X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e2ed71e15de22c629b5b5e174aa351cce03ee381..42fff42165a0fa1602758a078746f8697f265f83:/lib/controller/federation/conn.go?ds=sidebyside

diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index 05ea7769f1..6029056b25 100644
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -69,6 +69,9 @@ func saltedTokenProvider(local backend, remoteID string) rpc.TokenProvider {
 				tokens = append(tokens, salted)
 			case auth.ErrSalted:
 				tokens = append(tokens, token)
+			case auth.ErrTokenFormat:
+				// pass through unmodified (assume it's an OIDC access token)
+				tokens = append(tokens, token)
 			case auth.ErrObsoleteToken:
 				ctx := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{token}})
 				aca, err := local.APIClientAuthorizationCurrent(ctx, arvados.GetOptions{})
@@ -79,6 +82,14 @@ func saltedTokenProvider(local backend, remoteID string) rpc.TokenProvider {
 				} else if err != nil {
 					return nil, err
 				}
+				if strings.HasPrefix(aca.UUID, remoteID) {
+					// We have it cached here, but
+					// the token belongs to the
+					// remote target itself, so
+					// pass it through unmodified.
+					tokens = append(tokens, token)
+					continue
+				}
 				salted, err := auth.SaltToken(aca.TokenV2(), remoteID)
 				if err != nil {
 					return nil, err
@@ -111,6 +122,13 @@ func (conn *Conn) chooseBackend(id string) backend {
 	}
 }
 
+func (conn *Conn) localOrLoginCluster() backend {
+	if conn.cluster.Login.LoginCluster != "" {
+		return conn.chooseBackend(conn.cluster.Login.LoginCluster)
+	}
+	return conn.local
+}
+
 // Call fn with the local backend; then, if fn returned 404, call fn
 // on the available remote backends (possibly concurrently) until one
 // succeeds.
@@ -196,9 +214,8 @@ func (conn *Conn) Login(ctx context.Context, options arvados.LoginOptions) (arva
 		return arvados.LoginResponse{
 			RedirectLocation: target.String(),
 		}, nil
-	} else {
-		return conn.local.Login(ctx, options)
 	}
+	return conn.local.Login(ctx, options)
 }
 
 func (conn *Conn) Logout(ctx context.Context, options arvados.LogoutOptions) (arvados.LogoutResponse, error) {
@@ -235,40 +252,39 @@ func (conn *Conn) CollectionGet(ctx context.Context, options arvados.GetOptions)
 			c.ManifestText = rewriteManifest(c.ManifestText, options.UUID[:5])
 		}
 		return c, err
-	} else {
-		// UUID is a PDH
-		first := make(chan arvados.Collection, 1)
-		err := conn.tryLocalThenRemotes(ctx, options.ForwardedFor, func(ctx context.Context, remoteID string, be backend) error {
-			remoteOpts := options
-			remoteOpts.ForwardedFor = conn.cluster.ClusterID + "-" + options.ForwardedFor
-			c, err := be.CollectionGet(ctx, remoteOpts)
-			if err != nil {
-				return err
-			}
-			// options.UUID is either hash+size or
-			// hash+size+hints; only hash+size need to
-			// match the computed PDH.
-			if pdh := arvados.PortableDataHash(c.ManifestText); pdh != options.UUID && !strings.HasPrefix(options.UUID, pdh+"+") {
-				err = httpErrorf(http.StatusBadGateway, "bad portable data hash %q received from remote %q (expected %q)", pdh, remoteID, options.UUID)
-				ctxlog.FromContext(ctx).Warn(err)
-				return err
-			}
-			if remoteID != "" {
-				c.ManifestText = rewriteManifest(c.ManifestText, remoteID)
-			}
-			select {
-			case first <- c:
-				return nil
-			default:
-				// lost race, return value doesn't matter
-				return nil
-			}
-		})
+	}
+	// UUID is a PDH
+	first := make(chan arvados.Collection, 1)
+	err := conn.tryLocalThenRemotes(ctx, options.ForwardedFor, func(ctx context.Context, remoteID string, be backend) error {
+		remoteOpts := options
+		remoteOpts.ForwardedFor = conn.cluster.ClusterID + "-" + options.ForwardedFor
+		c, err := be.CollectionGet(ctx, remoteOpts)
 		if err != nil {
-			return arvados.Collection{}, err
+			return err
+		}
+		// options.UUID is either hash+size or
+		// hash+size+hints; only hash+size need to
+		// match the computed PDH.
+		if pdh := arvados.PortableDataHash(c.ManifestText); pdh != options.UUID && !strings.HasPrefix(options.UUID, pdh+"+") {
+			err = httpErrorf(http.StatusBadGateway, "bad portable data hash %q received from remote %q (expected %q)", pdh, remoteID, options.UUID)
+			ctxlog.FromContext(ctx).Warn(err)
+			return err
+		}
+		if remoteID != "" {
+			c.ManifestText = rewriteManifest(c.ManifestText, remoteID)
+		}
+		select {
+		case first <- c:
+			return nil
+		default:
+			// lost race, return value doesn't matter
+			return nil
 		}
-		return <-first, nil
+	})
+	if err != nil {
+		return arvados.Collection{}, err
 	}
+	return <-first, nil
 }
 
