incusd/images: Fix image access through secret

In a clustered environment, we may need to forward the image download request to another server. This happens in cases where an image isn't locally available. That operation happens after secret validation and so after having invalidated the secret. The target server will validate the secret again, so we must ensure it's still considered valid. For that reason our check already allowed canceled but not expired operations, giving a 5s time window to perform any follow up requests before the token is fully expired. Unfortunately the token cancelation code would then be called again and fail as the operation was already canceled. The fix is simply to only call the cancelation code if the operation hasn't been canceled yet. Signed-off-by: Stéphane Graber <[email protected]>
stgraber · Sep 24, 2024 · 02e32e3 · 02e32e3
1 parent 1250e03
commit 02e32e3
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/cmd/incusd/images.go b/cmd/incusd/images.go
@@ -2915,10 +2915,13 @@ func imageValidSecret(s *state.State, r *http.Request, projectName string, finge
 		}
 
 		if opSecret == secret {
-			// Token is single-use, so cancel it now.
-			err = operationCancel(s, r, projectName, op)
-			if err != nil {
-				return nil, fmt.Errorf("Failed to cancel operation %q: %w", op.ID, err)
+			// Check if the operation is currently running (we allow access while expired).
+			if op.Status == api.Running.String() {
+				// Token is single-use, so cancel it now.
+				err = operationCancel(s, r, projectName, op)
+				if err != nil {
+					return nil, fmt.Errorf("Failed to cancel operation %q: %w", op.ID, err)
+				}
 			}
 
 			return op, nil