From 7b5585b9cbc5f803583ebd6a9627c563521c8970 Mon Sep 17 00:00:00 2001 From: Bruce MacDonald Date: Fri, 22 Nov 2024 11:57:35 -0800 Subject: [PATCH] server: remove out of date anonymous access check (#7785) In the past the ollama.com server would return a JWT that contained information about the user being authenticated. This was used to return different error messages to the user. This is no longer possible since the token used to authenticate does not contain information about the user anymore. Removing this code that no longer works. Follow up changes will improve the error messages returned here, but good to clean up first. --- cmd/cmd.go | 53 ------------------------------------------------ server/images.go | 44 ---------------------------------------- 2 files changed, 97 deletions(-) diff --git a/cmd/cmd.go b/cmd/cmd.go index 97e821c7..fad06ffd 100644 --- a/cmd/cmd.go +++ b/cmd/cmd.go @@ -19,7 +19,6 @@ import ( "os" "os/signal" "path/filepath" - "regexp" "runtime" "strconv" "strings" @@ -35,14 +34,11 @@ import ( "golang.org/x/term" "github.com/ollama/ollama/api" - "github.com/ollama/ollama/auth" "github.com/ollama/ollama/envconfig" "github.com/ollama/ollama/format" "github.com/ollama/ollama/parser" "github.com/ollama/ollama/progress" "github.com/ollama/ollama/server" - "github.com/ollama/ollama/types/errtypes" - "github.com/ollama/ollama/types/model" "github.com/ollama/ollama/version" ) @@ -516,47 +512,6 @@ func RunHandler(cmd *cobra.Command, args []string) error { return generate(cmd, opts) } -func errFromUnknownKey(unknownKeyErr error) error { - // find SSH public key in the error message - sshKeyPattern := `ssh-\w+ [^\s"]+` - re := regexp.MustCompile(sshKeyPattern) - matches := re.FindStringSubmatch(unknownKeyErr.Error()) - - if len(matches) > 0 { - serverPubKey := matches[0] - - localPubKey, err := auth.GetPublicKey() - if err != nil { - return unknownKeyErr - } - - if runtime.GOOS == "linux" && serverPubKey != localPubKey { - // try the ollama service public key - svcPubKey, err := os.ReadFile("/usr/share/ollama/.ollama/id_ed25519.pub") - if err != nil { - return unknownKeyErr - } - localPubKey = strings.TrimSpace(string(svcPubKey)) - } - - // check if the returned public key matches the local public key, this prevents adding a remote key to the user's account - if serverPubKey != localPubKey { - return unknownKeyErr - } - - var msg strings.Builder - msg.WriteString(unknownKeyErr.Error()) - msg.WriteString("\n\nYour ollama key is:\n") - msg.WriteString(localPubKey) - msg.WriteString("\nAdd your key at:\n") - msg.WriteString("https://ollama.com/settings/keys") - - return errors.New(msg.String()) - } - - return unknownKeyErr -} - func PushHandler(cmd *cobra.Command, args []string) error { client, err := api.ClientFromEnvironment() if err != nil { @@ -610,14 +565,6 @@ func PushHandler(cmd *cobra.Command, args []string) error { if strings.Contains(err.Error(), "access denied") { return errors.New("you are not authorized to push to this namespace, create the model under a namespace you own") } - host := model.ParseName(args[0]).Host - isOllamaHost := strings.HasSuffix(host, ".ollama.ai") || strings.HasSuffix(host, ".ollama.com") - if strings.Contains(err.Error(), errtypes.UnknownOllamaKeyErrMsg) && isOllamaHost { - // the user has not added their ollama key to ollama.com - // re-throw an error with a more user-friendly message - return errFromUnknownKey(err) - } - return err } diff --git a/server/images.go b/server/images.go index 6a0e8ae3..1f6a9712 100644 --- a/server/images.go +++ b/server/images.go @@ -5,7 +5,6 @@ import ( "cmp" "context" "crypto/sha256" - "encoding/base64" "encoding/hex" "encoding/json" "errors" @@ -24,14 +23,12 @@ import ( "strings" "github.com/ollama/ollama/api" - "github.com/ollama/ollama/auth" "github.com/ollama/ollama/envconfig" "github.com/ollama/ollama/format" "github.com/ollama/ollama/llama" "github.com/ollama/ollama/llm" "github.com/ollama/ollama/parser" "github.com/ollama/ollama/template" - "github.com/ollama/ollama/types/errtypes" "github.com/ollama/ollama/types/model" "github.com/ollama/ollama/version" ) @@ -985,37 +982,7 @@ func GetSHA256Digest(r io.Reader) (string, int64) { var errUnauthorized = errors.New("unauthorized: access denied") -// getTokenSubject returns the subject of a JWT token, it does not validate the token -func getTokenSubject(token string) string { - parts := strings.Split(token, ".") - if len(parts) != 3 { - return "" - } - - payload := parts[1] - payloadBytes, err := base64.RawURLEncoding.DecodeString(payload) - if err != nil { - slog.Error(fmt.Sprintf("failed to decode jwt payload: %v", err)) - return "" - } - - var payloadMap map[string]interface{} - if err := json.Unmarshal(payloadBytes, &payloadMap); err != nil { - slog.Error(fmt.Sprintf("failed to unmarshal payload JSON: %v", err)) - return "" - } - - sub, ok := payloadMap["sub"] - if !ok { - slog.Error("jwt does not contain 'sub' field") - return "" - } - - return fmt.Sprintf("%s", sub) -} - func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.URL, headers http.Header, body io.ReadSeeker, regOpts *registryOptions) (*http.Response, error) { - anonymous := true // access will default to anonymous if no user is found associated with the public key for range 2 { resp, err := makeRequest(ctx, method, requestURL, headers, body, regOpts) if err != nil { @@ -1036,7 +1003,6 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR if err != nil { return nil, err } - anonymous = getTokenSubject(token) == "anonymous" regOpts.Token = token if body != nil { _, err = body.Seek(0, io.SeekStart) @@ -1059,16 +1025,6 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR } } - if anonymous { - // no user is associated with the public key, and the request requires non-anonymous access - pubKey, nestedErr := auth.GetPublicKey() - if nestedErr != nil { - slog.Error(fmt.Sprintf("couldn't get public key: %v", nestedErr)) - return nil, errUnauthorized - } - return nil, &errtypes.UnknownOllamaKey{Key: pubKey} - } - // user is associated with the public key, but is not authorized to make the request return nil, errUnauthorized }