 func (conn *Conn) CollectionList(ctx context.Context, options arvados.ListOptions) (arvados.CollectionList, error) {
@@ -323,6 +339,108 @@ func (conn *Conn) ContainerUnlock(ctx context.Context, options arvados.GetOption
 	return conn.chooseBackend(options.UUID).ContainerUnlock(ctx, options)
 }
 
+func (conn *Conn) ContainerSSH(ctx context.Context, options arvados.ContainerSSHOptions) (arvados.ContainerSSHConnection, error) {
+	return conn.chooseBackend(options.UUID).ContainerSSH(ctx, options)
+}
+
+func (conn *Conn) ContainerRequestList(ctx context.Context, options arvados.ListOptions) (arvados.ContainerRequestList, error) {
+	return conn.generated_ContainerRequestList(ctx, options)
+}
+
+func (conn *Conn) ContainerRequestCreate(ctx context.Context, options arvados.CreateOptions) (arvados.ContainerRequest, error) {
+	be := conn.chooseBackend(options.ClusterID)
+	if be == conn.local {
+		return be.ContainerRequestCreate(ctx, options)
+	}
+	if _, ok := options.Attrs["runtime_token"]; !ok {
+		// If runtime_token is not set, create a new token
+		aca, err := conn.local.APIClientAuthorizationCurrent(ctx, arvados.GetOptions{})
+		if err != nil {
+			// This should probably be StatusUnauthorized
+			// (need to update test in
+			// lib/controller/federation_test.go):
+			// When RoR is out of the picture this should be:
+			// return arvados.ContainerRequest{}, httpErrorf(http.StatusUnauthorized, "%w", err)
+			return arvados.ContainerRequest{}, httpErrorf(http.StatusForbidden, "%s", "invalid API token")
+		}
+		user, err := conn.local.UserGetCurrent(ctx, arvados.GetOptions{})
+		if err != nil {
+			return arvados.ContainerRequest{}, err
+		}
+		if len(aca.Scopes) == 0 || aca.Scopes[0] != "all" {
+			return arvados.ContainerRequest{}, httpErrorf(http.StatusForbidden, "token scope is not [all]")
+		}
+		if strings.HasPrefix(aca.UUID, conn.cluster.ClusterID) {
+			// Local user, submitting to a remote cluster.
+			// Create a new time-limited token.
+			local, ok := conn.local.(*localdb.Conn)
+			if !ok {
+				return arvados.ContainerRequest{}, httpErrorf(http.StatusInternalServerError, "bug: local backend is a %T, not a *localdb.Conn", conn.local)
+			}
+			aca, err = local.CreateAPIClientAuthorization(ctx, conn.cluster.SystemRootToken, rpc.UserSessionAuthInfo{UserUUID: user.UUID,
+				ExpiresAt: time.Now().UTC().Add(conn.cluster.Collections.BlobSigningTTL.Duration())})
+			if err != nil {
+				return arvados.ContainerRequest{}, err
+			}
+			options.Attrs["runtime_token"] = aca.TokenV2()
+		} else {
+			// Remote user. Container request will use the
+			// current token, minus the trailing portion
+			// (optional container uuid).
