[ARVADOS] updated: 1.1.0-207-gf15c51d
Git user
git at public.curoverse.com
Wed Nov 29 01:24:05 EST 2017
Summary of changes:
.../components/{collections.js => search.js} | 88 +++--
.../app/assets/javascripts/components/sessions.js | 4 +-
.../app/assets/javascripts/models/session_db.js | 30 ++
.../app/controllers/collections_controller.rb | 2 +-
.../workbench/app/controllers/search_controller.rb | 2 +
apps/workbench/app/views/layouts/body.html.erb | 2 +-
.../app/views/projects/_show_dashboard.html.erb | 37 +-
.../multisite.html => search/index.html} | 2 +-
apps/workbench/config/routes.rb | 8 +-
.../test/controllers/projects_controller_test.rb | 4 +-
.../test/integration/application_layout_test.rb | 3 +-
build/libcloud-pin.sh | 2 +-
.../ubuntu1204/Dockerfile | 33 --
.../package-test-dockerfiles/ubuntu1204/Dockerfile | 21 --
build/run-build-packages-all-targets.sh | 5 +
build/run-tests.sh | 34 +-
docker/jobs/apt.arvados.org.list | 1 +
sdk/cwl/arvados_cwl/__init__.py | 1 -
sdk/cwl/arvados_cwl/arvworkflow.py | 21 +-
sdk/cwl/arvados_cwl/fsaccess.py | 36 +-
sdk/cwl/setup.py | 2 +-
sdk/cwl/tests/arvados-tests.sh | 2 +-
sdk/cwl/tests/arvados-tests.yml | 6 +
sdk/cwl/tests/test_fsaccess.py | 76 ++++
sdk/cwl/tests/wf/{scatter2.cwl => runin-wf.cwl} | 30 +-
sdk/go/asyncbuf/buf.go | 108 ++++++
sdk/go/asyncbuf/buf_test.go | 245 +++++++++++++
sdk/go/keepclient/hashcheck.go | 15 +-
sdk/go/keepclient/keepclient.go | 17 +-
sdk/go/keepclient/keepclient_test.go | 16 +-
sdk/go/keepclient/support.go | 20 +-
sdk/go/streamer/streamer.go | 158 ---------
sdk/go/streamer/streamer_test.go | 381 ---------------------
sdk/go/streamer/transfer.go | 310 -----------------
sdk/python/arvados/commands/get.py | 2 +-
sdk/python/tests/test_arv_get.py | 7 +
services/api/Gemfile | 1 -
services/api/Gemfile.lock | 2 -
.../api/app/controllers/application_controller.rb | 2 +-
.../v1/api_client_authorizations_controller.rb | 20 +-
.../controllers/arvados/v1/schema_controller.rb | 1 +
services/api/app/middlewares/arvados_api_token.rb | 40 ++-
.../api/app/models/api_client_authorization.rb | 27 +-
.../arvados/v1/groups_controller_test.rb | 12 -
.../arvados/v1/schema_controller_test.rb | 10 +-
.../api_client_authorizations_scopes_test.rb | 14 +
.../api/test/integration/reader_tokens_test.rb | 23 +-
services/api/test/integration/remote_user_test.rb | 39 ++-
services/crunch-run/crunchrun.go | 142 +++++---
services/crunch-run/crunchrun_test.go | 46 ++-
services/crunch-run/upload.go | 5 +-
services/fuse/arvados_fuse/unmount.py | 89 ++++-
services/fuse/tests/test_unmount.py | 46 +++
services/keepproxy/keepproxy_test.go | 29 ++
.../nodemanager/arvnodeman/test/fake_driver.py | 2 +-
services/nodemanager/setup.py | 4 +-
tools/arvbox/bin/arvbox | 9 +
tools/arvbox/lib/arvbox/docker/Dockerfile.base | 5 +-
tools/arvbox/lib/arvbox/docker/Dockerfile.demo | 5 +-
tools/arvbox/lib/arvbox/docker/common.sh | 1 +
tools/arvbox/lib/arvbox/docker/createusers.sh | 1 +
.../{workbench => composer}/log/main/.gitstub | 0
.../docker/service/{workbench => composer}/log/run | 0
.../arvbox/docker/service/{sdk => composer}/run | 3 +-
.../lib/arvbox/docker/service/composer/run-service | 22 ++
.../lib/arvbox/docker/service/sso/run-service | 5 +-
.../arvbox/lib/arvbox/docker/service/workbench/run | 6 +
.../arvbox/docker/service/workbench/run-service | 3 +
68 files changed, 1139 insertions(+), 1206 deletions(-)
rename apps/workbench/app/assets/javascripts/components/{collections.js => search.js} (65%)
rename apps/workbench/app/views/{collections/multisite.html => search/index.html} (66%)
delete mode 100644 build/package-build-dockerfiles/ubuntu1204/Dockerfile
delete mode 100644 build/package-test-dockerfiles/ubuntu1204/Dockerfile
