diff --git a/cmd/cmd.go b/cmd/cmd.go index 97e821c7..fad06ffd 100644 --- a/cmd/cmd.go +++ b/cmd/cmd.go @@ -19,7 +19,6 @@ import ( "os" "os/signal" "path/filepath" - "regexp" "runtime" "strconv" "strings" @@ -35,14 +34,11 @@ import ( "golang.org/x/term" "github.com/ollama/ollama/api" - "github.com/ollama/ollama/auth" "github.com/ollama/ollama/envconfig" "github.com/ollama/ollama/format" "github.com/ollama/ollama/parser" "github.com/ollama/ollama/progress" "github.com/ollama/ollama/server" - "github.com/ollama/ollama/types/errtypes" - "github.com/ollama/ollama/types/model" "github.com/ollama/ollama/version" ) @@ -516,47 +512,6 @@ func RunHandler(cmd *cobra.Command, args []string) error { return generate(cmd, opts) } -func errFromUnknownKey(unknownKeyErr error) error { - // find SSH public key in the error message - sshKeyPattern := `ssh-\w+ [^\s"]+` - re := regexp.MustCompile(sshKeyPattern) - matches := re.FindStringSubmatch(unknownKeyErr.Error()) - - if len(matches) > 0 { - serverPubKey := matches[0] - - localPubKey, err := auth.GetPublicKey() - if err != nil { - return unknownKeyErr - } - - if runtime.GOOS == "linux" && serverPubKey != localPubKey { - // try the ollama service public key - svcPubKey, err := os.ReadFile("/usr/share/ollama/.ollama/id_ed25519.pub") - if err != nil { - return unknownKeyErr - } - localPubKey = strings.TrimSpace(string(svcPubKey)) - } - - // check if the returned public key matches the local public key, this prevents adding a remote key to the user's account - if serverPubKey != localPubKey { - return unknownKeyErr - } - - var msg strings.Builder - msg.WriteString(unknownKeyErr.Error()) - msg.WriteString("\n\nYour ollama key is:\n") - msg.WriteString(localPubKey) - msg.WriteString("\nAdd your key at:\n") - msg.WriteString("https://ollama.com/settings/keys") - - return errors.New(msg.String()) - } - - return unknownKeyErr -} - func PushHandler(cmd *cobra.Command, args []string) error { client, err := api.ClientFromEnvironment() if err != nil { @@ -610,14 +565,6 @@ func PushHandler(cmd *cobra.Command, args []string) error { if strings.Contains(err.Error(), "access denied") { return errors.New("you are not authorized to push to this namespace, create the model under a namespace you own") } - host := model.ParseName(args[0]).Host - isOllamaHost := strings.HasSuffix(host, ".ollama.ai") || strings.HasSuffix(host, ".ollama.com") - if strings.Contains(err.Error(), errtypes.UnknownOllamaKeyErrMsg) && isOllamaHost { - // the user has not added their ollama key to ollama.com - // re-throw an error with a more user-friendly message - return errFromUnknownKey(err) - } - return err } diff --git a/server/images.go b/server/images.go index 6a0e8ae3..1f6a9712 100644 --- a/server/images.go +++ b/server/images.go @@ -5,7 +5,6 @@ import ( "cmp" "context" "crypto/sha256" - "encoding/base64" "encoding/hex" "encoding/json" "errors" @@ -24,14 +23,12 @@ import ( "strings" "github.com/ollama/ollama/api" - "github.com/ollama/ollama/auth" "github.com/ollama/ollama/envconfig" "github.com/ollama/ollama/format" "github.com/ollama/ollama/llama" "github.com/ollama/ollama/llm" "github.com/ollama/ollama/parser" "github.com/ollama/ollama/template" - "github.com/ollama/ollama/types/errtypes" "github.com/ollama/ollama/types/model" "github.com/ollama/ollama/version" ) @@ -985,37 +982,7 @@ func GetSHA256Digest(r io.Reader) (string, int64) { var errUnauthorized = errors.New("unauthorized: access denied") -// getTokenSubject returns the subject of a JWT token, it does not validate the token -func getTokenSubject(token string) string { - parts := strings.Split(token, ".") - if len(parts) != 3 { - return "" - } - - payload := parts[1] - payloadBytes, err := base64.RawURLEncoding.DecodeString(payload) - if err != nil { - slog.Error(fmt.Sprintf("failed to decode jwt payload: %v", err)) - return "" - } - - var payloadMap map[string]interface{} - if err := json.Unmarshal(payloadBytes, &payloadMap); err != nil { - slog.Error(fmt.Sprintf("failed to unmarshal payload JSON: %v", err)) - return "" - } - - sub, ok := payloadMap["sub"] - if !ok { - slog.Error("jwt does not contain 'sub' field") - return "" - } - - return fmt.Sprintf("%s", sub) -} - func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.URL, headers http.Header, body io.ReadSeeker, regOpts *registryOptions) (*http.Response, error) { - anonymous := true // access will default to anonymous if no user is found associated with the public key for range 2 { resp, err := makeRequest(ctx, method, requestURL, headers, body, regOpts) if err != nil { @@ -1036,7 +1003,6 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR if err != nil { return nil, err } - anonymous = getTokenSubject(token) == "anonymous" regOpts.Token = token if body != nil { _, err = body.Seek(0, io.SeekStart) @@ -1059,16 +1025,6 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR } } - if anonymous { - // no user is associated with the public key, and the request requires non-anonymous access - pubKey, nestedErr := auth.GetPublicKey() - if nestedErr != nil { - slog.Error(fmt.Sprintf("couldn't get public key: %v", nestedErr)) - return nil, errUnauthorized - } - return nil, &errtypes.UnknownOllamaKey{Key: pubKey} - } - // user is associated with the public key, but is not authorized to make the request return nil, errUnauthorized }