X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/195deb7adedb1e2756076c4bd4ecbb90358148d9..daf902070467a6a48bd0c9a8b147b8c27e0720c3:/services/keep-web/handler.go

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 4222e3822e..ef61b06873 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -10,26 +10,29 @@ import (
 	"html"
 	"html/template"
 	"io"
-	"log"
 	"net/http"
 	"net/url"
 	"os"
+	"path/filepath"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 
-	"git.curoverse.com/arvados.git/sdk/go/arvados"
-	"git.curoverse.com/arvados.git/sdk/go/arvadosclient"
-	"git.curoverse.com/arvados.git/sdk/go/auth"
-	"git.curoverse.com/arvados.git/sdk/go/health"
-	"git.curoverse.com/arvados.git/sdk/go/httpserver"
-	"git.curoverse.com/arvados.git/sdk/go/keepclient"
+	"git.arvados.org/arvados.git/sdk/go/arvados"
+	"git.arvados.org/arvados.git/sdk/go/arvadosclient"
+	"git.arvados.org/arvados.git/sdk/go/auth"
+	"git.arvados.org/arvados.git/sdk/go/ctxlog"
+	"git.arvados.org/arvados.git/sdk/go/health"
+	"git.arvados.org/arvados.git/sdk/go/httpserver"
+	"git.arvados.org/arvados.git/sdk/go/keepclient"
+	"github.com/sirupsen/logrus"
 	"golang.org/x/net/webdav"
 )
 
 type handler struct {
 	Config        *Config
+	MetricsAPI    http.Handler
 	clientPool    *arvadosclient.ClientPool
 	setupOnce     sync.Once
 	healthHandler http.Handler
@@ -60,6 +63,9 @@ func parseCollectionIDFromDNSName(s string) string {
 
 var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+")
 
+var notFoundMessage = "404 Not found\r\n\r\nThe requested path was not found, or you do not have permission to access it.\r"
+var unauthorizedMessage = "401 Unauthorized\r\n\r\nA valid Arvados token must be provided to access this resource.\r"
+
 // parseCollectionIDFromURL returns a UUID or PDH if s is a UUID or a
 // PDH (even if it is a PDH with "+" replaced by " " or "-");
 // otherwise "".
@@ -74,12 +80,15 @@ func parseCollectionIDFromURL(s string) string {
 }
 
 func (h *handler) setup() {
-	h.clientPool = arvadosclient.MakeClientPool()
+	// Errors will be handled at the client pool.
+	arv, _ := arvados.NewClientFromConfig(h.Config.cluster)
+	h.clientPool = arvadosclient.MakeClientPoolWith(arv)
 
 	keepclient.RefreshServiceDiscoveryOnSIGHUP()
+	keepclient.DefaultBlockCache.MaxBlocks = h.Config.cluster.Collections.WebDAVCache.MaxBlockEntries
 
 	h.healthHandler = &health.Handler{
-		Token:  h.Config.ManagementToken,
+		Token:  h.Config.cluster.ManagementToken,
 		Prefix: "/_health/",
 	}
 
@@ -89,12 +98,7 @@ func (h *handler) setup() {
 }
 
 func (h *handler) serveStatus(w http.ResponseWriter, r *http.Request) {
-	status := struct {
-		cacheStats
-	}{
-		cacheStats: h.Config.Cache.Stats(),
-	}
-	json.NewEncoder(w).Encode(status)
+	json.NewEncoder(w).Encode(struct{ Version string }{version})
 }
 
 // updateOnSuccess wraps httpserver.ResponseWriter. If the handler
@@ -104,18 +108,19 @@ func (h *handler) serveStatus(w http.ResponseWriter, r *http.Request) {
 // are ignored (all response writes return the update error).
 type updateOnSuccess struct {
 	httpserver.ResponseWriter
+	logger     logrus.FieldLogger
 	update     func() error
 	sentHeader bool
 	err        error
 }
 
 func (uos *updateOnSuccess) Write(p []byte) (int, error) {
-	if uos.err != nil {
-		return 0, uos.err
-	}
 	if !uos.sentHeader {
 		uos.WriteHeader(http.StatusOK)
 	}
+	if uos.err != nil {
+		return 0, uos.err
+	}
 	return uos.ResponseWriter.Write(p)
 }
 
