Commit aed96aca authored by Kirill Smelkov's avatar Kirill Smelkov

X Clarify errors from askAuthBackend

parent 902684ec
...@@ -9,7 +9,6 @@ package main ...@@ -9,7 +9,6 @@ package main
import ( import (
"bufio" "bufio"
"errors"
"fmt" "fmt"
"io" "io"
"log" "log"
...@@ -67,6 +66,7 @@ func authRefreshEntry(u *upstream, project string) { ...@@ -67,6 +66,7 @@ func authRefreshEntry(u *upstream, project string) {
break // no need to further refresh break // no need to further refresh
} }
// clear cache entry if it is not used
log.Printf("AUTH refresh - %v #hit: %v", project, auth.Nhit) log.Printf("AUTH refresh - %v #hit: %v", project, auth.Nhit)
if auth.Nhit == 0 { // not used - we can remove and stop refreshing if auth.Nhit == 0 { // not used - we can remove and stop refreshing
log.Printf("AUTH - removing %v", project) log.Printf("AUTH - removing %v", project)
...@@ -77,14 +77,7 @@ func authRefreshEntry(u *upstream, project string) { ...@@ -77,14 +77,7 @@ func authRefreshEntry(u *upstream, project string) {
log.Printf("AUTH - refreshing %v", project) log.Printf("AUTH - refreshing %v", project)
// XXX what if it stucks? // XXX what if it stucks?
authReply, err := askAuthBackend(u, project) authReply := askAuthBackend(u, project)
log.Printf("<- err: %v", err)
if err != nil {
// an error -> delete entry from cache and be done with
// refreshing XXX lock, unify with ^^^
delete(authCache, project)
break
}
// XXX lock // XXX lock
auth.AuthReply = authReply auth.AuthReply = authReply
...@@ -96,8 +89,6 @@ func authRefreshEntry(u *upstream, project string) { ...@@ -96,8 +89,6 @@ func authRefreshEntry(u *upstream, project string) {
// Ask auth backend about whether download is ok for a project. // Ask auth backend about whether download is ok for a project.
// Authorization is approved if AuthReply.RepoPath != "" on return // Authorization is approved if AuthReply.RepoPath != "" on return
// In case of errors, diagnostic is emitted to AuthReply.RawReply XXX not only diagnostic // In case of errors, diagnostic is emitted to AuthReply.RawReply XXX not only diagnostic
var ErrAuthFailed = errors.New("authorization failed")
func askAuthBackend(u *upstream, project string) AuthReply { func askAuthBackend(u *upstream, project string) AuthReply {
authReply := AuthReply{ authReply := AuthReply{
RawReply: httptest.NewRecorder(), RawReply: httptest.NewRecorder(),
...@@ -110,34 +101,32 @@ func askAuthBackend(u *upstream, project string) AuthReply { ...@@ -110,34 +101,32 @@ func askAuthBackend(u *upstream, project string) AuthReply {
project+".git/info/refs?service=git-upload-pack", nil) project+".git/info/refs?service=git-upload-pack", nil)
if err != nil { if err != nil {
fail500(authReply.RawReply, "GET git-upload-pack", err) fail500(authReply.RawReply, "GET git-upload-pack", err)
return authReply, err return authReply
} }
// prepare everything and go through preAuthorizeHandler() that will send // prepare everything and go through preAuthorizeHandler() that will send
// request to auth backend and analyze/parse the reply into r.authorizationResponse // request to auth backend and analyze/parse the reply into r.authorizationResponse
// it also logs/emits output in case of errors - we do not have to do it here
r := &gitRequest{ r := &gitRequest{
Request: reqDownloadAccess, Request: reqDownloadAccess,
u: u, u: u,
} }
err = ErrAuthFailed
preAuthorizeHandler( preAuthorizeHandler(
func(w http.ResponseWriter, r *gitRequest) { func(w http.ResponseWriter, r *gitRequest) {
// XXX
// if we ever get to this point - auth handler approved // if we ever get to this point - auth handler approved
// access and thus it is ok to download // access and thus it is ok to download
err = nil
// propagate authorizationResponse back
authReply.authorizationResponse = r.authorizationResponse authReply.authorizationResponse = r.authorizationResponse
}, "")(authReply.RawReply, r) }, "")(authReply.RawReply, r)
return authReply, err return authReply
} }
// Verify that download access is ok or not. // Verify that download access is ok or not.
// first we try to see authCache; if information is not there -> ask auth backend // first we try to see authCache; if information is not there -> ask auth backend
// download is ok if AuthReply.RepoPath != ""
// XXX return -> *AuthReply ? // XXX return -> *AuthReply ?
func verifyDownloadAccess(w http.ResponseWriter, u *upstream, project string) (AuthReply, error) { func verifyDownloadAccess(w http.ResponseWriter, u *upstream, project string) AuthReply {
// XXX lock authCache // XXX lock authCache
auth, ok := authCache[project] auth, ok := authCache[project]
if ok { if ok {
...@@ -146,20 +135,17 @@ func verifyDownloadAccess(w http.ResponseWriter, u *upstream, project string) (A ...@@ -146,20 +135,17 @@ func verifyDownloadAccess(w http.ResponseWriter, u *upstream, project string) (A
// project, // project,
// time.Since(time.Unix(auth.Tauth, 0)), // time.Since(time.Unix(auth.Tauth, 0)),
// auth.Nhit) // auth.Nhit)
return auth.AuthReply, nil return auth.AuthReply
} }
authReply, err := askAuthBackend(u, project) authReply := askAuthBackend(u, project)
if err != nil {
return authReply, err
}
// XXX lock // XXX lock
// store in cache and start cache entry refresher // store in cache and start cache entry refresher
authCache[project] = &AuthCacheEntry{authReply, time.Now().Unix(), 0} authCache[project] = &AuthCacheEntry{authReply, time.Now().Unix(), 0}
go authRefreshEntry(u, project) go authRefreshEntry(u, project)
return authReply, nil return authReply
} }
// HTTP handler for `.../raw/<ref>/path` // HTTP handler for `.../raw/<ref>/path`
...@@ -182,11 +168,7 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) { ...@@ -182,11 +168,7 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
refpath = refpath[4:] // strip 'raw/...' refpath = refpath[4:] // strip 'raw/...'
// Query download access auth for this project // Query download access auth for this project
authReply, err := verifyDownloadAccess(w, r.u, project) authReply := verifyDownloadAccess(w, r.u, project)
if err != nil {
fail500(w, "verifyDownloadAccess", err)
return
}
if authReply.RepoPath == "" { if authReply.RepoPath == "" {
// access denied - copy auth reply to client in full - // access denied - copy auth reply to client in full -
// there are HTTP code and other headers / body relevant for // there are HTTP code and other headers / body relevant for
...@@ -203,16 +185,6 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) { ...@@ -203,16 +185,6 @@ func handleGetBlobRaw(w http.ResponseWriter, r *gitRequest) {
emitBlob(w, authReply.RepoPath, refpath) emitBlob(w, authReply.RepoPath, refpath)
} }
/*
Cache-Control: private
ETag: "4c10677531b44f555ebbdaff24a9b2d6"
X-Content-Type-Options: nosniff
Content-Disposition: inline
Content-Transfer-Encoding: binary
Content-Type: text/plain; charset=utf-8
*/
// Emit content of blob located at <ref>/path (jointly denoted as 'refpath') to output // Emit content of blob located at <ref>/path (jointly denoted as 'refpath') to output
func emitBlob(w http.ResponseWriter, repopath string, refpath string) { func emitBlob(w http.ResponseWriter, repopath string, refpath string) {
......
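Review bot: verifyDownloadAccess now stores every reply in authCache and starts authRefreshEntry for it, including denials and the fail500 reply recorded when http.NewRequest fails, because the early `if err != nil { return authReply, err }` was dropped together with the error return. `project` appears to come from the request path in handleGetBlobRaw, so each distinct unauthorized project name would leave a cache entry and a refresher goroutine until its hit count drops to zero; consider `if authReply.RepoPath == "" { return authReply }` before the `authCache[project] = ...` line. The same applies in authRefreshEntry, where a failed refresh now overwrites `auth.AuthReply` instead of deleting the entry, so a transient backend error would be replayed to clients from cache until the next refresh. If caching denials is intended, a comment on verifyDownloadAccess saying so, and stating how long a negative entry is expected to live, would help. Both functions extend beyond the visible hunks.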