X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/29c5c69ef3c9ceadbea3085f2268bb5ed8496c04..fd2b6e7da193847a9c649d8d19a2831c2e419961:/services/arv-git-httpd/auth_handler.go diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go index fccb0c9576..13706ae3e8 100644 --- a/services/arv-git-httpd/auth_handler.go +++ b/services/arv-git-httpd/auth_handler.go @@ -1,44 +1,94 @@ +// Copyright (C) The Arvados Authors. All rights reserved. +// +// SPDX-License-Identifier: AGPL-3.0 + package main import ( + "errors" "log" "net/http" "os" + "regexp" "strings" + "sync" "time" - "git.curoverse.com/arvados.git/sdk/go/arvadosclient" - "git.curoverse.com/arvados.git/sdk/go/auth" - "git.curoverse.com/arvados.git/sdk/go/httpserver" + "git.arvados.org/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/arvadosclient" + "git.arvados.org/arvados.git/sdk/go/auth" + "git.arvados.org/arvados.git/sdk/go/httpserver" ) -var clientPool = arvadosclient.MakeClientPool() - type authHandler struct { - handler http.Handler + handler http.Handler + clientPool *arvadosclient.ClientPool + cluster *arvados.Cluster + setupOnce sync.Once +} + +func (h *authHandler) setup() { + client, err := arvados.NewClientFromConfig(h.cluster) + if err != nil { + log.Fatal(err) + } + + ac, err := arvadosclient.New(client) + if err != nil { + log.Fatalf("Error setting up arvados client prototype %v", err) + } + + h.clientPool = &arvadosclient.ClientPool{Prototype: ac} } func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { + h.setupOnce.Do(h.setup) + var statusCode int var statusText string var apiToken string var repoName string - var validApiToken bool + var validAPIToken bool w := httpserver.WrapResponseWriter(wOrig) + if r.Method == "OPTIONS" { + method := r.Header.Get("Access-Control-Request-Method") + if method != "GET" && method != "POST" { + w.WriteHeader(http.StatusMethodNotAllowed) + return + } + w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type") + w.Header().Set("Access-Control-Allow-Methods", "GET, POST") + w.Header().Set("Access-Control-Allow-Origin", "*") + w.Header().Set("Access-Control-Max-Age", "86400") + w.WriteHeader(http.StatusOK) + return + } + + if r.Header.Get("Origin") != "" { + // Allow simple cross-origin requests without user + // credentials ("user credentials" as defined by CORS, + // i.e., cookies, HTTP authentication, and client-side + // SSL certificates. See + // http://www.w3.org/TR/cors/#user-credentials). + w.Header().Set("Access-Control-Allow-Origin", "*") + } + defer func() { if w.WroteStatus() == 0 { // Nobody has called WriteHeader yet: that // must be our job. w.WriteHeader(statusCode) - w.Write([]byte(statusText)) + if statusCode >= 400 { + w.Write([]byte(statusText)) + } } // If the given password is a valid token, log the first 10 characters of the token. // Otherwise: log the string if a password is given, else an empty string. passwordToLog := "" - if !validApiToken { + if !validAPIToken { if len(apiToken) > 0 { passwordToLog = "" } @@ -49,7 +99,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path) }() - creds := auth.NewCredentialsFromHTTPRequest(r) + creds := auth.CredentialsFromRequest(r) if len(creds.Tokens) == 0 { statusCode, statusText = http.StatusUnauthorized, "no credentials provided" w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"") @@ -62,43 +112,33 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // "foo/bar". pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2) if len(pathParts) != 2 { - statusCode, statusText = http.StatusBadRequest, "bad request" + statusCode, statusText = http.StatusNotFound, "not found" return } repoName = pathParts[0] repoName = strings.TrimRight(repoName, "/") - arv := clientPool.Get() + arv := h.clientPool.Get() if arv == nil { - statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+clientPool.Err().Error() + statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+h.clientPool.Err().Error() return } - defer clientPool.Put(arv) + defer h.clientPool.Put(arv) // Ask API server whether the repository is readable using // this token (by trying to read it!) arv.ApiToken = apiToken - reposFound := arvadosclient.Dict{} - if err := arv.List("repositories", arvadosclient.Dict{ - "filters": [][]string{{"name", "=", repoName}}, - }, &reposFound); err != nil { + repoUUID, err := h.lookupRepo(arv, repoName) + if err != nil { statusCode, statusText = http.StatusInternalServerError, err.Error() return } - validApiToken = true - if avail, ok := reposFound["items_available"].(float64); !ok { - statusCode, statusText = http.StatusInternalServerError, "bad list response from API" - return - } else if avail < 1 { + validAPIToken = true + if repoUUID == "" { statusCode, statusText = http.StatusNotFound, "not found" return - } else if avail > 1 { - statusCode, statusText = http.StatusInternalServerError, "name collision" - return } - repoUUID := reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string) - isWrite := strings.HasSuffix(r.URL.Path, "/git-receive-pack") if !isWrite { statusText = "read" @@ -129,7 +169,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { "/" + repoName + "/.git", } for _, dir := range tryDirs { - if fileInfo, err := os.Stat(theConfig.Root + dir); err != nil { + if fileInfo, err := os.Stat(h.cluster.Git.Repositories + dir); err != nil { if !os.IsNotExist(err) { statusCode, statusText = http.StatusInternalServerError, err.Error() return @@ -141,7 +181,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if rewrittenPath == "" { log.Println("WARNING:", repoUUID, - "git directory not found in", theConfig.Root, tryDirs) + "git directory not found in", h.cluster.Git.Repositories, tryDirs) // We say "content not found" to disambiguate from the // earlier "API says that repo does not exist" error. statusCode, statusText = http.StatusNotFound, "content not found" @@ -149,5 +189,30 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } r.URL.Path = rewrittenPath - h.handler.ServeHTTP(&w, r) + h.handler.ServeHTTP(w, r) +} + +var uuidRegexp = regexp.MustCompile(`^[0-9a-z]{5}-s0uqq-[0-9a-z]{15}$`) + +func (h *authHandler) lookupRepo(arv *arvadosclient.ArvadosClient, repoName string) (string, error) { + reposFound := arvadosclient.Dict{} + var column string + if uuidRegexp.MatchString(repoName) { + column = "uuid" + } else { + column = "name" + } + err := arv.List("repositories", arvadosclient.Dict{ + "filters": [][]string{{column, "=", repoName}}, + }, &reposFound) + if err != nil { + return "", err + } else if avail, ok := reposFound["items_available"].(float64); !ok { + return "", errors.New("bad list response from API") + } else if avail < 1 { + return "", nil + } else if avail > 1 { + return "", errors.New("name collision") + } + return reposFound["items"].([]interface{})[0].(map[string]interface{})["uuid"].(string), nil }