X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/289d2cf581b59632369087388f6163f3979c5e86..aa541480ba27f2dfec85cbe4f07c07743bb901b2:/services/arv-git-httpd/auth_handler.go diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go index b7373b5c1e..3b3032afda 100644 --- a/services/arv-git-httpd/auth_handler.go +++ b/services/arv-git-httpd/auth_handler.go @@ -5,9 +5,11 @@ package main import ( + "errors" "log" "net/http" "os" + "regexp" "strings" "sync" "time" @@ -29,7 +31,6 @@ func (h *authHandler) setup() { log.Fatal(err) } h.clientPool = &arvadosclient.ClientPool{Prototype: ac} - log.Printf("%+v", h.clientPool.Prototype) } func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { @@ -71,7 +72,9 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // Nobody has called WriteHeader yet: that // must be our job. w.WriteHeader(statusCode) - w.Write([]byte(statusText)) + if statusCode >= 400 { + w.Write([]byte(statusText)) + } } // If the given password is a valid token, log the first 10 characters of the token. @@ -88,7 +91,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path) }() - creds := auth.NewCredentialsFromHTTPRequest(r) + creds := auth.CredentialsFromRequest(r) if len(creds.Tokens) == 0 { statusCode, statusText = http.StatusUnauthorized, "no credentials provided" w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"") @@ -117,27 +120,17 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // Ask API server whether the repository is readable using // this token (by trying to read it!) arv.ApiToken = apiToken - reposFound := arvadosclient.Dict{} - if err := arv.List("repositories", arvadosclient.Dict{ - "filters": [][]string{{"name", "=", repoName}}, - }, &reposFound); err != nil { + repoUUID, err := h.lookupRepo(arv, repoName) + if err != nil { statusCode, statusText = http.StatusInternalServerError, err.Error() return } validApiToken = true - if avail, ok := reposFound["items_available"].(float64); !ok { - statusCode, statusText = http.StatusInternalServerError, "bad list response from API" - return - } else if avail < 1 { + if repoUUID == "" { statusCode, statusText = http.StatusNotFound, "not found" return - } else if avail > 1 { - statusCode, statusText = http.StatusInternalServerError, "name collision" - return } - repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string) - isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack") if !isWrite { statusText = "read" @@ -188,5 +181,30 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } r.URL.Path = rewrittenPath - h.handler.ServeHTTP(&w, r) + h.handler.ServeHTTP(w, r) +} + +var uuidRegexp = regexp.MustCompile(`^[0-9a-z]{5}-s0uqq-[0-9a-z]{15}$`) + +func (h *authHandler) lookupRepo(arv *arvadosclient.ArvadosClient, repoName string) (string, error) { + reposFound := arvadosclient.Dict{} + var column string + if uuidRegexp.MatchString(repoName) { + column = "uuid" + } else { + column = "name" + } + err := arv.List("repositories", arvadosclient.Dict{ + "filters": [][]string{{column, "=", repoName}}, + }, &reposFound) + if err != nil { + return "", err + } else if avail, ok := reposFound["items_available"].(float64); !ok { + return "", errors.New("bad list response from API") + } else if avail < 1 { + return "", nil + } else if avail > 1 { + return "", errors.New("name collision") + } + return reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string), nil }