X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3ad999b1f769ef53d1bf069a5981db959b33b9d4..8a2035547ad8bf6abad6a4a03bb0b59211a00932:/services/keepproxy/keepproxy.go diff --git a/services/keepproxy/keepproxy.go b/services/keepproxy/keepproxy.go index 3d1b447625..0c0c08fe4d 100644 --- a/services/keepproxy/keepproxy.go +++ b/services/keepproxy/keepproxy.go @@ -10,7 +10,6 @@ import ( "fmt" "io" "io/ioutil" - "log" "net" "net/http" "os" @@ -25,12 +24,16 @@ import ( "git.curoverse.com/arvados.git/sdk/go/arvadosclient" "git.curoverse.com/arvados.git/sdk/go/config" "git.curoverse.com/arvados.git/sdk/go/health" + "git.curoverse.com/arvados.git/sdk/go/httpserver" "git.curoverse.com/arvados.git/sdk/go/keepclient" + log "github.com/Sirupsen/logrus" "github.com/coreos/go-systemd/daemon" "github.com/ghodss/yaml" "github.com/gorilla/mux" ) +var version = "dev" + type Config struct { Client arvados.Client Listen string @@ -55,7 +58,13 @@ var ( router http.Handler ) +const rfc3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00" + func main() { + log.SetFormatter(&log.JSONFormatter{ + TimestampFormat: rfc3339NanoFixed, + }) + cfg := DefaultConfig() flagset := flag.NewFlagSet("keepproxy", flag.ExitOnError) @@ -74,8 +83,15 @@ func main() { const defaultCfgPath = "/etc/arvados/keepproxy/keepproxy.yml" flagset.StringVar(&cfgPath, "config", defaultCfgPath, "Configuration file `path`") dumpConfig := flagset.Bool("dump-config", false, "write current configuration to stdout and exit") + getVersion := flagset.Bool("version", false, "Print version information and exit.") flagset.Parse(os.Args[1:]) + // Print version information if requested + if *getVersion { + fmt.Printf("keepproxy %s\n", version) + return + } + err := config.LoadFile(cfg, cfgPath) if err != nil { h := os.Getenv("ARVADOS_API_HOST") @@ -99,6 +115,8 @@ func main() { log.Fatal(config.DumpAndExit(cfg)) } + log.Printf("keepproxy %s started", version) + arv, err := arvadosclient.New(&cfg.Client) if err != nil { log.Fatalf("Error setting up arvados client %s", err.Error()) @@ -164,7 +182,7 @@ func main() { // Start serving requests. router = MakeRESTRouter(!cfg.DisableGet, !cfg.DisablePut, kc, time.Duration(cfg.Timeout), cfg.ManagementToken) - http.Serve(listener, router) + http.Serve(listener, httpserver.AddRequestIDs(httpserver.LogRequests(router))) log.Println("shutting down") } @@ -214,31 +232,43 @@ func GetRemoteAddress(req *http.Request) string { } func CheckAuthorizationHeader(kc *keepclient.KeepClient, cache *ApiTokenCache, req *http.Request) (pass bool, tok string) { - var auth string - if auth = req.Header.Get("Authorization"); auth == "" { + parts := strings.SplitN(req.Header.Get("Authorization"), " ", 2) + if len(parts) < 2 || !(parts[0] == "OAuth2" || parts[0] == "Bearer") || len(parts[1]) == 0 { return false, "" } + tok = parts[1] - _, err := fmt.Sscanf(auth, "OAuth2 %s", &tok) - if err != nil { - // Scanning error - return false, "" + // Tokens are validated differently depending on what kind of + // operation is being performed. For example, tokens in + // collection-sharing links permit GET requests, but not + // PUT requests. + var op string + if req.Method == "GET" || req.Method == "HEAD" { + op = "read" + } else { + op = "write" } - if cache.RecallToken(tok) { + if cache.RecallToken(op + ":" + tok) { // Valid in the cache, short circuit return true, tok } + var err error arv := *kc.Arvados arv.ApiToken = tok - if err := arv.Call("HEAD", "users", "", "current", nil, nil); err != nil { + if op == "read" { + err = arv.Call("HEAD", "keep_services", "", "accessible", nil, nil) + } else { + err = arv.Call("HEAD", "users", "", "current", nil, nil) + } + if err != nil { log.Printf("%s: CheckAuthorizationHeader error: %v", GetRemoteAddress(req), err) return false, "" } // Success! Update cache - cache.RememberToken(tok) + cache.RememberToken(op + ":" + tok) return true, tok } @@ -596,7 +626,8 @@ func (h *proxyHandler) makeKeepClient(req *http.Request) *keepclient.KeepClient Timeout: h.timeout, Transport: h.transport, }, - proto: req.Proto, + proto: req.Proto, + requestID: req.Header.Get("X-Request-Id"), } return &kc }