X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/967821ec0ac00aef677f943e709ea079ebc30f78..2ea729f97166cb5fda4a6ca0818f0a0ab15388ab:/lib/controller/handler.go diff --git a/lib/controller/handler.go b/lib/controller/handler.go index ab6c72735e..53125ae554 100644 --- a/lib/controller/handler.go +++ b/lib/controller/handler.go @@ -6,11 +6,11 @@ package controller import ( "context" - "io" + "database/sql" + "errors" "net" "net/http" "net/url" - "regexp" "strings" "sync" "time" @@ -18,28 +18,55 @@ import ( "git.curoverse.com/arvados.git/sdk/go/arvados" "git.curoverse.com/arvados.git/sdk/go/health" "git.curoverse.com/arvados.git/sdk/go/httpserver" + _ "github.com/lib/pq" ) type Handler struct { Cluster *arvados.Cluster NodeProfile *arvados.NodeProfile - setupOnce sync.Once - handlerStack http.Handler - proxyClient *arvados.Client + setupOnce sync.Once + handlerStack http.Handler + proxy *proxy + secureClient *http.Client + insecureClient *http.Client + pgdb *sql.DB + pgdbMtx sync.Mutex } func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { h.setupOnce.Do(h.setup) + if req.Method != "GET" && req.Method != "HEAD" { + // http.ServeMux returns 301 with a cleaned path if + // the incoming request has a double slash. Some + // clients (including the Go standard library) change + // the request method to GET when following a 301 + // redirect if the original method was not HEAD + // (RFC7231 6.4.2 specifically allows this in the case + // of POST). Thus "POST //foo" gets misdirected to + // "GET /foo". To avoid this, eliminate double slashes + // before passing the request to ServeMux. + for strings.Contains(req.URL.Path, "//") { + req.URL.Path = strings.Replace(req.URL.Path, "//", "/", -1) + } + } + if h.Cluster.HTTPRequestTimeout > 0 { + ctx, cancel := context.WithDeadline(req.Context(), time.Now().Add(time.Duration(h.Cluster.HTTPRequestTimeout))) + req = req.WithContext(ctx) + defer cancel() + } + h.handlerStack.ServeHTTP(w, req) } func (h *Handler) CheckHealth() error { h.setupOnce.Do(h.setup) - _, err := findRailsAPI(h.Cluster, h.NodeProfile) + _, _, err := findRailsAPI(h.Cluster, h.NodeProfile) return err } +func neverRedirect(*http.Request, []*http.Request) error { return http.ErrUseLastResponse } + func (h *Handler) setup() { mux := http.NewServeMux() mux.Handle("/_health/", &health.Handler{ @@ -48,70 +75,60 @@ func (h *Handler) setup() { }) hs := http.NotFoundHandler() hs = prepend(hs, h.proxyRailsAPI) - hs = prepend(hs, h.proxyRemoteCluster) + hs = h.setupProxyRemoteCluster(hs) mux.Handle("/", hs) h.handlerStack = mux -} -// headers that shouldn't be forwarded when proxying. See -// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers -var dropHeaders = map[string]bool{ - "Connection": true, - "Keep-Alive": true, - "Proxy-Authenticate": true, - "Proxy-Authorization": true, - "TE": true, - "Trailer": true, - "Transfer-Encoding": true, - "Upgrade": true, -} + sc := *arvados.DefaultSecureClient + sc.CheckRedirect = neverRedirect + h.secureClient = &sc -type middlewareFunc func(http.ResponseWriter, *http.Request, http.Handler) + ic := *arvados.InsecureHTTPClient + ic.CheckRedirect = neverRedirect + h.insecureClient = &ic -func prepend(next http.Handler, middleware middlewareFunc) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - middleware(w, req, next) - }) + h.proxy = &proxy{ + Name: "arvados-controller", + } } -var wfRe = regexp.MustCompile(`^/arvados/v1/workflows/([0-9a-z]{5})-[^/]+$`) +var errDBConnection = errors.New("database connection error") -func (h *Handler) proxyRemoteCluster(w http.ResponseWriter, req *http.Request, next http.Handler) { - m := wfRe.FindStringSubmatch(req.URL.Path) - if len(m) < 2 || m[1] == h.Cluster.ClusterID { - next.ServeHTTP(w, req) - return +func (h *Handler) db(req *http.Request) (*sql.DB, error) { + h.pgdbMtx.Lock() + defer h.pgdbMtx.Unlock() + if h.pgdb != nil { + return h.pgdb, nil } - remoteID := m[1] - remote, ok := h.Cluster.RemoteClusters[remoteID] - if !ok { - httpserver.Error(w, "no proxy available for cluster "+remoteID, http.StatusNotFound) - return + + db, err := sql.Open("postgres", h.Cluster.PostgreSQL.Connection.String()) + if