[ARVADOS] created: f84926fc3f934ea1958c810637851ec91994fc16
Git user
git at public.curoverse.com
Thu Oct 20 09:06:31 EDT 2016
at f84926fc3f934ea1958c810637851ec91994fc16 (commit)
commit f84926fc3f934ea1958c810637851ec91994fc16
Author: Tom Clegg <tom at curoverse.com>
Date: Thu Oct 20 09:06:10 2016 -0400
10291: Respond 404 to requests for disabled APIs.
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 3c5bf94..776f7e1 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -25,6 +25,7 @@ class ApplicationController < ActionController::Base
ERROR_ACTIONS = [:render_error, :render_not_found]
+ before_filter :disable_api_methods
before_filter :set_cors_headers
before_filter :respond_with_json_by_default
before_filter :remote_ip
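Review bot: Registering `disable_api_methods` ahead of `set_cors_headers` means the 404 for a disabled method is probably sent without the CORS headers, assuming `send_error` renders and therefore halts the filter chain (its definition is outside this hunk). A browser-based client would then see an opaque cross-origin failure rather than the "Disabled" 404. Consider placing `before_filter :disable_api_methods` directly below `before_filter :set_cors_headers`, which still keeps it ahead of the filters that follow. The rest of the filter list is outside the hunk, so the final position should be checked against it.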
@@ -385,6 +386,13 @@ class ApplicationController < ActionController::Base
end
end
+ def disable_api_methods
+ if Rails.configuration.disable_api_methods.
+ include?(controller_name + "." + action_name)
+ send_error("Disabled", status: 404)
+ end
+ end
+
def set_cors_headers
response.headers['Access-Control-Allow-Origin'] = '*'
response.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, PUT, POST, DELETE'
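Review bot: `disable_api_methods` fails open on any entry that does not exactly equal `controller_name + "." + action_name`, and nothing in the method says so. A typo in the config, or an entry written with a public method name that differs from the Rails action name (if the discovery document uses such names), leaves the endpoint reachable with no warning. I would add a comment above the method such as `# Respond 404 when "<controller_name>.<action_name>" is listed in Rails.configuration.disable_api_methods (exact string match).` It would also help to log or reject unknown entries once at startup. The surrounding class body continues outside this hunk.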
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index b4b396a..5fe0302 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -265,9 +265,8 @@ common:
unlogged_attributes: []
# API methods to disable. Disabled methods are not listed in the
- # discovery document. Note: currently, disabled methods are still
- # accessible to clients that don't pay attention to the discovery
- # document. Example: ["jobs.create"]
+ # discovery document, and respond 404 to all requests.
+ # Example: ["jobs.create", "pipeline_instances.create"]
disable_api_methods: []
###
diff --git a/services/api/test/functional/arvados/v1/jobs_controller_test.rb b/services/api/test/functional/arvados/v1/jobs_controller_test.rb
index b84c93d..34871ef 100644
--- a/services/api/test/functional/arvados/v1/jobs_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/jobs_controller_test.rb
@@ -508,4 +508,16 @@ class Arvados::V1::JobsControllerTest < ActionController::TestCase
assert_not_nil json_response["components"]
assert_equal [], json_response["components"].keys
end
+
+ test 'jobs.create disabled in config' do
+ Rails.configuration.disable_api_methods = ["jobs.create"]
+ authorize_with :active
+ post :create, job: {
+ script: "hash",
+ script_version: "master",
+ repository: "active/foo",
+ script_parameters: {}
+ }
+ assert_response 404
+ end
end
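Review bot: The new test assigns `Rails.configuration.disable_api_methods = ["jobs.create"]` and never restores it, so unless the test helper resets configuration between tests (not visible here), later tests in the same process could see `jobs.create` disabled. It also covers only the blocked path for an authorized user. A companion assertion that a method not in the list still succeeds, for example `get :index` followed by `assert_response :success`, would catch a filter that blocks too much. A request without `authorize_with` would pin down whether disabled methods answer 404 before authentication.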
-----------------------------------------------------------------------
hooks/post-receive
--