[ARVADOS] updated: 1.1.1-155-gf3dc896
Git user
git at public.curoverse.com
Wed Dec 6 11:41:17 EST 2017
Summary of changes:
.../api/app/models/api_client_authorization.rb | 9 +++-
services/api/test/integration/remote_user_test.rb | 63 +++++++++++++++++++++-
2 files changed, 69 insertions(+), 3 deletions(-)
via f3dc89653597f7f6de480850231ea1f6b991c8aa (commit)
via d3340a0c34dc9827c6cc595af4b741de5db5d51b (commit)
via 28bacfc853989e874f59cfa5465f085973046f9a (commit)
from 5b7d9ac131477e2769ca8a22dbb6172730698528 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit f3dc89653597f7f6de480850231ea1f6b991c8aa
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Wed Dec 6 11:39:57 2017 -0500
11453: Tests for invalid / future-proof / reanimated tokens.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 87505da..55bd317 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -99,6 +99,10 @@ class ApiClientAuthorization < ArvadosModel
case token[0..2]
when 'v2/'
_, uuid, secret = token.split('/')
+ unless uuid.andand.length == 27 && secret.andand.length.andand > 0
+ return nil
+ end
+
auth = ApiClientAuthorization.
includes(:user, :api_client).
where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', uuid).
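Review bot: The guard added before the `auth =` lookup only checks lengths, so a 27-character uuid made of arbitrary bytes still reaches the query on the next line; that query is parameterized (the `'; delete from users` case in the new tests exercises the binding), so this is a robustness point rather than an injection one, but matching the expected shape would reject junk earlier and document it, e.g. `unless uuid =~ /\A[a-z0-9]{5}-gj3su-[a-z0-9]{15}\z/ && !secret.to_s.empty?` if the `zzzzz-gj3su-…` form seen in the fixtures is the only valid one. A one-line comment above the check would also help a reader: `# Reject tokens whose uuid or secret part is missing or malformed before touching the database.` The enclosing method starts before and continues after the hunk.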
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 9b20f88..8af0e62 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -86,7 +86,6 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
# revoke original token
@stub_status = 401
- @stub_content = {error: 'not authorized'}
# re-authorize before cache expires
get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
@@ -100,6 +99,11 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
# re-authorize after cache expires
get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response 401
+
+ # revive original token and re-authorize
+ @stub_status = 200
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
+ assert_response :success
end
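Review bot: The revive step only asserts `:success`, so it would also pass if re-authorization produced a different identity; the earlier part of this test pins the user with `assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']`, and repeating that line after the final `get` would confirm the reanimated token maps back to the same remote user. The test method starts outside the hunk.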
test 'authenticate with remote token from misbhehaving remote cluster' do
@@ -116,6 +120,36 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
assert_response 401
end
+ ['v2',
+ 'v2/',
+ 'v2//',
+ 'v2///',
+ "v2/'; delete from users where 1=1; commit; select '/lol",
+ 'v2/foo/bar',
+ 'v2/zzzzz-gj3su-077z32aux8dg2s1',
+ 'v2/zzzzz-gj3su-077z32aux8dg2s1/',
+ 'v2/3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi',
+ 'v2/3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi/zzzzz-gj3su-077z32aux8dg2s1',
+ 'v2//3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi',
+ 'v8/zzzzz-gj3su-077z32aux8dg2s1/3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi',
+ '/zzzzz-gj3su-077z32aux8dg2s1/3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi',
+ '"v2/zzzzz-gj3su-077z32aux8dg2s1/3kg6k6lzmp9kj5cpkcoxie963cmvjahbt2fod9zru30k1jqdmi"',
+ '/',
+ '//',
+ '///',
+ ].each do |token|
+ test "authenticate with malformed remote token #{token}" do
+ get '/arvados/v1/users/current', {format: 'json'}, {"HTTP_AUTHORIZATION" => "Bearer #{token}"}
+ assert_response 401
+ end
+ end
+
+ test "ignore extra fields in remote token" do
+ token = salted_active_token(remote: 'zbbbb') + '/foo/bar/baz/*'
+ get '/arvados/v1/users/current', {format: 'json'}, {"HTTP_AUTHORIZATION" => "Bearer #{token}"}
+ assert_response :success
+ end
+
test 'remote api server is not an api server' do
@stub_status = 200
@stub_content = '<html>bad</html>'
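Review bot: The bearer header hash is hand-built in the malformed-token loop and again in "ignore extra fields" although the file already has an `auth(remote:)` helper that builds the same hash; a tiny helper such as `def bearer_header(token); {"HTTP_AUTHORIZATION" => "Bearer #{token}"}; end`, reused by `auth`, would keep the header format in one place. The malformed cases assert only the 401; if the stub records calls, also asserting that the remote cluster was not contacted would show the rejection happens before any lookup rather than as a remote failure, though I cannot tell from the hunk whether such a counter exists.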
commit d3340a0c34dc9827c6cc595af4b741de5db5d51b
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Wed Dec 6 11:22:27 2017 -0500
11453: Test group membership with regular groups.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 6b49d31..9b20f88 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -151,5 +151,8 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
group_uuids = json_response['items'].collect { |i| i['uuid'] }
assert_includes(group_uuids, 'zzzzz-j7d0g-fffffffffffffff')
refute_includes(group_uuids, 'zzzzz-j7d0g-000000000000000')
+ assert_includes(group_uuids, groups(:aproject).uuid)
+ refute_includes(group_uuids, groups(:trashed_project).uuid)
+ refute_includes(group_uuids, groups(:testusergroup_admins).uuid)
end
end
commit 28bacfc853989e874f59cfa5465f085973046f9a
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Wed Dec 6 11:22:13 2017 -0500
11453: Fix & test remote token caching.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 542ab8e..87505da 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -17,6 +17,9 @@ class ApiClientAuthorization < ArvadosModel
t.add :owner_uuid
t.add :user_id
t.add :api_client_id
+ # NB the "api_token" db column is a misnomer in that it's only the
+ # "secret" part of a token: a v1 token is just the secret, but a
+ # v2 token is "v2/uuid/secret".
t.add :api_token
t.add :created_by_ip_address
t.add :default_owner_uuid
@@ -163,7 +166,7 @@ class ApiClientAuthorization < ArvadosModel
auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
auth.user = user
- auth.api_token = token
+ auth.api_token = secret
auth.api_client_id = 0
end
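Review bot: `auth.api_token = secret` inside the `find_or_create_by` block only takes effect when the row is created, so a cache row written by the previous code (which stored the full `v2/uuid/secret` string, per the comment added in the model's first hunk) keeps its wrong value until it expires; unless the lines after the hunk reassign `api_token` on an existing row, the cache for already-seen remote tokens never heals. Consider assigning `auth.api_token = secret` unconditionally after the block before the existing save, or shipping a data migration for rows written before this fix. The surrounding method starts and ends outside the hunk.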
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 6e5b9e4..6b49d31 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -8,9 +8,14 @@ require 'test_helper'
require 'helpers/users_test_helper'
class RemoteUsersTest < ActionDispatch::IntegrationTest
+ include DbCurrentTime
+
+ def salted_active_token(remote:)
+ salt_token(fixture: :active, remote: remote).sub('/zzzzz-', '/'+remote+'-')
+ end
+
def auth(remote:)
- token = salt_token(fixture: :active, remote: remote)
- token.sub!('/zzzzz-', '/'+remote+'-')
+ token = salted_active_token(remote: remote)
{"HTTP_AUTHORIZATION" => "Bearer #{token}"}
end
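Review bot: `'/'+remote+'-'` in `salted_active_token` is plain string concatenation where the rest of the file interpolates; `"/#{remote}-"` reads better and matches `"Bearer #{token}"` below it. A short comment on the helper would also save the reader a trip to `salt_token`, e.g. `# Active-user fixture token re-salted for cluster `remote`, with its uuid prefix rewritten to that cluster.`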
@@ -78,6 +83,23 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
assert_response :success
assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
assert_equal false, json_response['is_admin']
+
+ # revoke original token
+ @stub_status = 401
+ @stub_content = {error: 'not authorized'}
+
+ # re-authorize before cache expires
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
+ assert_response :success
+
+ # simulate cache expiry
+ ApiClientAuthorization.where(
+ uuid: salted_active_token(remote: 'zbbbb').split('/')[1]).
+ update_all(expires_at: db_current_time - 1.minute)
+
+ # re-authorize after cache expires
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
+ assert_response 401
end
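Review bot: The "simulate cache expiry" step ignores the return value of `update_all`, so if no cache row exists for the extracted uuid (for example because the `split('/')[1]` extraction and the model's parsing drift apart) the update silently touches zero rows and the final 401 can pass for the wrong reason. Capturing and asserting the count pins the intent: `n = ApiClientAuthorization.where(uuid: ...).update_all(expires_at: db_current_time - 1.minute)` followed by `assert_equal 1, n`. The test method starts outside the hunk.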
test 'authenticate with remote token from misbhehaving remote cluster' do