@@ -128,7 +133,7 @@ func (uos *updateOnSuccess) WriteHeader(code int) {
 				if err, ok := uos.err.(*arvados.TransactionError); ok {
 					code = err.StatusCode
 				}
-				log.Printf("update() changes response to HTTP %d: %T %q", code, uos.err, uos.err)
+				uos.logger.WithError(uos.err).Errorf("update() returned error type %T, changing response to HTTP %d", uos.err, code)
 				http.Error(uos.ResponseWriter, uos.err.Error(), code)
 				return
 			}
@@ -138,58 +143,67 @@ func (uos *updateOnSuccess) WriteHeader(code int) {
 }
 
 var (
+	corsAllowHeadersHeader = strings.Join([]string{
+		"Authorization", "Content-Type", "Range",
+		// WebDAV request headers:
+		"Depth", "Destination", "If", "Lock-Token", "Overwrite", "Timeout",
+	}, ", ")
 	writeMethod = map[string]bool{
-		"COPY":   true,
-		"DELETE": true,
-		"MKCOL":  true,
-		"MOVE":   true,
-		"PUT":    true,
-		"RMCOL":  true,
+		"COPY":      true,
+		"DELETE":    true,
+		"LOCK":      true,
+		"MKCOL":     true,
+		"MOVE":      true,
+		"PROPPATCH": true,
+		"PUT":       true,
+		"RMCOL":     true,
+		"UNLOCK":    true,
 	}
 	webdavMethod = map[string]bool{
-		"COPY":     true,
-		"DELETE":   true,
-		"MKCOL":    true,
-		"MOVE":     true,
-		"OPTIONS":  true,
-		"PROPFIND": true,
-		"PUT":      true,
-		"RMCOL":    true,
+		"COPY":      true,
+		"DELETE":    true,
+		"LOCK":      true,
+		"MKCOL":     true,
+		"MOVE":      true,
+		"OPTIONS":   true,
+		"PROPFIND":  true,
+		"PROPPATCH": true,
+		"PUT":       true,
+		"RMCOL":     true,
+		"UNLOCK":    true,
 	}
 	browserMethod = map[string]bool{
 		"GET":  true,
 		"HEAD": true,
 		"POST": true,
 	}
+	// top-level dirs to serve with siteFS
+	siteFSDir = map[string]bool{
+		"":      true, // root directory
+		"by_id": true,
+		"users": true,
+	}
 )
 
+func stripDefaultPort(host string) string {
+	// Will consider port 80 and port 443 to be the same vhost.  I think that's fine.
+	u := &url.URL{Host: host}
+	if p := u.Port(); p == "80" || p == "443" {
+		return strings.ToLower(u.Hostname())
+	} else {
+		return strings.ToLower(host)
+	}
+}
+
 // ServeHTTP implements http.Handler.
 func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	h.setupOnce.Do(h.setup)
 
-	var statusCode = 0
-	var statusText string
-
-	remoteAddr := r.RemoteAddr
-	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-		remoteAddr = xff + "," + remoteAddr
+	if xfp := r.Header.Get("X-Forwarded-Proto"); xfp != "" && xfp != "http" {
+		r.URL.Scheme = xfp
 	}
 
 	w := httpserver.WrapResponseWriter(wOrig)
-	defer func() {
-		if statusCode == 0 {
-			statusCode = w.WroteStatus()
-		} else if w.WroteStatus() == 0 {
-			w.WriteHeader(statusCode)
-		} else if w.WroteStatus() != statusCode {
-			httpserver.Log(r.RemoteAddr, "WARNING",
-				fmt.Sprintf("Our status changed from %d to %d after we sent headers", w.WroteStatus(), statusCode))
-		}
-		if statusText == "" {
-			statusText = http.StatusText(statusCode)
-		}
-		httpserver.Log(remoteAddr, statusCode, statusText, w.WroteBodyBytes(), r.Method, r.Host, r.URL.Path, r.URL.RawQuery)
-	}()
 
 	if strings.HasPrefix(r.URL.Path, "/_health/") && r.Method == "GET" {
 		h.healthHandler.ServeHTTP(w, r)
@@ -198,19 +212,18 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 
 	if method := r.Header.Get("Access-Control-Request-Method"); method != "" && r.Method == "OPTIONS" {
 		if !browserMethod[method] && !webdavMethod[method] {
-			statusCode = http.StatusMethodNotAllowed
+			w.WriteHeader(http.StatusMethodNotAllowed)
 			return
 		}
-		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, Range")
-		w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PUT, RMCOL")
+		w.Header().Set("Access-Control-Allow-Headers", corsAllowHeadersHeader)
+		w.Header().Set("Access-Control-Allow-Methods", "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Max-Age", "86400")
-		statusCode = http.StatusOK
 		return
 	}
 
 	if !browserMethod[r.Method] && !webdavMethod[r.Method] {
-		statusCode, statusText = http.StatusMethodNotAllowed, r.Method
+		w.WriteHeader(http.StatusMethodNotAllowed)
 		return
 	}
 
