commit 975d8b1c70417e69b05961a97d5c8642554dd5bf
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Fri Jul 14 14:19:43 2023 -0400
19933: Fix token sharing scope
I'm not totally thrilled with adding user/current to the scopes
because it means sharing links leak a small amount of personal
information. We should think about whether we can either make it
unnecessary or hide the fields of the user record.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/src/services/api-client-authorization-service/api-client-authorization-service.test.ts b/src/services/api-client-authorization-service/api-client-authorization-service.test.ts
index 4dd01b87..624cd7cd 100644
--- a/src/services/api-client-authorization-service/api-client-authorization-service.test.ts
+++ b/src/services/api-client-authorization-service/api-client-authorization-service.test.ts
@@ -32,12 +32,14 @@ describe('ApiClientAuthorizationService', () => {
await apiClientAuthorizationService.createCollectionSharingToken(uuid);
expect(serverApi.post).toHaveBeenCalledWith(
'/api_client_authorizations', {
- scopes: [
- `GET /arvados/v1/collections/${uuid}`,
- `GET /arvados/v1/collections/${uuid}/`,
- `GET /arvados/v1/keep_services/accessible`,
- ]
- }
+ scopes: [
+ `GET /arvados/v1/collections/${uuid}`,
+ `GET /arvados/v1/collections/${uuid}/`,
+ `GET /arvados/v1/keep_services/accessible`,
+ `GET /arvados/v1/users/current`,
+ `GET /arvados/v1/api_client_authorizations/current`
+ ]
+ }
);
});
@@ -50,13 +52,15 @@ describe('ApiClientAuthorizationService', () => {
await apiClientAuthorizationService.createCollectionSharingToken(uuid, expDate);
expect(serverApi.post).toHaveBeenCalledWith(
'/api_client_authorizations', {
- scopes: [
- `GET /arvados/v1/collections/${uuid}`,
- `GET /arvados/v1/collections/${uuid}/`,
- `GET /arvados/v1/keep_services/accessible`,
- ],
- expires_at: expDate.toUTCString()
- }
+ scopes: [
+ `GET /arvados/v1/collections/${uuid}`,
+ `GET /arvados/v1/collections/${uuid}/`,
+ `GET /arvados/v1/keep_services/accessible`,
+ `GET /arvados/v1/users/current`,
+ `GET /arvados/v1/api_client_authorizations/current`
+ ],
+ expires_at: expDate.toUTCString()
+ }
);
});
});
@@ -73,15 +77,19 @@ describe('ApiClientAuthorizationService', () => {
const uuid = 'zzzzz-4zz18-0123456789abcde'
await apiClientAuthorizationService.listCollectionSharingTokens(uuid);
expect(serverApi.get).toHaveBeenCalledWith(
- `/api_client_authorizations`, {params: {
- filters: JSON.stringify([["scopes","=",[
+ `/api_client_authorizations`, {
+ params: {
+ filters: JSON.stringify([["scopes", "=", [
`GET /arvados/v1/collections/${uuid}`,
`GET /arvados/v1/collections/${uuid}/`,
'GET /arvados/v1/keep_services/accessible',
+ `GET /arvados/v1/users/current`,
+ `GET /arvados/v1/api_client_authorizations/current`
]]]),
select: undefined,
- }}
+ }
+ }
);
});
});
-});
\ No newline at end of file
+});
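Review bot: Each of the three tests in this file restates the same five-element scope list literally (the two `toHaveBeenCalledWith` expectations and the `filters: JSON.stringify(...)` assertion), so the next scope change has to be applied in three more places before the suite passes and a typo in one copy would go unnoticed. A small helper at the top of the describe block, `const sharingScopes = (uuid: string) => [...]`, used by all three expectations would make the expected set one definition. Since tokens created before this change carry only the first three scopes, a test pinning whether such a token is still matched by `listCollectionSharingTokens` would document that behaviour change explicitly.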
diff --git a/src/services/api-client-authorization-service/api-client-authorization-service.ts b/src/services/api-client-authorization-service/api-client-authorization-service.ts
index dbda0a42..e3443b97 100644
--- a/src/services/api-client-authorization-service/api-client-authorization-service.ts
+++ b/src/services/api-client-authorization-service/api-client-authorization-service.ts
@@ -23,10 +23,12 @@ export class ApiClientAuthorizationService extends CommonService<ApiClientAuthor
`GET /arvados/v1/collections/${uuid}`,
`GET /arvados/v1/collections/${uuid}/`,
`GET /arvados/v1/keep_services/accessible`,
+ `GET /arvados/v1/users/current`,
+ `GET /arvados/v1/api_client_authorizations/current`
]
}
return expDate !== undefined
- ? this.create({...data, expiresAt: expDate.toUTCString()})
+ ? this.create({ ...data, expiresAt: expDate.toUTCString() })
: this.create(data);
}
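Review bot: The scope list in `data` is now hand-copied in four places (this method, `listCollectionSharingTokens`, sharing-dialog.tsx and sharing-urls.tsx), and nothing in the code says why `users/current` and `api_client_authorizations/current` have to be granted, so the next edit to one copy will silently desynchronise the others and the reader has only the commit message for the privacy trade-off. I would extract the list into one exported helper and document the two new scopes there, with the privacy caveat from the commit message kept next to the code; whether the new scopes are needed for keep-web to bootstrap a session from the token is not visible here, so that part should be phrased as a TODO to confirm. The method signature and the start of the `data` literal are outside the hunk.
```typescript
// Scopes granted to a collection sharing token. Single source of truth:
// listCollectionSharingTokens() and the sharing dialog match tokens by this
// exact set, so any drift between copies makes existing links invisible in the UI.
// NOTE(review): users/current exposes the token owner's user record to anyone
// holding the link (see 19933); api_client_authorizations/current lets the
// holder read the token itself. TODO confirm which client needs each of them.
export const collectionSharingScopes = (uuid: string): string[] => [
    `GET /arvados/v1/collections/${uuid}`,
    `GET /arvados/v1/collections/${uuid}/`,
    `GET /arvados/v1/keep_services/accessible`,
    `GET /arvados/v1/users/current`,
    `GET /arvados/v1/api_client_authorizations/current`,
];

// … unchanged: class header and createCollectionSharingToken signature …
            scopes: collectionSharingScopes(uuid),
// … unchanged: expiresAt handling and create() call …
```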
@@ -39,8 +41,10 @@ export class ApiClientAuthorizationService extends CommonService<ApiClientAuthor
.addEqual("scopes", [
`GET /arvados/v1/collections/${uuid}`,
`GET /arvados/v1/collections/${uuid}/`,
- "GET /arvados/v1/keep_services/accessible"
+ `GET /arvados/v1/keep_services/accessible`,
+ `GET /arvados/v1/users/current`,
+ `GET /arvados/v1/api_client_authorizations/current`
]).getFilters()
});
}
-}
\ No newline at end of file
+}
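Review bot: `addEqual("scopes", [...])` is an exact array comparison, so sharing tokens issued before this commit with the old three-scope set are no longer returned by `listCollectionSharingTokens`; those links keep granting read access on the server but vanish from the only UI where a user would revoke them. Either the legacy set should be matched as well until existing tokens expire, or the change needs a documented one-time migration/revocation of old sharing tokens. At minimum the filter deserves a comment, `// exact match: tokens created with a different scope set (e.g. pre-19933 links) are not listed here`. The method signature is outside the hunk.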
diff --git a/src/views-components/sharing-dialog/sharing-dialog.tsx b/src/views-components/sharing-dialog/sharing-dialog.tsx
index 1c9e4d03..732fde4d 100644
--- a/src/views-components/sharing-dialog/sharing-dialog.tsx
+++ b/src/views-components/sharing-dialog/sharing-dialog.tsx
@@ -52,7 +52,9 @@ const mapStateToProps = (state: RootState, { working, ...props }: Props): Sharin
resource.kind === ResourceKind.API_CLIENT_AUTHORIZATION &&
resource.scopes.includes(`GET /arvados/v1/collections/${sharedResourceUuid}`) &&
resource.scopes.includes(`GET /arvados/v1/collections/${sharedResourceUuid}/`) &&
- resource.scopes.includes('GET /arvados/v1/keep_services/accessible')
+ resource.scopes.includes('GET /arvados/v1/keep_services/accessible') &&
+ resource.scopes.includes('GET /arvados/v1/users/current') &&
+ resource.scopes.includes('GET /arvados/v1/api_client_authorizations/current')
)(state.resources) as ApiClientAuthorization[]).length
: 0,
privateAccess: getSharingPublicAccessFormData(state)?.visibility === VisibilityLevel.PRIVATE,
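Review bot: The `includes` chain at the added lines counts any token whose scopes are a superset of these five, whereas `listCollectionSharingTokens` in the service filters on exact equality, so the `sharingTokens` count shown here and the server-side listing can disagree for tokens carrying extra scopes, while tokens created with the previous three-scope set are recognised by neither. The same five-line predicate is repeated verbatim in sharing-urls.tsx; a shared `isCollectionSharingToken(resource, uuid)` helper next to the service would keep both views in step with the service filter and give one place to document the matching rule. `mapStateToProps` starts before the hunk.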
diff --git a/src/views-components/sharing-dialog/sharing-urls.tsx b/src/views-components/sharing-dialog/sharing-urls.tsx
index 6fbf799b..715048b1 100644
--- a/src/views-components/sharing-dialog/sharing-urls.tsx
+++ b/src/views-components/sharing-dialog/sharing-urls.tsx
@@ -23,11 +23,13 @@ const mapStateToProps =
(state: RootState, ownProps: { uuid: string }): SharingURLsComponentDataProps => {
const sharingTokens = filterResources(
(resource: ApiClientAuthorization) =>
- resource.kind === ResourceKind.API_CLIENT_AUTHORIZATION &&
+ resource.kind === ResourceKind.API_CLIENT_AUTHORIZATION &&
resource.scopes.includes(`GET /arvados/v1/collections/${ownProps.uuid}`) &&
resource.scopes.includes(`GET /arvados/v1/collections/${ownProps.uuid}/`) &&
- resource.scopes.includes('GET /arvados/v1/keep_services/accessible')
- )(state.resources) as ApiClientAuthorization[];
+ resource.scopes.includes('GET /arvados/v1/keep_services/accessible') &&
+ resource.scopes.includes('GET /arvados/v1/users/current') &&
+ resource.scopes.includes('GET /arvados/v1/api_client_authorizations/current')
+ )(state.resources) as ApiClientAuthorization[];
const sharingURLsPrefix = state.auth.config.keepWebInlineServiceUrl;
return {
collectionUuid: ownProps.uuid,
@@ -50,4 +52,3 @@ const mapDispatchToProps = (dispatch: Dispatch): SharingURLsComponentActionProps
})
export const SharingURLsContent = connect(mapStateToProps, mapDispatchToProps)(SharingURLsComponent)
-