X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a95f899d7ac84f29b3d019aa410d265bb40833e5..1b8106da867aafbe6e4653485d5e644faee4c35d:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index 6f5f66ae0e..8dee88d485 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -1,7 +1,6 @@ package main import ( - "flag" "fmt" "html" "io" @@ -9,9 +8,11 @@ import ( "net/http" "net/url" "os" - "regexp" + "path" "strconv" "strings" + "sync" + "time" "git.curoverse.com/arvados.git/sdk/go/arvadosclient" "git.curoverse.com/arvados.git/sdk/go/auth" @@ -19,23 +20,14 @@ import ( "git.curoverse.com/arvados.git/sdk/go/keepclient" ) -type handler struct{} - -var ( - clientPool = arvadosclient.MakeClientPool() - trustAllContent = false - attachmentOnlyHost = "" -) - -func init() { - flag.StringVar(&attachmentOnlyHost, "attachment-only-host", "", - "Accept credentials, and add \"Content-Disposition: attachment\" response headers, for requests at this hostname:port. Prohibiting inline display makes it possible to serve untrusted and non-public content from a single origin, i.e., without wildcard DNS or SSL.") - flag.BoolVar(&trustAllContent, "trust-all-content", false, - "Serve non-public content from a single origin. Dangerous: read docs before using!") +type handler struct { + Config *Config + clientPool *arvadosclient.ClientPool + setupOnce sync.Once } -// return a UUID or PDH if s begins with a UUID or URL-encoded PDH; -// otherwise return "". +// parseCollectionIDFromDNSName returns a UUID or PDH if s begins with +// a UUID or URL-encoded PDH; otherwise "". func parseCollectionIDFromDNSName(s string) string { // Strip domain. if i := strings.IndexRune(s, '.'); i >= 0 { @@ -58,8 +50,9 @@ func parseCollectionIDFromDNSName(s string) string { var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+") -// return a UUID or PDH if s is a UUID or a PDH (even if it is a PDH -// with "+" replaced by " " or "-"); otherwise return "". +// parseCollectionIDFromURL returns a UUID or PDH if s is a UUID or a +// PDH (even if it is a PDH with "+" replaced by " " or "-"); +// otherwise "". func parseCollectionIDFromURL(s string) string { if arvadosclient.UUIDMatch(s) { return s @@ -70,7 +63,14 @@ func parseCollectionIDFromURL(s string) string { return "" } +func (h *handler) setup() { + h.clientPool = arvadosclient.MakeClientPool() +} + +// ServeHTTP implements http.Handler. func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { + h.setupOnce.Do(h.setup) + var statusCode = 0 var statusText string @@ -109,12 +109,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w.Header().Set("Access-Control-Allow-Origin", "*") } - arv := clientPool.Get() + arv := h.clientPool.Get() if arv == nil { - statusCode, statusText = http.StatusInternalServerError, "Pool failed: "+clientPool.Err().Error() + statusCode, statusText = http.StatusInternalServerError, "Pool failed: "+h.clientPool.Err().Error() return } - defer clientPool.Put(arv) + defer h.clientPool.Put(arv) pathParts := strings.Split(r.URL.Path[1:], "/") @@ -124,9 +124,9 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { var reqTokens []string var pathToken bool var attachment bool - credentialsOK := trustAllContent + credentialsOK := h.Config.TrustAllContent - if r.Host != "" && r.Host == attachmentOnlyHost { + if r.Host != "" && r.Host == h.Config.AttachmentOnlyHost { credentialsOK = true attachment = true } else if r.FormValue("disposition") == "attachment" { @@ -151,7 +151,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else { // /collections/ID/PATH... targetID = pathParts[1] - tokens = anonymousTokens + tokens = h.Config.AnonymousTokens targetPath = pathParts[2:] } } else { @@ -186,7 +186,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // It is not safe to copy the provided token // into a cookie unless the current vhost // (origin) serves only a single collection or - // we are in trustAllContent mode. + // we are in TrustAllContent mode. statusCode = http.StatusBadRequest return } @@ -246,7 +246,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { if credentialsOK { reqTokens = auth.NewCredentialsFromHTTPRequest(r).Tokens } - tokens = append(reqTokens, anonymousTokens...) + tokens = append(reqTokens, h.Config.AnonymousTokens...) } if len(targetPath) > 0 && targetPath[0] == "_" { @@ -347,40 +347,18 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", t) } } - if rdr, ok := rdr.(keepclient.ReadCloserWithLen); ok { + if rdr, ok := rdr.(keepclient.Reader); ok { w.Header().Set("Content-Length", fmt.Sprintf("%d", rdr.Len())) } applyContentDispositionHdr(w, r, filename[basenamePos:], attachment) - rangeRdr, statusCode := applyRangeHdr(w, r, rdr) - - w.WriteHeader(statusCode) - _, err = io.Copy(w, rangeRdr) - if err != nil { - statusCode, statusText = http.StatusBadGateway, err.Error() - } -} -var rangeRe = regexp.MustCompile(`^bytes=0-([0-9]*)$`) - -func applyRangeHdr(w http.ResponseWriter, r *http.Request, rdr keepclient.ReadCloserWithLen) (io.Reader, int) { - w.Header().Set("Accept-Ranges", "bytes") - hdr := r.Header.Get("Range") - fields := rangeRe.FindStringSubmatch(hdr) - if fields == nil { - return rdr, http.StatusOK - } - rangeEnd, err := strconv.ParseInt(fields[1], 10, 64) + modstr, _ := collection["modified_at"].(string) + modtime, err := time.Parse(time.RFC3339Nano, modstr) if err != nil { - // Empty or too big for int64 == send entire content - return rdr, http.StatusOK - } - if uint64(rangeEnd) >= rdr.Len() { - return rdr, http.StatusOK + modtime = time.Now() } - w.Header().Set("Content-Length", fmt.Sprintf("%d", rangeEnd+1)) - w.Header().Set("Content-Range", fmt.Sprintf("bytes %d-%d/%d", 0, rangeEnd, rdr.Len())) - return &io.LimitedReader{R: rdr, N: rangeEnd + 1}, http.StatusPartialContent + http.ServeContent(w, r, path.Base(filename), modtime, rdr) } func applyContentDispositionHdr(w http.ResponseWriter, r *http.Request, filename string, isAttachment bool) {