@@ -224,86 +237,118 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Access-Control-Expose-Headers", "Content-Range")
 	}
 
-	arv := h.clientPool.Get()
-	if arv == nil {
-		statusCode, statusText = http.StatusInternalServerError, "Pool failed: "+h.clientPool.Err().Error()
+	if h.serveS3(w, r) {
 		return
 	}
-	defer h.clientPool.Put(arv)
 
 	pathParts := strings.Split(r.URL.Path[1:], "/")
 
 	var stripParts int
-	var targetID string
+	var collectionID string
 	var tokens []string
 	var reqTokens []string
 	var pathToken bool
 	var attachment bool
-	credentialsOK := h.Config.TrustAllContent
+	var useSiteFS bool
+	credentialsOK := h.Config.cluster.Collections.TrustAllContent
+	reasonNotAcceptingCredentials := ""
 
-	if r.Host != "" && r.Host == h.Config.AttachmentOnlyHost {
+	if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Config.cluster.Services.WebDAVDownload.ExternalURL.Host) {
 		credentialsOK = true
 		attachment = true
 	} else if r.FormValue("disposition") == "attachment" {
 		attachment = true
 	}
 
-	if targetID = parseCollectionIDFromDNSName(r.Host); targetID != "" {
+	if !credentialsOK {
+		reasonNotAcceptingCredentials = fmt.Sprintf("vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false",
+			r.Host, h.Config.cluster.Services.WebDAVDownload.ExternalURL)
+	}
+
+	if collectionID = parseCollectionIDFromDNSName(r.Host); collectionID != "" {
 		// http://ID.collections.example/PATH...
 		credentialsOK = true
 	} else if r.URL.Path == "/status.json" {
 		h.serveStatus(w, r)
 		return
+	} else if strings.HasPrefix(r.URL.Path, "/metrics") {
+		h.MetricsAPI.ServeHTTP(w, r)
+		return
+	} else if siteFSDir[pathParts[0]] {
+		useSiteFS = true
 	} else if len(pathParts) >= 1 && strings.HasPrefix(pathParts[0], "c=") {
 		// /c=ID[/PATH...]
-		targetID = parseCollectionIDFromURL(pathParts[0][2:])
+		collectionID = parseCollectionIDFromURL(pathParts[0][2:])
 		stripParts = 1
 	} else if len(pathParts) >= 2 && pathParts[0] == "collections" {
 		if len(pathParts) >= 4 && pathParts[1] == "download" {
 			// /collections/download/ID/TOKEN/PATH...
-			targetID = parseCollectionIDFromURL(pathParts[2])
+			collectionID = parseCollectionIDFromURL(pathParts[2])
 			tokens = []string{pathParts[3]}
 			stripParts = 4
 			pathToken = true
 		} else {
 			// /collections/ID/PATH...
-			targetID = parseCollectionIDFromURL(pathParts[1])
-			tokens = h.Config.AnonymousTokens
+			collectionID = parseCollectionIDFromURL(pathParts[1])
 			stripParts = 2
+			// This path is only meant to work for public
+			// data. Tokens provided with the request are
+			// ignored.
+			credentialsOK = false
+			reasonNotAcceptingCredentials = "the '/collections/UUID/PATH' form only works for public data"
 		}
 	}
 
-	if targetID == "" {
-		statusCode = http.StatusNotFound
+	if collectionID == "" && !useSiteFS {
+		http.Error(w, notFoundMessage, http.StatusNotFound)
 		return
 	}
 
