[ARVADOS] updated: bdc9139d17c184a58e5088270f2ce6ba361fb8a7

git at public.curoverse.com git at public.curoverse.com
Tue May 6 11:17:34 EDT 2014


Summary of changes:
 services/keep/src/keep/keep.go |   30 ++++++++++++++++++------------
 1 files changed, 18 insertions(+), 12 deletions(-)

       via  bdc9139d17c184a58e5088270f2ce6ba361fb8a7 (commit)
      from  7c8bfeb8d19db4f27b5fb5fd78e0afa3b7d07a89 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit bdc9139d17c184a58e5088270f2ce6ba361fb8a7
Author: Tim Pierce <twp at curoverse.com>
Date:   Tue May 6 11:16:19 2014 -0400

    Check GET permissions in the HTTP handler.
    
    Move the check for the permission signature to the HTTP handler, so the
    back end can still call GetBlock without having to move permissions all
    the way down the stack. Refs #2328

diff --git a/services/keep/src/keep/keep.go b/services/keep/src/keep/keep.go
index d98965c..6619a80 100644
--- a/services/keep/src/keep/keep.go
+++ b/services/keep/src/keep/keep.go
@@ -200,13 +200,14 @@ func FindKeepVolumes() []string {
 func GetBlockHandler(w http.ResponseWriter, req *http.Request) {
 	hash := mux.Vars(req)["hash"]
 
-	// Find an API token, if present.
-	var api_token string
-	if auth, ok := req.Header["Authorization"]; ok {
-		if strings.StartsWith(auth[0], "OAuth ") {
-			api_token = auth[0][6:]
+	// If permission checking is in effect, verify this
+	// request's permission signature.
+	if PermissionSecret != nil {
+		if !VerifySignature(hash, GetApiToken(req)) {
+			http.Error(w, PermissionError.Error(), 401)
 		}
 	}
+
 	block, err := GetBlock(hash)
 	if err != nil {
 		http.Error(w, err.Error(), 404)
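Review bot: The new 401 branch at `http.Error(w, PermissionError.Error(), 401)` has no `return`, so a request whose signature fails verification still falls through to `GetBlock(hash)`. The rest of GetBlockHandler lies outside this hunk, but presumably it then writes the block to the response, which would make the check ineffective. Add `return` on the line after the `http.Error` call. Because this commit also removes the check from GetBlock, the handler is now the only enforcement point, so a comment such as `// GetBlock does no permission check; verify the signature before calling it.` above the call would help future callers.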
@@ -342,13 +343,6 @@ func GetVolumeStatus(volume string) *VolumeStatus {
 }
 
 func GetBlock(hash string) ([]byte, error) {
-	// Check the permission signature of this request if necessary.
-	if PermissionSecret != nil {
-		if !VerifySignature(hash) {
-			return nil, PermissionError
-		}
-	}
-
 	// Attempt to read the requested hash from a keep volume.
 	for _, vol := range KeepVM.Volumes() {
 		if buf, err := vol.Get(hash); err != nil {
@@ -494,3 +488,15 @@ func IsValidLocator(loc string) bool {
 	log.Printf("IsValidLocator: %s\n", err)
 	return false
 }
+
+// GetApiToken returns the OAuth token from the Authorization
+// header of a HTTP request, or an empty string if no matching
+// token is found.
+func GetApiToken(req *http.Request) string {
+	if auth, ok := req.Header["Authorization"]; ok {
+		if strings.HasPrefix(auth[0], "OAuth ") {
+			return auth[0][6:]
+		}
+	}
+	return ""
+}
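Review bot: GetApiToken returns `""` both when the Authorization header is absent and when its scheme is not `OAuth `, so the permission decision relies on VerifySignature rejecting an empty token, which this diff does not show. Either state that requirement in the doc comment or have the handler treat an empty token as a failed check before calling VerifySignature. Indexing `auth[0]` also assumes the header slice is non-empty, which holds for requests parsed by net/http but not necessarily for hand-built ones in tests. `auth := req.Header.Get("Authorization")` followed by `strings.HasPrefix(auth, "OAuth ")` avoids the index.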

-----------------------------------------------------------------------


hooks/post-receive
-- 