+			options.Attrs["runtime_token"] = aca.TokenV2()
+		}
+	}
+	return be.ContainerRequestCreate(ctx, options)
+}
+
+func (conn *Conn) ContainerRequestUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.ContainerRequest, error) {
+	return conn.chooseBackend(options.UUID).ContainerRequestUpdate(ctx, options)
+}
+
+func (conn *Conn) ContainerRequestGet(ctx context.Context, options arvados.GetOptions) (arvados.ContainerRequest, error) {
+	return conn.chooseBackend(options.UUID).ContainerRequestGet(ctx, options)
+}
+
+func (conn *Conn) ContainerRequestDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.ContainerRequest, error) {
+	return conn.chooseBackend(options.UUID).ContainerRequestDelete(ctx, options)
+}
+
+func (conn *Conn) GroupCreate(ctx context.Context, options arvados.CreateOptions) (arvados.Group, error) {
+	return conn.chooseBackend(options.ClusterID).GroupCreate(ctx, options)
+}
+
+func (conn *Conn) GroupUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.Group, error) {
+	return conn.chooseBackend(options.UUID).GroupUpdate(ctx, options)
+}
+
+func (conn *Conn) GroupGet(ctx context.Context, options arvados.GetOptions) (arvados.Group, error) {
+	return conn.chooseBackend(options.UUID).GroupGet(ctx, options)
+}
+
+func (conn *Conn) GroupList(ctx context.Context, options arvados.ListOptions) (arvados.GroupList, error) {
+	return conn.generated_GroupList(ctx, options)
+}
+
+func (conn *Conn) GroupContents(ctx context.Context, options arvados.GroupContentsOptions) (arvados.ObjectList, error) {
+	return conn.chooseBackend(options.UUID).GroupContents(ctx, options)
+}
+
+func (conn *Conn) GroupShared(ctx context.Context, options arvados.ListOptions) (arvados.GroupList, error) {
+	return conn.chooseBackend(options.ClusterID).GroupShared(ctx, options)
+}
+
+func (conn *Conn) GroupDelete(ctx context.Context, options arvados.DeleteOptions) (arvados.Group, error) {
+	return conn.chooseBackend(options.UUID).GroupDelete(ctx, options)
+}
+
+func (conn *Conn) GroupTrash(ctx context.Context, options arvados.DeleteOptions) (arvados.Group, error) {
+	return conn.chooseBackend(options.UUID).GroupTrash(ctx, options)
+}
+
+func (conn *Conn) GroupUntrash(ctx context.Context, options arvados.UntrashOptions) (arvados.Group, error) {
+	return conn.chooseBackend(options.UUID).GroupUntrash(ctx, options)
+}
+
 func (conn *Conn) SpecimenList(ctx context.Context, options arvados.ListOptions) (arvados.SpecimenList, error) {
 	return conn.generated_SpecimenList(ctx, options)
 }
@@ -353,6 +471,7 @@ var userAttrsCachedFromLoginCluster = map[string]bool{
 	"modified_at": true,
 	"prefs":       true,
 	"username":    true,
+	"kind":        true,
 