+	forceReload := false
+	if cc := r.Header.Get("Cache-Control"); strings.Contains(cc, "no-cache") || strings.Contains(cc, "must-revalidate") {
+		forceReload = true
+	}
+
+	if credentialsOK {
+		reqTokens = auth.CredentialsFromRequest(r).Tokens
+	}
+
 	formToken := r.FormValue("api_token")
-	if formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" {
-		// The client provided an explicit token in the POST
-		// body. The Origin header indicates this *might* be
-		// an AJAX request, in which case redirect-with-cookie
-		// won't work: we should just serve the content in the
-		// POST response. This is safe because:
+	origin := r.Header.Get("Origin")
+	cors := origin != "" && !strings.HasSuffix(origin, "://"+r.Host)
+	safeAjax := cors && (r.Method == http.MethodGet || r.Method == http.MethodHead)
+	safeAttachment := attachment && r.URL.Query().Get("api_token") == ""
+	if formToken == "" {
+		// No token to use or redact.
+	} else if safeAjax || safeAttachment {
+		// If this is a cross-origin request, the URL won't
+		// appear in the browser's address bar, so
+		// substituting a clipboard-safe URL is pointless.
+		// Redirect-with-cookie wouldn't work anyway, because
+		// it's not safe to allow third-party use of our
+		// cookie.
 		//
-		// * We're supplying an attachment, not inline
-		//   content, so we don't need to convert the POST to
-		//   a GET and avoid the "really resubmit form?"
-		//   problem.
-		//
-		// * The token isn't embedded in the URL, so we don't
-		//   need to worry about bookmarks and copy/paste.
-		tokens = append(tokens, formToken)
-	} else if formToken != "" && browserMethod[r.Method] {
-		// The client provided an explicit token in the query
-		// string, or a form in POST body. We must put the
-		// token in an HttpOnly cookie, and redirect to the
-		// same URL with the query param redacted and method =
-		// GET.
+		// If we're supplying an attachment, we don't need to
+		// convert POST to GET to avoid the "really resubmit
+		// form?" problem, so provided the token isn't
+		// embedded in the URL, there's no reason to do
+		// redirect-with-cookie in this case either.
+		reqTokens = append(reqTokens, formToken)
+	} else if browserMethod[r.Method] {
+		// If this is a page view, and the client provided a
+		// token via query string or POST body, we must put
+		// the token in an HttpOnly cookie, and redirect to an
+		// equivalent URL with the query param redacted and
+		// method = GET.
 		h.seeOtherWithCookie(w, r, "", credentialsOK)
 		return
 	}
 
+	if useSiteFS {
+		h.serveSiteFS(w, r, reqTokens, credentialsOK, attachment)
+		return
+	}
+
 	targetPath := pathParts[stripParts:]
 	if tokens == nil && len(targetPath) > 0 && strings.HasPrefix(targetPath[0], "t=") {
 		// http://ID.example/t=TOKEN/PATH...
@@ -319,10 +364,19 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	}
 
 	if tokens == nil {
-		if credentialsOK {
-			reqTokens = auth.NewCredentialsFromHTTPRequest(r).Tokens
+		tokens = reqTokens
+		if h.Config.cluster.Users.AnonymousUserToken != "" {
+			tokens = append(tokens, h.Config.cluster.Users.AnonymousUserToken)
 		}
-		tokens = append(reqTokens, h.Config.AnonymousTokens...)
+	}
+
+	if tokens == nil {
+		if !credentialsOK {
+			http.Error(w, fmt.Sprintf("Authorization tokens are not accepted here: %v, and no anonymous user token is configured.", reasonNotAcceptingCredentials), http.StatusUnauthorized)
+		} else {
+			http.Error(w, fmt.Sprintf("No authorization token in request, and no anonymous user token is configured."), http.StatusUnauthorized)
+		}
+		return
 	}
 
 	if len(targetPath) > 0 && targetPath[0] == "_" {
@@ -336,16 +390,19 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		stripParts++
 	}
 
-	forceReload := false
-	if cc := r.Header.Get("Cache-Control"); strings.Contains(cc, "no-cache") || strings.Contains(cc, "must-revalidate") {
-		forceReload = true
+	arv := h.clientPool.Get()
+	if arv == nil {
+		http.Error(w, "client pool error: "+h.clientPool.Err().Error(), http.StatusInternalServerError)
+		return
 	}
+	defer h.clientPool.Put(arv)
 
 	var collection *arvados.Collection
+	var tokenUser *arvados.User
 	tokenResult := make(map[string]int)
 	for _, arv.ApiToken = range tokens {
 		var err error
-		collection, err = h.Config.Cache.Get(arv, targetID, forceReload)
+		collection, err = h.Config.Cache.Get(arv, collectionID, forceReload)
 		if err == nil {
 			// Success
 			break
@@ -360,7 +417,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 			}
 		}
 		// Something more serious is wrong
-		statusCode, statusText = http.StatusInternalServerError, err.Error()
+		http.Error(w, "cache error: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
 	if collection == nil {
@@ -370,14 +427,14 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 			// for additional credentials would just be
 			// confusing), or we don't even accept
 			// credentials at this path.
-			statusCode = http.StatusNotFound
+			http.Error(w, notFoundMessage, http.StatusNotFound)
 			return
 		}
 		for _, t := range reqTokens {
 			if tokenResult[t] == 404 {
 				// The client provided valid token(s), but the
 				// collection was not found.
-				statusCode = http.StatusNotFound
+				http.Error(w, notFoundMessage, http.StatusNotFound)
 				return
 			}
 		}
@@ -391,15 +448,16 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		// data that has been deleted.  Allow a referrer to
 		// provide this context somehow?
 		w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
-		statusCode = http.StatusUnauthorized
+		http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
 		return
 	}
 
