[ARVADOS] created: 4425dbc002ec66aa18a6769d9c1aba46c8d30586

git at public.curoverse.com git at public.curoverse.com
Thu Apr 24 10:44:36 EDT 2014


        at  4425dbc002ec66aa18a6769d9c1aba46c8d30586 (commit)


commit 4425dbc002ec66aa18a6769d9c1aba46c8d30586
Author: Brett Smith <brett at curoverse.com>
Date:   Thu Apr 24 10:45:06 2014 -0400

    workbench: Support api_ticket parameter.
    
    This parameter provides an API token to use for these requests only.
    We'll use it in no-auth-required URLs to make it easier for users to
    share resources with each other.

diff --git a/apps/workbench/app/controllers/application_controller.rb b/apps/workbench/app/controllers/application_controller.rb
index 41d5566..f48daa3 100644
--- a/apps/workbench/app/controllers/application_controller.rb
+++ b/apps/workbench/app/controllers/application_controller.rb
@@ -183,7 +183,7 @@ class ApplicationController < ActionController::Base
   end
 
   protected
-    
+
   def find_object_by_uuid
     if params[:id] and params[:id].match /\D/
       params[:uuid] = params.delete :id
@@ -206,7 +206,17 @@ class ApplicationController < ActionController::Base
   def thread_with_api_token(login_optional = false)
     begin
       try_redirect_to_login = true
-      if params[:api_token]
+      if params[:api_ticket]
+        # Use the provided token for this request only.
+        try_redirect_to_login = false
+        Thread.current[:arvados_api_token] = params[:api_ticket]
+        if verify_api_token
+          yield
+        else
+          @errors = ['Invalid API token']
+          self.render_error status: 401
+        end
+      elsif params[:api_token]
         try_redirect_to_login = false
         Thread.current[:arvados_api_token] = params[:api_token]
         # Before copying the token into session[], do a simple API
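Review bot: The new `api_ticket` branch takes a bearer credential straight from `params`, so a ticket carried in the URL query string will be written to server access logs, browser history and outbound Referer headers whenever the loaded page links elsewhere; because the commit's stated purpose is sharing such URLs, `api_ticket` should be added alongside `api_token` wherever the app filters sensitive parameters from logs (Rails' `config.filter_parameters`). The comment on the branch could also state the intended contract explicitly: `# Use the provided token for this request only; it is never copied into session[].`. A valid ticket is honoured before any session token is consulted, so it overrides a logged-in user's identity for that request — consistent with the new test, but worth saying in the same comment. The rest of thread_with_api_token, including any cleanup of Thread.current[:arvados_api_token] after the yield, lies outside the hunk; confirm the ticket cannot persist past the request.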
@@ -281,7 +291,7 @@ class ApplicationController < ActionController::Base
       yield
     else
       # We skipped thread_with_mandatory_api_token. Use the optional version.
-      thread_with_api_token(true) do 
+      thread_with_api_token(true) do
         yield
       end
     end
@@ -334,7 +344,7 @@ class ApplicationController < ActionController::Base
   @@notification_tests = []
 
   @@notification_tests.push lambda { |controller, current_user|
-    AuthorizedKey.limit(1).where(authorized_user_uuid: current_user.uuid).each do   
+    AuthorizedKey.limit(1).where(authorized_user_uuid: current_user.uuid).each do
       return nil
     end
     return lambda { |view|
@@ -374,7 +384,7 @@ class ApplicationController < ActionController::Base
     @notifications = []
 
     if current_user
-      @showallalerts = false      
+      @showallalerts = false
       @@notification_tests.each do |t|
         a = t.call(self, current_user)
         if a
diff --git a/apps/workbench/test/functional/api_ticket_test.rb b/apps/workbench/test/functional/api_ticket_test.rb
new file mode 100644
index 0000000..582de2c
--- /dev/null
+++ b/apps/workbench/test/functional/api_ticket_test.rb
@@ -0,0 +1,34 @@
+# This test exercises behavior in ApplicationController.
+
+require 'test_helper'
+
+class ApiTicketTest < ActionController::TestCase
+  test "api_ticket temporarily overrides api_token" do
+    # ApiClientAuthorizationsController provides the easiest way to get
+    # different results across different users.
+    @controller = ApiClientAuthorizationsController.new
+    def get_page_with(*get_args)
+      get :index, *get_args
+      assert_response(:success, "failed to get index with #{get_args}")
+      JSON.parse(@response.body).map { |auth| auth['api_token'] }
+    end
+    auths = api_fixture('api_client_authorizations')
+    json_param = {format: :json}
+    ticket_params =
+      json_param.merge(api_ticket: auths['active_trustedclient']['api_token'])
+    token_params =
+      json_param.merge(api_token: auths['admin_trustedclient']['api_token'])
+    # Make sure api_ticket works with no state.
+    ticket_results = get_page_with(ticket_params)
+    # Set up a session by using api_token.
+    token_results = get_page_with(token_params)
+    assert_not_equal(ticket_results, token_results,
+                     "different API tokens reported identical results")
+    # Make sure api_ticket overrides the session.
+    assert_equal(ticket_results, get_page_with(ticket_params),
+                 "results using api_ticket are inconsistent")
+    # Make sure using api_ticket didn't break the session.
+    assert_equal(token_results, get_page_with(json_param),
+                 "results relying on session token are inconsistent")
+  end
+end
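Review bot: The invalid-ticket path added in application_controller.rb (`render_error status: 401`) has no coverage here; a second test that establishes a session with `token_params`, then sends a bogus ticket and checks `assert_response(401)`, would confirm that a bad ticket fails closed instead of falling back to the session token, e.g. `get :index, json_param.merge(api_ticket: 'bogus-ticket')` followed by `assert_response(401)` (constructed value). Defining `get_page_with` with `def` inside the test block installs it as a public instance method of ApiTicketTest each time the test runs; a lambda, or a private helper defined outside the block, is the conventional form. The failure message on the assert_response line interpolates `get_args`, which contains the token value, into test output; naming the parameter used would be enough.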
