X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ce4ece370e62774f1e3ef797c714529603943f41..6dfa03b4c6211d265e15a4982831edd59eadf3af:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index 43ce57904c..1f1f509860 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: AGPL-3.0 -package main +package keepweb import ( "encoding/json" @@ -23,7 +23,6 @@ import ( "git.arvados.org/arvados.git/sdk/go/arvadosclient" "git.arvados.org/arvados.git/sdk/go/auth" "git.arvados.org/arvados.git/sdk/go/ctxlog" - "git.arvados.org/arvados.git/sdk/go/health" "git.arvados.org/arvados.git/sdk/go/httpserver" "git.arvados.org/arvados.git/sdk/go/keepclient" "github.com/sirupsen/logrus" @@ -31,34 +30,11 @@ import ( ) type handler struct { - Config *Config - MetricsAPI http.Handler - clientPool *arvadosclient.ClientPool - setupOnce sync.Once - healthHandler http.Handler - webdavLS webdav.LockSystem -} - -// parseCollectionIDFromDNSName returns a UUID or PDH if s begins with -// a UUID or URL-encoded PDH; otherwise "". -func parseCollectionIDFromDNSName(s string) string { - // Strip domain. - if i := strings.IndexRune(s, '.'); i >= 0 { - s = s[:i] - } - // Names like {uuid}--collections.example.com serve the same - // purpose as {uuid}.collections.example.com but can reduce - // cost/effort of using [additional] wildcard certificates. - if i := strings.Index(s, "--"); i >= 0 { - s = s[:i] - } - if arvadosclient.UUIDMatch(s) { - return s - } - if pdh := strings.Replace(s, "-", "+", 1); arvadosclient.PDHMatch(pdh) { - return pdh - } - return "" + Cache cache + Cluster *arvados.Cluster + clientPool *arvadosclient.ClientPool + setupOnce sync.Once + webdavLS webdav.LockSystem } var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+") @@ -81,16 +57,10 @@ func parseCollectionIDFromURL(s string) string { func (h *handler) setup() { // Errors will be handled at the client pool. - arv, _ := arvados.NewClientFromConfig(h.Config.cluster) + arv, _ := arvados.NewClientFromConfig(h.Cluster) h.clientPool = arvadosclient.MakeClientPoolWith(arv) - keepclient.RefreshServiceDiscoveryOnSIGHUP() - keepclient.DefaultBlockCache.MaxBlocks = h.Config.cluster.Collections.WebDAVCache.MaxBlockEntries - - h.healthHandler = &health.Handler{ - Token: h.Config.cluster.ManagementToken, - Prefix: "/_health/", - } + keepclient.DefaultBlockCache.MaxBlocks = h.Cluster.Collections.WebDAVCache.MaxBlockEntries // Even though we don't accept LOCK requests, every webdav // handler must have a non-nil LockSystem. @@ -195,6 +165,16 @@ func stripDefaultPort(host string) string { } } +// CheckHealth implements service.Handler. +func (h *handler) CheckHealth() error { + return nil +} + +// Done implements service.Handler. +func (h *handler) Done() <-chan struct{} { + return nil +} + // ServeHTTP implements http.Handler. func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { h.setupOnce.Do(h.setup) @@ -205,11 +185,6 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { w := httpserver.WrapResponseWriter(wOrig) - if strings.HasPrefix(r.URL.Path, "/_health/") && r.Method == "GET" { - h.healthHandler.ServeHTTP(w, r) - return - } - if method := r.Header.Get("Access-Control-Request-Method"); method != "" && r.Method == "OPTIONS" { if !browserMethod[method] && !webdavMethod[method] { w.WriteHeader(http.StatusMethodNotAllowed) @@ -250,10 +225,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { var pathToken bool var attachment bool var useSiteFS bool - credentialsOK := h.Config.cluster.Collections.TrustAllContent + credentialsOK := h.Cluster.Collections.TrustAllContent reasonNotAcceptingCredentials := "" - if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Config.cluster.Services.WebDAVDownload.ExternalURL.Host) { + if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Cluster.Services.WebDAVDownload.ExternalURL.Host) { credentialsOK = true attachment = true } else if r.FormValue("disposition") == "attachment" { @@ -262,18 +237,15 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { if !credentialsOK { reasonNotAcceptingCredentials = fmt.Sprintf("vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false", - r.Host, h.Config.cluster.Services.WebDAVDownload.ExternalURL) + r.Host, h.Cluster.Services.WebDAVDownload.ExternalURL) } - if collectionID = parseCollectionIDFromDNSName(r.Host); collectionID != "" { + if collectionID = arvados.CollectionIDFromDNSName(r.Host); collectionID != "" { // http://ID.collections.example/PATH... credentialsOK = true } else if r.URL.Path == "/status.json" { h.serveStatus(w, r) return - } else if strings.HasPrefix(r.URL.Path, "/metrics") { - h.MetricsAPI.ServeHTTP(w, r) - return } else if siteFSDir[pathParts[0]] { useSiteFS = true } else if len(pathParts) >= 1 && strings.HasPrefix(pathParts[0], "c=") { @@ -365,8 +337,8 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { if tokens == nil { tokens = reqTokens - if h.Config.cluster.Users.AnonymousUserToken != "" { - tokens = append(tokens, h.Config.cluster.Users.AnonymousUserToken) + if h.Cluster.Users.AnonymousUserToken != "" { + tokens = append(tokens, h.Cluster.Users.AnonymousUserToken) } } @@ -402,7 +374,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { tokenResult := make(map[string]int) for _, arv.ApiToken = range tokens { var err error - collection, err = h.Config.Cache.Get(arv, collectionID, forceReload) + collection, err = h.Cache.Get(arv, collectionID, forceReload) if err == nil { // Success break @@ -439,16 +411,44 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } } // The client's token was invalid (e.g., expired), or - // the client didn't even provide one. Propagate the - // 401 to encourage the client to use a [different] - // token. + // the client didn't even provide one. Redirect to + // workbench2's login-and-redirect-to-download url if + // this is a browser navigation request. (The redirect + // flow can't preserve the original method if it's not + // GET, and doesn't make sense if the UA is a + // command-line tool, is trying to load an inline + // image, etc.; in these cases, there's nothing we can + // do, so return 401 unauthorized.) + // + // Note Sec-Fetch-Mode is sent by all non-EOL + // browsers, except Safari. + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode // // TODO(TC): This response would be confusing to // someone trying (anonymously) to download public // data that has been deleted. Allow a referrer to // provide this context somehow? - w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"") - http.Error(w, unauthorizedMessage, http.StatusUnauthorized) + if r.Method == http.MethodGet && r.Header.Get("Sec-Fetch-Mode") == "navigate" { + target := url.URL(h.Cluster.Services.Workbench2.ExternalURL) + redirkey := "redirectToPreview" + if attachment { + redirkey = "redirectToDownload" + } + callback := "/c=" + collectionID + "/" + strings.Join(targetPath, "/") + // target.RawQuery = url.Values{redirkey: + // {target}}.Encode() would be the obvious + // thing to do here, but wb2 doesn't decode + // this as a query param -- it takes + // everything after "${redirkey}=" as the + // target URL. If we encode "/" as "%2F" etc., + // the redirect won't work. + target.RawQuery = redirkey + "=" + callback + w.Header().Add("Location", target.String()) + w.WriteHeader(http.StatusSeeOther) + } else { + w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"") + http.Error(w, unauthorizedMessage, http.StatusUnauthorized) + } return } @@ -485,15 +485,16 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } // Check configured permission - _, sess, err := h.Config.Cache.GetSession(arv.ApiToken) - tokenUser, err = h.Config.Cache.GetTokenUser(arv.ApiToken) - if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) { - http.Error(w, "Not permitted", http.StatusForbidden) - return - } - h.LogUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + _, sess, err := h.Cache.GetSession(arv.ApiToken) + tokenUser, err = h.Cache.GetTokenUser(arv.ApiToken) if webdavMethod[r.Method] { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) + return + } + h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + if writeMethod[r.Method] { // Save the collection only if/when all // webdav->filesystem operations succeed -- @@ -503,7 +504,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { ResponseWriter: w, logger: ctxlog.FromContext(r.Context()), update: func() error { - return h.Config.Cache.Update(client, *collection, writefs) + return h.Cache.Update(client, *collection, writefs) }} } h := webdav.Handler{ @@ -548,6 +549,12 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else if stat.IsDir() { h.serveDirectory(w, r, collection.Name, fs, openPath, true) } else { + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) + return + } + h.logUploadOrDownload(r, sess.arvadosclient, nil, strings.Join(targetPath, "/"), collection, tokenUser) + http.ServeContent(w, r, basename, stat.ModTime(), f) if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && w.WroteStatus() == http.StatusOK { // If we wrote fewer bytes than expected, it's @@ -594,12 +601,12 @@ func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []s return } - fs, sess, err := h.Config.Cache.GetSession(tokens[0]) + fs, sess, err := h.Cache.GetSession(tokens[0]) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } - fs.ForwardSlashNameSubstitution(h.Config.cluster.Collections.ForwardSlashNameSubstitution) + fs.ForwardSlashNameSubstitution(h.Cluster.Collections.ForwardSlashNameSubstitution) f, err := fs.Open(r.URL.Path) if os.IsNotExist(err) { http.Error(w, err.Error(), http.StatusNotFound) @@ -618,12 +625,12 @@ func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []s return } - tokenUser, err := h.Config.Cache.GetTokenUser(tokens[0]) - if !h.UserPermittedToUploadOrDownload(r.Method, tokenUser) { + tokenUser, err := h.Cache.GetTokenUser(tokens[0]) + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { http.Error(w, "Not permitted", http.StatusForbidden) return } - h.LogUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser) + h.logUploadOrDownload(r, sess.arvadosclient, fs, r.URL.Path, nil, tokenUser) if