[ARVADOS] updated: 1.1.4-598-g70138209b

Git user git at public.curoverse.com
Thu Jul 12 16:52:59 EDT 2018


Summary of changes:
 lib/controller/handler.go           | 17 +++++++++++++++++
 sdk/python/tests/nginx.conf         | 24 ++++++++++++++++++++----
 sdk/python/tests/run_test_server.py | 19 ++++++++++++-------
 services/keep-web/cache.go          |  2 +-
 services/keep-web/cadaver_test.go   |  2 +-
 services/keep-web/handler.go        |  4 ++++
 services/keep-web/handler_test.go   |  2 +-
 7 files changed, 56 insertions(+), 14 deletions(-)

       via  70138209b3dcb1d6d54f6cd2aa2e279c4441ecda (commit)
       via  bc603ec9d2ec299c3bc05d005c54015bd6072b17 (commit)
       via  85f0a03adeacbe31b12f435509d2ed7931093bf7 (commit)
       via  751cd3892cbcf7ecb65ec416dba52ee84a2fee2a (commit)
      from  02d7f4e820b65d83a5e3709dc14b6d72b9f5ab49 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 70138209b3dcb1d6d54f6cd2aa2e279c4441ecda
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Thu Jul 12 16:50:59 2018 -0400

    13497: Avoid misdirecting POST to GET when request has double slash.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/lib/controller/handler.go b/lib/controller/handler.go
index 30994130d..a1a69a88e 100644
--- a/lib/controller/handler.go
+++ b/lib/controller/handler.go
@@ -30,6 +30,20 @@ type Handler struct {
 
 func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	h.setupOnce.Do(h.setup)
+	if req.Method != "GET" && req.Method != "HEAD" {
+		// http.ServeMux returns 301 with a cleaned path if
+		// the incoming request has a double slash. Some
+		// clients (including the Go standard library) change
+		// the request method to GET when following a 301
+		// redirect if the original method was not HEAD
+		// (RFC7231 6.4.2 specifically allows this in the case
+		// of POST). Thus "POST //foo" gets misdirected to
+		// "GET /foo". To avoid this, eliminate double slashes
+		// before passing the request to ServeMux.
+		for strings.Contains(req.URL.Path, "//") {
+			req.URL.Path = strings.Replace(req.URL.Path, "//", "/", -1)
+		}
+	}
 	h.handlerStack.ServeHTTP(w, req)
 }
 
diff --git a/services/keep-web/cache.go b/services/keep-web/cache.go
index 9ee99903c..59e8de3bc 100644
--- a/services/keep-web/cache.go
+++ b/services/keep-web/cache.go
@@ -99,7 +99,7 @@ func (c *cache) Update(client *arvados.Client, coll arvados.Collection, fs arvad
 	}
 	var updated arvados.Collection
 	defer c.pdhs.Remove(coll.UUID)
-	err := client.RequestAndDecode(&updated, "PATCH", "/arvados/v1/collections/"+coll.UUID, client.UpdateBody(coll), nil)
+	err := client.RequestAndDecode(&updated, "PATCH", "arvados/v1/collections/"+coll.UUID, client.UpdateBody(coll), nil)
 	if err == nil {
 		c.collections.Add(client.AuthToken+"\000"+coll.PortableDataHash, &cachedCollection{
 			expire:     time.Now().Add(time.Duration(c.TTL)),
diff --git a/services/keep-web/cadaver_test.go b/services/keep-web/cadaver_test.go
index 3814a459d..0e2f17c35 100644
--- a/services/keep-web/cadaver_test.go
+++ b/services/keep-web/cadaver_test.go
@@ -74,7 +74,7 @@ func (s *IntegrationSuite) testCadaver(c *check.C, password string, pathFunc fun
 	var newCollection arvados.Collection
 	arv := arvados.NewClientFromEnv()
 	arv.AuthToken = arvadostest.ActiveToken
-	err = arv.RequestAndDecode(&newCollection, "POST", "/arvados/v1/collections", bytes.NewBufferString(url.Values{"collection": {"{}"}}.Encode()), nil)
+	err = arv.RequestAndDecode(&newCollection, "POST", "arvados/v1/collections", bytes.NewBufferString(url.Values{"collection": {"{}"}}.Encode()), nil)
 	c.Assert(err, check.IsNil)
 
