[ARVADOS] created: ff15e4e93e8c45239f653d495f7c76cfe4239337
git at public.curoverse.com
git at public.curoverse.com
Tue Jul 8 09:18:13 EDT 2014
at ff15e4e93e8c45239f653d495f7c76cfe4239337 (commit)
commit ff15e4e93e8c45239f653d495f7c76cfe4239337
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Tue Jul 8 09:18:07 2014 -0400
Keepproxy uses the client-supplied token when forwarding GET and PUT requests.
diff --git a/services/keep/src/arvados.org/keepproxy/keepproxy.go b/services/keep/src/arvados.org/keepproxy/keepproxy.go
index e3a2ce9..367854b 100644
--- a/services/keep/src/arvados.org/keepproxy/keepproxy.go
+++ b/services/keep/src/arvados.org/keepproxy/keepproxy.go
@@ -193,35 +193,34 @@ func GetRemoteAddress(req *http.Request) string {
return req.RemoteAddr
}
-func CheckAuthorizationHeader(kc keepclient.KeepClient, cache *ApiTokenCache, req *http.Request) bool {
+func CheckAuthorizationHeader(kc keepclient.KeepClient, cache *ApiTokenCache, req *http.Request) (pass bool, tok string) {
var auth string
if auth = req.Header.Get("Authorization"); auth == "" {
- return false
+ return false, ""
}
- var tok string
_, err := fmt.Sscanf(auth, "OAuth2 %s", &tok)
if err != nil {
// Scanning error
- return false
+ return false, ""
}
if cache.RecallToken(tok) {
// Valid in the cache, short circut
- return true
+ return true, tok
}
arv := *kc.Arvados
arv.ApiToken = tok
if err := arv.Call("HEAD", "users", "", "current", nil, nil); err != nil {
log.Printf("%s: CheckAuthorizationHeader error: %v", GetRemoteAddress(req), err)
- return false
+ return false, ""
}
// Success! Update cache
cache.RememberToken(tok)
- return true
+ return true, tok
}
type GetBlockHandler struct {
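Review bot: CheckAuthorizationHeader now hands a bearer credential back to its callers, but the new `(pass bool, tok string)` signature has no doc comment stating the contract. I would add `// CheckAuthorizationHeader validates the OAuth2 token in the Authorization header and returns it; tok is "" whenever pass is false and must never be logged.` above the function. The cache short-circuit path returns the token without re-checking it against the API server, so how long a revoked token keeps passing the proxy depends on ApiTokenCache's expiry, which is not visible in this hunk; the downstream Keep server will presumably still reject it, but that is worth confirming.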
@@ -281,11 +280,18 @@ func (this GetBlockHandler) ServeHTTP(resp http.ResponseWriter, req *http.Reques
log.Printf("%s: %s %s", GetRemoteAddress(req), req.Method, hash)
- if !CheckAuthorizationHeader(kc, this.ApiTokenCache, req) {
+ var pass bool
+ var tok string
+ if pass, tok = CheckAuthorizationHeader(kc, this.ApiTokenCache, req); !pass {
http.Error(resp, "Missing or invalid Authorization header", http.StatusForbidden)
return
}
+ // Copy ArvadosClient struct and use the client's API token
+ arvclient := *kc.Arvados
+ arvclient.ApiToken = tok
+ kc.Arvados = &arvclient
+
var reader io.ReadCloser
var err error
var blocklen int64
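Review bot: The assignment `kc.Arvados = &arvclient` is only safe if `kc` is a per-request copy of the handler's KeepClient; its declaration is above this hunk, so that cannot be confirmed from here. If `kc` aliases state shared between requests, concurrent requests would race on the pointer and one client's token could be sent with another client's request. The same four lines are repeated in PutBlockHandler.ServeHTTP in the next hunk, so a small helper that returns a KeepClient copy bound to the token would keep both in step. The two `var` declarations can also collapse into `pass, tok := CheckAuthorizationHeader(kc, this.ApiTokenCache, req)` followed by `if !pass {`.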
@@ -356,11 +362,18 @@ func (this PutBlockHandler) ServeHTTP(resp http.ResponseWriter, req *http.Reques
return
}
- if !CheckAuthorizationHeader(kc, this.ApiTokenCache, req) {
+ var pass bool
+ var tok string
+ if pass, tok = CheckAuthorizationHeader(kc, this.ApiTokenCache, req); !pass {
http.Error(resp, "Missing or invalid Authorization header", http.StatusForbidden)
return
}
+ // Copy ArvadosClient struct and use the client's API token
+ arvclient := *kc.Arvados
+ arvclient.ApiToken = tok
+ kc.Arvados = &arvclient
+
// Check if the client specified the number of replicas
if req.Header.Get("X-Keep-Desired-Replicas") != "" {
var r int