X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a14150968c57cffebb79d6ef85e1944111bc1257..88bb9b9fc4392f4a3514ae59e3ffd454d3ce90a8:/lib/controller/rpc/conn.go diff --git a/lib/controller/rpc/conn.go b/lib/controller/rpc/conn.go index e07eaf40af..c9c0ac308c 100644 --- a/lib/controller/rpc/conn.go +++ b/lib/controller/rpc/conn.go @@ -5,23 +5,39 @@ package rpc import ( + "bufio" + "bytes" "context" "crypto/tls" "encoding/json" + "errors" "fmt" "io" + "io/ioutil" "net" "net/http" "net/url" + "strconv" "strings" "time" - "git.curoverse.com/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/arvados" + "git.arvados.org/arvados.git/sdk/go/auth" + "git.arvados.org/arvados.git/sdk/go/httpserver" ) type TokenProvider func(context.Context) ([]string, error) +func PassthroughTokenProvider(ctx context.Context) ([]string, error) { + incoming, ok := auth.FromContext(ctx) + if !ok { + return nil, errors.New("no token provided") + } + return incoming.Tokens, nil +} + type Conn struct { + SendHeader http.Header clusterID string httpClient http.Client baseURL url.URL @@ -51,8 +67,11 @@ func NewConn(clusterID string, url *url.URL, insecure bool, tp TokenProvider) *C } } return &Conn{ - clusterID: clusterID, - httpClient: http.Client{Transport: transport}, + clusterID: clusterID, + httpClient: http.Client{ + CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }, + Transport: transport, + }, baseURL: *url, tokenProvider: tp, } @@ -60,9 +79,10 @@ func NewConn(clusterID string, url *url.URL, insecure bool, tp TokenProvider) *C func (conn *Conn) requestAndDecode(ctx context.Context, dst interface{}, ep arvados.APIEndpoint, body io.Reader, opts interface{}) error { aClient := arvados.Client{ - Client: &conn.httpClient, - Scheme: conn.baseURL.Scheme, - APIHost: conn.baseURL.Host, + Client: &conn.httpClient, + Scheme: conn.baseURL.Scheme, + APIHost: conn.baseURL.Host, + SendHeader: conn.SendHeader, } tokens, err := conn.tokenProvider(ctx) if err != nil { @@ -85,32 +105,78 @@ func (conn *Conn) requestAndDecode(ctx context.Context, dst interface{}, ep arva return fmt.Errorf("%T: requestAndDecode: Marshal opts: %s", conn, err) } var params map[string]interface{} - err = json.Unmarshal(j, ¶ms) + dec := json.NewDecoder(bytes.NewBuffer(j)) + dec.UseNumber() + err = dec.Decode(¶ms) if err != nil { - return fmt.Errorf("%T: requestAndDecode: Unmarshal opts: %s", conn, err) + return fmt.Errorf("%T: requestAndDecode: Decode opts: %s", conn, err) } if attrs, ok := params["attrs"]; ok && ep.AttrsKey != "" { params[ep.AttrsKey] = attrs delete(params, "attrs") } - if limit, ok := params["limit"].(float64); ok && limit < 0 { - // Negative limit means "not specified" here, but some - // servers/versions do not accept that, so we need to - // remove it entirely. - delete(params, "limit") + if limitStr, ok := params["limit"]; ok { + if limit, err := strconv.ParseInt(string(limitStr.(json.Number)), 10, 64); err == nil && limit < 0 { + // Negative limit means "not specified" here, but some + // servers/versions do not accept that, so we need to + // remove it entirely. + delete(params, "limit") + } } if len(tokens) > 1 { params["reader_tokens"] = tokens[1:] } path := ep.Path - if strings.Contains(ep.Path, "/:uuid") { + if strings.Contains(ep.Path, "/{uuid}") { uuid, _ := params["uuid"].(string) - path = strings.Replace(path, "/:uuid", "/"+uuid, 1) + path = strings.Replace(path, "/{uuid}", "/"+uuid, 1) delete(params, "uuid") } return aClient.RequestAndDecodeContext(ctx, dst, ep.Method, path, body, params) } +func (conn *Conn) BaseURL() url.URL { + return conn.baseURL +} + +func (conn *Conn) ConfigGet(ctx context.Context) (json.RawMessage, error) { + ep := arvados.EndpointConfigGet + var resp json.RawMessage + err := conn.requestAndDecode(ctx, &resp, ep, nil, nil) + return resp, err +} + +func (conn *Conn) Login(ctx context.Context, options arvados.LoginOptions) (arvados.LoginResponse, error) { + ep := arvados.EndpointLogin + var resp arvados.LoginResponse + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + