecallToken(tok) {
+	if cache.RecallToken(op + ":" + tok) {
 		// Valid in the cache, short circuit
 		return true, tok
 	}
 
+	var err error
 	arv := *kc.Arvados
 	arv.ApiToken = tok
-	if err := arv.Call("HEAD", "users", "", "current", nil, nil); err != nil {
+	arv.RequestID = req.Header.Get("X-Request-Id")
+	if op == "read" {
+		err = arv.Call("HEAD", "keep_services", "", "accessible", nil, nil)
+	} else {
+		err = arv.Call("HEAD", "users", "", "current", nil, nil)
+	}
+	if err != nil {
 		log.Printf("%s: CheckAuthorizationHeader error: %v", GetRemoteAddress(req), err)
 		return false, ""
 	}
 
 	// Success!  Update cache
-	cache.RememberToken(tok)
+	cache.RememberToken(op + ":" + tok)
 
 	return true, tok
 }
 
+// We need to make a private copy of the default http transport early
+// in initialization, then make copies of our private copy later. It
+// won't be safe to copy http.DefaultTransport itself later, because
+// its private mutexes might have already been used. (Without this,
+// the test suite sometimes panics "concurrent map writes" in
+// net/http.(*Transport).removeIdleConnLocked().)
+var defaultTransport = *(http.DefaultTransport.(*http.Transport))
+
 type proxyHandler struct {
 	http.Handler
 	*keepclient.KeepClient
@@ -274,7 +295,7 @@ type proxyHandler struct {
 func MakeRESTRouter(enable_get bool, enable_put bool, kc *keepclient.KeepClient, timeout time.Duration, mgmtToken string) http.Handler {
 	rest := mux.NewRouter()
 
-	transport := *(http.DefaultTransport.(*http.Transport))
+	transport := defaultTransport
 	transport.DialContext = (&net.Dialer{
 		Timeout:   keepclient.DefaultConnectTimeout,
 		KeepAlive: keepclient.DefaultKeepAlive,
@@ -466,6 +487,15 @@ func (h *proxyHandler) Put(resp http.ResponseWriter, req *http.Request) {
 
 	locatorIn := mux.Vars(req)["locator"]
 
+	// Check if the client specified storage classes
+	if req.Header.Get("X-Keep-Storage-Classes") != "" {
+		var scl []string
+		for _, sc := range strings.Split(req.Header.Get("X-Keep-Storage-Classes"), ",") {
+			scl = append(scl, strings.Trim(sc, " "))
+		}
+		kc.StorageClasses = scl
+	}
+
 	_, err = fmt.Sscanf(req.Header.Get("Content-Length"), "%d", &expectLength)
 	if err != nil || expectLength < 0 {
 		err = LengthRequiredError
@@ -509,13 +539,13 @@ func (h *proxyHandler) Put(resp http.ResponseWriter, req *http.Request) {
 
 	// Now try to put the block through
 	if locatorIn == "" {
-		if bytes, err := ioutil.ReadAll(req.Body); err != nil {
-			err = errors.New(fmt.Sprintf("Error reading request body: %s", err))
+		bytes, err2 := ioutil.ReadAll(req.Body)
+		if err2 != nil {
+			_ = errors.New(fmt.Sprintf("Error reading request body: %s", err2))
 			status = http.StatusInternalServerError
 			return
-		} else {
-			locatorOut, wroteReplicas, err = kc.PutB(bytes)
 		}
+		locatorOut, wroteReplicas, err = kc.PutB(bytes)
 	} else {
 		locatorOut, wroteReplicas, err = kc.PutHR(locatorIn, req.Body, expectLength)
 	}
@@ -609,13 +639,13 @@ func (h *proxyHandler) Index(resp http.ResponseWriter, req *http.Request) {
 
 func (h *proxyHandler) makeKeepClient(req *http.Request) *keepclient.KeepClient {
 	kc := *h.KeepClient
+	kc.RequestID = req.Header.Get("X-Request-Id")
 	kc.HTTPClient = &proxyClient{
 		client: &http.Client{
 			Timeout:   h.timeout,
 			Transport: h.transport,
 		},
-		proto:     req.Proto,
-		requestID: req.Header.Get("X-Request-Id"),
+		proto: req.Proto,
 	}
 	return &kc
 }