[ARVADOS] updated: 13163d646a6da8d53984dfb54d365cdfb90afde3

Wed Feb 10 12:26:03 EST 2016

Summary of changes:
 .../v1/api_client_authorizations_controller.rb     | 19 +++++++---
 .../api_client_authorizations_controller_test.rb   | 44 ++++++++++++++++++++++
 2 files changed, 58 insertions(+), 5 deletions(-)

       via  13163d646a6da8d53984dfb54d365cdfb90afde3 (commit)
      from  54e24a7233fe2dd4c84c9c6a54262f2858400f92 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 13163d646a6da8d53984dfb54d365cdfb90afde3
Author: radhika <radhika at curoverse.com>
Date:   Wed Feb 10 12:19:23 2016 -0500

    8079: Added support get using uuid and list using uuid or api_token and added tests.

diff --git a/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb b/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb
index f365a7f..2eb79c0 100644
--- a/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb
+++ b/services/api/app/controllers/arvados/v1/api_client_authorizations_controller.rb
@@ -56,7 +56,7 @@ class Arvados::V1::ApiClientAuthorizationsController < ApplicationController
         ((attr == 'scopes') and (operator == '=')) ? operand : nil
       })
       @filters.select! { |attr, operator, operand|
-        (attr == 'uuid') and (operator == '=')
+        ((attr == 'uuid') and (operator == '=')) || ((attr == 'api_token') and (operator == '='))
       }
     end
     if @where
@@ -74,14 +74,23 @@ class Arvados::V1::ApiClientAuthorizationsController < ApplicationController
   end
 
   def find_object_by_uuid
-    # Again, to make things easier for the client and our own routing,
-    # here we look for the api_token key in a "uuid" (POST) or "id"
-    # (GET) parameter.
-    @object = model_class.where('api_token=?', params[:uuid] || params[:id]).first
+    @object = model_class.where(uuid: (params[:uuid] || params[:id])).first
   end
 
   def current_api_client_is_trusted
     unless Thread.current[:api_client].andand.is_trusted
+      if params["action"] == "show"
+        if @object and @object['api_token'] == current_api_client_authorization.andand.api_token
+          return true
+        end
+      elsif params["action"] == "index" and @objects.andand.size == 1
+        filters = @filters.map{|f|f.first}.uniq
+        if ['uuid'] == filters
+          return true if @objects.first['api_token'] == current_api_client_authorization.andand.api_token
+        elsif ['api_token'] == filters
+          return true if @objects.first[:user_id] = current_user.id
+        end
+      end
       send_error('Forbidden: this API client cannot manipulate other clients\' access tokens.',
                  status: 403)
     end
diff --git a/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb b/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb
index 8877719..5da9145 100644
--- a/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb
@@ -23,6 +23,7 @@ class Arvados::V1::ApiClientAuthorizationsControllerTest < ActionController::Tes
     authorize_with :admin_trustedclient
     post :create_system_auth, scopes: '["test"]'
     assert_response :success
+    assert_not_nil JSON.parse(@response.body)['uuid']
   end
 
   test "prohibit create system auth with token from non-trusted client" do
@@ -66,4 +67,47 @@ class Arvados::V1::ApiClientAuthorizationsControllerTest < ActionController::Tes
       assert_found_tokens(auth, {filters: [['scopes', '=', scopes]]}, *expected)
     end
   end
+
+  [
+    [:admin, :admin, 200],
+    [:admin, :active, 403],
+    [:admin, :admin_vm, 403], # this belongs to the user of current session, but we can't get it by uuid
+    [:admin_trustedclient, :active, 200],
+  ].each do |user, token, status|
+    test "as user #{user} get #{token} token and expect #{status}" do
+      authorize_with user
+      get :show, {id: api_client_authorizations(token).uuid}
+      assert_response status
+    end
+  end
+
+  [
+    [:admin, :admin, 200],
+    [:admin, :active, 403],
+    [:admin, :admin_vm, 403], # this belongs to the user of current session, but we can't list it by uuid
+    [:admin_trustedclient, :active, 200],
+  ].each do |user, token, status|
+    test "as user #{user} list #{token} token using uuid and expect #{status}" do
+      authorize_with user
+      get :index, {
+        filters: [['uuid','=',api_client_authorizations(token).uuid]]
+      }
+      assert_response status
+    end
+  end
+
+  [
+    [:admin, :admin, 200],
+    [:admin, :active, 403],
+    [:admin, :admin_vm, 200], # this belongs to the user of current session, and can be listed by token
+    [:admin_trustedclient, :active, 200],
+  ].each do |user, token, status|
+    test "as user #{user} list #{token} token using token and expect #{status}" do
+      authorize_with user
+      get :index, {
+        filters: [['api_token','=',api_client_authorizations(token).api_token]]
+      }
+      assert_response status
+    end
+  end
 end

-----------------------------------------------------------------------


hooks/post-receive
-- 


