[ARVADOS] updated: ab5c781a072ed673bba347b9418735b7007deeb4

git at public.curoverse.com git at public.curoverse.com
Wed Apr 23 16:52:07 EDT 2014 

Summary of changes:
 .../api/app/controllers/application_controller.rb  |   12 ++++--------
 .../arvados/v1/keep_disks_controller.rb            |    2 +-
 .../app/controllers/arvados/v1/nodes_controller.rb |    2 +-
 .../controllers/arvados/v1/schema_controller.rb    |    6 +++---
 services/api/app/controllers/static_controller.rb  |    2 +-
 .../app/controllers/user_sessions_controller.rb    |    2 +-
 services/api/lib/current_api_client.rb             |    8 ++++----
 .../api_client_authorizations_scopes_test.rb       |   16 ++++++++++------
 8 files changed, 25 insertions(+), 25 deletions(-)

       via  ab5c781a072ed673bba347b9418735b7007deeb4 (commit)
       via  d2de80719e4a002092813c40b5e63d1f83e8f2e0 (commit)
      from  2fc6dde609883cf65b6d0eadd16a7bb8a738f026 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit ab5c781a072ed673bba347b9418735b7007deeb4
Author: Brett Smith <brett at curoverse.com>
Date:   Wed Apr 23 16:52:36 2014 -0400

    api: Improve API token scope tests.
    
    Most of these changes clarify the purpose of the tests for readers.
    There's one minor new assertion.
    
    Refs #1904.

diff --git a/services/api/test/integration/api_client_authorizations_scopes_test.rb b/services/api/test/integration/api_client_authorizations_scopes_test.rb
index 0961b81..ba91670 100644
--- a/services/api/test/integration/api_client_authorizations_scopes_test.rb
+++ b/services/api/test/integration/api_client_authorizations_scopes_test.rb
@@ -20,7 +20,6 @@ class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest
   end
 
   def request_with_auth(method, path, params={})
-    https!
     send(method, path, @token.merge(params))
   end
 
@@ -36,6 +35,8 @@ class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest
     auth_with :active_userlist
     get_with_auth v1_url('users')
     assert_response :success
+    get_with_auth v1_url('users', '')  # Add trailing slash.
+    assert_response :success
     get_with_auth v1_url('users', 'current')
     assert_response 403
     get_with_auth v1_url('virtual_machines')
@@ -52,7 +53,7 @@ class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest
     assert_includes(403..404, @response.status)
   end
 
-  test "multiple scopes" do
+  test "token with multiple scopes can use them all" do
     def get_token_count
       get_with_auth v1_url('api_client_authorizations')
       assert_response :success
@@ -61,15 +62,18 @@ class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest
       token_count
     end
     auth_with :active_apitokens
-    get_with_auth v1_url('api_client_authorizations',
-                         api_client_authorizations(:active_apitokens).uuid)
-    assert_response 403
+    # Test the GET scope.
     token_count = get_token_count
+    # Test the POST scope.
     post_with_auth(v1_url('api_client_authorizations'),
                    api_client_authorization: {user_id: users(:active).id})
     assert_response :success
     assert_equal(token_count + 1, get_token_count,
-                 "token count suggests new token was not created")
+                 "token count suggests POST was not accepted")
+    # Test other requests are denied.
+    get_with_auth v1_url('api_client_authorizations',
+                         api_client_authorizations(:active_apitokens).uuid)
+    assert_response 403
   end
 
   test "token without scope has no access" do

commit d2de80719e4a002092813c40b5e63d1f83e8f2e0
Author: Brett Smith <brett at curoverse.com>
Date:   Wed Apr 23 16:33:51 2014 -0400

    api: Simplify API token scope checks.
    
    The previous code was organized with a slightly different idea of how
    scopes would be codified.  Now that we know they're a check against
    the request string, we can simplify a bit to reduce clutter.
    
    Refs #1904.

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 0331127..99906b8 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -7,7 +7,7 @@ class ApplicationController < ActionController::Base
   around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found]
 
   before_filter :remote_ip
-  before_filter :require_auth_scope_all, :except => :render_not_found
+  before_filter :require_auth_scope, :except => :render_not_found
   before_filter :catch_redirect_hint
 