err != nil { + httpserver.Logger(req).WithError(err).Error("postgresql connect failed") + return nil, errDBConnection } - scheme := remote.Scheme - if scheme == "" { - scheme = "https" + if p := h.Cluster.PostgreSQL.ConnectionPool; p > 0 { + db.SetMaxOpenConns(p) } - urlOut := &url.URL{ - Scheme: scheme, - Host: remote.Host, - Path: req.URL.Path, - RawPath: req.URL.RawPath, - RawQuery: req.URL.RawQuery, - } - err := h.saltAuthToken(req, remoteID) - if err != nil { - httpserver.Error(w, err.Error(), http.StatusBadRequest) - return + if err := db.Ping(); err != nil { + httpserver.Logger(req).WithError(err).Error("postgresql connect succeeded but ping failed") + return nil, errDBConnection } - h.proxy(w, req, urlOut) + h.pgdb = db + return db, nil } -func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next http.Handler) { - urlOut, err := findRailsAPI(h.Cluster, h.NodeProfile) +type middlewareFunc func(http.ResponseWriter, *http.Request, http.Handler) + +func prepend(next http.Handler, middleware middlewareFunc) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + middleware(w, req, next) + }) +} + +func (h *Handler) localClusterRequest(req *http.Request) (*http.Response, error) { + urlOut, insecure, err := findRailsAPI(h.Cluster, h.NodeProfile) if err != nil { - httpserver.Error(w, err.Error(), http.StatusInternalServerError) - return + return nil, err } urlOut = &url.URL{ Scheme: urlOut.Scheme, @@ -120,58 +137,24 @@ func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next h RawPath: req.URL.RawPath, RawQuery: req.URL.RawQuery, } - h.proxy(w, req, urlOut) -} - -func (h *Handler) proxy(w http.ResponseWriter, reqIn *http.Request, urlOut *url.URL) { - // Copy headers from incoming request, then add/replace proxy - // headers like Via and X-Forwarded-For. - hdrOut := http.Header{} - for k, v := range reqIn.Header { - if !dropHeaders[k] { - hdrOut[k] = v - } - } - xff := reqIn.RemoteAddr - if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" { - xff = xffIn + "," + xff - } - hdrOut.Set("X-Forwarded-For", xff) - hdrOut.Add("Via", reqIn.Proto+" arvados-controller") - - ctx := reqIn.Context() - if timeout := h.Cluster.HTTPRequestTimeout; timeout > 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithDeadline(ctx, time.Now().Add(time.Duration(timeout))) - defer cancel() + client := h.secureClient + if insecure { + client = h.insecureClient } + return h.proxy.Do(req, urlOut, client) +} - reqOut := (&http.Request{ - Method: reqIn.Method, - URL: urlOut, - Header: hdrOut, - Body: reqIn.Body, - }).WithContext(ctx) - resp, err := arvados.InsecureHTTPClient.Do(reqOut) - if err != nil { - httpserver.Error(w, err.Error(), http.StatusInternalServerError) - return - } - for k, v := range resp.Header { - for _, v := range v { - w.Header().Add(k, v) - } - } - w.WriteHeader(resp.StatusCode) - n, err := io.Copy(w, resp.Body) +func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next http.Handler) { + resp, err := h.localClusterRequest(req) + n, err := h.proxy.ForwardResponse(w, resp, err) if err != nil { - httpserver.Logger(reqIn).WithError(err).WithField("bytesCopied", n).Error("error copying response body") + httpserver.Logger(req).WithError(err).WithField("bytesCopied", n).Error("error copying response body") } } // For now, findRailsAPI always uses the rails API running on this // node. -func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, error) { +func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, bool, error) { hostport := np.RailsAPI.Listen if len(hostport) > 1 && hostport[0] == ':' && strings.TrimRight(hostport[1:], "0123456789") == "" { // ":12345" => connect to indicated port on localhost @@ -179,11 +162,12 @@ func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, } else if _, _, err := net.SplitHostPort(hostport); err == nil { // "[::1]:12345" => connect to indicated address & port } else { - return nil, err + return nil, false, err } proto := "http" if np.RailsAPI.TLS { proto = "https" } - return url.Parse(proto + "://" + hostport) + url, err := url.Parse(proto + "://" + hostport) + return url, np.RailsAPI.Insecure, err }