X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e8d1a643cdbc3a5f4c0e5c745da58d9f7e1248d8..bd387cabd3fb58e8456f38ba54bb4af0be6500bb:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index 915924e288..bc62a2a39a 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -2,17 +2,18 @@ // // SPDX-License-Identifier: AGPL-3.0 -package main +package keepweb import ( "encoding/json" + "errors" + "fmt" "html" "html/template" "io" "net/http" "net/url" "os" - "path/filepath" "sort" "strconv" "strings" @@ -22,7 +23,6 @@ import ( "git.arvados.org/arvados.git/sdk/go/arvadosclient" "git.arvados.org/arvados.git/sdk/go/auth" "git.arvados.org/arvados.git/sdk/go/ctxlog" - "git.arvados.org/arvados.git/sdk/go/health" "git.arvados.org/arvados.git/sdk/go/httpserver" "git.arvados.org/arvados.git/sdk/go/keepclient" "github.com/sirupsen/logrus" @@ -30,38 +30,17 @@ import ( ) type handler struct { - Config *Config - MetricsAPI http.Handler - clientPool *arvadosclient.ClientPool - setupOnce sync.Once - healthHandler http.Handler - webdavLS webdav.LockSystem -} - -// parseCollectionIDFromDNSName returns a UUID or PDH if s begins with -// a UUID or URL-encoded PDH; otherwise "". -func parseCollectionIDFromDNSName(s string) string { - // Strip domain. - if i := strings.IndexRune(s, '.'); i >= 0 { - s = s[:i] - } - // Names like {uuid}--collections.example.com serve the same - // purpose as {uuid}.collections.example.com but can reduce - // cost/effort of using [additional] wildcard certificates. - if i := strings.Index(s, "--"); i >= 0 { - s = s[:i] - } - if arvadosclient.UUIDMatch(s) { - return s - } - if pdh := strings.Replace(s, "-", "+", 1); arvadosclient.PDHMatch(pdh) { - return pdh - } - return "" + Cache cache + Cluster *arvados.Cluster + setupOnce sync.Once + webdavLS webdav.LockSystem } var urlPDHDecoder = strings.NewReplacer(" ", "+", "-", "+") +var notFoundMessage = "Not Found" +var unauthorizedMessage = "401 Unauthorized\r\n\r\nA valid Arvados token must be provided to access this resource.\r\n" + // parseCollectionIDFromURL returns a UUID or PDH if s is a UUID or a // PDH (even if it is a PDH with "+" replaced by " " or "-"); // otherwise "". @@ -76,17 +55,7 @@ func parseCollectionIDFromURL(s string) string { } func (h *handler) setup() { - // Errors will be handled at the client pool. - arv, _ := arvados.NewClientFromConfig(h.Config.cluster) - h.clientPool = arvadosclient.MakeClientPoolWith(arv) - - keepclient.RefreshServiceDiscoveryOnSIGHUP() - keepclient.DefaultBlockCache.MaxBlocks = h.Config.cluster.Collections.WebDAVCache.MaxBlockEntries - - h.healthHandler = &health.Handler{ - Token: h.Config.cluster.ManagementToken, - Prefix: "/_health/", - } + keepclient.DefaultBlockCache.MaxBlocks = h.Cluster.Collections.WebDAVCache.MaxBlockEntries // Even though we don't accept LOCK requests, every webdav // handler must have a non-nil LockSystem. @@ -99,9 +68,10 @@ func (h *handler) serveStatus(w http.ResponseWriter, r *http.Request) { // updateOnSuccess wraps httpserver.ResponseWriter. If the handler // sends an HTTP header indicating success, updateOnSuccess first -// calls the provided update func. If the update func fails, a 500 -// response is sent, and the status code and body sent by the handler -// are ignored (all response writes return the update error). +// calls the provided update func. If the update func fails, an error +// response is sent (using the error's HTTP status or 500 if none), +// and the status code and body sent by the handler are ignored (all +// response writes return the update error). type updateOnSuccess struct { httpserver.ResponseWriter logger logrus.FieldLogger @@ -126,10 +96,11 @@ func (uos *updateOnSuccess) WriteHeader(code int) { if code >= 200 && code < 400 { if uos.err = uos.update(); uos.err != nil { code := http.StatusInternalServerError - if err, ok := uos.err.