using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; using Coscine.ApiCommons; using Coscine.ApiCommons.Factories; using Coscine.ApiCommons.Utils; using Coscine.Configuration; using Coscine.Database.Model; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Newtonsoft.Json.Linq; using System; using System.Collections.Generic; using System.IdentityModel.Tokens.Jwt; using System.IO; using System.Linq; using System.Net.Http; using System.Net.Http.Headers; using System.Text.RegularExpressions; using System.Threading.Tasks; using System.Web; #region DupFinder Exclusion namespace Coscine.Api.Project.Controllers { [Authorize] public class DataSourceController : Controller { private readonly IConfiguration _configuration; private readonly JWTHandler _jwtHandler; // make to lazy property private static readonly HttpClient Client; private readonly Authenticator _authenticator; private readonly ResourceModel _resourceModel; private readonly ProjectModel _projectModel; static DataSourceController() { Client = new HttpClient { Timeout = TimeSpan.FromMinutes(30) }; } public DataSourceController() { _configuration = Program.Configuration; _jwtHandler = new JWTHandler(_configuration); _authenticator = new Authenticator(this, _configuration); _resourceModel = new ResourceModel(); _projectModel = new ProjectModel(); } // inferring a ../ (urlencoded) can manipulate the url. // However the constructed signature for s3 won't match and it will not be resolved. // This may be a problem for other provider! [HttpGet("[controller]/{resourceId}/{path}")] public async Task GetWaterButlerFolder(string resourceId, string path) { var user = _authenticator.GetUser(); if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); } var check = CheckResourceIdAndPath(resourceId, path, out Resource resource); if (check != null) { return check; } if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) { return BadRequest("User does not have permission to the resource."); } var authHeader = BuildAuthHeader(resource); if (authHeader == null) { return BadRequest($"No provider for: \"{resource.Type.DisplayName}\"."); } else { // If the path is null, an empty string is added. string url = $"{_configuration.GetString("coscine/global/waterbutler_url")}{GetResourceTypeName(resource)}{path}"; var request = new HttpRequestMessage(HttpMethod.Get, url); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authHeader); // Thread safe according to msdn and HttpCompletionOption sets it to get only headers first. var response = await Client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead); if (response.IsSuccessStatusCode) { if (response.Content.Headers.Contains("Content-Disposition")) { return File(await response.Content.ReadAsStreamAsync(), response.Content.Headers.GetValues("Content-Type").First()); } else { var data = JObject.Parse(await response.Content.ReadAsStringAsync())["data"]; return Ok(new WaterbutlerObject(path, data)); } } else { return FailedRequest(response, path); } } } // inferring a ../ (urlencoded) can manipulate the url. // However the constructed signature for s3 won't match and it will not be resolved. // This may be a problem for other provider! [HttpPut("[controller]/{resourceId}/{path}")] [DisableRequestSizeLimit] public async Task PutUploadFile(string resourceId, string path) { var user = _authenticator.GetUser(); if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); } var check = CheckResourceIdAndPath(resourceId, path, out Resource resource); if (check != null) { return check; } if(!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) { return BadRequest("User does not have permission to the resource."); } var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" }); if (authHeader == null) { return BadRequest($"No provider for: \"{resource.Type.DisplayName}\"."); } else { // If the path is null, an empty string is added. string url = $"{_configuration.GetString("coscine/global/waterbutler_url")}{GetResourceTypeName(resource)}/?kind=file&name={path}"; try { var response = await UploadFile(url, authHeader, Request.Body); if (response.IsSuccessStatusCode) { return NoContent(); } else { return FailedRequest(response, path); } } catch (Exception e) { Console.WriteLine(e); return BadRequest(e); } } } // inferring a ../ (urlencoded) can manipulate the url. // However the constructed signature for s3 won't match and it will not be resolved. // This may be a problem for other provider! [HttpPut("[controller]/{resourceId}/{path}/update")] [DisableRequestSizeLimit] public