X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3959d7afff8bb3c3b8da9eb7d178919275180f2a..e67d0f5d43c56f78694ea4a5f93acec5c93cd0fb:/services/arv-git-httpd/auth_handler.go

diff --git a/services/arv-git-httpd/auth_handler.go b/services/arv-git-httpd/auth_handler.go
index 74635488f2..b7373b5c1e 100644
--- a/services/arv-git-httpd/auth_handler.go
+++ b/services/arv-git-httpd/auth_handler.go
@@ -1,100 +1,122 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
 package main
 
 import (
 	"log"
 	"net/http"
-	"net/http/cgi"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
 	"git.curoverse.com/arvados.git/sdk/go/arvadosclient"
+	"git.curoverse.com/arvados.git/sdk/go/auth"
+	"git.curoverse.com/arvados.git/sdk/go/httpserver"
 )
 
-func newArvadosClient() interface{} {
-	arv, err := arvadosclient.MakeArvadosClient()
-	if err != nil {
-		log.Println("MakeArvadosClient:", err)
-		return nil
-	}
-	return &arv
-}
-
-var connectionPool = &sync.Pool{New: newArvadosClient}
-
-type spyingResponseWriter struct {
-	http.ResponseWriter
-	wroteStatus *int
-}
-
-func (w spyingResponseWriter) WriteHeader(s int) {
-	*w.wroteStatus = s
-	w.ResponseWriter.WriteHeader(s)
+type authHandler struct {
+	handler    http.Handler
+	clientPool *arvadosclient.ClientPool
+	setupOnce  sync.Once
 }
 
-type authHandler struct {
-	handler *cgi.Handler
+func (h *authHandler) setup() {
+	ac, err := arvadosclient.New(&theConfig.Client)
+	if err != nil {
+		log.Fatal(err)
+	}
+	h.clientPool = &arvadosclient.ClientPool{Prototype: ac}
+	log.Printf("%+v", h.clientPool.Prototype)
 }
 
 func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
+	h.setupOnce.Do(h.setup)
+
 	var statusCode int
 	var statusText string
-	var username, password string
+	var apiToken string
 	var repoName string
-	var wroteStatus int
+	var validApiToken bool
 
-	w := spyingResponseWriter{wOrig, &wroteStatus}
+	w := httpserver.WrapResponseWriter(wOrig)
+
+	if r.Method == "OPTIONS" {
+		method := r.Header.Get("Access-Control-Request-Method")
+		if method != "GET" && method != "POST" {
+			w.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
+		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
+		w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+		w.Header().Set("Access-Control-Max-Age", "86400")
+		w.WriteHeader(http.StatusOK)
+		return
+	}
+
+	if r.Header.Get("Origin") != "" {
+		// Allow simple cross-origin requests without user
+		// credentials ("user credentials" as defined by CORS,
+		// i.e., cookies, HTTP authentication, and client-side
+		// SSL certificates. See
+		// http://www.w3.org/TR/cors/#user-credentials).
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+	}
 
 	defer func() {
-		if wroteStatus == 0 {
-			// Nobody has called WriteHeader yet: that must be our job.
+		if w.WroteStatus() == 0 {
+			// Nobody has called WriteHeader yet: that
+			// must be our job.
 			w.WriteHeader(statusCode)
 			w.Write([]byte(statusText))
 		}
 
+		// If the given password is a valid token, log the first 10 characters of the token.
+		// Otherwise: log the string <invalid> if a password is given, else an empty string.
 		passwordToLog := ""
-		if statusCode == 401 || strings.Contains(statusText, "Unauthorized") {
-			if len(password) > 0 {
+		if !validApiToken {
+			if len(apiToken) > 0 {
 				passwordToLog = "<invalid>"
 			}
 		} else {
-			passwordToLog = password[0:10]
+			passwordToLog = apiToken[0:10]
 		}
 
-		log.Println(quoteStrings(r.RemoteAddr, username, passwordToLog, wroteStatus, statusText, repoName, r.Method, r.URL.Path)...)
+		httpserver.Log(r.RemoteAddr, passwordToLog, w.WroteStatus(), statusText, repoName, r.Method, r.URL.Path)
 	}()
 