   before_filter :load_where_param, :only => :index
@@ -320,13 +320,9 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def require_auth_scope_all
-    require_login and
-      require_auth_scope(["#{request.method} #{request.path}"])
-  end
-
-  def require_auth_scope(ok_scopes)
-    unless current_api_client_auth_has_scope(ok_scopes)
+  def require_auth_scope
+    return false unless require_login
+    unless current_api_client_auth_has_scope("#{request.method} #{request.path}")
       render :json => { errors: ['Forbidden'] }.to_json, status: 403
     end
   end
diff --git a/services/api/app/controllers/arvados/v1/keep_disks_controller.rb b/services/api/app/controllers/arvados/v1/keep_disks_controller.rb
index 3d91916..47018d4 100644
--- a/services/api/app/controllers/arvados/v1/keep_disks_controller.rb
+++ b/services/api/app/controllers/arvados/v1/keep_disks_controller.rb
@@ -1,5 +1,5 @@
 class Arvados::V1::KeepDisksController < ApplicationController
-  skip_before_filter :require_auth_scope_all, :only => :ping
+  skip_before_filter :require_auth_scope, :only => :ping
 
   def self._ping_requires_parameters
     {
diff --git a/services/api/app/controllers/arvados/v1/nodes_controller.rb b/services/api/app/controllers/arvados/v1/nodes_controller.rb
index eda8b07..d7a477d 100644
--- a/services/api/app/controllers/arvados/v1/nodes_controller.rb
+++ b/services/api/app/controllers/arvados/v1/nodes_controller.rb
@@ -1,5 +1,5 @@
 class Arvados::V1::NodesController < ApplicationController
-  skip_before_filter :require_auth_scope_all, :only => :ping
+  skip_before_filter :require_auth_scope, :only => :ping
   skip_before_filter :find_object_by_uuid, :only => :ping
   skip_before_filter :render_404_if_no_object, :only => :ping
 
diff --git a/services/api/app/controllers/arvados/v1/schema_controller.rb b/services/api/app/controllers/arvados/v1/schema_controller.rb
index 1cc8496..625519e 100644
--- a/services/api/app/controllers/arvados/v1/schema_controller.rb
+++ b/services/api/app/controllers/arvados/v1/schema_controller.rb
@@ -2,7 +2,7 @@ class Arvados::V1::SchemaController < ApplicationController
   skip_before_filter :find_objects_for_index
   skip_before_filter :find_object_by_uuid
   skip_before_filter :render_404_if_no_object
-  skip_before_filter :require_auth_scope_all
+  skip_before_filter :require_auth_scope
 
   def index
     expires_in 24.hours, public: true
@@ -69,7 +69,7 @@ class Arvados::V1::SchemaController < ApplicationController
         schemas: {},
         resources: {}
       }
-      
+
       ActiveRecord::Base.descendants.reject(&:abstract_class?).each do |k|
         begin
           ctl_class = "Arvados::V1::#{k.to_s.pluralize}Controller".constantize
@@ -175,7 +175,7 @@ class Arvados::V1::SchemaController < ApplicationController
               description:
                  %|List #{k.to_s.pluralize}.
 
-                   The <code>list</code> method returns a 
+                   The <code>list</code> method returns a
                    <a href="/api/resources.html">resource list</a> of
                    matching #{k.to_s.pluralize}. For example:
 
diff --git a/services/api/app/controllers/static_controller.rb b/services/api/app/controllers/static_controller.rb
index fda0880..c71b850 100644
--- a/services/api/app/controllers/static_controller.rb
+++ b/services/api/app/controllers/static_controller.rb
@@ -3,7 +3,7 @@ class StaticController < ApplicationController
 
   skip_before_filter :find_object_by_uuid
   skip_before_filter :render_404_if_no_object
-  skip_before_filter :require_auth_scope_all, :only => [ :home, :login_failure ]
+  skip_before_filter :require_auth_scope, :only => [ :home, :login_failure ]
 
   def home
     if Rails.configuration.respond_to? :workbench_address
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index a7391bd..3d4b05a 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -1,5 +1,5 @@
 class UserSessionsController < ApplicationController
-  before_filter :require_auth_scope_all, :only => [ :destroy ]
+  before_filter :require_auth_scope, :only => [ :destroy ]
 
   skip_before_filter :find_object_by_uuid
   skip_before_filter :render_404_if_no_object
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 2d9fe18..c3f55a9 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -29,15 +29,15 @@ module CurrentApiClient
     Thread.current[:api_client_ip_address]
   end
 
-  # Does the current API client authorization include any of ok_scopes?
-  def current_api_client_auth_has_scope(ok_scopes)
+  # Is the current API client authorization scoped for the request?
+  def current_api_client_auth_has_scope(req_s)
     (current_api_client_authorization.andand.scopes || []).select { |scope|
       if scope == 'all'
         true
       elsif scope.end_with? '/'
-        ok_scopes.select { |s| s.start_with? scope }.any?
+        req_s.start_with? scope
       else
-        ok_scopes.include? scope
+        req_s == scope
       end
     }.any?
   end

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list