[ARVADOS] updated: 1059fd1f9e22ebcae51413d2b0fde0416c71c79b

git at public.curoverse.com git at public.curoverse.com
Wed Apr 23 13:07:37 EDT 2014 

Summary of changes:
 .../app/controllers/arvados/v1/users_controller.rb |    2 +-
 services/api/lib/current_api_client.rb             |    8 +++--
 .../functional/arvados/v1/users_controller_test.rb |   25 +++++++++++++++
 services/api/test/unit/application_test.rb         |   32 ++++++++++++++++++++
 4 files changed, 63 insertions(+), 4 deletions(-)
 create mode 100644 services/api/test/unit/application_test.rb

       via  1059fd1f9e22ebcae51413d2b0fde0416c71c79b (commit)
      from  49aaa9f26dfaf50056abd7527976b681be26208b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 1059fd1f9e22ebcae51413d2b0fde0416c71c79b
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Wed Apr 23 13:00:03 2014 -0400

    Security bug fix to act_as_system_user to restore correct user if an
    exception is raised.  Also adds tests for act_as_system_user.
    
    Also a minor style cleanup of "== []" to ".empty?" and some additional
    checks to test "refuse to activate a user before signing UA".

diff --git a/services/api/app/controllers/arvados/v1/users_controller.rb b/services/api/app/controllers/arvados/v1/users_controller.rb
index f5255bc..c2a32f0 100644
--- a/services/api/app/controllers/arvados/v1/users_controller.rb
+++ b/services/api/app/controllers/arvados/v1/users_controller.rb
@@ -74,7 +74,7 @@ class Arvados::V1::UsersController < ApplicationController
                                   head_uuid: required_uuids).
           collect(&:head_uuid)
         todo_uuids = required_uuids - signed_uuids
-        if todo_uuids == []
+        if todo_uuids.empty?
           @object.update_attributes is_active: true
           logger.info "User #{@object.uuid} activated"
         else
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 401be16..bbba4dc 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -98,9 +98,11 @@ module CurrentApiClient
     if block_given?
       user_was = Thread.current[:user]
       Thread.current[:user] = system_user
-      ret = yield
-      Thread.current[:user] = user_was
-      ret
+      begin
+        yield
+      ensure
+        Thread.current[:user] = user_was
+      end
     else
       Thread.current[:user] = system_user
     end
diff --git a/services/api/test/functional/arvados/v1/users_controller_test.rb b/services/api/test/functional/arvados/v1/users_controller_test.rb
index abf1ba1..b6bb205 100644
--- a/services/api/test/functional/arvados/v1/users_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/users_controller_test.rb
@@ -21,12 +21,37 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
   end
 
   test "refuse to activate a user before signing UA" do
+    act_as_system_user do
+    required_uuids = Link.where("owner_uuid = ? and link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?",
+                                system_user_uuid,
+                                'signature',
+                                'require',
+                                system_user_uuid,
+                                Collection.uuid_like_pattern).
+      collect(&:head_uuid)
+
+      assert required_uuids.length > 0
+
+      signed_uuids = Link.where(owner_uuid: system_user_uuid,
+                                link_class: 'signature',
+                                name: 'click',
+                                tail_uuid: users(:inactive).uuid,
+                                head_uuid: required_uuids).
+        collect(&:head_uuid)
+
+      assert_equal 0, signed_uuids.length
+    end
+
     authorize_with :inactive
+
     get :current
     assert_response :success
     me = JSON.parse(@response.body)
+    assert_equal false, me['is_active']
+
     post :activate, uuid: me['uuid']
     assert_response 403
+
     get :current
     assert_response :success
     me = JSON.parse(@response.body)
diff --git a/services/api/test/unit/application_test.rb b/services/api/test/unit/application_test.rb
new file mode 100644
index 0000000..ca80319
--- /dev/null
+++ b/services/api/test/unit/application_test.rb
@@ -0,0 +1,32 @@
+require 'test_helper'
+
+class ApplicationTest < ActiveSupport::TestCase
+  include CurrentApiClient
+
+  test "test act_as_system_user" do
+    Thread.current[:user] = users(:active)
+    assert_equal users(:active), Thread.current[:user]
+    act_as_system_user do
+      assert_not_equal users(:active), Thread.current[:user]
+      assert_equal system_user, Thread.current[:user]
+    end
+    assert_equal users(:active), Thread.current[:user]
+  end
+
+  test "test act_as_system_user is exception safe" do
+    Thread.current[:user] = users(:active)
+    assert_equal users(:active), Thread.current[:user]
+    caught = false
+    begin
+      act_as_system_user do
+        assert_not_equal users(:active), Thread.current[:user]
+        assert_equal system_user, Thread.current[:user]
+        raise "Fail"
+      end
+    rescue
+      caught = true
+    end
+    assert caught
+    assert_equal users(:active), Thread.current[:user]
+  end
+end

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list