 	"etag":                    false,
 	"full_name":               false,
@@ -427,7 +546,7 @@ func (conn *Conn) batchUpdateUsers(ctx context.Context,
 }
 
 func (conn *Conn) UserList(ctx context.Context, options arvados.ListOptions) (arvados.UserList, error) {
-	if id := conn.cluster.Login.LoginCluster; id != "" && id != conn.cluster.ClusterID && !options.NoFederation {
+	if id := conn.cluster.Login.LoginCluster; id != "" && id != conn.cluster.ClusterID && !options.BypassFederation {
 		resp, err := conn.chooseBackend(id).UserList(ctx, options)
 		if err != nil {
 			return resp, err
@@ -437,9 +556,8 @@ func (conn *Conn) UserList(ctx context.Context, options arvados.ListOptions) (ar
 			return arvados.UserList{}, err
 		}
 		return resp, nil
-	} else {
-		return conn.generated_UserList(ctx, options)
 	}
+	return conn.generated_UserList(ctx, options)
 }
 
 func (conn *Conn) UserCreate(ctx context.Context, options arvados.CreateOptions) (arvados.User, error) {
@@ -447,10 +565,21 @@ func (conn *Conn) UserCreate(ctx context.Context, options arvados.CreateOptions)
 }
 
 func (conn *Conn) UserUpdate(ctx context.Context, options arvados.UpdateOptions) (arvados.User, error) {
-	if options.NoFederation {
+	if options.BypassFederation {
 		return conn.local.UserUpdate(ctx, options)
 	}
-	return conn.chooseBackend(options.UUID).UserUpdate(ctx, options)
+	resp, err := conn.chooseBackend(options.UUID).UserUpdate(ctx, options)
+	if err != nil {
+		return resp, err
+	}
+	if !strings.HasPrefix(options.UUID, conn.cluster.ClusterID) {
+		// Copy the updated user record to the local cluster
+		err = conn.batchUpdateUsers(ctx, arvados.ListOptions{}, []arvados.User{resp})
+		if err != nil {
+			return arvados.User{}, err
+		}
+	}
+	return resp, err
 }
 
 func (conn *Conn) UserUpdateUUID(ctx context.Context, options arvados.UpdateUUIDOptions) (arvados.User, error) {
@@ -462,23 +591,58 @@ func (conn *Conn) UserMerge(ctx context.Context, options arvados.UserMergeOption
 }
 
 func (conn *Conn) UserActivate(ctx context.Context, options arvados.UserActivateOptions) (arvados.User, error) {
-	return conn.chooseBackend(options.UUID).UserActivate(ctx, options)
+	return conn.localOrLoginCluster().UserActivate(ctx, options)
 }
 
 func (conn *Conn) UserSetup(ctx context.Context, options arvados.UserSetupOptions) (map[string]interface{}, error) {
-	return conn.chooseBackend(options.UUID).UserSetup(ctx, options)
+	upstream := conn.localOrLoginCluster()
+	if upstream != conn.local {
+		// When LoginCluster is in effect, and we're setting
+		// up a remote user, and we want to give that user
+		// access to a local VM, we can't include the VM in
+		// the setup call, because the remote cluster won't
+		// recognize it.
+
+		// Similarly, if we want to create a git repo,
+		// it should be created on the local cluster,
+		// not the remote one.
+
+		upstreamOptions := options
+		upstreamOptions.VMUUID = ""
+		upstreamOptions.RepoName = ""
+
+		ret, err := upstream.UserSetup(ctx, upstreamOptions)
+		if err != nil {
+			return ret, err
+		}
+	}
+
+	return conn.local.UserSetup(ctx, options)
 }
 
 func (conn *Conn) UserUnsetup(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
-	return conn.chooseBackend(options.UUID).UserUnsetup(ctx, options)
+	return conn.localOrLoginCluster().UserUnsetup(ctx, options)
 }
 
 func (conn *Conn) UserGet(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
-	return conn.chooseBackend(options.UUID).UserGet(ctx, options)
+	resp, err := conn.chooseBackend(options.UUID).UserGet(ctx, options)
+	if err != nil {
+		return resp, err
+	}
+	if options.UUID != resp.UUID {
+		return arvados.User{}, httpErrorf(http.StatusBadGateway, "Had requested %v but response was for %v", options.UUID, resp.UUID)
+	}
+	if options.UUID[:5] != conn.cluster.ClusterID {
+		err = conn.batchUpdateUsers(ctx, arvados.ListOptions{Select: options.Select}, []arvados.User{resp})
+		if err != nil {
+			return arvados.User{}, err
+		}
+	}
+	return resp, nil
 }
 
 func (conn *Conn) UserGetCurrent(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
-	return conn.chooseBackend(options.UUID).UserGetCurrent(ctx, options)
+	return conn.local.UserGetCurrent(ctx, options)
 }
 
 func (conn *Conn) UserGetSystem(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
@@ -493,6 +657,10 @@ func (conn *Conn) UserBatchUpdate(ctx context.Context, options arvados.UserBatch
 	return conn.local.UserBatchUpdate(ctx, options)
 }
 
+func (conn *Conn) UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+	return conn.local.UserAuthenticate(ctx, options)
+}
+
 func (conn *Conn) APIClientAuthorizationCurrent(ctx context.Context, options arvados.GetOptions) (arvados.APIClientAuthorization, error) {
 	return conn.chooseBackend(options.UUID).APIClientAuthorizationCurrent(ctx, options)
 }
@@ -510,7 +678,6 @@ func (notFoundError) Error() string   { return "not found" }
 func errStatus(err error) int {
 	if httpErr, ok := err.(interface{ HTTPStatus() int }); ok {
 		return httpErr.HTTPStatus()
-	} else {
-		return http.StatusInternalServerError
 	}
+	return http.StatusInternalServerError
 }