[ARVADOS] created: f84926fc3f934ea1958c810637851ec91994fc16

Git user git at public.curoverse.com
Thu Oct 20 09:06:31 EDT 2016


        at  f84926fc3f934ea1958c810637851ec91994fc16 (commit)


commit f84926fc3f934ea1958c810637851ec91994fc16
Author: Tom Clegg <tom at curoverse.com>
Date:   Thu Oct 20 09:06:10 2016 -0400

    10291: Respond 404 to requests for disabled APIs.

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 3c5bf94..776f7e1 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -25,6 +25,7 @@ class ApplicationController < ActionController::Base
 
   ERROR_ACTIONS = [:render_error, :render_not_found]
 
+  before_filter :disable_api_methods
   before_filter :set_cors_headers
   before_filter :respond_with_json_by_default
   before_filter :remote_ip
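Review bot: Registering `disable_api_methods` ahead of `set_cors_headers` and `respond_with_json_by_default` likely means the 404 for a disabled method is sent without the CORS headers. This assumes `send_error` renders and so halts the filter chain; it is defined outside this diff, so that is inferred. A browser-based client would then see an opaque cross-origin failure instead of the 404 and its "Disabled" message. Consider placing `before_filter :disable_api_methods` directly after `before_filter :respond_with_json_by_default`, so the rejection carries the same headers and format as other error responses.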
@@ -385,6 +386,13 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def disable_api_methods
+    if Rails.configuration.disable_api_methods.
+        include?(controller_name + "." + action_name)
+      send_error("Disabled", status: 404)
+    end
+  end
+
   def set_cors_headers
     response.headers['Access-Control-Allow-Origin'] = '*'
     response.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, PUT, POST, DELETE'
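Review bot: The check in `disable_api_methods` matches on Rails' `controller_name + "." + action_name`, while the config comment describes entries as the methods listed in the discovery document. If those names ever differ (for example a discovery `list` served by an `index` action, which is not visible in this diff), an entry would hide the method from discovery while requests to it are still served. Since the config comment now promises a 404 for all requests, the method should say which naming it expects, e.g. `# Entries are "<controller_name>.<action_name>" as Rails sees them.` The check also assumes the setting is an Array: nil raises NoMethodError and a bare String silently becomes a substring match, so `Array(Rails.configuration.disable_api_methods).include?(controller_name + "." + action_name)` would be more robust against a mis-typed config.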
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index b4b396a..5fe0302 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -265,9 +265,8 @@ common:
   unlogged_attributes: []
 
   # API methods to disable. Disabled methods are not listed in the
-  # discovery document. Note: currently, disabled methods are still
-  # accessible to clients that don't pay attention to the discovery
-  # document. Example: ["jobs.create"]
+  # discovery document, and respond 404 to all requests.
+  # Example: ["jobs.create", "pipeline_instances.create"]
   disable_api_methods: []
 
   ###
diff --git a/services/api/test/functional/arvados/v1/jobs_controller_test.rb b/services/api/test/functional/arvados/v1/jobs_controller_test.rb
index b84c93d..34871ef 100644
--- a/services/api/test/functional/arvados/v1/jobs_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/jobs_controller_test.rb
@@ -508,4 +508,16 @@ class Arvados::V1::JobsControllerTest < ActionController::TestCase
     assert_not_nil json_response["components"]
     assert_equal [], json_response["components"].keys
   end
+
+  test 'jobs.create disabled in config' do
+    Rails.configuration.disable_api_methods = ["jobs.create"]
+    authorize_with :active
+    post :create, job: {
+      script: "hash",
+      script_version: "master",
+      repository: "active/foo",
+      script_parameters: {}
+    }
+    assert_response 404
+  end
 end
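Review bot: The new test assigns `Rails.configuration.disable_api_methods = ["jobs.create"]` and never restores it. Unless a teardown outside this hunk resets configuration, `jobs.create` stays disabled for every later test in the same process. Saving the previous value and restoring it in an `ensure` or a `teardown` block would keep the test isolated. A companion case asserting that the same request still succeeds with the default `[]` would confirm that the filter blocks only what is configured.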