resp.RedirectLocation = conn.relativeToBaseURL(resp.RedirectLocation) + return resp, err +} + +func (conn *Conn) Logout(ctx context.Context, options arvados.LogoutOptions) (arvados.LogoutResponse, error) { + ep := arvados.EndpointLogout + var resp arvados.LogoutResponse + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + resp.RedirectLocation = conn.relativeToBaseURL(resp.RedirectLocation) + return resp, err +} + +// If the given location is a valid URL and its origin is the same as +// conn.baseURL, return it as a relative URL. Otherwise, return it +// unmodified. +func (conn *Conn) relativeToBaseURL(location string) string { + u, err := url.Parse(location) + if err == nil && u.Scheme == conn.baseURL.Scheme && strings.ToLower(u.Host) == strings.ToLower(conn.baseURL.Host) { + u.Opaque = "" + u.Scheme = "" + u.User = nil + u.Host = "" + return u.String() + } + return location +} + func (conn *Conn) CollectionCreate(ctx context.Context, options arvados.CreateOptions) (arvados.Collection, error) { ep := arvados.EndpointCollectionCreate var resp arvados.Collection @@ -223,6 +289,89 @@ func (conn *Conn) ContainerUnlock(ctx context.Context, options arvados.GetOption return resp, err } +// ContainerSSH returns a connection to the out-of-band SSH server for +// a running container. If the returned error is nil, the caller is +// responsible for closing sshconn.Conn. +func (conn *Conn) ContainerSSH(ctx context.Context, options arvados.ContainerSSHOptions) (sshconn arvados.ContainerSSHConnection, err error) { + addr := conn.baseURL.Host + if strings.Index(addr, ":") < 1 || (strings.Contains(addr, "::") && addr[0] != '[') { + // hostname or ::1 or 1::1 + addr = net.JoinHostPort(addr, "https") + } + insecure := false + if tlsconf := conn.httpClient.Transport.(*http.Transport).TLSClientConfig; tlsconf != nil && tlsconf.InsecureSkipVerify { + insecure = true + } + netconn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: insecure}) + if err != nil { + err = fmt.Errorf("tls.Dial: %w", err) + return + } + defer func() { + if err != nil { + netconn.Close() + } + }() + bufr := bufio.NewReader(netconn) + bufw := bufio.NewWriter(netconn) + + u, err := conn.baseURL.Parse("/" + strings.Replace(arvados.EndpointContainerSSH.Path, "{uuid}", options.UUID, -1)) + if err != nil { + err = fmt.Errorf("tls.Dial: %w", err) + return + } + u.RawQuery = url.Values{ + "detach_keys": {options.DetachKeys}, + "login_username": {options.LoginUsername}, + }.Encode() + tokens, err := conn.tokenProvider(ctx) + if err != nil { + return + } else if len(tokens) < 1 { + err = httpserver.ErrorWithStatus(errors.New("unauthorized"), http.StatusUnauthorized) + return + } + bufw.WriteString("GET " + u.String() + " HTTP/1.1\r\n") + bufw.WriteString("Authorization: Bearer " + tokens[0] + "\r\n") + bufw.WriteString("Host: " + u.Host + "\r\n") + bufw.WriteString("Upgrade: ssh\r\n") + bufw.WriteString("\r\n") + bufw.Flush() + resp, err := http.ReadResponse(bufr, &http.Request{Method: "GET"}) + if err != nil { + err = fmt.Errorf("http.ReadResponse: %w", err) + return + } + if resp.StatusCode != http.StatusSwitchingProtocols { + defer resp.Body.Close() + body, _ := ioutil.ReadAll(resp.Body) + var message string + var errDoc httpserver.ErrorResponse + if err := json.Unmarshal(body, &errDoc); err == nil { + message = strings.Join(errDoc.Errors, "; ") + } else { + message = fmt.Sprintf("%q", body) + } + err = fmt.Errorf("server did not provide a tunnel: %s (HTTP %d)", message, resp.StatusCode) + return + } + if strings.ToLower(resp.Header.Get("Upgrade")) != "ssh" || + strings.ToLower(resp.Header.Get("Connection")) != "upgrade" { + err = fmt.Errorf("bad response from server: Upgrade %q Connection %q", resp.Header.Get("Upgrade"), resp.Header.Get("Connection")) + return + } + sshconn.Conn = netconn + sshconn.Bufrw = &bufio.ReadWriter{Reader: bufr, Writer: bufw} + return +} + +func (conn *Conn) ContainerRequestList(ctx context.Context, options arvados.ListOptions) (arvados.ContainerRequestList, error) { + ep := arvados.EndpointContainerRequestList + var resp arvados.ContainerRequestList + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} + func (conn *Conn) SpecimenCreate(ctx context.Context, options arvados.CreateOptions) (arvados.Specimen, error) { ep := arvados.EndpointSpecimenCreate var resp arvados.Specimen @@ -258,9 +407,116 @@ func (conn *Conn) SpecimenDelete(ctx context.Context, options arvados.DeleteOpti return resp, err } +func (conn *Conn) UserCreate(ctx context.Context, options arvados.CreateOptions) (arvados.User, error) { + ep := arvados.EndpointUserCreate + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.User, error) { + ep := arvados.EndpointUserUpdate + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserUpdateUUID(ctx context.Context, options arvados.UpdateUUIDOptions) (arvados.User, error) { + ep := arvados.EndpointUserUpdateUUID + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserMerge(ctx context.Context, options arvados.UserMergeOptions) (arvados.User, error) { + ep := arvados.EndpointUserMerge + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserActivate(ctx context.Context, options arvados.UserActivateOptions) (arvados.User, error) { + ep := arvados.EndpointUserActivate + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserSetup(ctx context.Context, options arvados.UserSetupOptions) (map[string]interface{}, error) { + ep := arvados.EndpointUserSetup + var resp map[string]interface{} + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserUnsetup(ctx context.Context, options arvados.GetOptions) (arvados.User, error) { + ep := arvados.EndpointUserUnsetup + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserGet(ctx context.Context, options arvados.GetOptions) (arvados.User, error) { + ep := arvados.EndpointUserGet + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserGetCurrent(ctx context.Context, options arvados.GetOptions) (arvados.User, error) { + ep := arvados.EndpointUserGetCurrent + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserGetSystem(ctx context.Context, options arvados.GetOptions) (arvados.User, error) { + ep := arvados.EndpointUserGetSystem + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserList(ctx context.Context, options arvados.ListOptions) (arvados.UserList, error) { + ep := arvados.EndpointUserList + var resp arvados.UserList + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} +func (conn *Conn) UserDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.User, error) { + ep := arvados.EndpointUserDelete + var resp arvados.User + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} + func (conn *Conn) APIClientAuthorizationCurrent(ctx context.Context, options arvados.GetOptions) (arvados.APIClientAuthorization, error) { ep := arvados.EndpointAPIClientAuthorizationCurrent var resp arvados.APIClientAuthorization err := conn.requestAndDecode(ctx, &resp, ep, nil, options) return resp, err } + +type UserSessionAuthInfo struct { + Email string `json:"email"` + AlternateEmails []string `json:"alternate_emails"` + FirstName string `json:"first_name"` + LastName string `json:"last_name"` + Username string `json:"username"` +} + +type UserSessionCreateOptions struct { + AuthInfo UserSessionAuthInfo `json:"auth_info"` + ReturnTo string `json:"return_to"` +} + +func (conn *Conn) UserSessionCreate(ctx context.Context, options UserSessionCreateOptions) (arvados.LoginResponse, error) { + ep := arvados.APIEndpoint{Method: "POST", Path: "auth/controller/callback"} + var resp arvados.LoginResponse + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} + +func (conn *Conn) UserBatchUpdate(ctx context.Context, options arvados.UserBatchUpdateOptions) (arvados.UserList, error) { + ep := arvados.EndpointUserBatchUpdate + var resp arvados.UserList + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +} + +func (conn *Conn) UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { + ep := arvados.EndpointUserAuthenticate + var resp arvados.APIClientAuthorization + err := conn.requestAndDecode(ctx, &resp, ep, nil, options) + return resp, err +}