[ARVADOS] updated: 9cb175a358a7ac410901827d5f7de6a5aabe52bf

git at public.curoverse.com git at public.curoverse.com
Thu Oct 8 11:08:30 EDT 2015 

Summary of changes:
 tools/keep-rsync/keep-rsync.go      |  7 ++--
 tools/keep-rsync/keep-rsync_test.go | 72 +++++++++++++++++++++++++++++++++----
 2 files changed, 71 insertions(+), 8 deletions(-)

       via  9cb175a358a7ac410901827d5f7de6a5aabe52bf (commit)
      from  0fa9a01d6fb567fa6e2f72cae3596da2c12c35fd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 9cb175a358a7ac410901827d5f7de6a5aabe52bf
Author: radhika <radhika at curoverse.com>
Date:   Thu Oct 8 11:06:57 2015 -0400

    7167: set enforce_permissions to true if blob signing key argument is provided.

diff --git a/tools/keep-rsync/keep-rsync.go b/tools/keep-rsync/keep-rsync.go
index 6bfbbac..313c188 100644
--- a/tools/keep-rsync/keep-rsync.go
+++ b/tools/keep-rsync/keep-rsync.go
@@ -14,6 +14,7 @@ import (
 var (
 	srcConfig           arvadosclient.APIConfig
 	dstConfig           arvadosclient.APIConfig
+	blobSigningKey      string
 	srcKeepServicesJSON string
 	dstKeepServicesJSON string
 	replications        int
@@ -30,7 +31,7 @@ func main() {
 		"",
 		"Source configuration filename with full path that contains "+
 			"an ARVADOS_API_TOKEN which is a valid datamanager token recognized by the source keep servers, "+
-			"ARVADOS_API_HOST, ARVADOS_API_HOST_INSECURE, and ARVADOS_BLOB_SIGNING_KEY.")
+			"ARVADOS_API_HOST, ARVADOS_API_HOST_INSECURE, ARVADOS_EXTERNAL_CLIENT and ARVADOS_BLOB_SIGNING_KEY.")
 
 	flag.StringVar(
 		&dstConfigFile,
@@ -38,7 +39,7 @@ func main() {
 		"",
 		"Destination configuration filename with full path that contains "+
 			"an ARVADOS_API_TOKEN which is a valid datamanager token recognized by the destination keep servers, "+
-			"ARVADOS_API_HOST, ARVADOS_API_HOST_INSECURE, and ARVADOS_BLOB_SIGNING_KEY.")
+			"ARVADOS_API_HOST, ARVADOS_API_HOST_INSECURE, ARVADOS_EXTERNAL_CLIENT and ARVADOS_BLOB_SIGNING_KEY.")
 
 	flag.StringVar(
 		&srcKeepServicesJSON,
@@ -121,6 +122,8 @@ func readConfigFromFile(filename string) (arvadosclient.APIConfig, error) {
 			config.APIHostInsecure = matchTrue.MatchString(kv[1])
 		case "ARVADOS_EXTERNAL_CLIENT":
 			config.ExternalClient = matchTrue.MatchString(kv[1])
+		case "ARVADOS_BLOB_SIGNING_KEY":
+			blobSigningKey = kv[1]
 		}
 	}
 	return config, nil
diff --git a/tools/keep-rsync/keep-rsync_test.go b/tools/keep-rsync/keep-rsync_test.go
index a4d26fd..c2a8112 100644
--- a/tools/keep-rsync/keep-rsync_test.go
+++ b/tools/keep-rsync/keep-rsync_test.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"testing"
+	"time"
 
