origin_serve

package
v0.0.0-...-44018a4
Published: May 15, 2026 License: Apache-2.0 Imports: 51 Imported by: 0

Documentation

Overview

Package origin_serve provides checksum computation and caching for origin servers.

Security: All checksum operations use os.Root (Go 1.24+) to prevent symlink traversal attacks that could escape the storage directory. The os.Root type provides a secure filesystem view that prevents access to files outside the designated root directory, similar to a chroot jail but implemented at the Go runtime level without requiring special system privileges.
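The symlink-escape case the overview describes, as an added example that is not code from the package: it builds a constructed layout (a file outside the export and a symlink inside the export pointing at it), then opens the same name through a plain filepath.Join+os.ReadFile and through os.Root. The naive open follows the link out of the export; os.Root rejects both the link and a literal "../" path. Requires Go 1.24 or later; all paths and names are made up for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// EscapeCheck records how each open strategy behaved on the same layout.
type EscapeCheck struct {
	PlainOpenFollowedLink bool  // os.ReadFile on the joined path read the outside file
	RootRejectedLink      bool  // (*os.Root).Open refused the symlink that leaves the root
	RootRejectedDotDot    bool  // (*os.Root).Open refused a "../" path
	LinkErr               error // the error os.Root returned for the symlink
}

// buildLayout creates a constructed directory tree under a temp dir:
//
//	<tmp>/secret.txt           outside the export
//	<tmp>/export/              the storage root handed to os.OpenRoot
//	<tmp>/export/evil -> ../secret.txt
//
// The caller removes <tmp> when done.
func buildLayout() (tmp, export string, err error) {
	tmp, err = os.MkdirTemp("", "origin-root-demo")
	if err != nil {
		return "", "", err
	}
	export = filepath.Join(tmp, "export")
	if err = os.Mkdir(export, 0o755); err != nil {
		return "", "", err
	}
	if err = os.WriteFile(filepath.Join(tmp, "secret.txt"), []byte("outside"), 0o600); err != nil {
		return "", "", err
	}
	// Relative link target, as someone who can write into the export would create it.
	err = os.Symlink(filepath.Join("..", "secret.txt"), filepath.Join(export, "evil"))
	return tmp, export, err
}

// CheckSymlinkEscape opens the same name through filepath.Join+os.ReadFile
// and through os.Root, and reports which one stayed inside the export.
func CheckSymlinkEscape() (EscapeCheck, error) {
	var res EscapeCheck
	tmp, export, err := buildLayout()
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(tmp)

	// Naive approach: the kernel follows the symlink straight out of the export.
	if b, err := os.ReadFile(filepath.Join(export, "evil")); err == nil && string(b) == "outside" {
		res.PlainOpenFollowedLink = true
	}

	// os.Root approach: every path component, symlink targets included, is resolved
	// relative to the root and rejected if it would leave it.
	root, err := os.OpenRoot(export)
	if err != nil {
		return res, err
	}
	defer root.Close()

	if f, err := root.Open("evil"); err != nil {
		res.RootRejectedLink = true
		res.LinkErr = err
	} else {
		f.Close()
	}
	if f, err := root.Open("../secret.txt"); err != nil {
		res.RootRejectedDotDot = true
	} else {
		f.Close()
	}
	return res, nil
}

func main() {
	res, err := CheckSymlinkEscape()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("plain open followed link: %v\n", res.PlainOpenFollowedLink)
	fmt.Printf("os.Root rejected link:   %v (%v)\n", res.RootRejectedLink, res.LinkErr)
	fmt.Printf("os.Root rejected ../:    %v\n", res.RootRejectedDotDot)
}
```

The point to take from the demo is that validating the request path string is not enough: the symlink is a valid name inside the export, and only resolution-time enforcement (os.Root, or openat2 with RESOLVE_BENEATH on Linux) catches where it leads.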

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetAuthConfig

func GetAuthConfig() *authConfig

GetAuthConfig returns the global auth config

func InitAuthConfig

func InitAuthConfig(ctx context.Context, egrp *errgroup.Group, exports []server_utils.OriginExport) error

InitAuthConfig initializes the global auth config

func InitializeChecksummer

func InitializeChecksummer()

InitializeChecksummer initializes the global checksummer

func InitializeHandlers

func InitializeHandlers(ctx context.Context, exports []server_utils.OriginExport) error

InitializeHandlers initializes the WebDAV handlers for each export

func RegisterHandlers

func RegisterHandlers(engine *gin.Engine, directorEnabled bool) error

RegisterHandlers registers the HTTP handlers with the Gin engine. When the director is also running in the same server, handlers are registered under /api/v1.0/origin/<prefix> so the director can distinguish between its routing and the origin's file serving. Otherwise, handlers are registered directly at the federation prefix for standalone origins.

func ResetHandlers

func ResetHandlers()

ResetHandlers resets the handler state (for testing)

func ShutdownAuthConfig

func ShutdownAuthConfig()

ShutdownAuthConfig stops the auth config's background processes

Types

type AuthError

type AuthError struct {
	Code    int
	Message string
	Path    string
	User    string
	Issuer  string
	// contains filtered or unexported fields
}

AuthError represents an authorization error with optional context

func NewAuthError

func NewAuthError(code int, message string, path string) *AuthError

NewAuthError creates a new authorization error

func (*AuthError) Error

func (ae *AuthError) Error() string

Error implements the error interface

func (*AuthError) WithCause

func (ae *AuthError) WithCause(err error) *AuthError

WithCause adds the underlying error cause

func (*AuthError) WithIssuer

func (ae *AuthError) WithIssuer(issuer string) *AuthError

WithIssuer adds issuer information to the error

func (*AuthError) WithUser

func (ae *AuthError) WithUser(user string) *AuthError

WithUser adds user information to the error

type ChecksumType

type ChecksumType string

ChecksumType represents the type of checksum

const (
	ChecksumTypeMD5    ChecksumType = "md5"
	ChecksumTypeSHA1   ChecksumType = "sha1"
	ChecksumTypeCRC32  ChecksumType = "crc32"
	ChecksumTypeCRC32C ChecksumType = "crc32c"
)

type Checksummer

type Checksummer interface {
	GetChecksum(root *os.Root, filename string, checksumType ChecksumType) (string, error)
}

Checksummer is an interface for fetching and computing checksums. Implementations take an os.Root so that every file operation stays within the root directory.

func GetChecksummer

func GetChecksummer() Checksummer

GetChecksummer returns the global checksummer

type ErrorHandler

type ErrorHandler struct {
	// contains filtered or unexported fields
}

ErrorHandler manages consistent error handling and HTTP status code mapping

func NewErrorHandler

func NewErrorHandler() *ErrorHandler

NewErrorHandler creates a new error handler

func (*ErrorHandler) LogError

func (eh *ErrorHandler) LogError(operation string, err error, args ...interface{})

LogError logs an error with appropriate context

func (*ErrorHandler) MapToHTTPStatus

func (eh *ErrorHandler) MapToHTTPStatus(err error) int

MapToHTTPStatus maps an error to an HTTP status code using proper error type checking
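One way to do the "proper error type checking" this method describes, as an added example rather than the package's own implementation: match on types through the wrap chain with errors.As and errors.Is, so an error wrapped with fmt.Errorf("...: %w", err) still maps to the right status, and fall back to 500 for anything unrecognised so the response leaks nothing about the cause. The NotFoundError and httpStatuser interface below are stand-ins modelled on the HTTPStatus() int method the page's error types expose; they are assumptions, not the package's declarations.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"net/http"
)

// httpStatuser is satisfied by error types that know their own status code,
// as the page's NotFoundError, PermissionDeniedError and ResourceExhaustedError do.
type httpStatuser interface {
	error
	HTTPStatus() int
}

// NotFoundError is a stand-in for the page's type of the same name.
type NotFoundError struct{ ResourceType, ResourcePath string }

func (e *NotFoundError) Error() string {
	return fmt.Sprintf("%s not found: %s", e.ResourceType, e.ResourcePath)
}
func (e *NotFoundError) HTTPStatus() int { return http.StatusNotFound }

// MapToHTTPStatus walks the wrap chain instead of matching on message text.
// Typed errors win; well-known sentinel errors from the filesystem come next;
// everything else is a 500 so the client learns nothing about the cause.
func MapToHTTPStatus(err error) int {
	if err == nil {
		return http.StatusOK
	}
	var hs httpStatuser
	if errors.As(err, &hs) {
		return hs.HTTPStatus()
	}
	switch {
	case errors.Is(err, fs.ErrNotExist):
		return http.StatusNotFound
	case errors.Is(err, fs.ErrPermission):
		return http.StatusForbidden
	}
	return http.StatusInternalServerError
}

func main() {
	inner := &NotFoundError{ResourceType: "file", ResourcePath: "/data/run1/evt.root"}
	fmt.Println(MapToHTTPStatus(fmt.Errorf("GET handler: %w", inner)))     // 404 through the wrap
	fmt.Println(MapToHTTPStatus(fmt.Errorf("stat: %w", fs.ErrPermission))) // 403
	fmt.Println(MapToHTTPStatus(errors.New("xattr read failed")))         // 500, cause not exposed
}
```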

type Mapfile

type Mapfile struct {
	Rules []MapfileRule `json:"-"`
	// contains filtered or unexported fields
}

Mapfile represents the complete mapfile configuration

func NewMapfile

func NewMapfile(filePath string) *Mapfile

NewMapfile creates a new mapfile loader

func (*Mapfile) ApplyRule

func (m *Mapfile) ApplyRule(rule MapfileRule, userClaim, groupClaims []string, requestPath string) string

ApplyRule applies a mapfile rule to determine the mapped username. Returns the mapped username if the rule matches, or an empty string if it does not.

func (*Mapfile) IsStale

func (m *Mapfile) IsStale() bool

IsStale checks if the mapfile has been modified on disk

func (*Mapfile) Load

func (m *Mapfile) Load() error

Load reads and parses the mapfile from disk

func (*Mapfile) MapUsername

func (m *Mapfile) MapUsername(userClaim string, groupClaims []string, requestPath string) string

MapUsername applies mapfile rules to determine the mapped username

type MapfileRule

type MapfileRule struct {
	Sub      *string `json:"sub"`
	Username *string `json:"username"`
	Path     *string `json:"path"`
	Group    *string `json:"group"`
	Result   string  `json:"result"`
	Ignore   *bool   `json:"ignore"`
	Comment  *string `json:"comment"`
}

MapfileRule represents a single rule in the mapfile for username mapping

type NotFoundError

type NotFoundError struct {
	ResourceType string
	ResourcePath string
}

NotFoundError is a specialized error for missing resources

func NewNotFoundError

func NewNotFoundError(resourceType, resourcePath string) *NotFoundError

NewNotFoundError creates a new not found error

func (*NotFoundError) Error

func (nfe *NotFoundError) Error() string

Error implements the error interface

func (*NotFoundError) HTTPStatus

func (nfe *NotFoundError) HTTPStatus() int

HTTPStatus returns the appropriate HTTP status code

type OperationError

type OperationError struct {
	Operation   string
	Path        string
	HTTPStatus  int
	Message     string
	Recoverable bool
	// contains filtered or unexported fields
}

OperationError represents a file operation error with recovery hints

func NewOperationError

func NewOperationError(operation, path string, err error) *OperationError

NewOperationError creates a new operation error

func (*OperationError) Error

func (oe *OperationError) Error() string

Error implements the error interface

func (*OperationError) String

func (oe *OperationError) String() string

String returns a detailed error description

type PermissionDeniedError

type PermissionDeniedError struct {
	Resource string
	Action   string
	Reason   string
}

PermissionDeniedError is a specialized authorization error

func NewPermissionDeniedError

func NewPermissionDeniedError(resource, action, reason string) *PermissionDeniedError

NewPermissionDeniedError creates a new permission denied error

func (*PermissionDeniedError) Error

func (pde *PermissionDeniedError) Error() string

Error implements the error interface

func (*PermissionDeniedError) HTTPStatus

func (pde *PermissionDeniedError) HTTPStatus() int

HTTPStatus returns the appropriate HTTP status code

type ResourceExhaustedError

type ResourceExhaustedError struct {
	ResourceType string
	Message      string
}

ResourceExhaustedError represents resource limit violations

func NewResourceExhaustedError

func NewResourceExhaustedError(resourceType, message string) *ResourceExhaustedError

NewResourceExhaustedError creates a new resource exhausted error

func (*ResourceExhaustedError) Error

func (ree *ResourceExhaustedError) Error() string

Error implements the error interface

func (*ResourceExhaustedError) HTTPStatus

func (ree *ResourceExhaustedError) HTTPStatus() int

HTTPStatus returns the appropriate HTTP status code

type TokenValidationError

type TokenValidationError struct {
	Reason   string
	Issuer   string
	Subject  string
	Code     int
	Details  string
	Verified bool // Whether the token signature was verified before extracting metadata
}

TokenValidationError represents token validation failures

func NewTokenValidationError

func NewTokenValidationError(reason string) *TokenValidationError

NewTokenValidationError creates a new token validation error

func (*TokenValidationError) Error

func (tve *TokenValidationError) Error() string

Error implements the error interface

func (*TokenValidationError) String

func (tve *TokenValidationError) String() string

String returns a detailed error description

func (*TokenValidationError) WithDetails

func (tve *TokenValidationError) WithDetails(details string) *TokenValidationError

WithDetails adds additional context details

func (*TokenValidationError) WithIssuer

func (tve *TokenValidationError) WithIssuer(issuer string) *TokenValidationError

WithIssuer adds issuer information

func (*TokenValidationError) WithSubject

func (tve *TokenValidationError) WithSubject(subject string) *TokenValidationError

WithSubject adds subject information

func (*TokenValidationError) WithVerified

func (tve *TokenValidationError) WithVerified(verified bool) *TokenValidationError

WithVerified marks whether the token was cryptographically verified before extracting metadata

type UserInfo

type UserInfo struct {
	User        string
	Groups      []string
	MappedUser  string
	RequestPath string
}

UserInfo represents extracted user and group information from a token

type UserMapper

type UserMapper struct {
	// contains filtered or unexported fields
}

UserMapper handles username and group extraction from tokens with optional mapfile support

func NewUserMapper

func NewUserMapper(usernameClaim, groupsClaim, mapfilePath, defaultUser, unauthenticatedUser string) *UserMapper

NewUserMapper creates a new user mapper.

usernameClaim: token claim to use for username (default: "sub")
groupsClaim: token claim to use for groups (default: "wlcg.groups")
mapfilePath: optional path to mapfile for username mapping
defaultUser: fallback username when mapfile is enabled but no rule matches; set to empty string to reject unmatched tokens.
unauthenticatedUser: username for token-less or invalid-token requests; set to empty string to reject such requests.

func (*UserMapper) ExtractUserInfo

func (um *UserMapper) ExtractUserInfo(tokenClaims map[string]interface{}, requestPath string) *UserInfo

ExtractUserInfo extracts user and group information from token claims
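A worked version of the claim extraction and mapfile mapping that NewUserMapper, ExtractUserInfo and MapfileRule describe, as an added example and not the package's code. It reuses the JSON tags from the MapfileRule declaration, but the rest is assumed: the on-disk mapfile is taken to be one JSON object per line, "sub" and "username" are taken to be exact matches on the user claim, "group" a membership test over the group claims, "path" a path-segment prefix, the first matching rule wins, and a matching "ignore" rule rejects rather than falling through to the default user. The sample mapfile and claims are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// MapfileRule uses the JSON tags the page documents; a nil pointer field
// means "unset", so only the fields a rule sets constrain it.
type MapfileRule struct {
	Sub      *string `json:"sub"`
	Username *string `json:"username"`
	Path     *string `json:"path"`
	Group    *string `json:"group"`
	Result   string  `json:"result"`
	Ignore   *bool   `json:"ignore"`
	Comment  *string `json:"comment"`
}

// Constructed sample mapfile, one JSON object per line (an assumed layout;
// the page does not specify the on-disk format).
const sampleMapfile = `
# pin a known subject to a local account
{"sub": "alice@example.org", "result": "alice"}
{"group": "/cms/admins", "path": "/cms/", "result": "cmsadmin"}
{"group": "/cms", "ignore": true, "comment": "plain members get no local account"}
`

// ParseMapfile parses the line-oriented form above, skipping blank and '#' lines,
// and refuses a rule that neither maps to a result nor ignores.
func ParseMapfile(src string) ([]MapfileRule, error) {
	var rules []MapfileRule
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		var r MapfileRule
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("mapfile line %d: %w", n, err)
		}
		if r.Result == "" && (r.Ignore == nil || !*r.Ignore) {
			return nil, fmt.Errorf("mapfile line %d: rule has neither result nor ignore", n)
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// underPath is a segment-aware prefix test: "/cms" covers "/cms/x" but not "/cmsfoo".
func underPath(reqPath, prefix string) bool {
	p := strings.TrimSuffix(prefix, "/")
	return reqPath == p || strings.HasPrefix(reqPath, p+"/")
}

// ruleMatches applies the assumed semantics: sub/username equal the user claim,
// group is among the group claims, path is a segment prefix of the request path.
func ruleMatches(r MapfileRule, user string, groups []string, reqPath string) bool {
	if r.Sub != nil && *r.Sub != user {
		return false
	}
	if r.Username != nil && *r.Username != user {
		return false
	}
	if r.Path != nil && !underPath(reqPath, *r.Path) {
		return false
	}
	return r.Group == nil || slices.Contains(groups, *r.Group)
}

// UserMapper is a stand-in for the page's type, holding what its constructor takes.
type UserMapper struct {
	UsernameClaim string // default "sub"
	GroupsClaim   string // default "wlcg.groups"
	Rules         []MapfileRule
	DefaultUser   string // "" rejects tokens that match no rule
}

// MapClaims extracts user and groups from already-verified claims and runs the
// rules in order; the first match wins. An empty mapped name means "reject".
func (um *UserMapper) MapClaims(claims map[string]interface{}, reqPath string) (mapped, user string, groups []string) {
	user, _ = claims[um.UsernameClaim].(string)
	if raw, ok := claims[um.GroupsClaim].([]interface{}); ok {
		for _, g := range raw {
			if s, ok := g.(string); ok {
				groups = append(groups, s)
			}
		}
	}
	for _, r := range um.Rules {
		if !ruleMatches(r, user, groups, reqPath) {
			continue
		}
		if r.Ignore != nil && *r.Ignore {
			return "", user, groups // matched an ignore rule: reject, do not fall through
		}
		return r.Result, user, groups
	}
	return um.DefaultUser, user, groups
}

func main() {
	rules, err := ParseMapfile(sampleMapfile)
	if err != nil {
		panic(err)
	}
	um := &UserMapper{UsernameClaim: "sub", GroupsClaim: "wlcg.groups", Rules: rules}
	claims := map[string]interface{}{"sub": "bob@example.org", "wlcg.groups": []interface{}{"/cms", "/cms/admins"}}
	mapped, user, groups := um.MapClaims(claims, "/cms/run1")
	fmt.Printf("user=%s groups=%v mapped=%q\n", user, groups, mapped)
}
```

Two choices here are worth keeping whatever the real rule semantics turn out to be: the path test is segment-aware, so a rule for "/cms" cannot be satisfied by "/cmsfoo", and the default user is only consulted when no rule matched at all, so an "ignore" rule is a definite rejection rather than a gap that the default silently fills.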

func (*UserMapper) MapTokenToUser

func (um *UserMapper) MapTokenToUser(tokenStr string) *userInfo

MapTokenToUser parses a JWT and extracts user/group information, applying the mapfile if one is configured. The token is parsed without signature verification: the caller must already have verified it upstream, otherwise the claims it maps are attacker-controlled. Returns a userInfo struct suitable for caching alongside the token's authorization information.

func (*UserMapper) RefreshMapfile

func (um *UserMapper) RefreshMapfile() error

RefreshMapfile reloads the mapfile if it has changed on disk

func (*UserMapper) Shutdown

func (um *UserMapper) Shutdown()

Shutdown stops the periodic refresh goroutine and cleans up resources

func (*UserMapper) StartPeriodicRefresh

func (um *UserMapper) StartPeriodicRefresh(interval time.Duration)

StartPeriodicRefresh starts a goroutine that periodically checks and reloads the mapfile if it has been modified on disk. The refresh interval is controlled by the provided interval parameter.

The goroutine will run until the UserMapper's context is cancelled (typically on server shutdown via Shutdown() method).

type XattrChecksummer

type XattrChecksummer struct{}

XattrChecksummer uses extended attributes to store and retrieve checksums

func (*XattrChecksummer) GetChecksum

func (xc *XattrChecksummer) GetChecksum(root *os.Root, filename string, checksumType ChecksumType) (string, error)

GetChecksum retrieves or computes the checksum for a file. Uses the provided os.Root to ensure all file operations stay within the root directory.

func (*XattrChecksummer) GetChecksumRFC3230

func (xc *XattrChecksummer) GetChecksumRFC3230(root *os.Root, filename string, checksumType ChecksumType) (string, error)

GetChecksumRFC3230 retrieves the checksum in RFC 3230 format (algorithm=value). MD5 and SHA1 values are base64-encoded; CRC32 is hex-encoded. Uses the provided os.Root to ensure all file operations stay within the root directory.

func (*XattrChecksummer) GetChecksumsRFC3230

func (xc *XattrChecksummer) GetChecksumsRFC3230(root *os.Root, filename string, types []ChecksumType) ([]string, error)

GetChecksumsRFC3230 returns a list of RFC 3230 digest strings for the requested types. If any requested checksum is missing or stale, it computes all requested types plus the defaults and stores them. Uses the provided os.Root to ensure all file operations stay within the root directory.
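The digest formatting that GetChecksumRFC3230 and GetChecksumsRFC3230 describe, as an added example and not the package's implementation: one pass over the file feeds every requested hash through io.MultiWriter, and each result is rendered as "algorithm=value" with MD5 and SHA1 base64-encoded and CRC32 hex-encoded, as the page states. The file is opened through the os.Root rather than a joined path. Assumptions: CRC32C is rendered in hex like CRC32 (the page only specifies CRC32), the constant names mirror the page's ChecksumType values, and the xattr caching layer is left out.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"hash"
	"hash/crc32"
	"io"
	"os"
	"strings"
)

// ChecksumType mirrors the page's string type; the values are the same
// lowercase names the package documents.
type ChecksumType string

const (
	MD5    ChecksumType = "md5"
	SHA1   ChecksumType = "sha1"
	CRC32  ChecksumType = "crc32"
	CRC32C ChecksumType = "crc32c"
)

var castagnoli = crc32.MakeTable(crc32.Castagnoli)

// newHash returns a fresh hash for a checksum type, or an error for anything
// the server should refuse rather than guess at.
func newHash(t ChecksumType) (hash.Hash, error) {
	switch t {
	case MD5:
		return md5.New(), nil
	case SHA1:
		return sha1.New(), nil
	case CRC32:
		return crc32.NewIEEE(), nil
	case CRC32C:
		return crc32.New(castagnoli), nil
	}
	return nil, fmt.Errorf("unsupported checksum type %q", t)
}

// format renders one digest as RFC 3230 "alg=value": MD5 and SHA1 base64,
// CRC32 hex. CRC32C being hex as well is an assumption of this example.
func format(t ChecksumType, sum []byte) string {
	switch t {
	case MD5, SHA1:
		return string(t) + "=" + base64.StdEncoding.EncodeToString(sum)
	default:
		return fmt.Sprintf("%s=%x", t, sum)
	}
}

// ComputeDigests reads r exactly once and returns one "alg=value" string per
// requested type, in request order. Unknown types fail before any I/O.
func ComputeDigests(r io.Reader, types []ChecksumType) ([]string, error) {
	hashes := make([]hash.Hash, 0, len(types))
	writers := make([]io.Writer, 0, len(types))
	for _, t := range types {
		h, err := newHash(t)
		if err != nil {
			return nil, err
		}
		hashes = append(hashes, h)
		writers = append(writers, h)
	}
	if _, err := io.Copy(io.MultiWriter(writers...), r); err != nil {
		return nil, err
	}
	out := make([]string, len(types))
	for i, h := range hashes {
		out[i] = format(types[i], h.Sum(nil))
	}
	return out, nil
}

// DigestsFromRoot opens filename through the os.Root, so a symlink or "../" in
// filename cannot pull a file from outside the export into the digest.
func DigestsFromRoot(root *os.Root, filename string, types []ChecksumType) ([]string, error) {
	f, err := root.Open(filename)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return ComputeDigests(f, types)
}

func main() {
	// Constructed input; "hello world" has well-known digests.
	d, err := ComputeDigests(strings.NewReader("hello world"), []ChecksumType{MD5, SHA1, CRC32, CRC32C})
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("Digest: " + strings.Join(d, ", "))
}
```

Joining the strings with ", " gives a value suitable for the Digest response header; a client asking via Want-Digest for a type the server does not support gets an error from newHash rather than a silently omitted entry.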
