Project

General

Profile

Actions

Bug #17598

closed

[keep-web] should be tolerant of superfluous :443's in the arvados config

Added by Ward Vandewege over 3 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release relationship:
Auto

Description

With a config like this:

      WebDAVDownload:
        ExternalURL: https://download.xxxx1.arvadosapi.com:443

keep-web does a literal comparison of ExternalURL.Host with a http.Request.Host in `services/keep-web/handler.go` line 251, and the superfluous :443 in the config trips that up, which causes it to go into "turtle mode" and fall back to the anonymous token. In the normal (i.e. no anonymous access) case, that breaks all downloads with a 401, for example it makes viewing collection contents in WB2 fail.

keep-web should handle the special cases of :443 and :80 correctly. (also :https and :http)

two other lessons learned that need to be fixed:

  1. if AnonymousUserToken is empty, don't add it to 'tokens' in handler.go:349 (this is #17597)
  2. if a token was provided but not used (credentialsOK is false on line 295), it should log a warning saying that it is refusing to accept credentials, give some indication why, and (if applicable) indicate it will fall back to trying AnonymousUserToken

Subtasks 1 (0 open1 closed)

Task #17599: Review 17598-keep-web-urlResolvedPeter Amstutz04/29/2021Actions
Actions #1

Updated by Ward Vandewege over 3 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Ward Vandewege over 3 years ago

  • Status changed from In Progress to New
  • Subject changed from [keep-web to [keep-web] should be tolerant of superfluous :443's in the arvados config
Actions #3

Updated by Ward Vandewege over 3 years ago

  • Description updated (diff)
Actions #4

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #6

Updated by Tom Clegg over 3 years ago

  • Description updated (diff)
Actions #7

Updated by Peter Amstutz over 3 years ago

  • Assigned To set to Peter Amstutz
  • Status changed from New to In Progress
Actions #8

Updated by Peter Amstutz over 3 years ago

17598-keep-web-url @ arvados|d48cff711af8255f3b2b69506b54a283c1aab776

  • Remove :80 and :443 before doing comparison. This does mean it will treat :80 and :443 as the same vhost. This seems fine.
  • Handle the case of "no anonymous user token" better
  • Improve error response when an access token is being deliberately ignored by keep-web
  • Update tests.

developer-run-tests: #2443

Actions #9

Updated by Tom Clegg over 3 years ago

StripDefaultPort()
  • should be unexported stripDefaultPort (even though this is package main)
  • will do weird things if host is like [::1]:443 ... there is some code in net/url we could make use of here, like
    u := &url.URL{Host: host}
    if p := u.Port(); p == "80" || p == "443" {
      return u.Hostname()
    } else {
      return host
    }
    

The vhost explanation says "...did not match either Services.WebDAV or Services.WebDAVDownload" which (I think) will be confusing when it does in fact match Services.WebDAV url but doesn't contain a collection ID (cf parseCollectionIDFromDNSName).

Maybe this?

Authorization tokens are not accepted here: vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false

Actions #10

Updated by Peter Amstutz over 3 years ago

Tom Clegg wrote:

StripDefaultPort()
  • should be unexported stripDefaultPort (even though this is package main)

Fixed.

  • will do weird things if host is like [::1]:443 ... there is some code in net/url we could make use of here, like [...]

Oh, I completely forgot about IPv6 addresses. Fixed.

The vhost explanation says "...did not match either Services.WebDAV or Services.WebDAVDownload" which (I think) will be confusing when it does in fact match Services.WebDAV url but doesn't contain a collection ID (cf parseCollectionIDFromDNSName).

Maybe this?

Authorization tokens are not accepted here: vhost %q does not specify a single collection ID or match Services.WebDAVDownload.ExternalURL %q, and Collections.TrustAllContent is false

Updated message.

17598-keep-web-url @ arvados|c736087b86da2353965e5722a38cff5e7d891fd2

developer-run-tests: #2444

Actions #11

Updated by Tom Clegg over 3 years ago

LGTM, thanks!

Actions #12

Updated by Peter Amstutz over 3 years ago

  • Status changed from In Progress to Resolved
Actions #13

Updated by Peter Amstutz over 3 years ago

  • Status changed from Resolved to Feedback

Needs to also account for case because domain names are not supposed to be case sensitive

Actions #15

Updated by Tom Clegg over 3 years ago

LGTM, thanks!

Actions #16

Updated by Peter Amstutz over 3 years ago

  • Status changed from Feedback to Resolved
Actions #17

Updated by Peter Amstutz over 3 years ago

  • Release set to 38
Actions

Also available in: Atom PDF