 	"git.curoverse.com/arvados.git/sdk/go/arvadostest"
 	"git.curoverse.com/arvados.git/sdk/go/keepclient"
@@ -42,7 +43,7 @@ func (s *ServerRequiredSuite) TearDownSuite(c *C) {
 // The test setup hence tweaks keep-rsync initialzation to achieve this.
 // First invoke initializeKeepRsync and then invoke StartKeepAdditional
 // to create the keep servers to be used as destination.
-func setupRsync(c *C) {
+func setupRsync(c *C, enforcePermissions bool) {
 	// srcConfig
 	srcConfig.APIHost = os.Getenv("ARVADOS_API_HOST")
 	srcConfig.APIToken = os.Getenv("ARVADOS_API_TOKEN")
@@ -54,17 +55,20 @@ func setupRsync(c *C) {
 	dstConfig.APIHostInsecure = matchTrue.MatchString(os.Getenv("ARVADOS_API_HOST_INSECURE"))
 
 	replications = 1
+	if enforcePermissions {
+		blobSigningKey = "zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc"
+	}
 
 	// Start API and Keep servers
 	arvadostest.StartAPI()
-	arvadostest.StartKeep()
+	arvadostest.StartKeepWithParams(false, enforcePermissions)
 
 	// initialize keep-rsync
 	err := initializeKeepRsync()
 	c.Assert(err, Equals, nil)
 
 	// Create two more keep servers to be used as destination
-	arvadostest.StartKeepWithParams(true, false)
+	arvadostest.StartKeepWithParams(true, enforcePermissions)
 
 	// load kcDst
 	kcDst, err = keepclient.MakeKeepClient(&arvDst)
@@ -81,7 +85,8 @@ func (s *ServerRequiredSuite) TestReadConfigFromFile(c *C) {
 
 	fileContent := "ARVADOS_API_HOST=testhost\n"
 	fileContent += "ARVADOS_API_TOKEN=testtoken\n"
-	fileContent += "ARVADOS_API_HOST_INSECURE=true"
+	fileContent += "ARVADOS_API_HOST_INSECURE=true\n"
+	fileContent += "ARVADOS_BLOB_SIGNING_KEY=abcdefg"
 
 	_, err = file.Write([]byte(fileContent))
 
@@ -92,6 +97,7 @@ func (s *ServerRequiredSuite) TestReadConfigFromFile(c *C) {
 	c.Assert(config.APIToken, Equals, "testtoken")
 	c.Assert(config.APIHostInsecure, Equals, true)
 	c.Assert(config.ExternalClient, Equals, false)
+	c.Assert(blobSigningKey, Equals, "abcdefg")
 }
 
 // Test keep-rsync initialization, with src and dst keep servers.
@@ -100,7 +106,7 @@ func (s *ServerRequiredSuite) TestReadConfigFromFile(c *C) {
 // Do a Get in dst for the src hash, which should raise block not found error.
 // Do a Get in src for the dst hash, which should raise block not found error.
 func (s *ServerRequiredSuite) TestRsyncPutInOne_GetFromOtherShouldFail(c *C) {
-	setupRsync(c)
+	setupRsync(c, false)
 
 	// Put a block in src using kcSrc and Get it
 	srcData := []byte("test-data1")
@@ -145,7 +151,7 @@ func (s *ServerRequiredSuite) TestRsyncPutInOne_GetFromOtherShouldFail(c *C) {
 func (s *ServerRequiredSuite) TestRsyncInitializeWithKeepServicesJSON(c *C) {
 	srcKeepServicesJSON = "{ \"kind\":\"arvados#keepServiceList\", \"etag\":\"\", \"self_link\":\"\", \"offset\":null, \"limit\":null, \"items\":[ { \"href\":\"/keep_services/zzzzz-bi6l4-123456789012340\", \"kind\":\"arvados#keepService\", \"etag\":\"641234567890enhj7hzx432e5\", \"uuid\":\"zzzzz-bi6l4-123456789012340\", \"owner_uuid\":\"zzzzz-tpzed-123456789012345\", \"service_host\":\"keep0.zzzzz.arvadosapi.com\", \"service_port\":25107, \"service_ssl_flag\":false, \"service_type\":\"disk\", \"read_only\":false }, { \"href\":\"/keep_services/zzzzz-bi6l4-123456789012341\", \"kind\":\"arvados#keepService\", \"etag\":\"641234567890enhj7hzx432e5\", \"uuid\":\"zzzzz-bi6l4-123456789012341\", \"owner_uuid\":\"zzzzz-tpzed-123456789012345\", \"service_host\":\"keep0.zzzzz.arvadosapi.com\", \"service_port\":25108, \"service_ssl_flag\":false, \"service_type\":\"disk\", \"read_only\":false } ], \"items_available\":2 }"
 
