X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/967821ec0ac00aef677f943e709ea079ebc30f78..508f13840841afc5938f7210a999ff58f002b29d:/lib/controller/handler.go diff --git a/lib/controller/handler.go b/lib/controller/handler.go index ab6c72735e..d524195e44 100644 --- a/lib/controller/handler.go +++ b/lib/controller/handler.go @@ -5,113 +5,153 @@ package controller import ( + "bytes" "context" + "database/sql" + "errors" + "fmt" "io" - "net" "net/http" "net/url" - "regexp" "strings" "sync" "time" + "git.curoverse.com/arvados.git/lib/config" + "git.curoverse.com/arvados.git/lib/controller/railsproxy" + "git.curoverse.com/arvados.git/lib/controller/router" "git.curoverse.com/arvados.git/sdk/go/arvados" "git.curoverse.com/arvados.git/sdk/go/health" "git.curoverse.com/arvados.git/sdk/go/httpserver" + _ "github.com/lib/pq" ) type Handler struct { - Cluster *arvados.Cluster - NodeProfile *arvados.NodeProfile - - setupOnce sync.Once - handlerStack http.Handler - proxyClient *arvados.Client + Cluster *arvados.Cluster + + setupOnce sync.Once + handlerStack http.Handler + proxy *proxy + secureClient *http.Client + insecureClient *http.Client + pgdb *sql.DB + pgdbMtx sync.Mutex } func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) { h.setupOnce.Do(h.setup) + if req.Method != "GET" && req.Method != "HEAD" { + // http.ServeMux returns 301 with a cleaned path if + // the incoming request has a double slash. Some + // clients (including the Go standard library) change + // the request method to GET when following a 301 + // redirect if the original method was not HEAD + // (RFC7231 6.4.2 specifically allows this in the case + // of POST). Thus "POST //foo" gets misdirected to + // "GET /foo". To avoid this, eliminate double slashes + // before passing the request to ServeMux. + for strings.Contains(req.URL.Path, "//") { + req.URL.Path = strings.Replace(req.URL.Path, "//", "/", -1) + } + } + if h.Cluster.API.RequestTimeout > 0 { + ctx, cancel := context.WithDeadline(req.Context(), time.Now().Add(time.Duration(h.Cluster.API.RequestTimeout))) + req = req.WithContext(ctx) + defer cancel() + } + h.handlerStack.ServeHTTP(w, req) } func (h *Handler) CheckHealth() error { h.setupOnce.Do(h.setup) - _, err := findRailsAPI(h.Cluster, h.NodeProfile) + _, _, err := railsproxy.FindRailsAPI(h.Cluster) return err } +func neverRedirect(*http.Request, []*http.Request) error { return http.ErrUseLastResponse } + func (h *Handler) setup() { mux := http.NewServeMux() mux.Handle("/_health/", &health.Handler{ Token: h.Cluster.ManagementToken, Prefix: "/_health/", + Routes: health.Routes{"ping": func() error { _, err := h.db(&http.Request{}); return err }}, }) + + mux.Handle("/arvados/v1/config", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + var buf bytes.Buffer + err := config.ExportJSON(&buf, h.Cluster) + if err != nil { + httpserver.Error(w, err.Error(), http.StatusInternalServerError) + return + } + w.Header().Set("Content-Type", "application/json") + io.Copy(w, &buf) + })) + + if h.Cluster.EnableBetaController14287 { + rtr := router.New(h.Cluster) + mux.Handle("/arvados/v1/collections", rtr) + mux.Handle("/arvados/v1/collections/", rtr) + } + hs := http.NotFoundHandler() hs = prepend(hs, h.proxyRailsAPI) - hs = prepend(hs, h.proxyRemoteCluster) + hs = h.setupProxyRemoteCluster(hs) mux.Handle("/", hs) h.handlerStack = mux -} -// headers that shouldn't be forwarded when proxying. See -// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers -var dropHeaders = map[string]bool{ - "Connection": true, - "Keep-Alive": true, - "Proxy-Authenticate": true, - "Proxy-Authorization": true, - "TE": true, - "Trailer": true, - "Transfer-Encoding": true, - "Upgrade": true, -} + sc := *arvados.DefaultSecureClient + sc.CheckRedirect = neverRedirect + h.secureClient = &sc -type middlewareFunc func(http.ResponseWriter, *http.Request, http.Handler) + ic := *arvados.InsecureHTTPClient + ic.CheckRedirect = neverRedirect + h.insecureClient = &ic -func prepend(next http.Handler, middleware middlewareFunc) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - middleware(w, req, next) - }) + h.proxy = &proxy{ + Name: "arvados-controller", + } } -var wfRe = regexp.MustCompile(`^/arvados/v1/workflows/([0-9a-z]{5})-[^/]+$`) +var errDBConnection = errors.New("database connection error") -func (h *Handler) proxyRemoteCluster(w http.ResponseWriter, req *http.Request, next http.Handler) { - m := wfRe.FindStringSubmatch(req.URL.Path) - if len(m) < 2 || m[1] == h.Cluster.ClusterID { - next.ServeHTTP(w, req) - return - } - remoteID := m[1] - remote, ok := h.Cluster.RemoteClusters[remoteID] - if !ok { - httpserver.Error(w, "no proxy available for cluster "+remoteID, http.StatusNotFound) - return +func (h *Handler) db(req *http.Request) (*sql.DB, error) { + h.pgdbMtx.Lock() + defer h.pgdbMtx.Unlock() + if h.pgdb != nil { + return h.pgdb, nil } - scheme := remote.Scheme - if scheme == "" { - scheme = "https" + + db, err := sql.Open("postgres", h.Cluster.PostgreSQL.Connection.String()) + if err != nil { + httpserver.Logger(req).WithError(err).Error("postgresql connect failed") + return nil, errDBConnection } - urlOut := &url.URL{ - Scheme: scheme, - Host: remote.Host, - Path: req.URL.Path, - RawPath: req.URL.RawPath, - RawQuery: req.URL.RawQuery, + if p := h.Cluster.PostgreSQL.ConnectionPool; p > 0 { + db.SetMaxOpenConns(p) } - err := h.saltAuthToken(req, remoteID) - if err != nil { - httpserver.Error(w, err.Error(), http.StatusBadRequest) - return + if err := db.Ping(); err != nil { + httpserver.Logger(req).WithError(err).Error("postgresql connect succeeded but ping failed") + return nil, errDBConnection } - h.proxy(w, req, urlOut) + h.pgdb = db + return db, nil } -func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next http.Handler) { - urlOut, err := findRailsAPI(h.Cluster, h.NodeProfile) +type middlewareFunc func(http.ResponseWriter, *http.Request, http.Handler) + +func prepend(next http.Handler, middleware middlewareFunc) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + middleware(w, req, next) + }) +} + +func (h *Handler) localClusterRequest(req *http.Request) (*http.Response, error) { + urlOut, insecure, err := railsproxy.FindRailsAPI(h.Cluster) if err != nil { - httpserver.Error(w, err.Error(), http.StatusInternalServerError) - return + return nil, err } urlOut = &url.URL{ Scheme: urlOut.Scheme, @@ -120,70 +160,34 @@ func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next h RawPath: req.URL.RawPath, RawQuery: req.URL.RawQuery, } - h.proxy(w, req, urlOut) -} - -func (h *Handler) proxy(w http.ResponseWriter, reqIn *http.Request, urlOut *url.URL) { - // Copy headers from incoming request, then add/replace proxy - // headers like Via and X-Forwarded-For. - hdrOut := http.Header{} - for k, v := range reqIn.Header { - if !dropHeaders[k] { - hdrOut[k] = v - } - } - xff := reqIn.RemoteAddr - if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" { - xff = xffIn + "," + xff - } - hdrOut.Set("X-Forwarded-For", xff) - hdrOut.Add("Via", reqIn.Proto+" arvados-controller") - - ctx := reqIn.Context() - if timeout := h.Cluster.HTTPRequestTimeout; timeout > 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithDeadline(ctx, time.Now().Add(time.Duration(timeout))) - defer cancel() + client := h.secureClient + if insecure { + client = h.insecureClient } + return h.proxy.Do(req, urlOut, client) +} - reqOut := (&http.Request{ - Method: reqIn.Method, - URL: urlOut, - Header: hdrOut, - Body: reqIn.Body, - }).WithContext(ctx) - resp, err := arvados.InsecureHTTPClient.Do(reqOut) - if err != nil { - httpserver.Error(w, err.Error(), http.StatusInternalServerError) - return - } - for k, v := range resp.Header { - for _, v := range v { - w.Header().Add(k, v) - } - } - w.WriteHeader(resp.StatusCode) - n, err := io.Copy(w, resp.Body) +func (h *Handler) proxyRailsAPI(w http.ResponseWriter, req *http.Request, next http.Handler) { + resp, err := h.localClusterRequest(req) + n, err := h.proxy.ForwardResponse(w, resp, err) if err != nil { - httpserver.Logger(reqIn).WithError(err).WithField("bytesCopied", n).Error("error copying response body") + httpserver.Logger(req).WithError(err).WithField("bytesCopied", n).Error("error copying response body") } } -// For now, findRailsAPI always uses the rails API running on this -// node. -func findRailsAPI(cluster *arvados.Cluster, np *arvados.NodeProfile) (*url.URL, error) { - hostport := np.RailsAPI.Listen - if len(hostport) > 1 && hostport[0] == ':' && strings.TrimRight(hostport[1:], "0123456789") == "" { - // ":12345" => connect to indicated port on localhost - hostport = "localhost" + hostport - } else if _, _, err := net.SplitHostPort(hostport); err == nil { - // "[::1]:12345" => connect to indicated address & port - } else { - return nil, err +// Use a localhost entry from Services.RailsAPI.InternalURLs if one is +// present, otherwise choose an arbitrary entry. +func findRailsAPI(cluster *arvados.Cluster) (*url.URL, bool, error) { + var best *url.URL + for target := range cluster.Services.RailsAPI.InternalURLs { + target := url.URL(target) + best = &target + if strings.HasPrefix(target.Host, "localhost:") || strings.HasPrefix(target.Host, "127.0.0.1:") || strings.HasPrefix(target.Host, "[::1]:") { + break + } } - proto := "http" - if np.RailsAPI.TLS { - proto = "https" + if best == nil { + return nil, false, fmt.Errorf("Services.RailsAPI.InternalURLs is empty") } - return url.Parse(proto + "://" + hostport) + return best, cluster.TLS.Insecure, nil }