 	kc, err := keepclient.MakeKeepClient(arv)
 	if err != nil {
-		statusCode, statusText = http.StatusInternalServerError, err.Error()
+		http.Error(w, "error setting up keep client: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
+	kc.RequestID = r.Header.Get("X-Request-Id")
 
 	var basename string
 	if len(targetPath) > 0 {
@@ -407,24 +465,36 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	}
 	applyContentDispositionHdr(w, r, basename, attachment)
 
-	client := &arvados.Client{
+	client := (&arvados.Client{
 		APIHost:   arv.ApiServer,
 		AuthToken: arv.ApiToken,
 		Insecure:  arv.ApiInsecure,
-	}
+	}).WithRequestID(r.Header.Get("X-Request-Id"))
+
 	fs, err := collection.FileSystem(client, kc)
 	if err != nil {
-		statusCode, statusText = http.StatusInternalServerError, err.Error()
+		http.Error(w, "error creating collection filesystem: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
 
-	targetIsPDH := arvadosclient.PDHMatch(targetID)
-	if targetIsPDH && writeMethod[r.Method] {
-		statusCode, statusText = http.StatusMethodNotAllowed, errReadOnly.Error()
+	writefs, writeOK := fs.(arvados.CollectionFileSystem)
+	targetIsPDH := arvadosclient.PDHMatch(collectionID)
+	if (targetIsPDH || !writeOK) && writeMethod[r.Method] {
+		http.Error(w, errReadOnly.Error(), http.StatusMethodNotAllowed)
 		return
 	}
 
+	// Check configured permission
+	_, sess, err := h.Config.Cache.GetSession(arv.ApiToken)
+	tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken)
+
 	if webdavMethod[r.Method] {
+		if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+			http.Error(w, "Not permitted", http.StatusForbidden)
+			return
+		}
+		h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+
 		if writeMethod[r.Method] {
 			// Save the collection only if/when all
 			// webdav->filesystem operations succeed --
@@ -432,20 +502,22 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 			// collection can't be saved.
 			w = &updateOnSuccess{
 				ResponseWriter: w,
+				logger:         ctxlog.FromContext(r.Context()),
 				update: func() error {
-					return h.Config.Cache.Update(client, *collection, fs)
+					return h.Config.Cache.Update(client, *collection, writefs)
 				}}
 		}
 		h := webdav.Handler{
 			Prefix: "/" + strings.Join(pathParts[:stripParts], "/"),
 			FileSystem: &webdavFS{
-				collfs:  fs,
-				writing: writeMethod[r.Method],
+				collfs:        fs,
+				writing:       writeMethod[r.Method],
+				alwaysReadEOF: r.Method == "PROPFIND",
 			},
 			LockSystem: h.webdavLS,
 			Logger: func(_ *http.Request, err error) {
 				if err != nil {
-					log.Printf("error from webdav handler: %q", err)
+					ctxlog.FromContext(r.Context()).WithError(err).Error("error reported by webdav handler")
 				}
 			},
 		}
@@ -454,15 +526,20 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	}
 