-	// HTTP request username is logged, but unused. Password is an
-	// Arvados API token.
-	username, password, ok := BasicAuth(r)
-	if !ok || username == "" || password == "" {
+	creds := auth.NewCredentialsFromHTTPRequest(r)
+	if len(creds.Tokens) == 0 {
 		statusCode, statusText = http.StatusUnauthorized, "no credentials provided"
 		w.Header().Add("WWW-Authenticate", "Basic realm=\"git\"")
 		return
 	}
+	apiToken = creds.Tokens[0]
 
 	// Access to paths "/foo/bar.git/*" and "/foo/bar/.git/*" are
 	// protected by the permissions on the repository named
 	// "foo/bar".
 	pathParts := strings.SplitN(r.URL.Path[1:], ".git/", 2)
 	if len(pathParts) != 2 {
-		statusCode, statusText = http.StatusBadRequest, "bad request"
+		statusCode, statusText = http.StatusNotFound, "not found"
 		return
 	}
 	repoName = pathParts[0]
 	repoName = strings.TrimRight(repoName, "/")
 
-	arv, ok := connectionPool.Get().(*arvadosclient.ArvadosClient)
-	if !ok || arv == nil {
-		statusCode, statusText = http.StatusInternalServerError, "connection pool failed"
+	arv := h.clientPool.Get()
+	if arv == nil {
+		statusCode, statusText = http.StatusInternalServerError, "connection pool failed: "+h.clientPool.Err().Error()
 		return
 	}
-	defer connectionPool.Put(arv)
+	defer h.clientPool.Put(arv)
 
 	// Ask API server whether the repository is readable using
 	// this token (by trying to read it!)
-	arv.ApiToken = password
+	arv.ApiToken = apiToken
 	reposFound := arvadosclient.Dict{}
 	if err := arv.List("repositories", arvadosclient.Dict{
 		"filters": [][]string{{"name", "=", repoName}},
@@ -102,6 +124,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		statusCode, statusText = http.StatusInternalServerError, err.Error()
 		return
 	}
+	validApiToken = true
 	if avail, ok := reposFound["items_available"].(float64); !ok {
 		statusCode, statusText = http.StatusInternalServerError, "bad list response from API"
 		return
@@ -145,7 +168,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		"/" + repoName + "/.git",
 	}
 	for _, dir := range tryDirs {
-		if fileInfo, err := os.Stat(theConfig.Root + dir); err != nil {
+		if fileInfo, err := os.Stat(theConfig.RepoRoot + dir); err != nil {
 			if !os.IsNotExist(err) {
 				statusCode, statusText = http.StatusInternalServerError, err.Error()
 				return
@@ -157,7 +180,7 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	}
 	if rewrittenPath == "" {
 		log.Println("WARNING:", repoUUID,
-			"git directory not found in", theConfig.Root, tryDirs)
+			"git directory not found in", theConfig.RepoRoot, tryDirs)
 		// We say "content not found" to disambiguate from the
 		// earlier "API says that repo does not exist" error.
 		statusCode, statusText = http.StatusNotFound, "content not found"
@@ -165,20 +188,5 @@ func (h *authHandler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	}
 	r.URL.Path = rewrittenPath
 
-	handlerCopy := *h.handler
-	handlerCopy.Env = append(handlerCopy.Env, "REMOTE_USER="+r.RemoteAddr) // Should be username
-	handlerCopy.ServeHTTP(&w, r)
-}
-
-var escaper = strings.NewReplacer("\"", "\\\"", "\\", "\\\\", "\n", "\\n")
-
-// Transform strings so they are safer to write in logs (e.g.,
-// 'foo"bar' becomes '"foo\"bar"'). Non-string args are left alone.
-func quoteStrings(args ...interface{}) []interface{} {
-	for i, arg := range args {
-		if s, ok := arg.(string); ok {
-			args[i] = "\"" + escaper.Replace(s) + "\""
-		}
-	}
-	return args
+	h.handler.ServeHTTP(&w, r)
 }