X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1f5a673014724c3444404658e65e32a6f9c562f3..0eb72b526bf8bbb011551ecf019f604e17a534f1:/services/arv-git-httpd/auth_handler.go diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go index f91ed3f8c0..7a2841f49a 100644 --- a/services/arv-git-httpd/auth_handler.go +++ b/services/arv-git-httpd/auth_handler.go @@ -1,68 +1,77 @@ +// Copyright (C) The Arvados Authors. All rights reserved. +// +// SPDX-License-Identifier: AGPL-3.0 + package main import ( "log" "net/http" - "net/http/cgi" "os" "strings" "sync" "time" "git.curoverse.com/arvados.git/sdk/go/arvadosclient" + "git.curoverse.com/arvados.git/sdk/go/auth" + "git.curoverse.com/arvados.git/sdk/go/httpserver" ) -func newArvadosClient() interface{} { - arv, err := arvadosclient.MakeArvadosClient() - if err != nil { - log.Println("MakeArvadosClient:", err) - return nil - } - return &arv -} - -var connectionPool = &sync.Pool{New: newArvadosClient} - -type spyingResponseWriter struct { - http.ResponseWriter - wroteStatus *int -} - -func (w spyingResponseWriter) WriteHeader(s int) { - *w.wroteStatus = s - w.ResponseWriter.WriteHeader(s) +type authHandler struct { + handler http.Handler + clientPool *arvadosclient.ClientPool + setupOnce sync.Once } -type authHandler struct { - handler *cgi.Handler +func (h *authHandler) setup() { + ac, err := arvadosclient.New(&theConfig.Client) + if err != nil { + log.Fatal(err) + } + h.clientPool = &arvadosclient.ClientPool{Prototype: ac} + log.Printf("%+v", h.clientPool.Prototype) } func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { + h.setupOnce.Do(h.setup) + var statusCode int var statusText string - var username, password string + var apiToken string var repoName string - var wroteStatus int + var validApiToken bool - w := spyingResponseWriter{wOrig, &wroteStatus} + w := httpserver.WrapResponseWriter(wOrig) defer func() { - if wroteStatus == 0 { - // Nobody has called WriteHeader yet: that must be our job. + if w.WroteStatus() == 0 { + // Nobody has called WriteHeader yet: that + // must be our job. w.WriteHeader(statusCode) w.Write([]byte(statusText)) } - log.Println(quoteStrings(r.RemoteAddr, username, password, wroteStatus, statusText, repoName, r.URL.Path)...) + + // If the given password is a valid token, log the first 10 characters of the token. + // Otherwise: log the string if a password is given, else an empty string. + passwordToLog := "" + if !validApiToken { + if len(apiToken) > 0 { + passwordToLog = "" + } + } else { + passwordToLog = apiToken[0:10] + } + + httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path) }() - // HTTP request username is logged, but unused. Password is an - // Arvados API token. - username, password, ok := BasicAuth(r) - if !ok || username == "" || password == "" { + creds := auth.NewCredentialsFromHTTPRequest(r) + if len(creds.Tokens) == 0 { statusCode, statusText = http.StatusUnauthorized, "no credentials provided" - w.Header().Add("WWW-Authenticate", "basic") + w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"") return } + apiToken = creds.Tokens[0] // Access to paths "/foo/bar.git/*" and "/foo/bar/.git/*" are // protected by the permissions on the repository named @@ -75,48 +84,24 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { repoName = pathParts[0] repoName = strings.TrimRight(repoName, "/") - // Regardless of whether the client asked for "/foo.git" or - // "/foo/.git", we choose whichever variant exists in our repo - // root. If neither exists, we won't even bother checking - // authentication. - rewrittenPath := "" - tryDirs := []string{ - "/" + repoName + ".git", - "/" + repoName + "/.git", - } - for _, dir := range tryDirs { - if fileInfo, err := os.Stat(theConfig.Root + dir); err != nil { - if !os.IsNotExist(err) { - statusCode, statusText = http.StatusInternalServerError, err.Error() - return - } - } else if fileInfo.IsDir() { - rewrittenPath = dir + "/" + pathParts[1] - break - } - } - if rewrittenPath == "" { - statusCode, statusText = http.StatusNotFound, "not found" - return - } - r.URL.Path = rewrittenPath - - arv, ok := connectionPool.Get().