server: remove out of date anonymous access check (#7785)

In the past the ollama.com server would return a JWT that contained information about the user being authenticated. This was used to return different error messages to the user. This is no longer possible since the token used to authenticate does not contain information about the user anymore. Removing this code that no longer works. Follow up changes will improve the error messages returned here, but good to clean up first.
2024-11-22 11:57:35 -08:00 · 2024-11-22 11:57:35 -08:00 · 7b5585b9cb
commit 7b5585b9cb
parent f0a351810c
2 changed files with 0 additions and 97 deletions
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -19,7 +19,6 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
 	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@ -35,14 +34,11 @@ import (
 	"golang.org/x/term"
 	"github.com/ollama/ollama/api"
 	"github.com/ollama/ollama/auth"
 	"github.com/ollama/ollama/envconfig"
 	"github.com/ollama/ollama/format"
 	"github.com/ollama/ollama/parser"
 	"github.com/ollama/ollama/progress"
 	"github.com/ollama/ollama/server"
 	"github.com/ollama/ollama/types/errtypes"
 	"github.com/ollama/ollama/types/model"
 	"github.com/ollama/ollama/version"
 )
@ -516,47 +512,6 @@ func RunHandler(cmd *cobra.Command, args []string) error {
 	return generate(cmd, opts)
 }
 func errFromUnknownKey(unknownKeyErr error) error {
 	// find SSH public key in the error message
 	sshKeyPattern := `ssh-\w+ [^\s"]+`
 	re := regexp.MustCompile(sshKeyPattern)
 	matches := re.FindStringSubmatch(unknownKeyErr.Error())
 	if len(matches) > 0 {
 		serverPubKey := matches[0]
 		localPubKey, err := auth.GetPublicKey()
 		if err != nil {
 			return unknownKeyErr
 		}
 		if runtime.GOOS == "linux" && serverPubKey != localPubKey {
 			// try the ollama service public key
 			svcPubKey, err := os.ReadFile("/usr/share/ollama/.ollama/id_ed25519.pub")
 			if err != nil {
 				return unknownKeyErr
 			}
 			localPubKey = strings.TrimSpace(string(svcPubKey))
 		}
 		// check if the returned public key matches the local public key, this prevents adding a remote key to the user's account
 		if serverPubKey != localPubKey {
 			return unknownKeyErr
 		}
 		var msg strings.Builder
 		msg.WriteString(unknownKeyErr.Error())
 		msg.WriteString("\n\nYour ollama key is:\n")
 		msg.WriteString(localPubKey)
 		msg.WriteString("\nAdd your key at:\n")
 		msg.WriteString("https://ollama.com/settings/keys")
 		return errors.New(msg.String())
 	}
 	return unknownKeyErr
 }
 func PushHandler(cmd *cobra.Command, args []string) error {
 	client, err := api.ClientFromEnvironment()
 	if err != nil {
@ -610,14 +565,6 @@ func PushHandler(cmd *cobra.Command, args []string) error {
 		if strings.Contains(err.Error(), "access denied") {
 			return errors.New("you are not authorized to push to this namespace, create the model under a namespace you own")
 		}
 		host := model.ParseName(args[0]).Host
 		isOllamaHost := strings.HasSuffix(host, ".ollama.ai") || strings.HasSuffix(host, ".ollama.com")
 		if strings.Contains(err.Error(), errtypes.UnknownOllamaKeyErrMsg) && isOllamaHost {
 			// the user has not added their ollama key to ollama.com
 			// re-throw an error with a more user-friendly message
 			return errFromUnknownKey(err)
 		}
 		return err
 	}
--- a/server/images.go
+++ b/server/images.go
@ -5,7 +5,6 @@ import (
 	"cmp"
 	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
@ -24,14 +23,12 @@ import (
 	"strings"
 	"github.com/ollama/ollama/api"
 	"github.com/ollama/ollama/auth"
 	"github.com/ollama/ollama/envconfig"
 	"github.com/ollama/ollama/format"
 	"github.com/ollama/ollama/llama"
 	"github.com/ollama/ollama/llm"
 	"github.com/ollama/ollama/parser"
 	"github.com/ollama/ollama/template"
 	"github.com/ollama/ollama/types/errtypes"
 	"github.com/ollama/ollama/types/model"
 	"github.com/ollama/ollama/version"
 )
@ -985,37 +982,7 @@ func GetSHA256Digest(r io.Reader) (string, int64) {
 var errUnauthorized = errors.New("unauthorized: access denied")
 // getTokenSubject returns the subject of a JWT token, it does not validate the token
 func getTokenSubject(token string) string {
 	parts := strings.Split(token, ".")
 	if len(parts) != 3 {
 		return ""
 	}
 	payload := parts[1]
 	payloadBytes, err := base64.RawURLEncoding.DecodeString(payload)
 	if err != nil {
 		slog.Error(fmt.Sprintf("failed to decode jwt payload: %v", err))
 		return ""
 	}
 	var payloadMap map[string]interface{}
 	if err := json.Unmarshal(payloadBytes, &payloadMap); err != nil {
 		slog.Error(fmt.Sprintf("failed to unmarshal payload JSON: %v", err))
 		return ""
 	}
 	sub, ok := payloadMap["sub"]
 	if !ok {
 		slog.Error("jwt does not contain 'sub' field")
 		return ""
 	}
 	return fmt.Sprintf("%s", sub)
 }
 func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.URL, headers http.Header, body io.ReadSeeker, regOpts *registryOptions) (*http.Response, error) {
 	anonymous := true // access will default to anonymous if no user is found associated with the public key
 	for range 2 {
 		resp, err := makeRequest(ctx, method, requestURL, headers, body, regOpts)
 		if err != nil {
@ -1036,7 +1003,6 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR
 			if err != nil {
 				return nil, err
 			}
 			anonymous = getTokenSubject(token) == "anonymous"
 			regOpts.Token = token
 			if body != nil {
 				_, err = body.Seek(0, io.SeekStart)
@ -1059,16 +1025,6 @@ func makeRequestWithRetry(ctx context.Context, method string, requestURL *url.UR
 		}
 	}
 	if anonymous {
 		// no user is associated with the public key, and the request requires non-anonymous access
 		pubKey, nestedErr := auth.GetPublicKey()
 		if nestedErr != nil {
 			slog.Error(fmt.Sprintf("couldn't get public key: %v", nestedErr))
 			return nil, errUnauthorized
 		}
 		return nil, &errtypes.UnknownOllamaKey{Key: pubKey}
 	}
 	// user is associated with the public key, but is not authorized to make the request
 	return nil, errUnauthorized
 }