-	setupRsync(c)
+	setupRsync(c, false)
 
 	localRoots := kcSrc.LocalRoots()
 	c.Check(localRoots != nil, Equals, true)
@@ -166,3 +172,57 @@ func (s *ServerRequiredSuite) TestRsyncInitializeWithKeepServicesJSON(c *C) {
 	}
 	c.Check(foundIt, Equals, true)
 }
+
+// Test keep-rsync initialization, with src and dst keep servers with blobSingingKey.
+// Do a Put and Get in src, both of which should succeed.
+// Do a Put and Get in dst, both of which should succeed.
+// Do a Get in dst for the src hash, which should raise block not found error.
+// Do a Get in src for the dst hash, which should raise block not found error.
+func (s *ServerRequiredSuite) TestRsyncWithBlobSigning_PutInOne_GetFromOtherShouldFail(c *C) {
+	setupRsync(c, true)
+
+	// Put a block in src using kcSrc and Get it
+	srcData := []byte("test-data1")
+	locatorInSrc := fmt.Sprintf("%x", md5.Sum(srcData))
+
+	hash, rep, err := kcSrc.PutB(srcData)
+	c.Check(hash, Matches, fmt.Sprintf(`^%s\+10(\+.+)?$`, locatorInSrc))
+	c.Check(rep, Equals, 2)
+	c.Check(err, Equals, nil)
+
+	tomorrow := time.Now().AddDate(0, 0, 1)
+	signedLocator := keepclient.SignLocator(locatorInSrc, arvSrc.ApiToken, tomorrow, []byte(blobSigningKey))
+
+	reader, blocklen, _, err := kcSrc.Get(signedLocator)
+	c.Assert(err, Equals, nil)
+	c.Check(blocklen, Equals, int64(10))
+	all, err := ioutil.ReadAll(reader)
+	c.Check(all, DeepEquals, srcData)
+
+	// Put a different block in src using kcSrc and Get it
+	dstData := []byte("test-data2")
+	locatorInDst := fmt.Sprintf("%x", md5.Sum(dstData))
+
+	hash, rep, err = kcDst.PutB(dstData)
+	c.Check(hash, Matches, fmt.Sprintf(`^%s\+10(\+.+)?$`, locatorInDst))
+	c.Check(rep, Equals, 1)
+	c.Check(err, Equals, nil)
+
+	signedLocator = keepclient.SignLocator(locatorInDst, arvDst.ApiToken, tomorrow, []byte(blobSigningKey))
+
+	reader, blocklen, _, err = kcDst.Get(signedLocator)
+	c.Assert(err, Equals, nil)
+	c.Check(blocklen, Equals, int64(10))
+	all, err = ioutil.ReadAll(reader)
+	c.Check(all, DeepEquals, dstData)
+
+	// Get srcLocator using kcDst should fail with NotFound error
+	signedLocator = keepclient.SignLocator(locatorInSrc, arvDst.ApiToken, tomorrow, []byte(blobSigningKey))
+	_, _, _, err = kcDst.Get(locatorInSrc)
+	c.Assert(err.Error(), Equals, "Block not found")
+
+	// Get dstLocator using kcSrc should fail with NotFound error
+	signedLocator = keepclient.SignLocator(locatorInDst, arvSrc.ApiToken, tomorrow, []byte(blobSigningKey))
+	_, _, _, err = kcSrc.Get(locatorInDst)
+	c.Assert(err.Error(), Equals, "Block not found")
+}

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list