 	readPath, writePath, pdhPath := pathFunc(newCollection)

commit bc603ec9d2ec299c3bc05d005c54015bd6072b17
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Thu Jul 12 16:43:37 2018 -0400

    13497: Use X-Forwarded-Proto as scheme for keep-web redirect URLs.
    
    This avoids relying on the downstream proxy to rewrite redirects.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/sdk/python/tests/run_test_server.py b/sdk/python/tests/run_test_server.py
index 36d2477d1..6e99f23d7 100644
--- a/sdk/python/tests/run_test_server.py
+++ b/sdk/python/tests/run_test_server.py
@@ -174,7 +174,7 @@ def find_available_port():
     sock.close()
     return port
 
-def _wait_until_port_listens(port, timeout=10):
+def _wait_until_port_listens(port, timeout=10, warn=True):
     """Wait for a process to start listening on the given port.
 
     If nothing listens on the port within the specified timeout (given
@@ -196,11 +196,13 @@ def _wait_until_port_listens(port, timeout=10):
         except subprocess.CalledProcessError:
             time.sleep(0.1)
             continue
-        return
-    print(
-        "WARNING: Nothing is listening on port {} (waited {} seconds).".
-        format(port, timeout),
-        file=sys.stderr)
+        return True
+    if warn:
+        print(
+            "WARNING: Nothing is listening on port {} (waited {} seconds).".
+            format(port, timeout),
+            file=sys.stderr)
+    return False
 
 def _logfilename(label):
     """Set up a labelled log file, and return a path to write logs to.
@@ -376,6 +378,10 @@ def reset():
         headers={'Authorization': 'OAuth2 {}'.format(token)})
     os.environ['ARVADOS_API_HOST_INSECURE'] = 'true'
     os.environ['ARVADOS_API_TOKEN'] = token
+    if _wait_until_port_listens(_getport('controller-ssl'), timeout=0.5, warn=False):
+        os.environ['ARVADOS_API_HOST'] = '0.0.0.0:'+str(_getport('controller-ssl'))
+    else:
+        os.environ['ARVADOS_API_HOST'] = existing_api_host
 
 def stop(force=False):
     """Stop the API server, if one is running.
diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go
index 517ec1a2a..7d17be6e7 100644
--- a/services/keep-web/handler.go
+++ b/services/keep-web/handler.go
@@ -183,6 +183,9 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) {
 	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
 		remoteAddr = xff + "," + remoteAddr
 	}
+	if xfp := r.Header.Get("X-Forwarded-Proto"); xfp != "" && xfp != "http" {
+		r.URL.Scheme = xfp
+	}
 
 	w := httpserver.WrapResponseWriter(wOrig)
 	defer func() {
@@ -773,6 +776,7 @@ func (h *handler) seeOtherWithCookie(w http.ResponseWriter, r *http.Request, loc
 		u = newu
 	}
 	redir := (&url.URL{
+		Scheme:   r.URL.Scheme,
 		Host:     r.Host,
 		Path:     u.Path,
 		RawQuery: redirQuery.Encode(),
diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go
index f86f81bfa..206bf6f43 100644
--- a/services/keep-web/handler_test.go
+++ b/services/keep-web/handler_test.go
@@ -513,7 +513,7 @@ func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, ho
 	if resp.Code != http.StatusSeeOther {
 		return resp
 	}
-	c.Check(resp.Body.String(), check.Matches, `.*href="//`+regexp.QuoteMeta(html.EscapeString(hostPath))+`(\?[^"]*)?".*`)
+	c.Check(resp.Body.String(), check.Matches, `.*href="http://`+regexp.QuoteMeta(html.EscapeString(hostPath))+`(\?[^"]*)?".*`)
 	cookies := (&http.Response{Header: resp.Header()}).Cookies()
 
 	u, _ = u.Parse(resp.Header().Get("Location"))

commit 85f0a03adeacbe31b12f435509d2ed7931093bf7
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Thu Jul 12 14:09:59 2018 -0400

    13497: Fix Rails redirect targets.
    
