Story #17109

Support keep-web URLs with collection the domain name

Added by Peter Amstutz 11 months ago. Updated 9 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Workbench2
Target version:
Start date:
01/13/2021
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

WebDAV supports URLs where the collection uuid/PDH is embedded in the DNS name rather than the path, for example:

    Services:
      WebDAV:
        ExternalURL: https://*.collections.ClusterID.example.com/

or
    Services:
      WebDAV:
        ExternalURL: https://*--collections.ClusterID.example.com/

This is documented in https://doc.arvados.org/v2.1/api/keep-web-urls.html

This configuration needs to be supported in Workbench 2 for "inline" browser links like opening a file from Keep in a browser new tab, or displaying an image from Keep inline.


Subtasks

Task #17237: Review 17109-keepweb-webdav-urlsResolvedPeter Amstutz

Task #17263: Review 17109-keepweb-urls-samesite-docResolvedPeter Amstutz


Related issues

Blocked by Arvados - Feature #17011: Add keep-web wildcard DNS to saltResolved11/25/2020

Associated revisions

Revision 00f3ff11
Added by Lucas Di Pentima 9 months ago

Merge branch '17109-keepweb-webdav-urls'
Refs #17109

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

Revision e68d8abe
Added by Lucas Di Pentima 9 months ago

Merge branch '17109-keepweb-urls-pdh-support'
Refs #17109

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

Revision 3576206e
Added by Lucas Di Pentima 9 months ago

Merge branch '17109-keepweb-urls-samesite-doc'
Closes #17109

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <>

History

#1 Updated by Peter Amstutz 11 months ago

#2 Updated by Peter Amstutz 11 months ago

  • Description updated (diff)

#3 Updated by Peter Amstutz 11 months ago

  • Target version set to 2021-01-06 Sprint

#4 Updated by Peter Amstutz 10 months ago

  • Target version changed from 2021-01-06 Sprint to 2021-01-20 Sprint

#5 Updated by Peter Amstutz 9 months ago

  • Category set to Workbench2

#6 Updated by Lucas Di Pentima 9 months ago

  • Assigned To set to Lucas Di Pentima

#7 Updated by Peter Amstutz 9 months ago

  • Description updated (diff)

#8 Updated by Lucas Di Pentima 9 months ago

  • Status changed from New to In Progress

#9 Updated by Lucas Di Pentima 9 months ago

Updates at arvados-workbench2|10dcb972 - branch 17109-keepweb-webdav-urls
Test runs: Changes:
  • Fixes inline file url handling/building
  • Adds tests
  • Bonus: further stabilizes integration tests by adding additional guards. Tested 5 times without issues on Jenkins & many more locally without problems.

#10 Updated by Peter Amstutz 9 months ago

From chat:

The inline image link behaves in some confusing ways because of "SameSite" cookie policies and the keep-web redirect.

If you link to the image from workbench2 hosted on the same "site", then it is a same-site request and keep-web can set cookies.

If you link to the image from workbench2 hosted on a different "site", then it is a cross-site request and keep-web cannot set cookies.

If you navigate to the image with "open in new tab", the "Lax" policy permits setting cookies because you are navigating to a new page.

When doing development or testing and run workbench2 on your workstation, it will be "localhost" (or whatever) which is not the same site as the zzzzz.arvadosapi.com.

Add some text to https://doc.arvados.org/main/api/keep-web-urls.html explaining that workbench2 and keep-web shouldn't have the same "origin" but they should have the same "site" as explained here:

https://web.dev/samesite-cookies-explained/#explicitly-state-cookie-usage-with-the-samesite-attribute

Documentation of cookie policies:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

#11 Updated by Peter Amstutz 9 months ago

Lucas Di Pentima wrote:

Updates at arvados-workbench2|10dcb972 - branch 17109-keepweb-webdav-urls
Test runs: Changes:
  • Fixes inline file url handling/building
  • Adds tests
  • Bonus: further stabilizes integration tests by adding additional guards. Tested 5 times without issues on Jenkins & many more locally without problems.

This LGTM.

Once this deploys let's do some testing to confirm that it does actually work the way we want it to when wb2 is on the "same site" as keep-web.

Also asking for a doc branch that covers information in note-10.

#12 Updated by Lucas Di Pentima 9 months ago

Documentation updates at f64f557db - branch 17109-keepweb-urls-samesite-doc

  • Adds a couple of notes about keep-web preview URLs having to be on the same site as Workbench.

#13 Updated by Lucas Di Pentima 9 months ago

WB2 updates at arvados-workbench2|5f40f3d3 - branch 17109-keepweb-urls-pdh-support
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/245/

  • Adds support for building keep-web urls with PDHs.
  • Adds/updates tests.

#14 Updated by Peter Amstutz 9 months ago

Lucas Di Pentima wrote:

Documentation updates at f64f557db - branch 17109-keepweb-urls-samesite-doc

  • Adds a couple of notes about keep-web preview URLs having to be on the same site as Workbench.

"Site" has a really specific technical meaning for cookies that we need to call out, that's the point of this documentation update. I dug in and this seems to be the relevant RFC:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2

The explanation should also describe the behavior: if a token is passed to keep-web in the URL, it will return a redirect including a cookie with token (so it is no longer exposed) but if keep-web is not on the "same site" as workbench, the cookie will be ignored and not sent back, resulting in the browser trying to perform unauthenticated access on the collection.

#15 Updated by Lucas Di Pentima 9 months ago

  • Target version changed from 2021-01-20 Sprint to 2021-02-03 Sprint

#16 Updated by Peter Amstutz 9 months ago

Lucas Di Pentima wrote:

WB2 updates at arvados-workbench2|5f40f3d3 - branch 17109-keepweb-urls-pdh-support
Test run: https://ci.arvados.org/view/Developer/job/developer-tests-workbench2/245/

  • Adds support for building keep-web urls with PDHs.
  • Adds/updates tests.

This LGTM.

#17 Updated by Lucas Di Pentima 9 months ago

Peter Amstutz wrote:

"Site" has a really specific technical meaning for cookies that we need to call out, that's the point of this documentation update. I dug in and this seems to be the relevant RFC:

https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03#section-5.2

The explanation should also describe the behavior: if a token is passed to keep-web in the URL, it will return a redirect including a cookie with token (so it is no longer exposed) but if keep-web is not on the "same site" as workbench, the cookie will be ignored and not sent back, resulting in the browser trying to perform unauthenticated access on the collection.

Updated the documentation at 5727f6452

#18 Updated by Peter Amstutz 9 months ago

Just one comment:

"specially" in "specially when rendering inline content" is a typo, the word you want is "especially"

Rest LGTM.

#19 Updated by Anonymous 9 months ago

  • Status changed from In Progress to Resolved

Also available in: Atom PDF