Added an unlocking endpoint for admins to fix failed uploads.

ArtifactDB · May 20, 2024 · 3170de4 · 3170de4
1 parent 5f58f49
commit 3170de4
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "private": true,
   "name": "gypsum",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "type": "module",
   "description": "A small ArtifactDB API on Cloudflare Workers",
   "main": "src/index.js",

diff --git a/src/index.js b/src/index.js
@@ -13,6 +13,7 @@ import * as auth from "./utils/permissions.js";
 import * as http from "./utils/http.js";
 import * as s3 from "./utils/s3.js";
 import * as read from "./read.js";
+import * as lock from "./lock.js";
 
 const router = IttyRouter();
 
@@ -84,6 +85,8 @@ router.post("/refresh/latest/:project/:asset", version.refreshLatestVersionHandl
 
 router.post("/refresh/usage/:project", quota.refreshQuotaUsageHandler);
 
+router.delete("/unlock/:project", lock.unlockProjectHandler);
+
 /*** Download ***/
 
 router.head("/file/:key", read.headFileHandler);

diff --git a/src/lock.js b/src/lock.js
@@ -0,0 +1,10 @@
+import * as auth from "./utils/permissions.js";
+import * as lock from "./utils/lock.js";
+
+export async function unlockProjectHandler(request, env, nonblockers) {
+    let token = auth.extractBearerToken(request);
+    await auth.checkAdminPermissions(token, env, nonblockers);
+    let project = decodeURIComponent(request.params.project);
+    await lock.unlockProject(project, env);
+    return new Response(null, { status: 200 });
+}
diff --git a/swagger.json b/swagger.json
@@ -564,6 +564,22 @@
             }
         },
 
+        "/unlock/{project}": {
+            "delete": {
+                "summary": "Unlock a project. This is occasionally necessary, e.g., due to an incomplete upload that was not properly aborted.",
+                "parameters": [
+                    { "$ref": "#/components/parameters/project" }
+                ],
+                "security": [ { "admin": [] } ],
+                "responses": {
+                    "200": { "description": "Successful removal of the lock. This is reported even if `project` does not exist or has no lock." },
+                    "401": { "$ref": "#/components/responses/401" },
+                    "403": { "$ref": "#/components/responses/403" }
+                },
+                "tags": [ "Refresh" ]
+            }
+        },
+
         "/file/{key}": {
             "get": {
                 "summary": "Download the file with the specified key in the bucket. This is a REST-based replacement for `get-object` from the AWS S3 API.",

diff --git a/tests/lock.test.js b/tests/lock.test.js
@@ -0,0 +1,48 @@
+import * as lock from "../src/utils/lock.js";
+import * as lckh from "../src/lock.js";
+import * as gh from "../src/utils/github.js";
+import * as setup from "./setup.js";
+import * as pkeys from "../src/utils/internal.js";
+
+beforeAll(async () => {
+    const env = getMiniflareBindings();
+    await setup.simpleMockProject(env);
+    let rigging = gh.enableTestRigging();
+    setup.mockGitHubIdentities(rigging);
+})
+
+test("unlockProjectHandler works correctly", async () => {
+    const env = getMiniflareBindings();
+
+    let req = new Request("http://localhost", {
+        method: "DELETE",
+        headers: { "Content-Type": "application/json" }
+    });
+    req.headers.set("Authorization", "Bearer " + setup.mockTokenAdmin);
+    req.params = { project: "test" };
+
+    // Unlocking works if it's not locked.
+    expect((await lckh.unlockProjectHandler(req, env, [])).status).toBe(200);
+    expect(await env.BOUND_BUCKET.head(pkeys.lock("test"))).toBeNull()
+
+    // Unlocking works if it's locked.
+    await lock.lockProject("test", "whee", "bar", "SESSION_KEY", env)
+    expect((await lckh.unlockProjectHandler(req, env, [])).status).toBe(200);
+    expect(await env.BOUND_BUCKET.head(pkeys.lock("test"))).toBeNull()
+
+    // Unlocking works if the project doesn't even exist.
+    req.params = { project: "test-does-not-exist" };
+    expect((await lckh.unlockProjectHandler(req, env, [])).status).toBe(200);
+})
+
+test("unlockProjectHandler works correctly if user is not authorized", async () => {
+    const env = getMiniflareBindings();
+    let req = new Request("http://localhost", {
+        method: "DELETE",
+        headers: { "Content-Type": "application/json" }
+    });
+    req.params = { project: "test" };
+    req.headers.set("Authorization", "Bearer " + setup.mockTokenUser);
+    await setup.expectError(lckh.unlockProjectHandler(req, env, []), "not an administrator");
+})
+