 	openPath := "/" + strings.Join(targetPath, "/")
-	if f, err := fs.Open(openPath); os.IsNotExist(err) {
+	f, err := fs.Open(openPath)
+	if os.IsNotExist(err) {
 		// Requested non-existent path
-		statusCode = http.StatusNotFound
+		http.Error(w, notFoundMessage, http.StatusNotFound)
+		return
 	} else if err != nil {
 		// Some other (unexpected) error
-		statusCode, statusText = http.StatusInternalServerError, err.Error()
-	} else if stat, err := f.Stat(); err != nil {
+		http.Error(w, "open: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+	defer f.Close()
+	if stat, err := f.Stat(); err != nil {
 		// Can't get Size/IsDir (shouldn't happen with a collectionFS!)
-		statusCode, statusText = http.StatusInternalServerError, err.Error()
+		http.Error(w, "stat: "+err.Error(), http.StatusInternalServerError)
 	} else if stat.IsDir() && !strings.HasSuffix(r.URL.Path, "/") {
 		// If client requests ".../dirname", redirect to
 		// ".../dirname/". This way, relative links in the
@@ -470,26 +547,116 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		// "dirname/fnm".
 		h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK)
 	} else if stat.IsDir() {
-		h.serveDirectory(w, r, collection.Name, fs, openPath, stripParts)
+		h.serveDirectory(w, r, collection.Name, fs, openPath, true)
 	} else {
+		if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+			http.Error(w, "Not permitted", http.StatusForbidden)
+			return
+		}
+		h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+
 		http.ServeContent(w, r, basename, stat.ModTime(), f)
-		if r.Header.Get("Range") == "" && int64(w.WroteBodyBytes()) != stat.Size() {
+		if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && w.WroteStatus() == http.StatusOK {
 			// If we wrote fewer bytes than expected, it's
 			// too late to change the real response code
 			// or send an error message to the client, but
 			// at least we can try to put some useful
 			// debugging info in the logs.
 			n, err := f.Read(make([]byte, 1024))
-			statusCode, statusText = http.StatusInternalServerError, fmt.Sprintf("f.Size()==%d but only wrote %d bytes; read(1024) returns %d, %s", stat.Size(), w.WroteBodyBytes(), n, err)
+			ctxlog.FromContext(r.Context()).Errorf("stat.Size()==%d but only wrote %d bytes; read(1024) returns %d, %v", stat.Size(), wrote, n, err)
+		}
+	}
+}
+
+func (h *handler) getClients(reqID, token string) (arv *arvadosclient.ArvadosClient, kc *keepclient.KeepClient, client *arvados.Client, release func(), err error) {
+	arv = h.clientPool.Get()
+	if arv == nil {
+		err = h.clientPool.Err()
+		return
+	}
+	release = func() { h.clientPool.Put(arv) }
+	arv.ApiToken = token
+	kc, err = keepclient.MakeKeepClient(arv)
+	if err != nil {
+		release()
+		return
+	}
+	kc.RequestID = reqID
+	client = (&arvados.Client{
+		APIHost:   arv.ApiServer,
+		AuthToken: arv.ApiToken,
+		Insecure:  arv.ApiInsecure,
+	}).WithRequestID(reqID)
+	return
+}
 
+func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []string, credentialsOK, attachment bool) {
+	if len(tokens) == 0 {
+		w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
+		http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
+		return
+	}
+	if writeMethod[r.Method] {
+		http.Error(w, errReadOnly.Error(), http.StatusMethodNotAllowed)
+		return
+	}
+
+	fs, sess, err := h.Config.Cache.GetSession(tokens[0])
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	fs.ForwardSlashNameSubstitution(h.Config.cluster.Collections.ForwardSlashNameSubstitution)
+	f, err := fs.Open(r.URL.Path)
+	if os.IsNotExist(err) {
+		http.Error(w, err.Error(), http.StatusNotFound)
+		return
+	} else if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	defer f.Close()
+	if fi, err := f.Stat(); err == nil && fi.IsDir() && r.Method == "GET" {
+		if !strings.HasSuffix(r.URL.Path, "/") {
+			h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK)
+		} else {
+			h.serveDirectory(w, r, fi.Name(), fs, r.URL.Path, false)
 		}
+		return
 	}
+
+	tokenUser, err := h.Config.Cache.GetTokenUser(tokens[0])
+	if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+		http.Error(w, "Not permitted", http.StatusForbidden)
+		return
+	}
+	h.logUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser)
+
+	if r.Method == "GET" {
+		_, basename := filepath.Split(r.URL.Path)
+		applyContentDispositionHdr(w, r, basename, attachment)
+	}
+	wh := webdav.Handler{
+		Prefix: "/",
+		FileSystem: &webdavFS{
+			collfs:        fs,
+			writing:       writeMethod[r.Method],
+			alwaysReadEOF: r.Method == "PROPFIND",
+		},
+		LockSystem: h.webdavLS,
+		Logger: func(_ *http.Request, err error) {
+			if err != nil {
+				ctxlog.FromContext(r.Context()).WithError(err).Error("error reported by webdav handler")
+			}
+		},
+	}
+	wh.ServeHTTP(w, r)
 }
 
 var dirListingTemplate = `<!DOCTYPE HTML>
 <HTML><HEAD>
   <META name="robots" content="NOINDEX">
-  <TITLE>{{ .Collection.Name }}</TITLE>
+  <TITLE>{{ .CollectionName }}</TITLE>
   <STYLE type="text/css">
     body {
       margin: 1.5em;
@@ -513,19 +680,26 @@ var dirListingTemplate = `<!DOCTYPE HTML>
   </STYLE>
 </HEAD>
 <BODY>
+
 <H1>{{ .CollectionName }}</H1>
 