(*arvados.TransactionError); ok { - code = err.StatusCode + var he interface{ HTTPStatus() int } + if errors.As(uos.err, &he) { + code = he.HTTPStatus() } - uos.logger.WithError(uos.err).Errorf("update() returned error type %T, changing response to HTTP %d", uos.err, code) + uos.logger.WithError(uos.err).Errorf("update() returned %T error, changing response to HTTP %d", uos.err, code) http.Error(uos.ResponseWriter, uos.err.Error(), code) return } @@ -181,25 +152,36 @@ var ( } ) +func stripDefaultPort(host string) string { + // Will consider port 80 and port 443 to be the same vhost. I think that's fine. + u := &url.URL{Host: host} + if p := u.Port(); p == "80" || p == "443" { + return strings.ToLower(u.Hostname()) + } else { + return strings.ToLower(host) + } +} + +// CheckHealth implements service.Handler. +func (h *handler) CheckHealth() error { + return nil +} + +// Done implements service.Handler. +func (h *handler) Done() <-chan struct{} { + return nil +} + // ServeHTTP implements http.Handler. func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { h.setupOnce.Do(h.setup) - remoteAddr := r.RemoteAddr - if xff := r.Header.Get("X-Forwarded-For"); xff != "" { - remoteAddr = xff + "," + remoteAddr - } if xfp := r.Header.Get("X-Forwarded-Proto"); xfp != "" && xfp != "http" { r.URL.Scheme = xfp } w := httpserver.WrapResponseWriter(wOrig) - if strings.HasPrefix(r.URL.Path, "/_health/") && r.Method == "GET" { - h.healthHandler.ServeHTTP(w, r) - return - } - if method := r.Header.Get("Access-Control-Request-Method"); method != "" && r.Method == "OPTIONS" { if !browserMethod[method] && !webdavMethod[method] { w.WriteHeader(http.StatusMethodNotAllowed) @@ -240,24 +222,27 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { var pathToken bool var attachment bool var useSiteFS bool - credentialsOK := h.Config.cluster.Collections.TrustAllContent + credentialsOK := h.Cluster.Collections.TrustAllContent + reasonNotAcceptingCredentials := "" - if r.Host != "" && r.Host == h.Config.cluster.Services.WebDAVDownload.ExternalURL.Host { + if r.Host != "" && stripDefaultPort(r.Host) == stripDefaultPort(h.Cluster.Services.WebDAVDownload.ExternalURL.Host) { credentialsOK = true attachment = true } else if r.FormValue("disposition") == "attachment" { attachment = true } - if collectionID = parseCollectionIDFromDNSName(r.Host); collectionID != "" { + if !credentialsOK { + reasonNotAcceptingCredentials = fmt.Sprintf("vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false", + r.Host, h.Cluster.Services.WebDAVDownload.ExternalURL) + } + + if collectionID = arvados.CollectionIDFromDNSName(r.Host); collectionID != "" { // http://ID.collections.example/PATH... credentialsOK = true } else if r.URL.Path == "/status.json" { h.serveStatus(w, r) return - } else if strings.HasPrefix(r.URL.Path, "/metrics") { - h.MetricsAPI.ServeHTTP(w, r) - return } else if siteFSDir[pathParts[0]] { useSiteFS = true } else if len(pathParts) >= 1 && strings.HasPrefix(pathParts[0], "c=") { @@ -279,14 +264,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // data. Tokens provided with the request are // ignored. credentialsOK = false + reasonNotAcceptingCredentials = "the '/collections/UUID/PATH' form only works for public data" } } - if collectionID == "" && !useSiteFS { - w.WriteHeader(http.StatusNotFound) - return - } - forceReload := false if cc := r.Header.Get("Cache-Control"); strings.Contains(cc, "no-cache") || strings.Contains(cc, "must-revalidate") { forceReload = true @@ -297,36 +278,36 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } formToken := r.FormValue("api_token") - if formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" { - // The client provided an explicit token in the POST - // body. The Origin header indicates this *might* be - // an AJAX request, in which case redirect-with-cookie - // won't work: we should just serve the content in the - // POST response. This is safe because: - // - // * We're supplying an attachment, not inline - // content, so we don't need to convert the POST to - // a GET and avoid the "really resubmit form?" - // problem. + origin := r.Header.Get("Origin") + cors := origin != "" && !strings.HasSuffix(origin, "://"+r.Host) + safeAjax := cors && (r.Method == http.MethodGet || r.Method == http.MethodHead) + safeAttachment := attachment && r.URL.Query().Get("api_token") == "" + if formToken == "" { + // No token to use or redact. + } else if safeAjax || safeAttachment { + // If this is a cross-origin request, the URL won't + // appear in the browser's address bar, so + // substituting a clipboard-safe URL is pointless. + // Redirect-with-cookie wouldn't work anyway, because + // it's not safe to allow third-party use of our + // cookie. // - // * The token isn't embedded in the URL, so we don't - // need to worry about bookmarks and copy/paste. + // If we're supplying an attachment, we don't need to + // convert POST to GET to avoid the "really resubmit + // form?" problem, so provided the token isn't + // embedded in the URL, there's no reason to do + // redirect-with-cookie in this case either. reqTokens = append(reqTokens, formToken) - } else if formToken != "" && browserMethod[r.Method] { - // The client provided an explicit token in the query - // string, or a form in POST body. We must put the - // token in an HttpOnly cookie, and redirect to the - // same URL with the query param redacted and method = - // GET. + } else if browserMethod[r.Method] { + // If this is a page view, and the client provided a + // token via query string or POST body, we must put + // the token in an HttpOnly cookie, and redirect to an + // equivalent URL with the query param redacted and + // method = GET. h.seeOtherWithCookie(w, r, "", credentialsOK) return } - if useSiteFS { - h.serveSiteFS(w, r, reqTokens, credentialsOK, attachment) - return - } - targetPath := pathParts[stripParts:] if tokens == nil && len(targetPath) > 0 && strings.HasPrefix(targetPath[0], "t=") { // http://ID.example/t=TOKEN/PATH... @@ -341,8 +322,39 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { stripParts++ } + fsprefix := "" + if useSiteFS { + if writeMethod[r.Method] { + http.Error(w, errReadOnly.Error(), http.StatusMethodNotAllowed) + return + } + if len(reqTokens) == 0 { + w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"") + http.Error(w, unauthorizedMessage, http.StatusUnauthorized) + return + } + tokens = reqTokens + } else if collectionID == "" { + http.Error(w, notFoundMessage, http.StatusNotFound) + return + } else { + fsprefix = "by_id/" + collectionID + "/" + } + if tokens == nil { - tokens = append(reqTokens, h.Config.cluster.Users.AnonymousUserToken) + tokens = reqTokens + if h.Cluster.Users.AnonymousUserToken != "" { + tokens = append(tokens, h.Cluster.Users.AnonymousUserToken) + } + } + + if tokens == nil { + if !credentialsOK { + http.Error(w, fmt.Sprintf("Authorization tokens are not accepted here: %v, and no anonymous user token is configured.", reasonNotAcceptingCredentials), http.StatusUnauthorized) + } else { + http.Error(w, fmt.Sprintf("No authorization token in request, and no anonymous user token is configured."), http.StatusUnauthorized) + } + return } if len(targetPath) > 0 && targetPath[0] == "_" { @@ -356,239 +368,221 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { stripParts++ } - arv := h.clientPool.Get() - if arv == nil { - http.Error(w, "client pool error: "+h.clientPool.Err().Error(), http.StatusInternalServerError) - return - } - defer h.clientPool.Put(arv) - - var collection *arvados.Collection - tokenResult := make(map[string]int) - for _, arv.ApiToken = range tokens { - var err error - collection, err = h.Config.Cache.Get(arv, collectionID, forceReload) - if err == nil { - // Success - break + dirOpenMode := os.O_RDONLY + if writeMethod[r.Method] { + dirOpenMode = os.O_RDWR + } + + validToken := make(map[string]bool) + var token string + var tokenUser *arvados.User + var sessionFS arvados.CustomFileSystem + var session *cachedSession + var collectionDir arvados.File + for _, token = range tokens { + var statusErr interface{ HTTPStatus() int } + fs, sess, user, err := h.Cache.GetSession(token) + if errors.As(err, &statusErr) && statusErr.HTTPStatus() == http.StatusUnauthorized { + // bad token + continue + } else if err != nil { + http.Error(w, "cache error: "+err.Error(), http.StatusInternalServerError) + return + } + f, err := fs.OpenFile(fsprefix, dirOpenMode, 0) + if errors.As(err, &statusErr) && statusErr.HTTPStatus() == http.StatusForbidden { + // collection id is outside token scope + validToken[token] = true + continue + } + validToken[token] = true + if os.IsNotExist(err) { + // collection does not exist or is not + // readable using this token + continue + } else if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return } - if srvErr, ok := err.