(*arvadosclient.ArvadosClient) - if !ok || arv == nil { - statusCode, statusText = http.StatusInternalServerError, "connection pool failed" + arv := h.clientPool.Get() + if arv == nil { + statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+h.clientPool.Err().Error() return } - defer connectionPool.Put(arv) + defer h.clientPool.Put(arv) - // Ask API server whether the repository is readable using this token (by trying to read it!) - arv.ApiToken = password + // Ask API server whether the repository is readable using + // this token (by trying to read it!) + arv.ApiToken = apiToken reposFound := arvadosclient.Dict{} if err := arv.List("repositories", arvadosclient.Dict{ - "filters": [][]string{[]string{"name", "=", repoName}}, + "filters": [][]string{{"name", "=", repoName}}, }, &reposFound); err != nil { statusCode, statusText = http.StatusInternalServerError, err.Error() return } + validApiToken = true if avail, ok := reposFound["items_available"].(float64); !ok { statusCode, statusText = http.StatusInternalServerError, "bad list response from API" return @@ -127,12 +112,14 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { statusCode, statusText = http.StatusInternalServerError, "name collision" return } + + repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string) + isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack") if !isWrite { statusText = "read" } else { - uuid := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string) - err := arv.Update("repositories", uuid, arvadosclient.Dict{ + err := arv.Update("repositories", repoUUID, arvadosclient.Dict{ "repository": arvadosclient.Dict{ "modified_at": time.Now().String(), }, @@ -143,20 +130,40 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } statusText = "write" } - handlerCopy := *h.handler - handlerCopy.Env = append(handlerCopy.Env, "REMOTE_USER="+r.RemoteAddr) // Should be username - handlerCopy.ServeHTTP(&w, r) -} - -var escaper = strings.NewReplacer("\"", "\\\"", "\\", "\\\\", "\n", "\\n") -// Transform strings so they are safer to write in logs (e.g., -// 'foo"bar' becomes '"foo\"bar"'). Non-string args are left alone. -func quoteStrings(args ...interface{}) []interface{} { - for i, arg := range args { - if s, ok := arg.(string); ok { - args[i] = "\"" + escaper.Replace(s) + "\"" + // Regardless of whether the client asked for "/foo.git" or + // "/foo/.git", we choose whichever variant exists in our repo + // root, and we try {uuid}.git and {uuid}/.git first. If none + // of these exist, we 404 even though the API told us the repo + // _should_ exist (presumably this means the repo was just + // created, and gitolite sync hasn't run yet). + rewrittenPath := "" + tryDirs := []string{ + "/" + repoUUID + ".git", + "/" + repoUUID + "/.git", + "/" + repoName + ".git", + "/" + repoName + "/.git", + } + for _, dir := range tryDirs { + if fileInfo, err := os.Stat(theConfig.RepoRoot + dir); err != nil { + if !os.IsNotExist(err) { + statusCode, statusText = http.StatusInternalServerError, err.Error() + return + } + } else if fileInfo.IsDir() { + rewrittenPath = dir + "/" + pathParts[1] + break } } - return args + if rewrittenPath == "" { + log.Println("WARNING:", repoUUID, + "git directory not found in", theConfig.RepoRoot, tryDirs) + // We say "content not found" to disambiguate from the + // earlier "API says that repo does not exist" error. + statusCode, statusText = http.StatusNotFound, "content not found" + return + } + r.URL.Path = rewrittenPath + + h.handler.ServeHTTP(&w, r) }