 <P>This collection of data files is being shared with you through
 Arvados.  You can download individual files listed below.  To download
-the entire collection with wget, try:</P>
+the entire directory tree with wget, try:</P>
 
-<PRE>$ wget --mirror --no-parent --no-host --cut-dirs={{ .StripParts }} https://{{ .Request.Host }}{{ .Request.URL }}</PRE>
+<PRE>$ wget --mirror --no-parent --no-host --cut-dirs={{ .StripParts }} https://{{ .Request.Host }}{{ .Request.URL.Path }}</PRE>
 
 <H2>File Listing</H2>
 
 {{if .Files}}
 <UL>
-{{range .Files}}  <LI>{{.Size | printf "%15d  " | nbsp}}<A href="{{.Name}}">{{.Name}}</A></LI>{{end}}
+{{range .Files}}
+{{if .IsDir }}
+  <LI>{{" " | printf "%15s  " | nbsp}}<A href="{{print "./" .Name}}/">{{.Name}}/</A></LI>
+{{else}}
+  <LI>{{.Size | printf "%15d  " | nbsp}}<A href="{{print "./" .Name}}">{{.Name}}</A></LI>
+{{end}}
+{{end}}
 </UL>
 {{else}}
 <P>(No files; this collection is empty.)</P>
@@ -545,11 +719,12 @@ the entire collection with wget, try:</P>
 `
 
 type fileListEnt struct {
-	Name string
-	Size int64
+	Name  string
+	Size  int64
+	IsDir bool
 }
 
-func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collectionName string, fs http.FileSystem, base string, stripParts int) {
+func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collectionName string, fs http.FileSystem, base string, recurse bool) {
 	var files []fileListEnt
 	var walk func(string) error
 	if !strings.HasSuffix(base, "/") {
@@ -569,22 +744,23 @@ func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collect
 			return err
 		}
 		for _, ent := range ents {
-			if ent.IsDir() {
+			if recurse && ent.IsDir() {
 				err = walk(path + ent.Name() + "/")
 				if err != nil {
 					return err
 				}
 			} else {
 				files = append(files, fileListEnt{
-					Name: path + ent.Name(),
-					Size: ent.Size(),
+					Name:  path + ent.Name(),
+					Size:  ent.Size(),
+					IsDir: ent.IsDir(),
 				})
 			}
 		}
 		return nil
 	}
 	if err := walk(""); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "error getting directory listing: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
 
@@ -595,7 +771,7 @@ func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collect
 	}
 	tmpl, err := template.New("dir").Funcs(funcs).Parse(dirListingTemplate)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		http.Error(w, "error parsing template: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
 	sort.Slice(files, func(i, j int) bool {
@@ -606,7 +782,7 @@ func (h *handler) serveDirectory(w http.ResponseWriter, r *http.Request, collect
 		"CollectionName": collectionName,
 		"Files":          files,
 		"Request":        r,
-		"StripParts":     stripParts,
+		"StripParts":     strings.Count(strings.TrimRight(r.URL.Path, "/"), "/"),
 	})
 }
 
@@ -635,7 +811,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 			// into a cookie unless the current vhost
 			// (origin) serves only a single collection or
 			// we are in TrustAllContent mode.
-			w.WriteHeader(http.StatusBadRequest)
+			http.Error(w, "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)", http.StatusBadRequest)
 			return
 		}
 
@@ -655,6 +831,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 			Value:    auth.EncodeTokenCookie([]byte(formToken)),
 			Path:     "/",
 			HttpOnly: true,
+			SameSite: http.SameSiteLaxMode,
 		})
 	}
 