    Rails relies on the X-Forwarded-Proto request header, so we need to
    set that in the test suite's Nginx config, like we do in the install
    guide.
    
    Also tidy up needlessly divergent proxy directives in Nginx test
    config.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/lib/controller/handler.go b/lib/controller/handler.go
index 92ded6301..30994130d 100644
--- a/lib/controller/handler.go
+++ b/lib/controller/handler.go
@@ -94,6 +94,9 @@ func (h *Handler) proxyRailsAPI(w http.ResponseWriter, reqIn *http.Request) {
 		xff = xffIn + "," + xff
 	}
 	hdrOut.Set("X-Forwarded-For", xff)
+	if hdrOut.Get("X-Forwarded-Proto") == "" {
+		hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme)
+	}
 	hdrOut.Add("Via", reqIn.Proto+" arvados-controller")
 
 	ctx := reqIn.Context()
diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf
index ce1929fdf..a247e40c0 100644
--- a/sdk/python/tests/nginx.conf
+++ b/sdk/python/tests/nginx.conf
@@ -19,6 +19,10 @@ http {
     ssl_certificate_key "{{SSLKEY}}";
     location  / {
       proxy_pass http://arv-git-http;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
     }
   }
   upstream keepproxy {
@@ -31,6 +35,10 @@ http {
     ssl_certificate_key "{{SSLKEY}}";
     location  / {
       proxy_pass http://keepproxy;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
     }
   }
   upstream keep-web {
@@ -43,8 +51,10 @@ http {
     ssl_certificate_key "{{SSLKEY}}";
     location  / {
       proxy_pass http://keep-web;
-      proxy_set_header Host $request_host:{{KEEPWEBPORT}};
+      proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
     }
   }
   server {
@@ -54,9 +64,10 @@ http {
     ssl_certificate_key "{{SSLKEY}}";
     location  / {
       proxy_pass http://keep-web;
-      proxy_set_header Host download:{{KEEPWEBPORT}};
+      proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_redirect //download:{{KEEPWEBPORT}}/ https://$host:{{KEEPWEBDLSSLPORT}}/;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
     }
   }
   upstream ws {
@@ -71,8 +82,10 @@ http {
       proxy_pass http://ws;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
-      proxy_set_header Host $request_host:{{WSPORT}};
+      proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
     }
   }
   upstream controller {
@@ -85,7 +98,10 @@ http {
     ssl_certificate_key "{{SSLKEY}}";
     location  / {
       proxy_pass http://controller;
+      proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
     }
   }
 }

commit 751cd3892cbcf7ecb65ec416dba52ee84a2fee2a
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Thu Jul 12 11:06:45 2018 -0400

    13497: Fix bypassing controller in test suite after calling reset().
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/sdk/python/tests/run_test_server.py b/sdk/python/tests/run_test_server.py
index f7ca6daf6..36d2477d1 100644
--- a/sdk/python/tests/run_test_server.py
+++ b/sdk/python/tests/run_test_server.py
@@ -375,7 +375,6 @@ def reset():
         'POST',
         headers={'Authorization': 'OAuth2 {}'.format(token)})
     os.environ['ARVADOS_API_HOST_INSECURE'] = 'true'
-    os.environ['ARVADOS_API_HOST'] = existing_api_host
     os.environ['ARVADOS_API_TOKEN'] = token
 
 def stop(force=False):

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list