[ARVADOS] created: 2.1.0-729-gcd454bdea
Git user
git at public.arvados.org
Mon Apr 26 13:41:02 UTC 2021
at cd454bdea077864ccb987b4c474b79b6e4d629fc (commit)
commit cd454bdea077864ccb987b4c474b79b6e4d629fc
Author: Tom Clegg <tom at curii.com>
Date: Mon Apr 26 09:40:46 2021 -0400
17284: Redact RailsAPI host:port in error messages.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/controller/handler_test.go b/lib/controller/handler_test.go
index 935208fc4..2911a4f03 100644
--- a/lib/controller/handler_test.go
+++ b/lib/controller/handler_test.go
@@ -344,3 +344,19 @@ func (s *HandlerSuite) TestGetObjects(c *check.C) {
s.CheckObjectType(c, "/arvados/v1/"+url, arvadostest.AdminToken, skippedFields)
}
}
+
+func (s *HandlerSuite) TestRedactRailsAPIHostFromErrors(c *check.C) {
+ req := httptest.NewRequest("GET", "https://0.0.0.0:1/arvados/v1/collections/zzzzz-4zz18-abcdefghijklmno", nil)
+ req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
+ resp := httptest.NewRecorder()
+ s.handler.ServeHTTP(resp, req)
+ c.Check(resp.Code, check.Equals, http.StatusNotFound)
+ var jresp struct {
+ Errors []string
+ }
+ c.Log(resp.Body.String())
+ c.Assert(json.NewDecoder(resp.Body).Decode(&jresp), check.IsNil)
+ c.Assert(jresp.Errors, check.HasLen, 1)
+ c.Check(jresp.Errors[0], check.Matches, `.*//railsapi\.internal/arvados/v1/collections/.*: 404 Not Found.*`)
+ c.Check(jresp.Errors[0], check.Not(check.Matches), `(?ms).*127.0.0.1.*`)
+}
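Review bot: The negative assertion at the end of TestRedactRailsAPIHostFromErrors hard-codes `127.0.0.1`, so it only proves redaction when the test RailsAPI happens to listen on that literal address. If the suite's cluster config points at `localhost`, `::1` or another host, the check passes without testing anything. Consider building the forbidden pattern from the RailsAPI internal URL in the suite's cluster config, escaped with `regexp.QuoteMeta`, and asserting that neither the host nor the port appears in `jresp.Errors[0]`. The dots in the current pattern are also unescaped, which is harmless in a negative match but worth tidying.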
diff --git a/lib/controller/localdb/conn.go b/lib/controller/localdb/conn.go
index 04f85cb5a..a90deded5 100644
--- a/lib/controller/localdb/conn.go
+++ b/lib/controller/localdb/conn.go
@@ -24,6 +24,7 @@ type Conn struct {
func NewConn(cluster *arvados.Cluster) *Conn {
railsProxy := railsproxy.NewConn(cluster)
+ railsProxy.RedactHostInErrors = true
var conn Conn
conn = Conn{
cluster: cluster,
diff --git a/lib/controller/rpc/conn.go b/lib/controller/rpc/conn.go
index 61d20de78..19e2d32d2 100644
--- a/lib/controller/rpc/conn.go
+++ b/lib/controller/rpc/conn.go
@@ -39,7 +39,9 @@ func PassthroughTokenProvider(ctx context.Context) ([]string, error) {
}
type Conn struct {
- SendHeader http.Header
+ SendHeader http.Header
+ RedactHostInErrors bool
+
clusterID string
httpClient http.Client
baseURL url.URL
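Review bot: The new exported field `RedactHostInErrors` has no doc comment, and nothing in the struct says what is redacted or where. I would add something like `// RedactHostInErrors, if true, replaces the upstream base URL with "//railsapi.internal" in error messages returned by requests made through this Conn.` It is also worth stating that the default (false) leaves upstream addresses in errors, so that callers building client-facing connections know to opt in. The struct definition continues past the end of this hunk.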
@@ -148,7 +150,21 @@ func (conn *Conn) requestAndDecode(ctx context.Context, dst interface{}, ep arva
path = strings.Replace(path, "/{uuid}", "/"+uuid, 1)
delete(params, "uuid")
}
- return aClient.RequestAndDecodeContext(ctx, dst, ep.Method, path, body, params)
+ err = aClient.RequestAndDecodeContext(ctx, dst, ep.Method, path, body, params)
+ if err != nil && conn.RedactHostInErrors {
+ redacted := strings.Replace(err.Error(), conn.baseURL.String(), "//railsapi.internal", -1)
+ if strings.HasPrefix(redacted, "request failed: ") {
+ redacted = strings.Replace(redacted, "request failed: ", "", -1)
+ }
+ if redacted != err.Error() {
+ if err, ok := err.(httpStatusError); ok {
+ return wrapHTTPStatusError(err, redacted)
+ } else {
+ return errors.New(redacted)
+ }
+ }
+ }
+ return err
}
func (conn *Conn) BaseURL() url.URL {
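Review bot: The redaction in requestAndDecode only substitutes the full `conn.baseURL.String()`, so a bare host:port appearing elsewhere in the message is returned unchanged. Go transport errors commonly repeat the dialed address after the quoted URL (a `dial tcp <host>:<port>: ...` suffix), so a connection failure to RailsAPI would presumably still disclose the internal address. Consider a second pass after the URL replacement, e.g. `redacted = strings.Replace(redacted, conn.baseURL.Host, "railsapi.internal", -1)`, and a test case that covers an unreachable upstream. Separately, the `errors.New(redacted)` branch discards the original error chain, so callers can no longer match context cancellation or timeouts with `errors.Is`; a comment should say whether that is intended. The function body begins outside this hunk.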
@@ -629,3 +645,26 @@ func (conn *Conn) UserAuthenticate(ctx context.Context, options arvados.UserAuth
err := conn.requestAndDecode(ctx, &resp, ep, nil, options)
return resp, err
}
+
+// httpStatusError is an error with an HTTP status code that can be
+// propagated by lib/controller/router, etc.
+type httpStatusError interface {
+ error
+ HTTPStatus() int
+}
+
+// wrappedHTTPStatusError is used to augment/replace an error message
+// while preserving the HTTP status code indicated by the original
+// error.
+type wrappedHTTPStatusError struct {
+ httpStatusError
+ message string
+}
+
+func wrapHTTPStatusError(err httpStatusError, message string) httpStatusError {
+ return wrappedHTTPStatusError{err, message}
+}
+
+func (err wrappedHTTPStatusError) Error() string {
+ return err.message
+}
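Review bot: `wrapHTTPStatusError` and the `Error` method are undocumented, and the type comment does not mention that the embedded `httpStatusError` still carries the original, unredacted message. Since this wrapper exists to keep internal addresses out of client-visible errors, I would add `// wrapHTTPStatusError returns an error whose Error() is message and whose HTTPStatus() is err's. The original err, including its unredacted text, remains in the embedded field and must not be surfaced to clients.` That also records why no `Unwrap` method is provided, if the omission is deliberate.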
-----------------------------------------------------------------------
hooks/post-receive
--