r.Method == "GET" { _, basename := filepath.Split(r.URL.Path) @@ -856,18 +863,15 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc io.WriteString(w, `">Continue`) } -func (h *handler) UserPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool { - if tokenUser == nil { - return false - } +func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool { var permitDownload bool var permitUpload bool - if tokenUser.IsAdmin { - permitUpload = h.Config.cluster.Collections.KeepWebPermission.Admin.Upload - permitDownload = h.Config.cluster.Collections.KeepWebPermission.Admin.Download + if tokenUser != nil && tokenUser.IsAdmin { + permitUpload = h.Cluster.Collections.WebDAVPermission.Admin.Upload + permitDownload = h.Cluster.Collections.WebDAVPermission.Admin.Download } else { - permitUpload = h.Config.cluster.Collections.KeepWebPermission.User.Upload - permitDownload = h.Config.cluster.Collections.KeepWebPermission.User.Download + permitUpload = h.Cluster.Collections.WebDAVPermission.User.Upload + permitDownload = h.Cluster.Collections.WebDAVPermission.User.Download } if (method == "PUT" || method == "POST") && !permitUpload { // Disallow operations that upload new files. @@ -882,7 +886,7 @@ func (h *handler) UserPermittedToUploadOrDownload(method string, tokenUser *arva return true } -func (h *handler) LogUploadOrDownload( +func (h *handler) logUploadOrDownload( r *http.Request, client *arvadosclient.ArvadosClient, fs arvados.CustomFileSystem, @@ -893,61 +897,90 @@ func (h *handler) LogUploadOrDownload( log := ctxlog.FromContext(r.Context()) props := make(map[string]string) props["reqPath"] = r.URL.Path + var useruuid string if user != nil { log = log.WithField("user_uuid", user.UUID). WithField("user_full_name", user.FullName) + useruuid = user.UUID + } else { + useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Cluster.ClusterID) } if collection == nil && fs != nil { - collection, filepath = h.DetermineCollection(fs, filepath) + collection, filepath = h.determineCollection(fs, filepath) } if collection != nil { log = log.WithField("collection_uuid", collection.UUID). WithField("collection_file_path", filepath) props["collection_uuid"] = collection.UUID props["collection_file_path"] = filepath + // h.determineCollection populates the collection_uuid prop with the PDH, if + // this collection is being accessed via PDH. In that case, blank the + // collection_uuid field so that consumers of the log entries can rely on it + // being a UUID, or blank. The PDH remains available via the + // portable_data_hash property. + if props["collection_uuid"] == collection.PortableDataHash { + props["collection_uuid"] = "" + } } if r.Method == "PUT" || r.Method == "POST" { log.Info("File upload") - go func() { - lr := arvadosclient.Dict{"log": arvadosclient.Dict{ - "object_uuid": user.UUID, - "event_type": "file_upload", - "properties": props}} - client.Create("logs", lr, nil) - }() + if h.Cluster.Collections.WebDAVLogEvents { + go func() { + lr := arvadosclient.Dict{"log": arvadosclient.Dict{ + "object_uuid": useruuid, + "event_type": "file_upload", + "properties": props}} + err := client.Create("logs", lr, nil) + if err != nil { + log.WithError(err).Error("Failed to create upload log event on API server") + } + }() + } } else if r.Method == "GET" { if collection != nil && collection.PortableDataHash != "" { log = log.WithField("portable_data_hash", collection.PortableDataHash) props["portable_data_hash"] = collection.PortableDataHash } log.Info("File download") - go func() { - lr := arvadosclient.Dict{"log": arvadosclient.Dict{ - "object_uuid": user.UUID, - "event_type": "file_download", - "properties": props}} - client.Create("logs", lr, nil) - }() + if h.Cluster.Collections.WebDAVLogEvents { + go func() { + lr := arvadosclient.Dict{"log": arvadosclient.Dict{ + "object_uuid": useruuid, + "event_type": "file_download", + "properties": props}} + err := client.Create("logs", lr, nil) + if err != nil { + log.WithError(err).Error("Failed to create download log event on API server") + } + }() + } } } -func (h *handler) DetermineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) { +func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) { segments := strings.Split(path, "/") var i int - for i = len(segments) - 1; i >= 0; i-- { + for i = 0; i < len(segments); i++ { dir := append([]string{}, segments[0:i]...) dir = append(dir, ".arvados#collection") f, err := fs.OpenFile(strings.Join(dir, "/"), os.O_RDONLY, 0) - if err == nil { - decoder := json.NewDecoder(f) - var collection arvados.Collection - err = decoder.Decode(&collection) - if err != nil { + if f != nil { + defer f.Close() + } + if err != nil { + if !os.IsNotExist(err) { return nil, "" } - return &collection, strings.Join(segments[i:], "/") + continue + } + // err is nil so we found it. + decoder := json.NewDecoder(f) + var collection arvados.Collection + err = decoder.Decode(&collection) + if err != nil { + return nil, "" } - f.Close() + return &collection, strings.Join(segments[i:], "/") } return nil, "" }