X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/0f668000c8cacec50804cb0019dbe7d7dc1d2b36..0c0f18dfbcdcf552889258b76563315fbe2eb060:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index ddbc9b1553..847329f331 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -9,8 +9,9 @@ import ( "net/http" "net/url" "os" + "regexp" + "strconv" "strings" - "time" "git.curoverse.com/arvados.git/sdk/go/arvadosclient" "git.curoverse.com/arvados.git/sdk/go/auth" @@ -23,20 +24,19 @@ type handler struct{} var ( clientPool = arvadosclient.MakeClientPool() trustAllContent = false - anonymousTokens []string attachmentOnlyHost = "" ) func init() { - flag.BoolVar(&trustAllContent, "trust-all-content", false, - "Serve non-public content from a single origin. Dangerous: read docs before using!") flag.StringVar(&attachmentOnlyHost, "attachment-only-host", "", "Accept credentials, and add \"Content-Disposition: attachment\" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or SSL.") + flag.BoolVar(&trustAllContent, "trust-all-content", false, + "Serve non-public content from a single origin. Dangerous: read docs before using!") } // return a UUID or PDH if s begins with a UUID or URL-encoded PDH; // otherwise return "". -func parseCollectionIdFromDNSName(s string) string { +func parseCollectionIDFromDNSName(s string) string { // Strip domain. if i := strings.IndexRune(s, '.'); i >= 0 { s = s[:i] @@ -60,7 +60,7 @@ var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+") // return a UUID or PDH if s is a UUID or a PDH (even if it is a PDH // with "+" replaced by " " or "-"); otherwise return "". -func parseCollectionIdFromURL(s string) string { +func parseCollectionIDFromURL(s string) string { if arvadosclient.UUIDMatch(s) { return s } @@ -109,7 +109,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { pathParts := strings.Split(r.URL.Path[1:], "/") - var targetId string + var targetID string var targetPath []string var tokens []string var reqTokens []string @@ -124,24 +124,24 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { attachment = true } - if targetId = parseCollectionIdFromDNSName(r.Host); targetId != "" { + if targetID = parseCollectionIDFromDNSName(r.Host); targetID != "" { // http://ID.collections.example/PATH... credentialsOK = true targetPath = pathParts } else if len(pathParts) >= 2 && strings.HasPrefix(pathParts[0], "c=") { // /c=ID/PATH... - targetId = parseCollectionIdFromURL(pathParts[0][2:]) + targetID = parseCollectionIDFromURL(pathParts[0][2:]) targetPath = pathParts[1:] } else if len(pathParts) >= 3 && pathParts[0] == "collections" { if len(pathParts) >= 5 && pathParts[1] == "download" { // /collections/download/ID/TOKEN/PATH... - targetId = pathParts[2] + targetID = pathParts[2] tokens = []string{pathParts[3]} targetPath = pathParts[4:] pathToken = true } else { // /collections/ID/PATH... - targetId = pathParts[1] + targetID = pathParts[1] tokens = anonymousTokens targetPath = pathParts[2:] } @@ -181,10 +181,19 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { Name: "arvados_api_token", Value: auth.EncodeTokenCookie([]byte(t)), Path: "/", - Expires: time.Now().AddDate(10, 0, 0), HttpOnly: true, }) - redir := (&url.URL{Host: r.Host, Path: r.URL.Path}).String() + + // Propagate query parameters (except api_token) from + // the original request. + redirQuery := r.URL.Query() + redirQuery.Del("api_token") + + redir := (&url.URL{ + Host: r.Host, + Path: r.URL.Path, + RawQuery: redirQuery.Encode(), + }).String() w.Header().Add("Location", redir) statusCode, statusText = http.StatusSeeOther, redir @@ -228,7 +237,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { collection := make(map[string]interface{}) found := false for _, arv.ApiToken = range tokens { - err := arv.Get("collections", targetId, nil, &collection) + err := arv.Get("collections", targetID, nil, &collection) if err == nil { // Success found = true @@ -295,8 +304,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } defer rdr.Close() - // One or both of these can be -1 if not found: basenamePos := strings.LastIndex(filename, "/") + if basenamePos < 0 { + basenamePos = 0 + } extPos := strings.LastIndex(filename, ".") if extPos > basenamePos { // Now extPos is safely >= 0. @@ -304,14 +315,56 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", t) } } - w.Header().Set("Content-Length", fmt.Sprintf("%d", rdr.Len())) - if attachment { - w.Header().Set("Content-Disposition", "attachment") + if rdr, ok := rdr.(keepclient.ReadCloserWithLen); ok { + w.Header().Set("Content-Length", fmt.Sprintf("%d", rdr.Len())) } - w.WriteHeader(http.StatusOK) - _, err = io.Copy(w, rdr) + applyContentDispositionHdr(w, r, filename[basenamePos:], attachment) + rangeRdr, statusCode := applyRangeHdr(w, r, rdr) + + w.WriteHeader(statusCode) + _, err = io.Copy(w, rangeRdr) if err != nil { statusCode, statusText = http.StatusBadGateway, err.Error() } } + +var rangeRe = regexp.MustCompile(`^bytes=0-([0-9]*)$`) + +func applyRangeHdr(w http.ResponseWriter, r *http.Request, rdr keepclient.ReadCloserWithLen) (io.Reader, int) { + w.Header().Set("Accept-Ranges", "bytes") + hdr := r.Header.Get("Range") + fields := rangeRe.FindStringSubmatch(hdr) + if fields == nil { + return rdr, http.StatusOK + } + rangeEnd, err := strconv.ParseInt(fields[1], 10, 64) + if err != nil { + // Empty or too big for int64 == send entire content + return rdr, http.StatusOK + } + if uint64(rangeEnd) >= rdr.Len() { + return rdr, http.StatusOK + } + w.Header().Set("Content-Length", fmt.Sprintf("%d", rangeEnd+1)) + w.Header().Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", 0, rangeEnd, rdr.Len())) + return &io.LimitedReader{R: rdr, N: rangeEnd + 1}, http.StatusPartialContent +} + +func applyContentDispositionHdr(w http.ResponseWriter, r *http.Request, filename string, isAttachment bool) { + disposition := "inline" + if isAttachment { + disposition = "attachment" + } + if strings.ContainsRune(r.RequestURI, '?') { + // Help the UA realize that the filename is just + // "filename.txt", not + // "filename.txt?disposition=attachment". + // + // TODO(TC): Follow advice at RFC 6266 appendix D + disposition += "; filename=" + strconv.QuoteToASCII(filename) + } + if disposition != "inline" { + w.Header().Set("Content-Disposition", disposition) + } +}