commit 97de2f908fddbdf690f5811cea7d7dc48fa4bc24
Author: Tom Clegg <tom at curoverse.com>
Date: Thu Oct 20 11:26:23 2016 -0400
10273: Check scope=[all] when looking for an existing superuser token.
diff --git a/services/api/lib/create_superuser_token.rb b/services/api/lib/create_superuser_token.rb
index 54faa9a..72b1ae7 100755
--- a/services/api/lib/create_superuser_token.rb
+++ b/services/api/lib/create_superuser_token.rb
@@ -14,8 +14,12 @@ module CreateSuperUserToken
api_client_auth = ApiClientAuthorization.
where(api_token: supplied_token).
first
- if api_client_auth && !api_client_auth.user.uuid.match(/-000000000000000$/)
- raise "Token already exists but is not a superuser token."
+ if !api_client_auth
+ # fall through to create a token
+ elsif !api_client_auth.user.uuid.match(/-000000000000000$/)
+ raise "Token exists but is not a superuser token."
+ elsif api_client_auth.scopes != ['all']
+ raise "Token exists but has limited scope #{api_client_auth.scopes.inspect}."
end
end
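Review bot: The superuser test on the `elsif !api_client_auth.user.uuid.match(/-000000000000000$/)` line anchors with `$`, which in Ruby matches before any newline rather than only at the end of the string, and it dereferences `api_client_auth.user` with no nil guard, so a token whose user row is missing raises NoMethodError instead of the intended error; `/-000000000000000\z/` pins the pattern to the end of the uuid, and `elsif api_client_auth.user.nil? || !api_client_auth.user.uuid.match(/-000000000000000\z/)` routes the missing-user case to the existing "not a superuser token" error. The new `api_client_auth.scopes != ['all']` comparison is exact, which fails closed for any other stored value, so that part is fine as written. The enclosing method starts above the hunk.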
@@ -26,10 +30,11 @@ module CreateSuperUserToken
# Check if there is an unexpired superuser token corresponding to this api client
api_client_auth = ApiClientAuthorization.where(
- 'user_id = (?) AND
- api_client_id = (?) AND
+ 'user_id = ? AND
+ api_client_id = ? AND
+ scopes = ? AND
(expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)',
- system_user.id, apiClient.id).first
+ system_user.id, apiClient.id, ['all'].to_yaml).first
# none exist; create one with the supplied token
if !api_client_auth
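Review bot: The added `scopes = ?` predicate compares the serialized column against `['all'].to_yaml` as a literal string, so the lookup only matches rows whose stored text is byte-identical to what the current YAML emitter produces; rows written by another serializer version or with different whitespace will not match, and create_superuser_token would then mint a fresh superuser token on every call instead of reusing the existing one (the column's serialization is not visible here, so this is inferred from the `to_yaml` argument). Filtering on the deserialized attribute avoids depending on the on-disk encoding: drop the `scopes = ? AND` line and the `['all'].to_yaml` argument, and replace `.first` with `.find { |auth| auth.scopes == ['all'] }`. The comment above the query should also state the new requirement, e.g. `# Check if there is an unexpired, full-scope ("all") superuser token corresponding to this api client`. The enclosing method begins above the hunk and continues below it.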
diff --git a/services/api/test/unit/create_superuser_token_test.rb b/services/api/test/unit/create_superuser_token_test.rb
index d5ca3f9..ba81360 100644
--- a/services/api/test/unit/create_superuser_token_test.rb
+++ b/services/api/test/unit/create_superuser_token_test.rb
@@ -73,6 +73,25 @@ class CreateSuperUserTokenTest < ActiveSupport::TestCase
create_superuser_token active_user_token
end
assert_not_nil e
- assert_equal "Token already exists but is not a superuser token.", e.message
+ assert_equal "Token exists but is not a superuser token.", e.message
+ end
+
+ test "specified token has limited scope" do
+ active_user_token = api_client_authorizations("data_manager").api_token
+ e = assert_raises RuntimeError do
+ create_superuser_token active_user_token
+ end
+ assert_not_nil e
+ assert_match /^Token exists but has limited scope/, e.message
+ end
+
+ test "existing token has limited scope" do
+ active_user_token = api_client_authorizations("admin_vm").api_token
+ ApiClientAuthorization.
+ where(user_id: system_user.id).
+ update_all(scopes: ["GET /"])
+ fixture_tokens = ApiClientAuthorization.all.collect(&:api_token)
+ new_token = create_superuser_token
+ refute_includes(fixture_tokens, new_token)
end
end
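Review bot: In the "existing token has limited scope" test, `active_user_token` is assigned from the `admin_vm` fixture and never used, so that line can go, and the test never checks that the returned token actually has full scope; `assert_equal ['all'], ApiClientAuthorization.where(api_token: new_token).first.scopes` would pin the property the commit is about. In the "specified token has limited scope" test, `assert_match /^Token exists but has limited scope/, e.message` passes a regex literal as a bare first argument, which Ruby reports as ambiguous under warnings, and `^` matches at any line start; `assert_match(/\AToken exists but has limited scope/, e.message)` avoids both. Since `update_all(scopes: ["GET /"])` writes the column without going through the model's attribute handling, whether the value reads back as the limited-scope array depends on the Rails version in use and is worth confirming, otherwise the test may pass for the wrong reason.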