X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/83974ae9df4060f7aaa6bba61997404a2a7405b2..8d3aec7a9485d0bec6b672d0b9097e02a1ceea09:/services/keep-web/handler_test.go?ds=sidebyside diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go index 0f7d507879..4a76276392 100644 --- a/services/keep-web/handler_test.go +++ b/services/keep-web/handler_test.go @@ -18,6 +18,7 @@ import ( "path/filepath" "regexp" "strings" + "sync" "time" "git.arvados.org/arvados.git/lib/config" @@ -83,7 +84,7 @@ func (s *UnitSuite) TestCORSPreflight(c *check.C) { c.Check(resp.Body.String(), check.Equals, "") c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*") c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK") - c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type, Range, Depth, Destination, If, Lock-Token, Overwrite, Timeout") + c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type, Range, Depth, Destination, If, Lock-Token, Overwrite, Timeout, Cache-Control") // Check preflight for a disallowed request resp = httptest.NewRecorder() @@ -93,6 +94,120 @@ func (s *UnitSuite) TestCORSPreflight(c *check.C) { c.Check(resp.Code, check.Equals, http.StatusMethodNotAllowed) } +func (s *UnitSuite) TestWebdavPrefixAndSource(c *check.C) { + for _, trial := range []struct { + method string + path string + prefix string + source string + notFound bool + seeOther bool + }{ + { + method: "PROPFIND", + path: "/", + }, + { + method: "PROPFIND", + path: "/dir1", + }, + { + method: "PROPFIND", + path: "/dir1/", + }, + { + method: "PROPFIND", + path: "/dir1/foo", + prefix: "/dir1", + source: "/dir1", + }, + { + method: "PROPFIND", + path: "/prefix/dir1/foo", + prefix: "/prefix/", + source: "", + }, + { + method: "PROPFIND", + path: "/prefix/dir1/foo", + prefix: "/prefix", + source: "", + }, + { + method: "PROPFIND", + path: "/prefix/dir1/foo", + prefix: "/prefix/", + source: "/", + }, + { + method: "PROPFIND", + path: "/prefix/foo", + prefix: "/prefix/", + source: "/dir1/", + }, + { + method: "GET", + path: "/prefix/foo", + prefix: "/prefix/", + source: "/dir1/", + }, + { + method: "PROPFIND", + path: "/prefix/", + prefix: "/prefix", + source: "/dir1", + }, + { + method: "PROPFIND", + path: "/prefix", + prefix: "/prefix", + source: "/dir1/", + }, + { + method: "GET", + path: "/prefix", + prefix: "/prefix", + source: "/dir1", + seeOther: true, + }, + { + method: "PROPFIND", + path: "/dir1/foo", + prefix: "", + source: "/dir1", + notFound: true, + }, + } { + c.Logf("trial %+v", trial) + u := mustParseURL("http://" + arvadostest.FooBarDirCollection + ".keep-web.example" + trial.path) + req := &http.Request{ + Method: trial.method, + Host: u.Host, + URL: u, + RequestURI: u.RequestURI(), + Header: http.Header{ + "Authorization": {"Bearer " + arvadostest.ActiveTokenV2}, + "X-Webdav-Prefix": {trial.prefix}, + "X-Webdav-Source": {trial.source}, + }, + Body: ioutil.NopCloser(bytes.NewReader(nil)), + } + + resp := httptest.NewRecorder() + s.handler.ServeHTTP(resp, req) + if trial.notFound { + c.Check(resp.Code, check.Equals, http.StatusNotFound) + } else if trial.method == "PROPFIND" { + c.Check(resp.Code, check.Equals, http.StatusMultiStatus) + c.Check(resp.Body.String(), check.Matches, `(?ms).*>\n?$`) + } else if trial.seeOther { + c.Check(resp.Code, check.Equals, http.StatusSeeOther) + } else { + c.Check(resp.Code, check.Equals, http.StatusOK) + } + } +} + func (s *UnitSuite) TestEmptyResponse(c *check.C) { for _, trial := range []struct { dataExists bool @@ -443,7 +558,7 @@ func (s *IntegrationSuite) TestCollectionSharingToken(c *check.C) { nil, "", http.StatusNotFound, - notFoundMessage+"\n", + regexp.QuoteMeta(notFoundMessage+"\n"), ) } @@ -456,7 +571,7 @@ func (s *IntegrationSuite) TestSingleOriginSecretLinkBadToken(c *check.C) { nil, "", http.StatusNotFound, - notFoundMessage+"\n", + regexp.QuoteMeta(notFoundMessage+"\n"), ) } @@ -519,7 +634,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenToBogusCookie(c *check.C) http.Header{"Sec-Fetch-Mode": {"cors"}}, "", http.StatusUnauthorized, - unauthorizedMessage+"\n", + regexp.QuoteMeta(unauthorizedMessage+"\n"), ) s.testVhostRedirectTokenToCookie(c, "GET", s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo", @@ -527,10 +642,65 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenToBogusCookie(c *check.C) nil, "", http.StatusUnauthorized, - unauthorizedMessage+"\n", + regexp.QuoteMeta(unauthorizedMessage+"\n"), ) } +func (s *IntegrationSuite) TestVhostRedirectWithNoCache(c *check.C) { + resp := s.testVhostRedirectTokenToCookie(c, "GET", + arvadostest.FooCollection+".example.com/foo", + "?api_token=thisisabogustoken", + http.Header{ + "Sec-Fetch-Mode": {"navigate"}, + "Cache-Control": {"no-cache"}, + }, + "", + http.StatusSeeOther, + "", + ) + u, err := url.Parse(resp.Header().Get("Location")) + c.Assert(err, check.IsNil) + c.Logf("redirected to %s", u) + c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host) + c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo") + c.Check(u.Query().Get("redirectToDownload"), check.Equals, "") +} + +func (s *IntegrationSuite) TestNoTokenWorkbench2LoginFlow(c *check.C) { + for _, trial := range []struct { + anonToken bool + cacheControl string + }{ + {}, + {cacheControl: "no-cache"}, + {anonToken: true}, + {anonToken: true, cacheControl: "no-cache"}, + } { + c.Logf("trial: %+v", trial) + + if trial.anonToken { + s.handler.Cluster.Users.AnonymousUserToken = arvadostest.AnonymousToken + } else { + s.handler.Cluster.Users.AnonymousUserToken = "" + } + req, err := http.NewRequest("GET", "http://"+arvadostest.FooCollection+".example.com/foo", nil) + c.Assert(err, check.IsNil) + req.Header.Set("Sec-Fetch-Mode", "navigate") + if trial.cacheControl != "" { + req.Header.Set("Cache-Control", trial.cacheControl) + } + resp := httptest.NewRecorder() + s.handler.ServeHTTP(resp, req) + c.Check(resp.Code, check.Equals, http.StatusSeeOther) + u, err := url.Parse(resp.Header().Get("Location")) + c.Assert(err, check.IsNil) + c.Logf("redirected to %q", u) + c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host) + c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo") + c.Check(u.Query().Get("redirectToDownload"), check.Equals, "") + } +} + func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check.C) { s.testVhostRedirectTokenToCookie(c, "GET", "example.com/c="+arvadostest.FooCollection+"/foo", @@ -538,7 +708,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check nil, "", http.StatusBadRequest, - "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n", + regexp.QuoteMeta("cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n"), ) } @@ -613,7 +783,7 @@ func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *chec nil, "", http.StatusBadRequest, - "cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n", + regexp.QuoteMeta("cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n"), ) resp := s.testVhostRedirectTokenToCookie(c, "GET", @@ -645,7 +815,7 @@ func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie404(c *check.C) http.Header{"Content-Type": {"application/x-www-form-urlencoded"}}, url.Values{"api_token": {arvadostest.SpectatorToken}}.Encode(), http.StatusNotFound, - notFoundMessage+"\n", + regexp.QuoteMeta(notFoundMessage+"\n"), ) } @@ -668,8 +838,8 @@ func (s *IntegrationSuite) TestAnonymousTokenError(c *check.C) { "", nil, "", - http.StatusNotFound, - notFoundMessage+"\n", + http.StatusUnauthorized, + "Authorization tokens are not accepted here: .*\n", ) } @@ -806,7 +976,7 @@ func (s *IntegrationSuite) TestXHRNoRedirect(c *check.C) { c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*") } -func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString string, reqHeader http.Header, reqBody string, expectStatus int, expectRespBody string) *httptest.ResponseRecorder { +func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString string, reqHeader http.Header, reqBody string, expectStatus int, matchRespBody string) *httptest.ResponseRecorder { if reqHeader == nil { reqHeader = http.Header{} } @@ -824,7 +994,7 @@ func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, ho resp := httptest.NewRecorder() defer func() { c.Check(resp.Code, check.Equals, expectStatus) - c.Check(resp.Body.String(), check.Equals, expectRespBody) + c.Check(resp.Body.String(), check.Matches, matchRespBody) }() s.handler.ServeHTTP(resp, req) @@ -1038,11 +1208,7 @@ func (s *IntegrationSuite) testDirectoryListing(c *check.C) { c.Check(req.URL.Path, check.Equals, trial.redirect, comment) } if trial.expect == nil { - if s.handler.Cluster.Users.AnonymousUserToken == "" { - c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment) - } else { - c.Check(resp.Code, check.Equals, http.StatusNotFound, comment) - } + c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment) } else { c.Check(resp.Code, check.Equals, http.StatusOK, comment) for _, e := range trial.expect { @@ -1063,11 +1229,7 @@ func (s *IntegrationSuite) testDirectoryListing(c *check.C) { resp = httptest.NewRecorder() s.handler.ServeHTTP(resp, req) if trial.expect == nil { - if s.handler.Cluster.Users.AnonymousUserToken == "" { - c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment) - } else { - c.Check(resp.Code, check.Equals, http.StatusNotFound, comment) - } + c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment) } else { c.Check(resp.Code, check.Equals, http.StatusOK, comment) } @@ -1083,11 +1245,7 @@ func (s *IntegrationSuite) testDirectoryListing(c *check.C) { resp = httptest.NewRecorder() s.handler.ServeHTTP(resp, req) if trial.expect == nil { - if s.handler.Cluster.Users.AnonymousUserToken == "" { - c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment) - } else { - c.Check(resp.Code, check.Equals, http.StatusNotFound, comment) - } + c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment) } else { c.Check(resp.Code, check.Equals, http.StatusMultiStatus, comment) for _, e := range trial.expect { @@ -1467,3 +1625,72 @@ func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) { } } } + +func (s *IntegrationSuite) TestConcurrentWrites(c *check.C) { + s.handler.Cluster.Collections.WebDAVCache.TTL = arvados.Duration(time.Second * 2) + lockTidyInterval = time.Second + client := arvados.NewClientFromEnv() + client.AuthToken = arvadostest.ActiveTokenV2 + // Start small, and increase concurrency (2^2, 4^2, ...) + // only until hitting failure. Avoids unnecessarily long + // failure reports. + for n := 2; n < 16 && !c.Failed(); n = n * 2 { + c.Logf("%s: n=%d", c.TestName(), n) + + var coll arvados.Collection + err := client.RequestAndDecode(&coll, "POST", "arvados/v1/collections", nil, nil) + c.Assert(err, check.IsNil) + defer client.RequestAndDecode(&coll, "DELETE", "arvados/v1/collections/"+coll.UUID, nil, nil) + + var wg sync.WaitGroup + for i := 0; i < n && !c.Failed(); i++ { + i := i + wg.Add(1) + go func() { + defer wg.Done() + u := mustParseURL(fmt.Sprintf("http://%s.collections.example.com/i=%d", coll.UUID, i)) + resp := httptest.NewRecorder() + req, err := http.NewRequest("MKCOL", u.String(), nil) + c.Assert(err, check.IsNil) + req.Header.Set("Authorization", "Bearer "+client.AuthToken) + s.handler.ServeHTTP(resp, req) + c.Assert(resp.Code, check.Equals, http.StatusCreated) + for j := 0; j < n && !c.Failed(); j++ { + j := j + wg.Add(1) + go func() { + defer wg.Done() + content := fmt.Sprintf("i=%d/j=%d", i, j) + u := mustParseURL("http://" + coll.UUID + ".collections.example.com/" + content) + + resp := httptest.NewRecorder() + req, err := http.NewRequest("PUT", u.String(), strings.NewReader(content)) + c.Assert(err, check.IsNil) + req.Header.Set("Authorization", "Bearer "+client.AuthToken) + s.handler.ServeHTTP(resp, req) + c.Check(resp.Code, check.Equals, http.StatusCreated) + + time.Sleep(time.Second) + resp = httptest.NewRecorder() + req, err = http.NewRequest("GET", u.String(), nil) + c.Assert(err, check.IsNil) + req.Header.Set("Authorization", "Bearer "+client.AuthToken) + s.handler.ServeHTTP(resp, req) + c.Check(resp.Code, check.Equals, http.StatusOK) + c.Check(resp.Body.String(), check.Equals, content) + }() + } + }() + } + wg.Wait() + for i := 0; i < n; i++ { + u := mustParseURL(fmt.Sprintf("http://%s.collections.example.com/i=%d", coll.UUID, i)) + resp := httptest.NewRecorder() + req, err := http.NewRequest("PROPFIND", u.String(), &bytes.Buffer{}) + c.Assert(err, check.IsNil) + req.Header.Set("Authorization", "Bearer "+client.AuthToken) + s.handler.ServeHTTP(resp, req) + c.Assert(resp.Code, check.Equals, http.StatusMultiStatus) + } + } +}