X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/834ba51d22fa93297e66c60c3eb51cc1cf05fccc..daf902070467a6a48bd0c9a8b147b8c27e0720c3:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index ba91146647..ef61b06873 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -487,13 +487,14 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // Check configured permission _, sess, err := h.Config.Cache.GetSession(arv.ApiToken) tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken) - if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) { - http.Error(w, "Not permitted", http.StatusForbidden) - return - } - h.LogUploadOrDownload(r, sess.arvadosclient, collection, tokenUser) if webdavMethod[r.Method] { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) + return + } + h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + if writeMethod[r.Method] { // Save the collection only if/when all // webdav->filesystem operations succeed -- @@ -548,6 +549,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else if stat.IsDir() { h.serveDirectory(w, r, collection.Name, fs, openPath, true) } else { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) + return + } + h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + http.ServeContent(w, r, basename, stat.ModTime(), f) if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && w.WroteStatus() == http.StatusOK { // If we wrote fewer bytes than expected, it's @@ -619,11 +626,11 @@ func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []s } tokenUser, err := h.Config.Cache.GetTokenUser(tokens[0]) - if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { http.Error(w, "Not permitted", http.StatusForbidden) return } - h.LogUploadOrDownload(r, sess.arvadosclient, nil, tokenUser) + h.logUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser) if r.Method == "GET" { _, basename := filepath.Split(r.URL.Path) @@ -856,18 +863,15 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc io.WriteString(w, `">Continue`) } -func (h *handler) UserPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool { - if tokenUser == nil { - return false - } +func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool { var permitDownload bool var permitUpload bool - if tokenUser.IsAdmin { - permitUpload = h.Config.cluster.Collections.KeepWebPermission.Admin.Upload - permitDownload = h.Config.cluster.Collections.KeepWebPermission.Admin.Download + if tokenUser != nil && tokenUser.IsAdmin { + permitUpload = h.Config.cluster.Collections.WebDAVPermission.Admin.Upload + permitDownload = h.Config.cluster.Collections.WebDAVPermission.Admin.Download } else { - permitUpload = h.Config.cluster.Collections.KeepWebPermission.User.Upload - permitDownload = h.Config.cluster.Collections.KeepWebPermission.User.Download + permitUpload = h.Config.cluster.Collections.WebDAVPermission.User.Upload + permitDownload = h.Config.cluster.Collections.WebDAVPermission.User.Download } if (method == "PUT" || method == "POST") && !permitUpload { // Disallow operations that upload new files. @@ -882,39 +886,101 @@ func (h *handler) UserPermittedToUploadOrDownload(method string, tokenUser *arva return true } -func (h *handler) LogUploadOrDownload(r *http.Request, client *arvadosclient.ArvadosClient, collection *arvados.Collection, user *arvados.User) { +func (h *handler) logUploadOrDownload( + r *http.Request, + client *arvadosclient.ArvadosClient, + fs arvados.CustomFileSystem, + filepath string, + collection *arvados.Collection, + user *arvados.User) { + log := ctxlog.FromContext(r.Context()) props := make(map[string]string) props["reqPath"] = r.URL.Path + var useruuid string if user != nil { log = log.WithField("user_uuid", user.UUID). - WithField("full_name", user.FullName) + WithField("user_full_name", user.FullName) + useruuid = user.UUID + } else { + useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Config.cluster.ClusterID) + } + if collection == nil && fs != nil { + collection, filepath = h.determineCollection(fs, filepath) } if collection != nil { - log = log.WithField("collection_uuid", collection.UUID) + log = log.WithField("collection_uuid", collection.UUID). + WithField("collection_file_path", filepath) props["collection_uuid"] = collection.UUID + props["collection_file_path"] = filepath + // h.determineCollection populates the collection_uuid prop with the PDH, if + // this collection is being accessed via PDH. In that case, blank the + // collection_uuid field so that consumers of the log entries can rely on it + // being a UUID, or blank. The PDH remains available via the + // portable_data_hash property. + if props["collection_uuid"] == collection.PortableDataHash { + props["collection_uuid"] = "" + } } if r.Method == "PUT" || r.Method == "POST" { log.Info("File upload") - go func() { - lr := arvadosclient.Dict{"log": arvadosclient.Dict{ - "object_uuid": user.UUID, - "event_type": "file_upload", - "properties": props}} - client.Create("logs", lr, nil) - }() + if h.Config.cluster.Collections.WebDAVLogEvents { + go func() { + lr := arvadosclient.Dict{"log": arvadosclient.Dict{ + "object_uuid": useruuid, + "event_type": "file_upload", + "properties": props}} + err := client.Create("logs", lr, nil) + if err != nil { + log.WithError(err).Error("Failed to create upload log event on API server") + } + }() + } } else if r.Method == "GET" { - if collection != nil { + if collection != nil && collection.PortableDataHash != "" { log = log.WithField("portable_data_hash", collection.PortableDataHash) props["portable_data_hash"] = collection.PortableDataHash } log.Info("File download") - go func() { - lr := arvadosclient.Dict{"log": arvadosclient.Dict{ - "object_uuid": user.UUID, - "event_type": "file_download", - "properties": props}} - client.Create("logs", lr, nil) - }() + if h.Config.cluster.Collections.WebDAVLogEvents { + go func() { + lr := arvadosclient.Dict{"log": arvadosclient.Dict{ + "object_uuid": useruuid, + "event_type": "file_download", + "properties": props}} + err := client.Create("logs", lr, nil) + if err != nil { + log.WithError(err).Error("Failed to create download log event on API server") + } + }() + } + } +} + +func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) { + segments := strings.Split(path, "/") + var i int + for i = 0; i < len(segments); i++ { + dir := append([]string{}, segments[0:i]...) + dir = append(dir, ".arvados#collection") + f, err := fs.OpenFile(strings.Join(dir, "/"), os.O_RDONLY, 0) + if f != nil { + defer f.Close() + } + if err != nil { + if !os.IsNotExist(err) { + return nil, "" + } + continue + } + // err is nil so we found it. + decoder := json.NewDecoder(f) + var collection arvados.Collection + err = decoder.Decode(&collection) + if err != nil { + return nil, "" + } + return &collection, strings.Join(segments[i:], "/") } + return nil, "" }