[ARVADOS] updated: 748e1bba296d4d05252d0fbd9f75764234d9166d
Git user
git at public.curoverse.com
Mon Nov 14 15:34:44 EST 2016
Summary of changes:
services/ws/handler.go | 2 +-
services/ws/permission.go | 78 +++++++++++++++++++++++++++++++++++++++++++++
services/ws/proxy_client.go | 41 ------------------------
services/ws/session_v0.go | 11 ++++---
4 files changed, 85 insertions(+), 47 deletions(-)
create mode 100644 services/ws/permission.go
delete mode 100644 services/ws/proxy_client.go
via 748e1bba296d4d05252d0fbd9f75764234d9166d (commit)
via 0770b0ece2046cb33f598ff67168f4d08e2d0c87 (commit)
from d07dbb66a0e06d07a1b6159d6121d924a06dbb58 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 748e1bba296d4d05252d0fbd9f75764234d9166d
Author: Tom Clegg <tom at curoverse.com>
Date: Mon Nov 14 15:34:40 2016 -0500
8460: Check permissions on event target instead of log entry.
diff --git a/services/ws/session_v0.go b/services/ws/session_v0.go
index 257e985..3b24a7f 100644
--- a/services/ws/session_v0.go
+++ b/services/ws/session_v0.go
@@ -58,7 +58,7 @@ func (sess *sessionV0) EventMessage(e *event) ([]byte, error) {
return nil, nil
}
- ok, err := sess.permChecker.Check(detail.UUID)
+ ok, err := sess.permChecker.Check(detail.ObjectUUID)
if err != nil || !ok {
return nil, err
}
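Review bot: The new `sess.permChecker.Check(detail.ObjectUUID)` call has no guard for a target UUID that is empty or refers to an object that no longer exists. Going by `Check` in permission.go from the same push, a 404 becomes `false, nil`, so an event about a deleted object would be dropped for every client. If `PathForUUID` rejects an empty UUID, that error is passed back through `return nil, err` rather than being treated as "not permitted". It is worth confirming both outcomes are intended and saying so above the call, e.g. `// events whose target is unreadable or gone are dropped; lookup errors are returned to the caller`. The body of EventMessage starts and ends outside this hunk.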
commit 0770b0ece2046cb33f598ff67168f4d08e2d0c87
Author: Tom Clegg <tom at curoverse.com>
Date: Mon Nov 14 15:30:47 2016 -0500
8460: Cache permissions.
diff --git a/services/ws/handler.go b/services/ws/handler.go
index d42b137c..e2aa6ca 100644
--- a/services/ws/handler.go
+++ b/services/ws/handler.go
@@ -72,7 +72,7 @@ func (h *handler) Handle(ws wsConn, events <-chan *event) {
for e := range queue {
if e == nil {
ws.SetWriteDeadline(time.Now().Add(h.PingTimeout))
- _, err := ws.Write([]byte("{}\n"))
+ _, err := ws.Write([]byte("{}"))
if err != nil {
sess.debugLogf("handler: write {}: %s", err)
stop <- err
diff --git a/services/ws/permission.go b/services/ws/permission.go
new file mode 100644
index 0000000..b2b962c
--- /dev/null
+++ b/services/ws/permission.go
@@ -0,0 +1,78 @@
+package main
+
+import (
+ "net/http"
+ "net/url"
+ "time"
+
+ "git.curoverse.com/arvados.git/sdk/go/arvados"
+)
+
+const (
+ maxPermCacheAge = time.Hour
+ minPermCacheAge = 5 * time.Minute
+)
+
+type permChecker interface {
+ SetToken(token string)
+ Check(uuid string) (bool, error)
+}
+
+func NewPermChecker(ac arvados.Client) permChecker {
+ ac.AuthToken = ""
+ return &cachingPermChecker{
+ Client: &ac,
+ cache: make(map[string]time.Time),
+ maxCurrent: 16,
+ }
+}
+
+type cachingPermChecker struct {
+ *arvados.Client
+ cache map[string]time.Time
+ maxCurrent int
+}
+
+func (pc *cachingPermChecker) SetToken(token string) {
+ pc.Client.AuthToken = token
+}
+
+func (pc *cachingPermChecker) Check(uuid string) (bool, error) {
+ pc.tidy()
+ if t, ok := pc.cache[uuid]; ok && time.Now().Sub(t) < maxPermCacheAge {
+ debugLogf("perm ok (cached): %+q %+q", pc.Client.AuthToken, uuid)
+ return true, nil
+ }
+ var buf map[string]interface{}
+ path, err := pc.PathForUUID("get", uuid)
+ if err != nil {
+ return false, err
+ }
+ err = pc.RequestAndDecode(&buf, "GET", path, nil, url.Values{
+ "select": {`["uuid"]`},
+ })
+ if err, ok := err.(arvados.TransactionError); ok && err.StatusCode == http.StatusNotFound {
+ debugLogf("perm err: %+q %+q: %s", pc.Client.AuthToken, uuid, err)
+ return false, nil
+ }
+ if err != nil {
+ debugLogf("perm !ok: %+q %+q", pc.Client.AuthToken, uuid)
+ return false, err
+ }
+ debugLogf("perm ok: %+q %+q", pc.Client.AuthToken, uuid)
+ pc.cache[uuid] = time.Now()
+ return true, nil
+}
+
+func (pc *cachingPermChecker) tidy() {
+ if len(pc.cache) <= pc.maxCurrent*2 {
+ return
+ }
+ tooOld := time.Now().Add(-minPermCacheAge)
+ for uuid, t := range pc.cache {
+ if t.Before(tooOld) {
+ delete(pc.cache, uuid)
+ }
+ }
+ pc.maxCurrent = len(pc.cache)
+}
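Review bot: All four `debugLogf` calls in `Check` print `pc.Client.AuthToken` in full, so every permission check writes a usable API token to the debug log; the `sess.debugLogf("token = %+q", token)` line in the NewSessionV0 hunk of session_v0.go does the same. Logging only the UUID, e.g. `debugLogf("perm ok (cached): %+q", uuid)`, keeps the trace useful without the credential. Separately, the cache is keyed by UUID alone and `SetToken` does not reset it, so a positive result stored under one token would be served for a different token if `SetToken` were ever called a second time. In the visible code it is called once per session, but adding `pc.cache = make(map[string]time.Time)` to `SetToken` would make that safe by construction. A doc comment on `maxPermCacheAge` should also state that a revoked permission can continue to be honoured from the cache for up to an hour.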
diff --git a/services/ws/proxy_client.go b/services/ws/proxy_client.go
deleted file mode 100644
index 28be2e2..0000000
--- a/services/ws/proxy_client.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package main
-
-import (
- "net/http"
- "net/url"
-
- "git.curoverse.com/arvados.git/sdk/go/arvados"
-)
-
-type proxyClient struct {
- *arvados.Client
-}
-
-func NewProxyClient(ac arvados.Client) *proxyClient {
- ac.AuthToken = ""
- return &proxyClient{
- Client: &ac,
- }
-}
-
-func (pc *proxyClient) SetToken(token string) {
- pc.Client.AuthToken = token
-}
-
-func (pc *proxyClient) CheckReadPermission(uuid string) (bool, error) {
- var buf map[string]interface{}
- path, err := pc.PathForUUID("get", uuid)
- if err != nil {
- return false, err
- }
- err = pc.RequestAndDecode(&buf, "GET", path, nil, url.Values{
- "select": {`["uuid"]`},
- })
- if err, ok := err.(arvados.TransactionError); ok && err.StatusCode == http.StatusNotFound {
- return false, nil
- }
- if err != nil {
- return false, err
- }
- return true, nil
-}
diff --git a/services/ws/session_v0.go b/services/ws/session_v0.go
index 15efc1d..257e985 100644
--- a/services/ws/session_v0.go
+++ b/services/ws/session_v0.go
@@ -16,7 +16,7 @@ var (
type sessionV0 struct {
ws wsConn
- proxyClient *proxyClient
+ permChecker permChecker
subscribed map[string]bool
mtx sync.Mutex
setupOnce sync.Once
@@ -25,7 +25,7 @@ type sessionV0 struct {
func NewSessionV0(ws wsConn, ac arvados.Client) (session, error) {
sess := &sessionV0{
ws: ws,
- proxyClient: NewProxyClient(ac),
+ permChecker: NewPermChecker(ac),
subscribed: make(map[string]bool),
}
@@ -35,8 +35,8 @@ func NewSessionV0(ws wsConn, ac arvados.Client) (session, error) {
return nil, err
}
token := ws.Request().Form.Get("api_token")
- sess.proxyClient.SetToken(token)
- sess.debugLogf("handlerV0: token = %+q", token)
+ sess.permChecker.SetToken(token)
+ sess.debugLogf("token = %+q", token)
return sess, nil
}
@@ -57,7 +57,8 @@ func (sess *sessionV0) EventMessage(e *event) ([]byte, error) {
if detail == nil {
return nil, nil
}
- ok, err := sess.proxyClient.CheckReadPermission(detail.UUID)
+
+ ok, err := sess.permChecker.Check(detail.UUID)
if err != nil || !ok {
return nil, err
}
-----------------------------------------------------------------------
hooks/post-receive
--