[ARVADOS] updated: 1.1.0-127-ge9a9add

Git user git at public.curoverse.com
Fri Nov 24 21:58:29 EST 2017


Summary of changes:
 apps/workbench/Gemfile.lock                        |  30 +-
 .../workbench/app/assets/javascripts/to_tsquery.js |   8 +-
 .../app/assets/stylesheets/application.css.scss    |   4 +
 .../app/controllers/application_controller.rb      |  21 +-
 .../app/controllers/projects_controller.rb         |  25 +-
 .../app/controllers/trash_items_controller.rb      |  91 ++-
 apps/workbench/app/models/arvados_api_client.rb    |  15 +-
 apps/workbench/app/models/group.rb                 |   4 +
 apps/workbench/app/views/application/404.html.erb  |  57 +-
 .../views/trash_items/_show_trash_rows.html.erb    |  55 +-
 .../_show_trashed_collection_rows.html.erb         |   1 +
 ...html.erb => _show_trashed_collections.html.erb} |  22 +-
 .../_show_trashed_project_rows.html.erb            |   1 +
 ...sh.html.erb => _show_trashed_projects.html.erb} |  24 +-
 .../app/views/trash_items/_untrash_item.html.erb   |   8 +-
 apps/workbench/config/initializers/lograge.rb      |  15 +-
 .../controllers/application_controller_test.rb     |  23 +-
 .../test/controllers/projects_controller_test.rb   |   1 -
 apps/workbench/test/integration/trash_test.rb      |  77 ++-
 build/libcloud-pin.sh                              |   2 +-
 build/run-tests.sh                                 |  15 +-
 .../_container_runtime_constraints.liquid          |   2 +-
 .../_container_scheduling_parameters.liquid        |   2 +-
 doc/_includes/_mount_types.liquid                  |   6 +-
 .../methods/container_requests.html.textile.liquid |   2 +-
 sdk/cli/bin/crunch-job                             |  14 +-
 sdk/cli/test/test_arv-keep-get.rb                  |   2 +-
 sdk/go/arvados/collection_fs.go                    |  83 ++-
 sdk/go/arvados/group.go                            |  20 +
 sdk/go/arvados/link.go                             |  25 +
 sdk/go/arvados/user.go                             |   9 +
 sdk/go/dispatch/dispatch.go                        |  99 ++-
 sdk/go/health/aggregator.go                        |   9 +-
 sdk/go/health/aggregator_test.go                   |  46 +-
 sdk/python/arvados/collection.py                   |  84 +--
 sdk/python/arvados/commands/get.py                 |  34 +-
 sdk/python/tests/test_collections.py               |  64 +-
 services/api/Gemfile                               |   1 +
 services/api/Gemfile.lock                          |  36 +-
 .../api/app/controllers/application_controller.rb  |  34 +-
 services/api/app/middlewares/arvados_api_token.rb  |  20 +-
 .../api/app/models/api_client_authorization.rb     | 104 ++--
 services/api/config/application.default.yml        |  13 +-
 services/api/config/application.rb                 |   3 +
 .../api/config/environments/production.rb.example  |   1 +
 services/api/config/initializers/lograge.rb        |  10 +-
 .../20171027183824_add_index_to_containers.rb      |  11 +
 services/api/db/structure.sql                      |  16 +
 services/api/lib/safer_file_store.rb               |  16 +
 services/api/lib/trashable.rb                      |   2 +-
 services/api/test/fixtures/groups.yml              |   3 +
 .../test/functional/application_controller_test.rb |  22 +
 .../functional/arvados/v1/users_controller_test.rb |  15 -
 .../remote_user_test.rb}                           |  41 +-
 services/api/test/integration/users_test.rb        |   1 -
 services/arv-git-httpd/auth_handler.go             |  25 +-
 services/arv-git-httpd/auth_handler_test.go        |  54 ++
 services/arv-git-httpd/server_test.go              |   2 +-
 services/crunch-run/crunchrun.go                   | 230 +++++--
 services/crunch-run/crunchrun_test.go              | 101 +++
 services/crunch-run/upload.go                      |  71 +--
 services/crunch-run/upload_test.go                 |  39 +-
 services/fuse/arvados_fuse/fusedir.py              |  13 +-
 services/fuse/arvados_fuse/unmount.py              |   2 +-
 services/fuse/tests/test_mount.py                  |  57 +-
 services/keep-web/cache.go                         |   8 +-
 services/keep-web/cadaver_test.go                  |  60 ++
 services/keep-web/handler.go                       |  74 ++-
 services/keep-web/handler_test.go                  |  58 +-
 services/keep-web/main.go                          |   1 +
 services/keep-web/usage.go                         |   6 +-
 services/keep-web/webdav.go                        | 182 ++++++
 .../arvnodeman/computenode/dispatch/__init__.py    |  10 +-
 services/nodemanager/setup.py                      |   4 +-
 .../nodemanager/tests/test_computenode_dispatch.py |   2 +-
 tools/arv-sync-groups/.gitignore                   |   1 +
 tools/arv-sync-groups/arv-sync-groups.go           | 680 +++++++++++++++++++++
 tools/arv-sync-groups/arv-sync-groups_test.go      | 413 +++++++++++++
 tools/arvbox/lib/arvbox/docker/Dockerfile.base     |   2 +-
 .../crunchstat_summary/command.py                  |   2 +-
 .../crunchstat_summary/dygraphs.js                 |  35 +-
 .../crunchstat_summary/summarizer.py               |  17 +-
 vendor/vendor.json                                 |  12 +
 83 files changed, 2863 insertions(+), 647 deletions(-)
 create mode 120000 apps/workbench/app/views/trash_items/_show_trashed_collection_rows.html.erb
 copy apps/workbench/app/views/trash_items/{_show_recent_trash.html.erb => _show_trashed_collections.html.erb} (76%)
 create mode 120000 apps/workbench/app/views/trash_items/_show_trashed_project_rows.html.erb
 rename apps/workbench/app/views/trash_items/{_show_recent_trash.html.erb => _show_trashed_projects.html.erb} (75%)
 create mode 100644 sdk/go/arvados/group.go
 create mode 100644 sdk/go/arvados/link.go
 create mode 100644 services/api/db/migrate/20171027183824_add_index_to_containers.rb
 create mode 100644 services/api/lib/safer_file_store.rb
 rename services/api/test/{functional/remote_user_account_test.rb => integration/remote_user_test.rb} (69%)
 create mode 100644 services/arv-git-httpd/auth_handler_test.go
 create mode 100644 services/keep-web/cadaver_test.go
 create mode 100644 services/keep-web/webdav.go
 create mode 100644 tools/arv-sync-groups/.gitignore
 create mode 100644 tools/arv-sync-groups/arv-sync-groups.go
 create mode 100644 tools/arv-sync-groups/arv-sync-groups_test.go

       via  e9a9add82323c93e6da8b1ed8ed019e0f5a9323b (commit)
       via  d62abcbe1fe0fcf0ce65cb7ea812db307b734a45 (commit)
       via  335f28908c61409ee12cbce0d4225d5a35d5c9b5 (commit)
       via  2e60c3bde91754e93af639afeff8ec32f201d40e (commit)
       via  ecf6627111838530f64ffcd689e11d987cc7bf2f (commit)
       via  1e3f8ceebd90058e902494fae84b1fd57ac6693b (commit)
       via  d493d06b4b93b87c10c59954e47a18d85db13150 (commit)
       via  a524fabd054d2b923eceb575de95674caca58e85 (commit)
       via  105c22f44dad79968b59f577a40737ffc8da00ec (commit)
       via  4a8561a37ef5878aefc8c5d8c47898a3879a0fda (commit)
       via  d6c06f757baee640f3cfd620bdb5a01d4ee8d4d2 (commit)
       via  7c02cd4b2a226c0e341028379c30fdbad5815d99 (commit)
       via  98e9073e7ca36edbe8dd0569d67405e2e030f8db (commit)
       via  e67d0f5d43c56f78694ea4a5f93acec5c93cd0fb (commit)
       via  ab82f5b47625e76b47893c992b31e9b2d2208d3f (commit)
       via  4bc810b40c34c43efc6be4b1696aa14cfe865b79 (commit)
       via  c4ac98db757e738431dbcde54ac738fb554e16e8 (commit)
       via  805dbba0797fc40d0df9f664902f34be369f7525 (commit)
       via  ab911da8a1d78dc1cabd583c49bce446accb5717 (commit)
       via  805b4e7f801853e69514b11942bc2e5f79bc9dbd (commit)
       via  289d2cf581b59632369087388f6163f3979c5e86 (commit)
       via  0767da07b441afe6ec470ee9862c2fd2ee17c38a (commit)
       via  e663d52fd17d989ad4be1a34413c21537cbe957e (commit)
       via  bb1d0c7499ad7c8d48c28a611c2d6a99c170265b (commit)
       via  cc6f86f15e0d187cc1c84b874be3d2da7b20d19f (commit)
       via  eae1286badb67ee63888633ff59bda9cb736131e (commit)
       via  295156a99251bf26d705272c329a64d58089bb9e (commit)
       via  5913a5c085253fb4624411d65229e5b1467ea63a (commit)
       via  797d52120825122da27d003772d75c6b8903fa90 (commit)
       via  ca92724ab6094bf16729581225122fc9992aa7a7 (commit)
       via  cd0e7f06116925d66cc370a03cef1b8c19d0002d (commit)
       via  0eb79244613af42e17effc4437637da282bdaace (commit)
       via  3371bf4ce0a99e6e944c7fcc54866cfec2718fc6 (commit)
       via  cf3f89d7645fcc6aafa376fea4fd5518d9a15cf0 (commit)
       via  780e9fb871fd5ef04f9f01d077b739552ec0621d (commit)
       via  aa9fbcd3fbcc653fef23ca9f583d16e535c6ffb9 (commit)
       via  68c4f5c494e6d25ca50275f6feabd5731f96ac0e (commit)
       via  511ff9e86f2655e816f07f53401b911927d5f3e4 (commit)
       via  f93e925c4a4322ee4ef2244a0eb99552a01fce9a (commit)
       via  174d343cf86e02e083293746f86366e1d0a95786 (commit)
       via  e9eb0975e100e76d1da2a6997656ff2524a2ba31 (commit)
       via  c2a4869875daca18e19954c1beb4fab1ac20d821 (commit)
       via  9dbeb1f31dafd927495ede39c7653b095495da26 (commit)
       via  60887cc6f720dcb67272acf1c2ed3ed66db0412e (commit)
       via  d9666e975ff53ad8bd09ec54fa3200aa8490d668 (commit)
       via  fb7a5ed138af5189206a5939610c1d96f599dfb9 (commit)
       via  5f46fe83d8a15048c4a5b90553c379803e99b135 (commit)
       via  8fc7e0dd5d214e3881b8a56669f82d76aa70bfdb (commit)
       via  0e12d049716003b08c4fc881343ebf14c3522b99 (commit)
       via  fc63eab411143863c2f7fcf47b54516415b30ff5 (commit)
       via  326c51070de62ecbb498f3f182ae3653bfc9ee8d (commit)
       via  9b83c3ee103d121e9406fa93e6e95ad303dee577 (commit)
       via  eb772d62ecc9d1ad61df7bbf08a572fda689c5be (commit)
       via  43d9a42f838e134b5f7f639375f1f0752292f694 (commit)
       via  7327a28eb1d90b161708e9e4e855cf80f41f20ae (commit)
       via  f8067ef415fd66a92f9a0e957e8384445af92a6a (commit)
       via  36d2b2d633801cdeff4bb92d906e48e80042139c (commit)
       via  2da11acebf60b8f7237bb62533a2f5671b90915c (commit)
       via  a442ad28ac9bcbe782d0e1488a4b38ab0ae7076e (commit)
       via  03e0ebb3be64fd3a3f2e1dbfe312f458d755ba44 (commit)
       via  1ff58b4325d1d0dcfc091742c64f1f87118b55ce (commit)
       via  dcbe7480d9de61ed35fca508b06fa17075fce32c (commit)
       via  f38cea6fa1ac48dd50789d9e2ec653b6d961c461 (commit)
       via  26b510d785df7f548f41a11445c07df34b60328c (commit)
       via  3de17b282e8fc732862bd028c6d63ecfe70075af (commit)
       via  e2c27eaae38a904a4b05d800affdc7860ee24e79 (commit)
       via  5c6ea9353797d13cbdb7603935a88fddecfa40c7 (commit)
       via  78f3a483c39025cbec25d0bfee29780e0d28052c (commit)
       via  a0dcf5e4b837826ff75b9785bd3f3e695ac7bdca (commit)
       via  96b24c1aabe0b9b475e8c743e548258775507481 (commit)
       via  880351aef15100c0bae893174f47628b0100ba06 (commit)
       via  b9276721177e8aa6710ed7203f1142f9062af81c (commit)
       via  904fb42f9e39872526ad14c89d3298afa7bd08d6 (commit)
       via  4d2dfa766a8a78b4f3f303d1d8d8dfe7488a85af (commit)
       via  24696c5a7411f66b2b1b1a677c60907629f209e9 (commit)
       via  e76a00ca471102d1e536737073314e0f36cf086a (commit)
       via  6e68c94524cfb19fc0b51591eab7e4a55e485164 (commit)
       via  1b5e5a3ef2c174358693f83849f05ed8276be657 (commit)
       via  ec253d9fd7debdc035fd5fa0cf721c9f9d87115f (commit)
       via  6e8c3cc1fe4328b708d5979e27632835f74261fb (commit)
       via  ad0566781a4345f6b9574adaf65cf70da2e4858e (commit)
       via  4402de7771598187e611dc6b5ce19f62b9492bb8 (commit)
       via  92df2dab0bbb70c0b5ef99bac78d1a322b20648e (commit)
       via  97ea117aeff5bda8b994825a2ddeabf8196053a6 (commit)
       via  e02c4e1b1ed61d57d86f98b9372813d913d5b375 (commit)
       via  6afdf38337e3278234d03480b64e50beaddcd105 (commit)
       via  93e437b0dfd453f00df59c6a84bcc5d3ef09a9be (commit)
       via  e4e97733a237b45ea7202946c7fd20935bc47a2a (commit)
       via  3527167a0b54c054808ec292d287347af880a5d2 (commit)
       via  dece59a25d1063c22e01533af203e869f716de60 (commit)
       via  c8decf3f2f88611166603ca48677470b478c06a6 (commit)
       via  b3667766f108542aa3d0e479e4a1179a47f2a653 (commit)
       via  656176226eeb75d24c17de792cc090e4862c46f5 (commit)
       via  98aa37e898eca8021206b838b45cbe66bfa9e4e3 (commit)
       via  d80d6de97c0e54249bdbd1f7c92014ef6855448c (commit)
       via  e951503aca74be84ea501d4316e38a662210b247 (commit)
       via  c62d9a299247f31ef1baff27b9726010c963e3f1 (commit)
       via  ae0781e5decb54f1c18f1dc12961b18d03043337 (commit)
       via  9d223ac56644eb23cdc39c5044f4fb12cf29b685 (commit)
       via  14fccf0ed91ebb0a0dbf1bff47edfb156538f42f (commit)
       via  9adcefaec1be61e847d0e463f609e035995bb51f (commit)
       via  b74478a602b3cc5fcc18c2beb2962f98d1225ac4 (commit)
       via  9a4c456560f0b78660c2bfc9a7aa4030de74c741 (commit)
       via  b25f2bdceae4750c8c803853874227dc2d175767 (commit)
       via  43b48acab676c1097d393c755e5320b370afa937 (commit)
       via  83c3efb73a8e0f1bd1ccef750f49128be5cdd93c (commit)
       via  6fd6ddcebda57df4ecb2303dc229420c2c13af7b (commit)
       via  a976b02dc7ecba18277aceeaf086ab76fe4bf3f0 (commit)
       via  4557160adb2a68c3462fb339f49900d14a271112 (commit)
       via  b51d376ed64efc68f7ee27fd061323da43faabd5 (commit)
       via  1b411c1882a37ae8f88c0b770994dd257cf3dee4 (commit)
       via  ea10340803abade2d35212866fcbc1beb1acd533 (commit)
       via  d6866ae54d8fe7eb0fb6c9df8a80d9b6a90e8759 (commit)
       via  00a299d80ee03e3ae227eb8e237a43f29a6cc667 (commit)
       via  ea929fb925acea37ca13542569cc183e7170e395 (commit)
       via  ed6af9cb44515fe1759eeebabfcac4a068fd697c (commit)
       via  2177ebfe318b33eafcc95607a48039a887047730 (commit)
       via  2e087bc0a6231762cf9b7b6d829000041cf28e16 (commit)
       via  4b4458cfb9dbc2f80ab819efcb1533fcff8f6503 (commit)
       via  ec0c244be178aed7af0cf990a256dda557034b68 (commit)
       via  43e8eaee1c6065d768fdb2291f135eb3256da935 (commit)
       via  a7528146c436aae05e48711305e8dfcb3d55fdfa (commit)
       via  696434828d9beeb33852de15b3866be040c5b0fa (commit)
       via  337de2e3dfeacc5054cb644513be61f5d35585ae (commit)
       via  1a6a840d3bad6c28d8fa4c04a7610fbb8bf8423f (commit)
       via  991d7d7967cef46bf5aebf95f946e3072aa1e933 (commit)
       via  3d5ee53dbf5ae2806cd6540afecc6328267da62f (commit)
       via  a23fa06e9849f2ab76fa271624e22a245c2abc47 (commit)
       via  165993fac96251ec0ec2e881fab40a5db113a282 (commit)
       via  ec4c5a76c2050f7bf91c00ae0f6da9ec0aab9f63 (commit)
       via  654ee9154fe85832a0862c27fd7b982831a75a0d (commit)
       via  1cde975fed7a57b1397bded4d73502bf4b98f517 (commit)
       via  46141b6c9098f30dcd6644845887789c1c9006da (commit)
       via  fd14dc21b4dc52b3168f32a644a4167cc55ab919 (commit)
       via  596a5436204bc644b825987707ea295a71c58188 (commit)
      from  530b25ab14999d0407e39e1bf0a0e5595da2a028 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit e9a9add82323c93e6da8b1ed8ed019e0f5a9323b
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Fri Nov 24 12:19:27 2017 -0500

    11453: Improve config docs. Disable remote auth by default.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index 47b4bf1..89f9892 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -386,14 +386,23 @@ common:
   ### Federation support.
   ###
 
-  # Map known prefixes to hosts. Example:
+  # You can enable use of this cluster by users who are authenticated
+  # by a remote Arvados site. Control which remote hosts are trusted
+  # to authenticate which user IDs by configuring remote_hosts,
+  # remote_hosts_via_dns, or both. The default configuration disables
+  # remote authentication.
+
+  # Map known prefixes to hosts. For example, if user IDs beginning
+  # with "zzzzz-" should be authenticated by the Arvados server at
+  # "zzzzz.example.com", use:
+  #
   # remote_hosts:
   #   zzzzz: zzzzz.example.com
   remote_hosts: {}
 
   # Use {prefix}.arvadosapi.com for any prefix not given in
   # remote_hosts above.
-  remote_hosts_via_dns: true
+  remote_hosts_via_dns: false
 
   ###
   ### Remaining assorted configuration options.
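Review bot: The comment above `remote_hosts_via_dns` describes the lookup but not the trust decision it makes: with the option enabled, any five-character prefix found in a presented token is mapped to `{prefix}.arvadosapi.com` and that host is asked to vouch for the user, so every cluster under that domain becomes an accepted authenticator. Suggest extending the comment with `# Enabling this trusts every host under arvadosapi.com to authenticate users whose IDs carry its prefix; if you federate with only a few clusters, list them in remote_hosts instead.` The mapping itself is the `remote_host` method of ApiClientAuthorization elsewhere in this push.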

commit d62abcbe1fe0fcf0ce65cb7ea812db307b734a45
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Fri Nov 24 12:18:11 2017 -0500

    11453: Check HTTP method of token validation request.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index 3d680cb..105b00f 100644
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -26,7 +26,7 @@ class ArvadosApiToken
       env["HTTP_AUTHORIZATION"].andand.
         match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
 
-    if params[:remote] && (
+    if params[:remote] && request.get? && (
          request.path.start_with?('/arvados/v1/groups') ||
          request.path.start_with?('/arvados/v1/users/current'))
       # Request from a remote API server, asking to validate a salted
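Review bot: The new `request.get?` condition carries no comment saying why the HTTP method matters, and the existing comment on the last line of the hunk only describes the remote case, so a later reader may drop the check as redundant. Suggest placing `# Remote token validation is a read-only lookup, so only GET is honoured here.` above the `if`. The enclosing `call` method starts and ends outside the hunk.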

commit 335f28908c61409ee12cbce0d4225d5a35d5c9b5
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Fri Nov 24 10:21:28 2017 -0500

    11453: Only update safe fields from remote user record.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index fa4d1be..7efd8ea 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -142,8 +142,24 @@ class ApiClientAuthorization < ArvadosModel
       act_as_system_user do
         # Add/update user and token in our database so we can
         # validate subsequent requests faster.
+
         user = User.find_or_create_by(uuid: remote_user[:uuid])
-        user.update_attributes!(remote_user.merge(is_admin: false))
+
+        updates = {}
+        [:first_name, :last_name, :email, :prefs].each do |attr|
+          updates[attr] = remote_user[attr]
+        end
+
+        if Rails.configuration.new_users_are_active
+          # Update is_active to whatever it is at the remote end
+          updates[:is_active] = remote_user[:is_active]
+        elsif !updates[:is_active]
+          # Remote user is inactive; our mirror should be, too.
+          updates[:is_active] = false
+        end
+
+        user.update_attributes!(updates)
+
         auth = ApiClientAuthorization.
                includes(:user).
                find_or_create_by(uuid: uuid,
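Review bot: `elsif !updates[:is_active]` tests a key that has not been assigned at that point — the loop above only fills first_name, last_name, email and prefs — so the condition is always true and, whenever new_users_are_active is false, the mirrored user is forced inactive regardless of the remote record. The adjacent comment says the intent is to mirror a remote deactivation, so the line should read `elsif !remote_user[:is_active]`. Separately, the removed `merge(is_admin: false)` has no replacement; if is_admin must never be left set on a mirrored user, add `updates[:is_admin] = false` to the hash. The enclosing act_as_system_user block and method continue outside the hunk.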

commit 2e60c3bde91754e93af639afeff8ec32f201d40e
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Fri Nov 24 09:18:51 2017 -0500

    11453: Remove unused arvados client.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 43442c9..fa4d1be 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -124,9 +124,6 @@ class ApiClientAuthorization < ArvadosModel
       # Token was issued by a different cluster. If it's expired or
       # missing in our database, ask the originating cluster to
       # [re]validate it.
-      arv = Arvados.new(api_host: host,
-                        api_token: token,
-                        suppress_ssl_warnings: Rails.env == 'test')
       begin
         clnt = HTTPClient.new
         remote_user = SafeJSON.load(

commit ecf6627111838530f64ffcd689e11d987cc7bf2f
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Tue Nov 7 13:09:50 2017 -0500

    11453: Move remote token validation to middleware. Bypass Ruby SDK.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/build/run-tests.sh b/build/run-tests.sh
index e1e83ed..e25bd37 100755
--- a/build/run-tests.sh
+++ b/build/run-tests.sh
@@ -780,6 +780,12 @@ install_apiserver() {
 
     mkdir -p "$WORKSPACE/services/api/tmp/pids"
 
+    cert="$WORKSPACE/services/api/tmp/self-signed"
+    if ! [[ -e "$cert.key" ]]; then
+        dir="$WORKSPACE/services/api/tmp"
+        openssl req -new -x509 -nodes -out "$cert.pem" -keyout "$cert.key" -days 3650 -subj /CN=0.0.0.0 -extfile <(printf 'subjectAltName=DNS:127.0.0.1,DNS:localhost,DNS:::1')
+    fi
+
     cd "$WORKSPACE/services/api" \
         && RAILS_ENV=test bundle exec rake db:drop \
         && RAILS_ENV=test bundle exec rake db:setup \
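Review bot: The SAN list in the openssl call puts IP addresses under the `DNS:` type; a verifier matching 127.0.0.1 or ::1 against the certificate needs `IP:` entries, so use `subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1`. `dir` on the preceding line is assigned and never used and can be dropped. `-extfile` is an option of `openssl x509`; `openssl req` reads extensions through `-config`/`-extensions` (or `-addext` on newer releases), so confirm the flag is accepted by the OpenSSL this script runs with rather than rejected, since nothing here stops on a failed openssl command. The private key lands in the shared tmp directory with the process umask; a `chmod 600 "$cert.key"` after generation keeps it readable only by the test user.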
diff --git a/services/api/Gemfile b/services/api/Gemfile
index c06a9c5..34e88a8 100644
--- a/services/api/Gemfile
+++ b/services/api/Gemfile
@@ -57,6 +57,7 @@ gem 'themes_for_rails', git: 'https://github.com/curoverse/themes_for_rails'
 
 gem 'arvados', '>= 0.1.20150615153458'
 gem 'arvados-cli', '>= 0.1.20161017193526'
+gem 'httpclient'
 
 gem 'puma', '~> 2.0'
 gem 'sshkey'
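Review bot: `gem 'httpclient'` is the only dependency in this hunk without a version constraint, whereas the neighbouring arvados, arvados-cli and puma lines all carry one; the lockfile resolves it to 2.8.3, so `gem 'httpclient', '~> 2.8'` records the intended range in the Gemfile as well and keeps a future `bundle update` from silently jumping a major version. Since this gem now performs the TLS request that validates remote tokens, its certificate-verification defaults become part of the authentication path and deserve a mention in the commit message.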
diff --git a/services/api/Gemfile.lock b/services/api/Gemfile.lock
index ebb594c..85e90e3 100644
--- a/services/api/Gemfile.lock
+++ b/services/api/Gemfile.lock
@@ -127,6 +127,7 @@ GEM
     hashie (3.5.5)
     highline (1.7.8)
     hike (1.2.3)
+    httpclient (2.8.3)
     i18n (0.9.0)
       concurrent-ruby (~> 1.0)
     jquery-rails (4.2.2)
@@ -296,6 +297,7 @@ DEPENDENCIES
   database_cleaner
   factory_girl_rails
   faye-websocket
+  httpclient
   jquery-rails
   lograge
   logstash-event
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index a627bf4..3c5ed60 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -345,20 +345,6 @@ class ApplicationController < ActionController::Base
         .all
     end
     @read_auths.select! { |auth| auth.scopes_allow_request? request }
-
-    # Use a salted token as a reader token for /groups/ and /users/current
-    if params[:remote] && (
-         request.path.start_with?('/arvados/v1/groups') ||
-         request.path.start_with?('/arvados/v1/users/current'))
-      auth = ApiClientAuthorization.
-             validate(token: Thread.current[:supplied_token],
-                      remote: params[:remote])
-      if auth && auth.user
-        Thread.current[:user] = auth.user
-        @read_auths << auth
-      end
-    end
-
     @read_users = @read_auths.map(&:user).uniq
   end
 
diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index fa8d987..3d680cb 100644
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -26,8 +26,20 @@ class ArvadosApiToken
       env["HTTP_AUTHORIZATION"].andand.
         match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
 
+    if params[:remote] && (
+         request.path.start_with?('/arvados/v1/groups') ||
+         request.path.start_with?('/arvados/v1/users/current'))
+      # Request from a remote API server, asking to validate a salted
+      # token.
+      remote = params[:remote]
+    else
+      # Normal request.
+      remote = false
+    end
     auth = ApiClientAuthorization.
-           validate(token: Thread.current[:supplied_token], remote: false)
+           validate(token: Thread.current[:supplied_token],
+                    remote: remote)
+
     Thread.current[:api_client_ip_address] = remote_ip
     Thread.current[:api_client_authorization] = auth
     Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
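Review bot: The path test on the `if` uses `start_with?('/arvados/v1/groups')`, which accepts any path beginning with that string rather than the groups collection and its sub-paths; the same holds for `/arvados/v1/users/current`. If exactly those routes are meant, match them precisely: `p = request.path; p == '/arvados/v1/users/current' || p == '/arvados/v1/groups' || p.start_with?('/arvados/v1/groups/')`. `remote = params[:remote]` is also passed straight through to `validate`, where per the model hunk below it becomes the HMAC salt; if cluster prefixes are always five lowercase alphanumerics, keeping malformed input out of the auth path is one line, `remote = params[:remote] if params[:remote] =~ /\A[a-z0-9]{5}\z/`. The HTTP method restriction is added by a later commit in this push. The enclosing `call` method starts and ends outside the hunk.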
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 6ab8abd..43442c9 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -83,10 +83,10 @@ class ApiClientAuthorization < ArvadosModel
     ["#{table_name}.id desc"]
   end
 
-  def self.remote_host(uuid:)
-    Rails.configuration.remote_hosts[uuid[0..4]] ||
+  def self.remote_host(uuid_prefix:)
+    Rails.configuration.remote_hosts[uuid_prefix] ||
       (Rails.configuration.remote_hosts_via_dns &&
-       uuid[0..4]+".arvadosapi.com")
+       uuid_prefix+".arvadosapi.com")
   end
 
   def self.validate(token:, remote:)
@@ -104,41 +104,62 @@ class ApiClientAuthorization < ArvadosModel
          (secret == auth.api_token ||
           secret == OpenSSL::HMAC.hexdigest('sha1', auth.api_token, remote))
         return auth
-      elsif uuid[0..4] != Rails.configuration.uuid_prefix
-        # Token was issued by a different cluster. If it's expired or
-        # missing in our database, ask the originating cluster to
-        # [re]validate it.
-        arv = Arvados.new(api_host: remote_host(uuid: uuid),
-                          api_token: token)
-        begin
-          remote_user = arv.user.current(remote: Rails.configuration.uuid_prefix)
-        rescue => e
-          logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
-          return nil
-        end
-        if !remote_user.is_a?(Hash) || !remote_user[:uuid].is_a?(String) || remote_user[:uuid][0..4] != uuid[0..4]
-          logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
-          return nil
-        end
-        act_as_system_user do
-          # Add/update user and token in our database so we can
-          # validate subsequent requests faster.
-          user = User.find_or_create_by(uuid: remote_user[:uuid])
-          user.update_attributes!(remote_user.merge(is_admin: false))
-          auth = ApiClientAuthorization.
-                 includes(:user).
-                 find_or_create_by(uuid: uuid,
-                                   api_token: token,
-                                   user: user,
-                                   api_client_id: 0)
-          # Accept this token (and don't reload the user record) for
-          # 5 minutes. TODO: Request the actual api_client_auth
-          # record from the remote server in case it wants the token
-          # to expire sooner.
-          auth.update_attributes!(expires_at: Time.now + 5.minutes)
-        end
-        return auth
       end
+
+      uuid_prefix = uuid[0..4]
+      if uuid_prefix == Rails.configuration.uuid_prefix
+        # If the token were valid, we would have validated it above
+        return nil
+      elsif uuid_prefix.length != 5
+        # malformed
+        return nil
+      end
+
+      host = remote_host(uuid_prefix: uuid_prefix)
+      if !host
+        Rails.logger.warn "remote authentication rejected: no host for #{uuid_prefix.inspect}"
+        return nil
+      end
+
+      # Token was issued by a different cluster. If it's expired or
+      # missing in our database, ask the originating cluster to
+      # [re]validate it.
+      arv = Arvados.new(api_host: host,
+                        api_token: token,
+                        suppress_ssl_warnings: Rails.env == 'test')
+      begin
+        clnt = HTTPClient.new
+        remote_user = SafeJSON.load(
+          clnt.get_content('https://' + host + '/arvados/v1/users/current',
+                           {'remote' => Rails.configuration.uuid_prefix},
+                           {'Authorization' => 'Bearer ' + token}))
+      rescue => e
+        logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
+        STDERR.puts e.backtrace
+        return nil
+      end
+      if !remote_user.is_a?(Hash) || !remote_user[:uuid].is_a?(String) || remote_user[:uuid][0..4] != uuid[0..4]
+        logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
+        return nil
+      end
+      act_as_system_user do
+        # Add/update user and token in our database so we can
+        # validate subsequent requests faster.
+        user = User.find_or_create_by(uuid: remote_user[:uuid])
+        user.update_attributes!(remote_user.merge(is_admin: false))
+        auth = ApiClientAuthorization.
+               includes(:user).
+               find_or_create_by(uuid: uuid,
+                                 api_token: token,
+                                 user: user,
+                                 api_client_id: 0)
+        # Accept this token (and don't reload the user record) for
+        # 5 minutes. TODO: Request the actual api_client_auth
+        # record from the remote server in case it wants the token
+        # to expire sooner.
+        auth.update_attributes!(expires_at: Time.now + 5.minutes)
+      end
+      return auth
     else
       auth = ApiClientAuthorization.
              includes(:user, :api_client).
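Review bot: The rescue in the new remote-validation path logs the full presented token (`token.inspect`) at warn level and dumps the backtrace to STDERR. The salted token is still a usable credential on the remote cluster, so it should not reach the logs; log an identifier instead, e.g. `logger.warn "remote authentication for #{uuid.inspect} via #{host} failed: #{e.class}: #{e.message}"`, and replace the `STDERR.puts` with `logger.debug e.backtrace.join("\n")`. The remote response is then trusted after only a type check on uuid and a prefix comparison, so HTTPClient's default certificate verification is what ties that response to `host`; nothing in production configuration should relax it. `uuid_prefix.length != 5` is checked only after `uuid[0..4]` has already been taken, and `remote_user[:uuid][0..4]` is sliced without a length check, so confirm `uuid` is a well-formed string by the time it is derived earlier in the method. The enclosing `validate` method starts and ends outside the hunk.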
diff --git a/services/api/test/functional/arvados/v1/users_controller_test.rb b/services/api/test/functional/arvados/v1/users_controller_test.rb
index b89145b..b75479f 100644
--- a/services/api/test/functional/arvados/v1/users_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/users_controller_test.rb
@@ -870,19 +870,4 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
     }
     return return_obj
   end
-
-  ['zbbbb', 'z0000'].each do |token_valid_for|
-    test "validate #{token_valid_for}-salted token for remote cluster zbbbb" do
-      salted_token = salt_token(fixture: :active, remote: token_valid_for)
-      ArvadosApiToken.new.call("rack.input" => "",
-                               "HTTP_AUTHORIZATION" => "Bearer #{salted_token}")
-      get :current, {remote: 'zbbbb'}
-      if token_valid_for == 'zbbbb'
-        assert_equal(users(:active).uuid, json_response['uuid'])
-        assert_response 200
-      else
-        assert_response 401
-      end
-    end
-  end
 end
diff --git a/services/api/test/functional/remote_user_account_test.rb b/services/api/test/integration/remote_user_test.rb
similarity index 69%
rename from services/api/test/functional/remote_user_account_test.rb
rename to services/api/test/integration/remote_user_test.rb
index 8b07be5..a7a7899 100644
--- a/services/api/test/functional/remote_user_account_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -5,13 +5,13 @@
 require 'webrick'
 require 'webrick/https'
 require 'test_helper'
+require 'helpers/users_test_helper'
 
-class RemoteUserAccountTest < ActionController::TestCase
+class RemoteUsersTest < ActionDispatch::IntegrationTest
   def auth(remote:)
     token = salt_token(fixture: :active, remote: remote)
     token.sub!('/zzzzz-', '/'+remote+'-')
-    ArvadosApiToken.new.call("rack.input" => "",
-                             "HTTP_AUTHORIZATION" => "Bearer #{token}")
+    {"HTTP_AUTHORIZATION" => "Bearer #{token}"}
   end
 
   setup do
@@ -28,9 +28,9 @@ class RemoteUserAccountTest < ActionController::TestCase
       SSLEnable: true,
       SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
       SSLPrivateKey: OpenSSL::PKey::RSA.new(
-        File.open("self-signed.key").read),
+        File.open(Rails.root.join("tmp", "self-signed.key")).read),
       SSLCertificate: OpenSSL::X509::Certificate.new(
-        File.open("self-signed.pem").read),
+        File.open(Rails.root.join("tmp", "self-signed.pem")).read),
       SSLCertName: [["CN", WEBrick::Utils::getservername]],
       StartCallback: lambda { ready.push(true) })
     srv.mount_proc '/discovery/v1/apis/arvados/v1/rest' do |req, res|
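Review bot: `File.open(Rails.root.join("tmp", "self-signed.key")).read` on the SSLPrivateKey line, and the same pattern for the certificate two lines below, opens a handle that is never closed and only goes away at GC; `File.read(Rails.root.join("tmp", "self-signed.key"))` reads and closes in one call. The setup block continues outside the hunk.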
@@ -59,12 +59,11 @@ class RemoteUserAccountTest < ActionController::TestCase
   end
 
   teardown do
-    @remote_server.stop
+    @remote_server.andand.stop
   end
 
   test 'authenticate with remote token' do
-    auth(remote: 'zbbbb')
-    get :current
+    get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
     assert_response :success
     assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
     assert_equal false, json_response['is_admin']
@@ -72,8 +71,7 @@ class RemoteUserAccountTest < ActionController::TestCase
 
   test 'authenticate with remote token from wrong site' do
     @stub_content[:uuid] = 'zcccc-tpzed-000000000000000'
-    auth(remote: 'zbbbb')
-    get :current
+    get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
     assert_response 401
   end
 
@@ -82,16 +80,29 @@ class RemoteUserAccountTest < ActionController::TestCase
     @stub_content = {
       error: 'not authorized',
     }
-    auth(remote: 'zbbbb')
-    get :current
+    get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
     assert_response 401
   end
 
   test 'remote api server is not an api server' do
-    @stub_status = 401
+    @stub_status = 200
     @stub_content = '<html>bad</html>'
-    auth(remote: 'zbbbb')
-    get :current
+    get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
     assert_response 401
   end
+
+  ['zbbbb', 'z0000'].each do |token_valid_for|
+    test "validate #{token_valid_for}-salted token for remote cluster zbbbb" do
+      salted_token = salt_token(fixture: :active, remote: token_valid_for)
+      get '/arvados/v1/users/current', {format: 'json', remote: 'zbbbb'}, {
+            "HTTP_AUTHORIZATION" => "Bearer #{salted_token}"
+          }
+      if token_valid_for == 'zbbbb'
+        assert_response 200
+        assert_equal(users(:active).uuid, json_response['uuid'])
+      else
+        assert_response 401
+      end
+    end
+  end
 end
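Review bot: The loop-generated tests at the end of the hunk do not say why a token salted for `z0000` must be refused when the request claims `remote: 'zbbbb'`; a comment such as `# A token salted for a different cluster must not validate when presented as coming from zbbbb, even though the underlying fixture token is valid locally` would record the property under test. The same applies to the changed stub in 'remote api server is not an api server': the remote now answers 200 with an HTML body, so the test checks that a non-JSON success response never authenticates anyone, and `# A 200 without a JSON user record must not authenticate` would make that intent explicit. The expected-uuid asymmetry (remote `zbbbb-tpzed-…` in the earlier test, local `users(:active).uuid` here) is presumably because the `remote` param flips which cluster is treated as the token issuer, and is worth stating in the same comment.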
diff --git a/services/api/test/integration/users_test.rb b/services/api/test/integration/users_test.rb
index 0288e88..8ddab3f 100644
--- a/services/api/test/integration/users_test.rb
+++ b/services/api/test/integration/users_test.rb
@@ -216,5 +216,4 @@ class UsersTest < ActionDispatch::IntegrationTest
     end
     nil
   end
-
 end

commit 1e3f8ceebd90058e902494fae84b1fd57ac6693b
Merge: 530b25a d493d06
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Mon Nov 6 17:12:34 2017 -0500

    Merge branch 'master' into 11453-federated-tokens
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --cc services/api/app/middlewares/arvados_api_token.rb
index be6bf04,5eb756b..fa8d987
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@@ -20,26 -29,32 +20,20 @@@ class ArvadosApiToke
      remote_ip = env["action_dispatch.remote_ip"]
  
      Thread.current[:request_starttime] = Time.now
 -    user = nil
 -    api_client = nil
 -    api_client_auth = nil
 -    supplied_token =
 +    Thread.current[:supplied_token] =
        params["api_token"] ||
        params["oauth_token"] ||
 -      env["HTTP_AUTHORIZATION"].andand.match(/OAuth2 ([a-zA-Z0-9]+)/).andand[1]
 -    if supplied_token
 -      api_client_auth = ApiClientAuthorization.
 -        includes(:api_client, :user).
 -        where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', supplied_token).
 -        first
 -      if api_client_auth.andand.user
 -        user = api_client_auth.user
 -        api_client = api_client_auth.api_client
 -      else
 -        # Token seems valid, but points to a non-existent (deleted?) user.
 -        api_client_auth = nil
 -      end
 -    end
 +      env["HTTP_AUTHORIZATION"].andand.
 +        match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
 +
 +    auth = ApiClientAuthorization.
 +           validate(token: Thread.current[:supplied_token], remote: false)
      Thread.current[:api_client_ip_address] = remote_ip
 -    Thread.current[:api_client_authorization] = api_client_auth
 -    Thread.current[:api_client_uuid] = api_client.andand.uuid
 -    Thread.current[:api_client] = api_client
 -    Thread.current[:user] = user
 +    Thread.current[:api_client_authorization] = auth
 +    Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
 +    Thread.current[:api_client] = auth.andand.api_client
 +    Thread.current[:user] = auth.andand.user
  
-     if auth
-       auth.last_used_at = Time.now
-       auth.last_used_by_ip_address = remote_ip.to_s
-       auth.save validate: false
-     end
- 
      @app.call env if @app
    end
  end
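Review bot: The merged result drops the branch-side block that stamped `auth.last_used_at` and `auth.last_used_by_ip_address` and saved the authorization (the `- ` lines near the end of the hunk), so after this merge the middleware no longer records token usage unless that bookkeeping moved into `ApiClientAuthorization.validate`, which is outside this hunk. If it did move, a one-line comment at the `validate` call, `# validate also records last_used_at / last_used_by_ip_address`, would stop the next reader from reaching the same conclusion; if it did not, the audit trail for token use has regressed and the block should be restored. The `@app.call env if @app` line and the class header are unchanged context, so the rest of `call` is as it was on master.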
