X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/de619aa99c6f022da45840ffd62085683a33a0d0..a5cf4e0ea356a7ee06f67fe159484fe20cd8a184:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index 6a7dc5dbac..863b91a7e1 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -25,7 +25,7 @@ import ( "git.curoverse.com/arvados.git/sdk/go/health" "git.curoverse.com/arvados.git/sdk/go/httpserver" "git.curoverse.com/arvados.git/sdk/go/keepclient" - log "github.com/Sirupsen/logrus" + log "github.com/sirupsen/logrus" "golang.org/x/net/webdav" ) @@ -81,7 +81,7 @@ func (h *handler) setup() { keepclient.RefreshServiceDiscoveryOnSIGHUP() h.healthHandler = &health.Handler{ - Token: h.Config.ManagementToken, + Token: h.Config.cluster.ManagementToken, Prefix: "/_health/", } @@ -249,9 +249,9 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { var pathToken bool var attachment bool var useSiteFS bool - credentialsOK := h.Config.TrustAllContent + credentialsOK := h.Config.cluster.Collections.TrustAllContent - if r.Host != "" && r.Host == h.Config.AttachmentOnlyHost { + if r.Host != "" && r.Host == h.Config.cluster.Services.WebDAVDownload.ExternalURL.Host { credentialsOK = true attachment = true } else if r.FormValue("disposition") == "attachment" { @@ -283,8 +283,11 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else { // /collections/ID/PATH... collectionID = parseCollectionIDFromURL(pathParts[1]) - tokens = h.Config.AnonymousTokens stripParts = 2 + // This path is only meant to work for public + // data. Tokens provided with the request are + // ignored. + credentialsOK = false } } @@ -298,6 +301,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { forceReload = true } + if credentialsOK { + reqTokens = auth.CredentialsFromRequest(r).Tokens + } + formToken := r.FormValue("api_token") if formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" { // The client provided an explicit token in the POST @@ -313,7 +320,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // // * The token isn't embedded in the URL, so we don't // need to worry about bookmarks and copy/paste. - tokens = append(tokens, formToken) + reqTokens = append(reqTokens, formToken) } else if formToken != "" && browserMethod[r.Method] { // The client provided an explicit token in the query // string, or a form in POST body. We must put the @@ -325,10 +332,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if useSiteFS { - if tokens == nil { - tokens = auth.CredentialsFromRequest(r).Tokens - } - h.serveSiteFS(w, r, tokens, credentialsOK, attachment) + h.serveSiteFS(w, r, reqTokens, credentialsOK, attachment) return } @@ -347,10 +351,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if tokens == nil { - if credentialsOK { - reqTokens = auth.CredentialsFromRequest(r).Tokens - } - tokens = append(reqTokens, h.Config.AnonymousTokens...) + tokens = append(reqTokens, h.Config.cluster.Users.AnonymousUserToken) } if len(targetPath) > 0 && targetPath[0] == "_" {