async Task PutUpdateFile(string resourceId, string path) { var user = _authenticator.GetUser(); if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); } var check = CheckResourceIdAndPath(resourceId, path, out Resource resource); if (check != null) { return check; } if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) { return BadRequest("User does not have permission to the resource."); } var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" }); if (authHeader == null) { return BadRequest($"No provider for: \"{resource.Type.DisplayName}\"."); } else { // If the path is null, an empty string is added. string url = $"{_configuration.GetString("coscine/global/waterbutler_url")}{GetResourceTypeName(resource)}/{path}?kind=file"; try { var response = await UploadFile(url, authHeader, Request.Body); if (response.IsSuccessStatusCode) { return NoContent(); } else { return FailedRequest(response, path); } } catch (Exception e) { Console.WriteLine(e); return BadRequest(e); } } } private string GetResourceTypeName(Resource resource) { if (resource.Type.DisplayName.ToLower().Equals("s3")) { return "rds"; } else { return resource.Type.DisplayName.ToLower(); } } private string GetResourceTypeName(JToken resource) { if (resource["type"]["displayName"].ToString().ToLower().Equals("s3")) { return "rds"; } else { return resource["type"]["displayName"].ToString().ToLower(); } } public async Task UploadFile(string url, string authHeader, Stream stream) { var request = new HttpRequestMessage(HttpMethod.Put, url); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authHeader); request.Content = new StreamContent(stream); return await Client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead); } [HttpDelete("[controller]/{resourceId}/{path}")] public async Task Delete(string resourceId, string path) { var user = _authenticator.GetUser(); if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); } var check = CheckResourceIdAndPath(resourceId, path, out Resource resource); if (check != null) { return check; } if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) { return BadRequest("User does not have permission to the resource."); } var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" }); if (authHeader == null) { return BadRequest($"No provider for: \"{resource.Type.DisplayName}\"."); } else { // If the path is null, an empty string is added. string url = $"{_configuration.GetString("coscine/global/waterbutler_url")}{GetResourceTypeName(resource)}{path}"; var request = new HttpRequestMessage(HttpMethod.Delete, url); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authHeader); // Thread safe according to msdn and HttpCompletionOption sets it to get only headers first. try { var response = await Client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead); if (response.IsSuccessStatusCode) { return NoContent(); } else { return FailedRequest(response, path); } } catch (Exception e) { Console.WriteLine(e); return BadRequest(e); } } } [HttpPost("[controller]/validate")] public async Task IsResourceValid() { var path = "/"; JToken resource = ObjectFactory.DeserializeFromStream(Request.Body); string authHeader = null; if (resource["type"]["displayName"].ToString().ToLower() == "s3") { S3ResourceType s3ResourceType = new S3ResourceType(); s3ResourceType.BucketName = resource["resourceTypeOption"]["BucketName"].ToString(); s3ResourceType.AccessKey = resource["resourceTypeOption"]["AccessKey"].ToString(); s3ResourceType.SecretKey = resource["resourceTypeOption"]["SecretKey"].ToString(); authHeader = BuildS3AuthHeader(s3ResourceType); } else if (resource["type"]["displayName"].ToString().ToLower() == "gitlab") { GitlabResourceType gitlabResourceType = new GitlabResourceType { RepositoryNumber = (int)resource["resourceTypeOption"]["RepositoryNumber"], RepositoryUrl = resource["resourceTypeOption"]["RepositoryUrl"].ToString(), Token = resource["resourceTypeOption"]["Token"].ToString() }; authHeader = BuildGitlabAuthHeader(gitlabResourceType); } if (authHeader == null) { return BadRequest($"No provider for: \"{resource["type"]["displayName"].ToString()}\"."); } else { // If the path is null, an empty string is added. string url = $"{_configuration.GetString("coscine/global/waterbutler_url")}{GetResourceTypeName(resource)}{path}"; var request = new HttpRequestMessage(HttpMethod.Get, url); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authHeader); // Thread safe according to msdn and HttpCompletionOption sets it to get only headers