X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/409d130ddcc4b76def5fa8d61d2584725c61152a..aba81749d2477043232b82300c0ce15548b61888:/services/ws/permission.go diff --git a/services/ws/permission.go b/services/ws/permission.go index e467e06720..f71ca61167 100644 --- a/services/ws/permission.go +++ b/services/ws/permission.go @@ -1,11 +1,17 @@ -package main +// Copyright (C) The Arvados Authors. All rights reserved. +// +// SPDX-License-Identifier: AGPL-3.0 + +package ws import ( + "context" "net/http" "net/url" "time" - "git.curoverse.com/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/ctxlog" ) const ( @@ -15,13 +21,13 @@ const ( type permChecker interface { SetToken(token string) - Check(uuid string) (bool, error) + Check(ctx context.Context, uuid string) (bool, error) } -func newPermChecker(ac arvados.Client) permChecker { - ac.AuthToken = "" +func newPermChecker(ac *arvados.Client) permChecker { return &cachingPermChecker{ - Client: &ac, + ac: ac, + token: "-", cache: make(map[string]cacheEnt), maxCurrent: 16, } @@ -33,18 +39,28 @@ type cacheEnt struct { } type cachingPermChecker struct { - *arvados.Client + ac *arvados.Client + token string cache map[string]cacheEnt maxCurrent int + + nChecks uint64 + nMisses uint64 + nInvalid uint64 } func (pc *cachingPermChecker) SetToken(token string) { - pc.Client.AuthToken = token + if pc.token == token { + return + } + pc.token = token + pc.cache = make(map[string]cacheEnt) } -func (pc *cachingPermChecker) Check(uuid string) (bool, error) { - logger := logger(nil). - WithField("token", pc.Client.AuthToken). +func (pc *cachingPermChecker) Check(ctx context.Context, uuid string) (bool, error) { + pc.nChecks++ + logger := ctxlog.FromContext(ctx). + WithField("token", pc.token). WithField("uuid", uuid) pc.tidy() now := time.Now() @@ -52,26 +68,32 @@ func (pc *cachingPermChecker) Check(uuid string) (bool, error) { logger.WithField("allowed", perm.allowed).Debug("cache hit") return perm.allowed, nil } - var buf map[string]interface{} - path, err := pc.PathForUUID("get", uuid) + + path, err := pc.ac.PathForUUID("get", uuid) if err != nil { + pc.nInvalid++ return false, err } - err = pc.RequestAndDecode(&buf, "GET", path, nil, url.Values{ - "select": {`["uuid"]`}, + + pc.nMisses++ + ctx = arvados.ContextWithAuthorization(ctx, "Bearer "+pc.token) + ctx, cancel := context.WithDeadline(ctx, time.Now().Add(time.Minute)) + defer cancel() + var buf map[string]interface{} + err = pc.ac.RequestAndDecodeContext(ctx, &buf, "GET", path, nil, url.Values{ + "include_trash": {"true"}, + "select": {`["uuid"]`}, }) var allowed bool if err == nil { allowed = true - } else if txErr, ok := err.(*arvados.TransactionError); ok && txErr.StatusCode == http.StatusNotFound { - allowed = false - } else if txErr.StatusCode == http.StatusForbidden { - // Some requests are expressly forbidden for reasons - // other than "you aren't allowed to know whether this - // UUID exists" (404). + } else if txErr, ok := err.(*arvados.TransactionError); ok && pc.isNotAllowed(txErr.StatusCode) { allowed = false } else { + // If "context deadline exceeded", "client + // disconnected", HTTP 5xx, network error, etc., don't + // cache the result. logger.WithError(err).Error("lookup error") return false, err } @@ -80,6 +102,15 @@ func (pc *cachingPermChecker) Check(uuid string) (bool, error) { return allowed, nil } +func (pc *cachingPermChecker) isNotAllowed(status int) bool { + switch status { + case http.StatusForbidden, http.StatusUnauthorized, http.StatusNotFound: + return true + default: + return false + } +} + func (pc *cachingPermChecker) tidy() { if len(pc.cache) <= pc.maxCurrent*2 { return