X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1f1991b4824272e9b5a4b37eee6931e6519f8bdf..0bcf6869ed21baf852ed9278413a93df6b002b43:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index c947a6efcd..11d0d96b29 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -1,7 +1,6 @@ package main import ( - "flag" "fmt" "html" "io" @@ -12,6 +11,7 @@ import ( "regexp" "strconv" "strings" + "sync" "git.curoverse.com/arvados.git/sdk/go/arvadosclient" "git.curoverse.com/arvados.git/sdk/go/auth" @@ -19,23 +19,14 @@ import ( "git.curoverse.com/arvados.git/sdk/go/keepclient" ) -type handler struct{} - -var ( - clientPool = arvadosclient.MakeClientPool() - trustAllContent = false - attachmentOnlyHost = "" -) - -func init() { - flag.StringVar(&attachmentOnlyHost, "attachment-only-host", "", - "Accept credentials, and add \"Content-Disposition: attachment\" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or SSL.") - flag.BoolVar(&trustAllContent, "trust-all-content", false, - "Serve non-public content from a single origin. Dangerous: read docs before using!") +type handler struct { + Config *Config + clientPool *arvadosclient.ClientPool + setupOnce sync.Once } -// return a UUID or PDH if s begins with a UUID or URL-encoded PDH; -// otherwise return "". +// parseCollectionIDFromDNSName returns a UUID or PDH if s begins with +// a UUID or URL-encoded PDH; otherwise "". func parseCollectionIDFromDNSName(s string) string { // Strip domain. if i := strings.IndexRune(s, '.'); i >= 0 { @@ -58,8 +49,9 @@ func parseCollectionIDFromDNSName(s string) string { var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+") -// return a UUID or PDH if s is a UUID or a PDH (even if it is a PDH -// with "+" replaced by " " or "-"); otherwise return "". +// parseCollectionIDFromURL returns a UUID or PDH if s is a UUID or a +// PDH (even if it is a PDH with "+" replaced by " " or "-"); +// otherwise "". func parseCollectionIDFromURL(s string) string { if arvadosclient.UUIDMatch(s) { return s @@ -70,7 +62,14 @@ func parseCollectionIDFromURL(s string) string { return "" } +func (h *handler) setup() { + h.clientPool = arvadosclient.MakeClientPool() +} + +// ServeHTTP implements http.Handler. func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { + h.setupOnce.Do(h.setup) + var statusCode = 0 var statusText string @@ -101,17 +100,20 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if r.Header.Get("Origin") != "" { - // Allow simple cross-origin requests, without - // credentials. + // Allow simple cross-origin requests without user + // credentials ("user credentials" as defined by CORS, + // i.e., cookies, HTTP authentication, and client-side + // SSL certificates. See + // http://www.w3.org/TR/cors/#user-credentials). w.Header().Set("Access-Control-Allow-Origin", "*") } - arv := clientPool.Get() + arv := h.clientPool.Get() if arv == nil { - statusCode, statusText = http.StatusInternalServerError, "Pool failed: "+clientPool.Err().Error() + statusCode, statusText = http.StatusInternalServerError, "Pool failed: "+h.clientPool.Err().Error() return } - defer clientPool.Put(arv) + defer h.clientPool.Put(arv) pathParts := strings.Split(r.URL.Path[1:], "/") @@ -121,9 +123,9 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { var reqTokens []string var pathToken bool var attachment bool - credentialsOK := trustAllContent + credentialsOK := h.Config.TrustAllContent - if r.Host != "" && r.Host == attachmentOnlyHost { + if r.Host != "" && r.Host == h.Config.AttachmentOnlyHost { credentialsOK = true attachment = true } else if r.FormValue("disposition") == "attachment" { @@ -148,7 +150,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else { // /collections/ID/PATH... targetID = pathParts[1] - tokens = anonymousTokens + tokens = h.Config.AnonymousTokens targetPath = pathParts[2:] } } else { @@ -183,7 +185,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // It is not safe to copy the provided token // into a cookie unless the current vhost // (origin) serves only a single collection or - // we are in trustAllContent mode. + // we are in TrustAllContent mode. statusCode = http.StatusBadRequest return } @@ -243,7 +245,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { if credentialsOK { reqTokens = auth.NewCredentialsFromHTTPRequest(r).Tokens } - tokens = append(reqTokens, anonymousTokens...) + tokens = append(reqTokens, h.Config.AnonymousTokens...) } if len(targetPath) > 0 && targetPath[0] == "_" { @@ -317,6 +319,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { statusCode, statusText = http.StatusInternalServerError, err.Error() return } + if kc.Client != nil && kc.Client.Transport != nil { + // Workaround for https://dev.arvados.org/issues/9005 + if t, ok := kc.Client.Transport.(*http.Transport); ok { + defer t.CloseIdleConnections() + } + } rdr, err := kc.CollectionFileReader(collection, filename) if os.IsNotExist(err) { statusCode = http.StatusNotFound