@@ -667,12 +844,13 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 	if location != "" {
 		newu, err := u.Parse(location)
 		if err != nil {
-			w.WriteHeader(http.StatusInternalServerError)
+			http.Error(w, "error resolving redirect target: "+err.Error(), http.StatusInternalServerError)
 			return
 		}
 		u = newu
 	}
 	redir := (&url.URL{
+		Scheme:   r.URL.Scheme,
 		Host:     r.Host,
 		Path:     u.Path,
 		RawQuery: redirQuery.Encode(),
@@ -684,3 +862,125 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 	io.WriteString(w, html.EscapeString(redir))
 	io.WriteString(w, `">Continue</A>`)
 }
+
+func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool {
+	var permitDownload bool
+	var permitUpload bool
+	if tokenUser != nil && tokenUser.IsAdmin {
+		permitUpload = h.Config.cluster.Collections.WebDAVPermission.Admin.Upload
+		permitDownload = h.Config.cluster.Collections.WebDAVPermission.Admin.Download
+	} else {
+		permitUpload = h.Config.cluster.Collections.WebDAVPermission.User.Upload
+		permitDownload = h.Config.cluster.Collections.WebDAVPermission.User.Download
+	}
+	if (method == "PUT" || method == "POST") && !permitUpload {
+		// Disallow operations that upload new files.
+		// Permit webdav operations that move existing files around.
+		return false
+	} else if method == "GET" && !permitDownload {
+		// Disallow downloading file contents.
+		// Permit webdav operations like PROPFIND that retrieve metadata
+		// but not file contents.
+		return false
+	}
+	return true
+}
+
+func (h *handler) logUploadOrDownload(
+	r *http.Request,
+	client *arvadosclient.ArvadosClient,
+	fs arvados.CustomFileSystem,
+	filepath string,
+	collection *arvados.Collection,
+	user *arvados.User) {
+
+	log := ctxlog.FromContext(r.Context())
+	props := make(map[string]string)
+	props["reqPath"] = r.URL.Path
+	var useruuid string
+	if user != nil {
+		log = log.WithField("user_uuid", user.UUID).
+			WithField("user_full_name", user.FullName)
+		useruuid = user.UUID
+	} else {
+		useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Config.cluster.ClusterID)
+	}
+	if collection == nil && fs != nil {
+		collection, filepath = h.determineCollection(fs, filepath)
+	}
+	if collection != nil {
+		log = log.WithField("collection_uuid", collection.UUID).
+			WithField("collection_file_path", filepath)
+		props["collection_uuid"] = collection.UUID
+		props["collection_file_path"] = filepath
+		// h.determineCollection populates the collection_uuid prop with the PDH, if
+		// this collection is being accessed via PDH. In that case, blank the
+		// collection_uuid field so that consumers of the log entries can rely on it
+		// being a UUID, or blank. The PDH remains available via the
+		// portable_data_hash property.
+		if props["collection_uuid"] == collection.PortableDataHash {
+			props["collection_uuid"] = ""
+		}
+	}
+	if r.Method == "PUT" || r.Method == "POST" {
+		log.Info("File upload")
+		if h.Config.cluster.Collections.WebDAVLogEvents {
+			go func() {
+				lr := arvadosclient.Dict{"log": arvadosclient.Dict{
+					"object_uuid": useruuid,
+					"event_type":  "file_upload",
+					"properties":  props}}
+				err := client.Create("logs", lr, nil)
+				if err != nil {
+					log.WithError(err).Error("Failed to create upload log event on API server")
+				}
+			}()
+		}
+	} else if r.Method == "GET" {
+		if collection != nil && collection.PortableDataHash != "" {
+			log = log.WithField("portable_data_hash", collection.PortableDataHash)
+			props["portable_data_hash"] = collection.PortableDataHash
+		}
+		log.Info("File download")
+		if h.Config.cluster.Collections.WebDAVLogEvents {
+			go func() {
+				lr := arvadosclient.Dict{"log": arvadosclient.Dict{
+					"object_uuid": useruuid,
+					"event_type":  "file_download",
+					"properties":  props}}
+				err := client.Create("logs", lr, nil)
+				if err != nil {
+					log.WithError(err).Error("Failed to create download log event on API server")
+				}
+			}()
+		}
+	}
+}
+
+func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) {
+	segments := strings.Split(path, "/")
+	var i int
+	for i = 0; i < len(segments); i++ {
+		dir := append([]string{}, segments[0:i]...)
+		dir = append(dir, ".arvados#collection")
+		f, err := fs.OpenFile(strings.Join(dir, "/"), os.O_RDONLY, 0)
+		if f != nil {
+			defer f.Close()
+		}
+		if err != nil {
+			if !os.IsNotExist(err) {
+				return nil, ""
+			}
+			continue
+		}
+		// err is nil so we found it.
+		decoder := json.NewDecoder(f)
+		var collection arvados.Collection
+		err = decoder.Decode(&collection)
+		if err != nil {
+			return nil, ""
+		}
+		return &collection, strings.Join(segments[i:], "/")
+	}
+	return nil, ""
+}