X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7141824bb60871253bcb3cd04dc7b2df00188b7d..f41534fcdfa95c282a04d64158f8a7d850637768:/services/keep-web/handler.go

diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 94b59ebd41..97ec95e3aa 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -6,6 +6,7 @@ package main
 
 import (
 	"encoding/json"
+	"fmt"
 	"html"
 	"html/template"
 	"io"
@@ -184,6 +185,16 @@ var (
 	}
 )
 
+func stripDefaultPort(host string) string {
+	// Will consider port 80 and port 443 to be the same vhost.  I think that's fine.
+	u := &url.URL{Host: host}
+	if p := u.Port(); p == "80" || p == "443" {
+		return strings.ToLower(u.Hostname())
+	} else {
+		return strings.ToLower(host)
+	}
+}
+
 // ServeHTTP implements http.Handler.
 func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	h.setupOnce.Do(h.setup)
@@ -240,14 +251,20 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	var attachment bool
 	var useSiteFS bool
 	credentialsOK := h.Config.cluster.Collections.TrustAllContent
+	reasonNotAcceptingCredentials := ""
 
-	if r.Host != "" && r.Host == h.Config.cluster.Services.WebDAVDownload.ExternalURL.Host {
+	if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Config.cluster.Services.WebDAVDownload.ExternalURL.Host) {
 		credentialsOK = true
 		attachment = true
 	} else if r.FormValue("disposition") == "attachment" {
 		attachment = true
 	}
 
+	if !credentialsOK {
+		reasonNotAcceptingCredentials = fmt.Sprintf("vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false",
+			r.Host, h.Config.cluster.Services.WebDAVDownload.ExternalURL)
+	}
+
 	if collectionID = parseCollectionIDFromDNSName(r.Host); collectionID != "" {
 		// http://ID.collections.example/PATH...
 		credentialsOK = true
@@ -278,6 +295,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 			// data. Tokens provided with the request are
 			// ignored.
 			credentialsOK = false
+			reasonNotAcceptingCredentials = "the '/collections/UUID/PATH' form only works for public data"
 		}
 	}
 
@@ -346,7 +364,19 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	}
 
 	if tokens == nil {
-		tokens = append(reqTokens, h.Config.cluster.Users.AnonymousUserToken)
+		tokens = reqTokens
+		if h.Config.cluster.Users.AnonymousUserToken != "" {
+			tokens = append(tokens, h.Config.cluster.Users.AnonymousUserToken)
+		}
+	}
+
+	if tokens == nil {
+		if !credentialsOK {
+			http.Error(w, fmt.Sprintf("Authorization tokens are not accepted here: %v, and no anonymous user token is configured.", reasonNotAcceptingCredentials), http.StatusUnauthorized)
+		} else {
+			http.Error(w, fmt.Sprintf("No authorization token in request, and no anonymous user token is configured."), http.StatusUnauthorized)
+		}
+		return
 	}
 
 	if len(targetPath) > 0 && targetPath[0] == "_" {
@@ -368,6 +398,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	defer h.clientPool.Put(arv)
 