first. var response = await Client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead); if (response.IsSuccessStatusCode) { if (response.Content.Headers.Contains("Content-Disposition")) { return File(await response.Content.ReadAsStreamAsync(), response.Content.Headers.GetValues("Content-Type").First()); } else { var data = JObject.Parse(await response.Content.ReadAsStringAsync())["data"]; return Ok(new WaterbutlerObject(path, data)); } } else { return FailedRequest(response, path); } } } private IActionResult FailedRequest(HttpResponseMessage response, string path) { if (response.StatusCode == System.Net.HttpStatusCode.NotFound) { return NotFound($"Could not find object for: \"{path}\"."); } else if (response.StatusCode == System.Net.HttpStatusCode.Forbidden) { return Forbid("Not allowed to access the datasource."); } else { return BadRequest($"Error in communication with waterbutler: {response.StatusCode}"); } } private IActionResult CheckResourceIdAndPath(string resourceId, string path, out Resource resource) { resource = null; if (string.IsNullOrWhiteSpace(path)) { return BadRequest($"Your path \"{path}\" is empty."); } Regex rgx = new Regex(@"^[0-9a-zA-Z_\-/. ]+$"); if (!rgx.IsMatch(path)) { return BadRequest($"Your path \"{path}\" contains bad chars. Only {@"^[0-9a-zA-Z_\-./ ]+"} are allowed as chars."); } if (!Guid.TryParse(resourceId, out Guid resourceGuid)) { return BadRequest($"{resourceId} is not a guid."); } try { resource = _resourceModel.GetById(resourceGuid); if (resource == null) { return NotFound($"Could not find resource with id: {resourceId}"); } } catch (Exception) { return NotFound($"Could not find resource with id: {resourceId}"); } if (resource.Type == null) { ResourceTypeModel resourceTypeModel = new ResourceTypeModel(); resource.Type = resourceTypeModel.GetById(resource.TypeId); } // All good return null; } private string BuildWaterbutlerPayload(Dictionary auth, Dictionary credentials, Dictionary settings) { var data = new Dictionary { { "auth", auth }, { "credentials", credentials }, { "settings", settings }, { "callback_url", "rwth-aachen.de" } }; var payload = new JwtPayload { { "data", data } }; return _jwtHandler.GenerateJwtToken(payload); } private string BuildAuthHeader(Resource resource, IEnumerable exclude = null) { if (exclude != null && exclude.Contains(resource.Type.DisplayName.ToLower())) { return null; } string authHeader = null; if (resource.Type.DisplayName.ToLower() == "rds") { RDSResourceTypeModel rdsResourceTypeModel = new RDSResourceTypeModel(); var rdsResourceType = rdsResourceTypeModel.GetById(resource.ResourceTypeOptionId.Value); authHeader = BuildRdsAuthHeader(rdsResourceType); } else if (resource.Type.DisplayName.ToLower() == "s3") { S3ResourceTypeModel s3ResourceTypeModel = new S3ResourceTypeModel(); var s3ResourceType = s3ResourceTypeModel.GetById(resource.ResourceTypeOptionId.Value); authHeader = BuildS3AuthHeader(s3ResourceType); } else if (resource.Type.DisplayName.ToLower() == "gitlab") { GitlabResourceTypeModel gitlabResourceTypeModel = new GitlabResourceTypeModel(); var gitlabResourceType = gitlabResourceTypeModel.GetById(resource.ResourceTypeOptionId.Value); authHeader = BuildGitlabAuthHeader(gitlabResourceType); } return authHeader; } private string BuildRdsAuthHeader(RDSResourceType rdsResourceType) { var auth = new Dictionary(); var credentials = new Dictionary { { "access_key", _configuration.GetStringAndWait("coscine/global/buckets/accessKey") }, { "secret_key", _configuration.GetStringAndWait("coscine/global/buckets/secretKey") } }; var settings = new Dictionary { { "bucket", rdsResourceType.BucketName } }; return BuildWaterbutlerPayload(auth, credentials, settings); } private string BuildS3AuthHeader(S3ResourceType s3ResourceType) { var auth = new Dictionary(); var credentials = new Dictionary { { "access_key", s3ResourceType.AccessKey }, { "secret_key", s3ResourceType.SecretKey } }; var settings = new Dictionary { { "bucket", s3ResourceType.BucketName } }; return BuildWaterbutlerPayload(auth, credentials, settings); } private string BuildGitlabAuthHeader(GitlabResourceType gitlabResourceType) { var auth = new Dictionary(); var credentials = new Dictionary { { "token", gitlabResourceType.Token } }; var settings = new Dictionary { { "owner", "Tester"}, { "repo", gitlabResourceType.RepositoryUrl}, { "repo_id", gitlabResourceType.RepositoryNumber.ToString()}, { "host", "https://git.rwth-aachen.de"} }; return BuildWaterbutlerPayload(auth, credentials, settings); } } } #endregion