(arvadosclient.APIServerError); ok { - switch srvErr.HttpStatusCode { - case 404, 401: - // Token broken or insufficient to - // retrieve collection - tokenResult[arv.ApiToken] = srvErr.HttpStatusCode - continue + defer f.Close() + + collectionDir, sessionFS, session, tokenUser = f, fs, sess, user + break + } + if forceReload { + err := collectionDir.Sync() + if err != nil { + var statusErr interface{ HTTPStatus() int } + if errors.As(err, &statusErr) { + http.Error(w, err.Error(), statusErr.HTTPStatus()) + } else { + http.Error(w, err.Error(), http.StatusInternalServerError) } + return } - // Something more serious is wrong - http.Error(w, "cache error: "+err.Error(), http.StatusInternalServerError) - return } - if collection == nil { + if session == nil { if pathToken || !credentialsOK { // Either the URL is a "secret sharing link" // that didn't work out (and asking the client // for additional credentials would just be // confusing), or we don't even accept // credentials at this path. - w.WriteHeader(http.StatusNotFound) + http.Error(w, notFoundMessage, http.StatusNotFound) return } for _, t := range reqTokens { - if tokenResult[t] == 404 { - // The client provided valid token(s), but the - // collection was not found. - w.WriteHeader(http.StatusNotFound) + if validToken[t] { + // The client provided valid token(s), + // but the collection was not found. + http.Error(w, notFoundMessage, http.StatusNotFound) return } } // The client's token was invalid (e.g., expired), or - // the client didn't even provide one. Propagate the - // 401 to encourage the client to use a [different] - // token. + // the client didn't even provide one. Redirect to + // workbench2's login-and-redirect-to-download url if + // this is a browser navigation request. (The redirect + // flow can't preserve the original method if it's not + // GET, and doesn't make sense if the UA is a + // command-line tool, is trying to load an inline + // image, etc.; in these cases, there's nothing we can + // do, so return 401 unauthorized.) + // + // Note Sec-Fetch-Mode is sent by all non-EOL + // browsers, except Safari. + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode // // TODO(TC): This response would be confusing to // someone trying (anonymously) to download public // data that has been deleted. Allow a referrer to // provide this context somehow? - w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"") - w.WriteHeader(http.StatusUnauthorized) + if r.Method == http.MethodGet && r.Header.Get("Sec-Fetch-Mode") == "navigate" { + target := url.URL(h.Cluster.Services.Workbench2.ExternalURL) + redirkey := "redirectToPreview" + if attachment { + redirkey = "redirectToDownload" + } + callback := "/c=" + collectionID + "/" + strings.Join(targetPath, "/") + // target.RawQuery = url.Values{redirkey: + // {target}}.Encode() would be the obvious + // thing to do here, but wb2 doesn't decode + // this as a query param -- it takes + // everything after "${redirkey}=" as the + // target URL. If we encode "/" as "%2F" etc., + // the redirect won't work. + target.RawQuery = redirkey + "=" + callback + w.Header().Add("Location", target.String()) + w.WriteHeader(http.StatusSeeOther) + } else { + w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"") + http.Error(w, unauthorizedMessage, http.StatusUnauthorized) + } return } - kc, err := keepclient.MakeKeepClient(arv) - if err != nil { - http.Error(w, "error setting up keep client: "+err.Error(), http.StatusInternalServerError) - return + if r.Method == http.MethodGet || r.Method == http.MethodHead { + targetfnm := fsprefix + strings.Join(pathParts[stripParts:], "/") + if fi, err := sessionFS.Stat(targetfnm); err == nil && fi.IsDir() { + if !strings.HasSuffix(r.URL.Path, "/") { + h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK) + } else { + h.serveDirectory(w, r, fi.Name(), sessionFS, targetfnm, !useSiteFS) + } + return + } } - kc.RequestID = r.Header.Get("X-Request-Id") var basename string if len(targetPath) > 0 { basename = targetPath[len(targetPath)-1] } - applyContentDispositionHdr(w, r, basename, attachment) - - client := (&arvados.Client{ - APIHost: arv.ApiServer, - AuthToken: arv.ApiToken, - Insecure: arv.ApiInsecure, - }).WithRequestID(r.Header.Get("X-Request-Id")) - - fs, err := collection.FileSystem(client, kc) - if err != nil { - http.Error(w, "error creating collection filesystem: "+err.Error(), http.StatusInternalServerError) - return - } - - writefs, writeOK := fs.(arvados.CollectionFileSystem) - targetIsPDH := arvadosclient.PDHMatch(collectionID) - if (targetIsPDH || !writeOK) && writeMethod[r.Method] { + if arvadosclient.PDHMatch(collectionID) && writeMethod[r.Method] { http.Error(w, errReadOnly.Error(), http.StatusMethodNotAllowed) return } - - if webdavMethod[r.Method] { - if writeMethod[r.Method] { - // Save the collection only if/when all - // webdav->filesystem operations succeed -- - // and send a 500 error if the modified - // collection can't be saved. - w = &updateOnSuccess{ - ResponseWriter: w, - logger: ctxlog.FromContext(r.Context()), - update: func() error { - return h.Config.Cache.Update(client, *collection, writefs) - }} - } - h := webdav.Handler{ - Prefix: "/" + strings.Join(pathParts[:stripParts], "/"), - FileSystem: &webdavFS{ - collfs: fs, - writing: writeMethod[r.Method], - alwaysReadEOF: r.Method == "PROPFIND", - }, - LockSystem: h.webdavLS, - Logger: func(_ *http.Request, err error) { - if err != nil { - ctxlog.FromContext(r.Context()).WithError(err).Error("error reported by webdav handler") - } - }, - } - h.ServeHTTP(w, r) - return - } - - openPath := "/" + strings.Join(targetPath, "/") - if f, err := fs.Open(openPath); os.IsNotExist(err) { - // Requested non-existent path - w.WriteHeader(http.StatusNotFound) - } else if err != nil { - // Some other (unexpected) error - http.Error(w, "open: "+err.Error(), http.StatusInternalServerError) - } else if stat, err := f.Stat(); err != nil { - // Can't get Size/IsDir (shouldn't happen with a collectionFS!) - http.Error(w, "stat: "+err.Error(), http.StatusInternalServerError) - } else if stat.IsDir() && !strings.HasSuffix(r.URL.Path, "/") { - // If client requests ".../dirname", redirect to - // ".../dirname/". This way, relative links in the - // listing for "dirname" can always be "fnm", never - // "dirname/fnm". - h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK) - } else if stat.IsDir() { - h.serveDirectory(w, r, collection.Name, fs, openPath, true) - } else { - http.ServeContent(w, r, basename, stat.ModTime(), f) - if wrote := int64(w.WroteBodyBytes()); wrote != stat.Size() && r.Header.Get("Range") == "" { - // If we wrote fewer bytes than expected, it's - // too late to change the real response code - // or send an error message to the client, but - // at least we can try to put some useful - // debugging info in the logs. - n, err := f.Read(make([]byte, 1024)) - ctxlog.FromContext(r.Context()).Errorf("stat.Size()==%d but only wrote %d bytes; read(1024) returns %d, %s", stat.Size(), wrote, n, err) - - } - } -} - -func (h *handler) getClients(reqID, token string) (arv *arvadosclient.ArvadosClient, kc *keepclient.KeepClient, client *arvados.Client, release func(), err error) { - arv = h.clientPool.Get() - if arv == nil { - return nil, nil, nil, nil, err - } - release = func() { h.clientPool.Put(arv) } - arv.ApiToken = token - kc, err = keepclient.MakeKeepClient(arv) - if err != nil { - release() + if !h.userPermittedToUploadOrDownload(r.Method, tokenUser) { + http.Error(w, "Not permitted", http.StatusForbidden) return } - kc.RequestID = reqID - client = (&arvados.Client{ - APIHost: arv.ApiServer, - AuthToken: arv.ApiToken, - Insecure: arv.ApiInsecure, - }).WithRequestID(reqID) - return -} + h.logUploadOrDownload(r, session.arvadosclient, sessionFS, fsprefix+strings.Join(targetPath, "/"), nil, tokenUser) -func (h *handler) serveSiteFS(w http.ResponseWriter, r *http.Request, tokens []string, credentialsOK, attachment bool) { - if len(tokens) == 0 { - w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"") - http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized) - return - } if writeMethod[r.Method] { - http.Error(w, errReadOnly.Error(), http.StatusMethodNotAllowed) - return - } - _, kc, client, release, err := h.getClients(r.Header.Get("X-Request-Id"), tokens[0]) - if err != nil { - http.Error(w, "Pool failed: "+h.clientPool.Err().Error(), http.StatusInternalServerError) - return - } - defer release() - - fs := client.SiteFileSystem(kc) - fs.ForwardSlashNameSubstitution(h.Config.cluster.Collections.ForwardSlashNameSubstitution) - f, err := fs.Open(r.URL.Path) - if os.IsNotExist(err) { - http.Error(w, err.Error(), http.StatusNotFound) - return - } else if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - defer f.Close() - if fi, err := f.Stat(); err == nil && fi.IsDir() && r.Method == "GET" { - if !strings.HasSuffix(r.URL.Path, "/") { - h.seeOtherWithCookie(w, r, r.URL.Path+"/", credentialsOK) - } else { - h.serveDirectory(w, r, fi.Name(), fs, r.URL.Path, false) + // Save the collection only if/when all + // webdav->filesystem operations succeed -- + // and send a 500 error if the modified + // collection can't be saved. + // + // Perform the write in a separate sitefs, so + // concurrent read operations on the same + // collection see the previous saved + // state. After the write succeeds and the + // collection record is updated, we reset the + // session so the updates are visible in + // subsequent read requests. + client := session.client.WithRequestID(r.Header.Get("X-Request-Id")) + sessionFS = client.SiteFileSystem(session.keepclient) + writingDir, err := sessionFS.OpenFile(fsprefix, os.O_RDONLY, 0) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return } - return + defer writingDir.Close() + w = &updateOnSuccess{ + ResponseWriter: w, + logger: ctxlog.FromContext(r.Context()), + update: func() error { + err := writingDir.Sync() + var te arvados.TransactionError + if errors.As(err, &te) { + err = te + } + if err != nil { + return err + } + // Sync the changes to the persistent + // sessionfs for this token. + snap, err := writingDir.Snapshot() + if err != nil { + return err + } + collectionDir.Splice(snap) + return nil + }} } - if r.Method == "GET" { - _, basename := filepath.Split(r.URL.Path) + if r.Method == http.MethodGet { applyContentDispositionHdr(w, r, basename, attachment) } wh := webdav.Handler{ - Prefix: "/", + Prefix: "/" + strings.Join(pathParts[:stripParts], "/"), FileSystem: &webdavFS{ - collfs: fs, + collfs: sessionFS, + prefix: fsprefix, writing: writeMethod[r.Method], alwaysReadEOF: r.Method == "PROPFIND", }, LockSystem: h.webdavLS, - Logger: func(_ *http.Request, err error) { + Logger: func(r *http.Request, err error) { if err != nil { ctxlog.FromContext(r.Context()).WithError(err).Error("error reported by webdav handler") } }, } wh.ServeHTTP(w, r) + if r.Method == http.MethodGet && w.WroteStatus() == http.StatusOK { + wrote := int64(w.WroteBodyBytes()) + fnm := strings.Join(pathParts[stripParts:], "/") + fi, err := wh.FileSystem.Stat(r.Context(), fnm) + if err == nil && fi.Size() != wrote { + var n int + f, err := wh.FileSystem.OpenFile(r.Context(), fnm, os.O_RDONLY, 0) + if err == nil { + n, err = f.Read(make([]byte, 1024)) + f.Close() + } + ctxlog.FromContext(r.Context()).Errorf("stat.Size()==%d but only wrote %d bytes; read(1024) returns %d, %v", fi.Size(), wrote, n, err) + } + } } var dirListingTemplate = ` @@ -769,6 +763,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc Value: auth.EncodeTokenCookie([]byte(formToken)), Path: "/", HttpOnly: true, + SameSite: http.SameSiteLaxMode, }) } @@ -799,3 +794,124 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc io.WriteString(w, html.EscapeString(redir)) io.WriteString(w, `">Continue`) } + +func (h *handler) userPermittedToUploadOrDownload(method string, tokenUser *arvados.User) bool { + var permitDownload bool + var permitUpload bool + if tokenUser != nil && tokenUser.IsAdmin { + permitUpload = h.Cluster.Collections.WebDAVPermission.Admin.Upload + permitDownload = h.Cluster.Collections.WebDAVPermission.Admin.Download + } else { + permitUpload = h.Cluster.Collections.WebDAVPermission.User.Upload + permitDownload = h.Cluster.Collections.WebDAVPermission.User.Download + } + if (method == "PUT" || method == "POST") && !permitUpload { + // Disallow operations that upload new files. + // Permit webdav operations that move existing files around. + return false + } else if method == "GET" && !permitDownload { + // Disallow downloading file contents. + // Permit webdav operations like PROPFIND that retrieve metadata + // but not file contents. + return false + } + return true +} + +func (h *handler) logUploadOrDownload( + r *http.Request, + client *arvadosclient.ArvadosClient, + fs arvados.CustomFileSystem, + filepath string, + collection *arvados.Collection, + user *arvados.User) { + + log := ctxlog.FromContext(r.Context()) + props := make(map[string]string) + props["reqPath"] = r.URL.Path + var useruuid string + if user != nil { + log = log.WithField("user_uuid", user.UUID). + WithField("user_full_name", user.FullName) + useruuid = user.UUID + } else { + useruuid = fmt.Sprintf("%s-tpzed-anonymouspublic", h.Cluster.ClusterID) + } + if collection == nil && fs != nil { + collection, filepath = h.determineCollection(fs, filepath) + } + if collection != nil { + log = log.WithField("collection_file_path", filepath) + props["collection_file_path"] = filepath + // h.determineCollection populates the collection_uuid + // prop with the PDH, if this collection is being + // accessed via PDH. For logging, we use a different + // field depending on whether it's a UUID or PDH. + if len(collection.UUID) > 32 { + log = log.WithField("portable_data_hash", collection.UUID) + props["portable_data_hash"] = collection.UUID + } else { + log = log.WithField("collection_uuid", collection.UUID) + props["collection_uuid"] = collection.UUID + } + } + if r.Method == "PUT" || r.Method == "POST" { + log.Info("File upload") + if h.Cluster.Collections.WebDAVLogEvents { + go func() { + lr := arvadosclient.Dict{"log": arvadosclient.Dict{ + "object_uuid": useruuid, + "event_type": "file_upload", + "properties": props}} + err := client.Create("logs", lr, nil) + if err != nil { + log.WithError(err).Error("Failed to create upload log event on API server") + } + }() + } + } else if r.Method == "GET" { + if collection != nil && collection.PortableDataHash != "" { + log = log.WithField("portable_data_hash", collection.PortableDataHash) + props["portable_data_hash"] = collection.PortableDataHash + } + log.Info("File download") + if h.Cluster.Collections.WebDAVLogEvents { + go func() { + lr := arvadosclient.Dict{"log": arvadosclient.Dict{ + "object_uuid": useruuid, + "event_type": "file_download", + "properties": props}} + err := client.Create("logs", lr, nil) + if err != nil { + log.WithError(err).Error("Failed to create download log event on API server") + } + }() + } + } +} + +func (h *handler) determineCollection(fs arvados.CustomFileSystem, path string) (*arvados.Collection, string) { + target := strings.TrimSuffix(path, "/") + for cut := len(target); cut >= 0; cut = strings.LastIndexByte(target, '/') { + target = target[:cut] + fi, err := fs.Stat(target) + if os.IsNotExist(err) { + // creating a new file/dir, or download + // destined to fail + continue + } else if err != nil { + return nil, "" + } + switch src := fi.Sys().(type) { + case *arvados.Collection: + return src, strings.TrimPrefix(path[len(target):], "/") + case *arvados.Group: + return nil, "" + default: + if _, ok := src.(error); ok { + return nil, "" + } + } + } + return nil, "" +}