 	var collection *arvados.Collection
+	var tokenUser *arvados.User
 	tokenResult := make(map[string]int)
 	for _, arv.ApiToken = range tokens {
 		var err error
@@ -453,7 +484,17 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Check configured permission
+	_, sess, err := h.Config.Cache.GetSession(arv.ApiToken)
+	tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken)
+
 	if webdavMethod[r.Method] {
+		if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+			http.Error(w, "Not permitted", http.StatusForbidden)
+			return
+		}
+		h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+
 		if writeMethod[r.Method] {
 			// Save the collection only if/when all
 			// webdav->filesystem operations succeed --
@@ -508,6 +549,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	} else if stat.IsDir() {
 		h.serveDirectory(w, r, collection.Name, fs, openPath, true)
 	} else {
+		if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+			http.Error(w, "Not permitted", http.StatusForbidden)
+			return
+		}
+		h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser)
+
 		http.ServeContent(w, r, basename, stat.ModTime(), f)
 		if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && w.WroteStatus() == http.StatusOK {
 			// If we wrote fewer bytes than expected, it's
@@ -553,7 +600,8 @@ func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []s
 		http.Error(w, errReadOnly.Error(), http.StatusMethodNotAllowed)
 		return
 	}
-	fs, err := h.Config.Cache.GetSession(tokens[0])
+
+	fs, sess, err := h.Config.Cache.GetSession(tokens[0])
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -576,6 +624,14 @@ func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []s
 		}
 		return
 	}
+
+	tokenUser, err := h.Config.Cache.GetTokenUser(tokens[0])
+	if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) {
+		http.Error(w, "Not permitted", http.StatusForbidden)
+		return
+	}
+	h.logUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser)
+
 	if r.Method == "GET" {
 		_, basename := filepath.Split(r.URL.Path)
 		applyContentDispositionHdr(w, r, basename, attachment)
@@ -806,3 +862,117 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 	io.WriteString(w, html.EscapeString(redir))
 	io.WriteString(w, `">Continue</A>`)
 }
+
+func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool {
+	var permitDownload bool
+	var permitUpload bool
+	if tokenUser != nil && tokenUser.IsAdmin {
+		permitUpload = h.Config.cluster.Collections.WebDAVPermission.Admin.Upload
+		permitDownload = h.Config.cluster.Collections.WebDAVPermission.Admin.Download
+	} else {
+		permitUpload = h.Config.cluster.Collections.WebDAVPermission.User.Upload
+		permitDownload = h.Config.cluster.Collections.WebDAVPermission.User.Download
+	}
+	if (method == "PUT" || method == "POST") && !permitUpload {
+		// Disallow operations that upload new files.
+		// Permit webdav operations that move existing files around.
+		return false
+	} else if method == "GET" && !permitDownload {
+		// Disallow downloading file contents.
+		// Permit webdav operations like PROPFIND that retrieve metadata
+		// but not file contents.
+		return false
+	}
+	return true
+}
+
+func (h *handler) logUploadOrDownload(
+	r *http.Request,
+	client *arvadosclient.ArvadosClient,
+	fs arvados.CustomFileSystem,
+	filepath string,
+	collection *arvados.Collection,
+	user *arvados.User) {
+
+	log := ctxlog.FromContext(r.Context())
+	props := make(map[string]string)
+	props["reqPath"] = r.URL.Path
+	var useruuid string
+	if user != nil {
+		log = log.WithField("user_uuid", user.UUID).
+			WithField("user_full_name", user.FullName)
+		useruuid = user.UUID
+	} else {
+		useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Config.cluster.ClusterID)
+	}
+	if collection == nil && fs != nil {
+		collection, filepath = h.determineCollection(fs, filepath)
+	}
+	if collection != nil {
+		log = log.WithField("collection_uuid", collection.UUID).
+			WithField("collection_file_path", filepath)
+		props["collection_uuid"] = collection.UUID
+		props["collection_file_path"] = filepath
+	}
+	if r.Method == "PUT" || r.Method == "POST" {
+		log.Info("File upload")
+		if h.Config.cluster.Collections.WebDAVLogEvents {
+			go func() {
+				lr := arvadosclient.Dict{"log": arvadosclient.Dict{
+					"object_uuid": useruuid,
+					"event_type":  "file_upload",
+					"properties":  props}}
+				err := client.Create("logs", lr, nil)
+				if err != nil {
+					log.WithError(err).Error("Failed to create upload log event on API server")
+				}
+			}()
+		}
+	} else if r.Method == "GET" {
+		if collection != nil && collection.PortableDataHash != "" {
+			log = log.WithField("portable_data_hash", collection.PortableDataHash)
+			props["portable_data_hash"] = collection.PortableDataHash
+		}
+		log.Info("File download")
+		if h.Config.cluster.Collections.WebDAVLogEvents {
+			go func() {
+				lr := arvadosclient.Dict{"log": arvadosclient.Dict{
+					"object_uuid": useruuid,
+					"event_type":  "file_download",
+					"properties":  props}}
+				err := client.Create("logs", lr, nil)
+				if err != nil {
+					log.WithError(err).Error("Failed to create download log event on API server")
+				}
+			}()
+		}
+	}
+}
+
+func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) {
+	segments := strings.Split(path, "/")
+	var i int
+	for i = 0; i < len(segments); i++ {
+		dir := append([]string{}, segments[0:i]...)
+		dir = append(dir, ".arvados#collection")
+		f, err := fs.OpenFile(strings.Join(dir, "/"), os.O_RDONLY, 0)
+		if f != nil {
+			defer f.Close()
+		}
+		if err != nil {
+			if !os.IsNotExist(err) {
+				return nil, ""
+			}
+			continue
+		}
+		// err is nil so we found it.
+		decoder := json.NewDecoder(f)
+		var collection arvados.Collection
+		err = decoder.Decode(&collection)
+		if err != nil {
+			return nil, ""
+		}
+		return &collection, strings.Join(segments[i:], "/")
+	}
+	return nil, ""
+}