copy sdk/cwl/tests/wf/{scatter2.cwl => runin-wf.cwl} (69%)
create mode 100644 sdk/go/asyncbuf/buf.go
create mode 100644 sdk/go/asyncbuf/buf_test.go
delete mode 100644 sdk/go/streamer/streamer.go
delete mode 100644 sdk/go/streamer/streamer_test.go
delete mode 100644 sdk/go/streamer/transfer.go
copy tools/arvbox/lib/arvbox/docker/service/{workbench => composer}/log/main/.gitstub (100%)
copy tools/arvbox/lib/arvbox/docker/service/{workbench => composer}/log/run (100%)
copy tools/arvbox/lib/arvbox/docker/service/{sdk => composer}/run (68%)
create mode 100755 tools/arvbox/lib/arvbox/docker/service/composer/run-service
via f15c51d123da2db1deeeb0e76685cf17eb56e039 (commit)
via fb3b32f1aeeca1b52c1136ec48b50ea18ba71b17 (commit)
via 677b58da477a5e70b53b883a56554e18148fed5e (commit)
via d7c1ea62974317c40a66f5cc3c1797dcba30289f (commit)
via 07a2b2c0e743f36be03e746a7e265986db555d3e (commit)
via 3ed14dc61e8d39d748d0e7c25d12e4e5c45e09a8 (commit)
via cd4f5cfb00a253726a0c9087721273fd9b142be1 (commit)
via 0d06a2984420d9d48e16ccb6d85982b3dce05644 (commit)
via cac7dd48497923fc0141a8c4f928b524a38fbfac (commit)
via 49707c44d918ffd1c8f7d90012f9e4fba30c9542 (commit)
via d15a62ff5e6f0c1133f670bbd7c4efd2930044f5 (commit)
via a815150a573560278936f9534f14e2650345ef88 (commit)
via 7ad3a743e6dfa9f6084affc34346f42f9db8c3fb (commit)
via 9c627105e9634249cd303f46c3b81ecdcbaead39 (commit)
via c33a21739019843a5408ad11eec57cdd850decad (commit)
via 3737e05681b6cfb22ea0af0da08598e458da16f0 (commit)
via 90a8c9cd85b9974946682930974500614af858aa (commit)
via b81e83807ec568686a4dbb30d31a32cba5996e5f (commit)
via 08fe6b0770ad8b4aa5115052126f1e0d51dca1fa (commit)
via 4f1a135e93df78bb833dff32562efe713c6f690e (commit)
via abc241fb83523ae5ae5905ae47210f15d7e0671c (commit)
via b30548921f19177256890ad58b90dbf66d8407ef (commit)
via 2f83263d2978918561355b5b3b2bdaa05b38023f (commit)
via 36e2a9db3259bc73d09176d7e6b86bd448b724e9 (commit)
via bef091f69353d5a1ec7ef6c4e84f81756023596b (commit)
via eb84fae9410b06638de572751c64255ee1ea7997 (commit)
via 3156c76f53b4142beb912cb57fd66e343c9e09d4 (commit)
via cf6ebed6cb9f2cd5e2ef15f8ea02d5d4e3458306 (commit)
via 197d9db51a358ae6effdc58cbb94f77d30e16f74 (commit)
via 58be2f1c488248d11dfb2ad730b6a8d56e557e63 (commit)
via 25ce0f6576f76f569502bc55629c2f292dbba07e (commit)
via a14d826813a64223c9b9ddda5d918b3a20bcef6f (commit)
via fda4715560f9c679df6d08b20c09515fb2c1487f (commit)
via b7cd87b8bfccf98faa76d336f359c0f964777901 (commit)
via c8a75b03c12b26fcd810f1a35d6747400ac6627f (commit)
via 9ea1f795a9c4050d8f01cd2f130a3c6c3ea1fd69 (commit)
via 359c2058fb78793bbf06920e605b4a3c1fd5f029 (commit)
via 56776607fe1846810bb0396216e09ec09845b426 (commit)
via d4de94839e7aabf550686ef3db9d43254ff2e4d7 (commit)
via 856b9bb8403383347f771badb98a9093e1bb3aca (commit)
via 357cbabe1731f73b8849ba0b4565351db776d0b9 (commit)
via 6247858b8041caf4899da501456661d25dd5491b (commit)
via 2e26522a30b1bb866be81b1013e3329b4d21ed6e (commit)
via 2cd5de4a961753c82876b6fbbf722b3d56e4df77 (commit)
via dc78526ba494973df7d298825e20503353e92adf (commit)
via 336973bf211f462aa826a1702991e056a30fd6ae (commit)
via e48ebb43f6e9810d8a2762b49da49fa7bf635a0a (commit)
via 6be9a2c8066a633327f797e537c228fb9b9d91c5 (commit)
via c23c3a36659e36e0b46088007664ee9dc625dad8 (commit)
via e20fbcb9eefcea9ea0b99eae0952817171bcd7a2 (commit)
via 423364e3772de59ca4638388605fd556a2a0da3e (commit)
via 2b713e548510a99803c41ceb13d47fa2f38b51bf (commit)
via c5d42c41795106305f6b965be77d94a935f5b0d3 (commit)
via 2f66ce454917c8d9d016a9438e529a0a20317028 (commit)
via 9e6a74aef4a1bad53c829d8853e6620a67f698d2 (commit)
via dc003f39ba6bfed060350127e4c5ce2941f1994b (commit)
via 3ff7fc1df61836d08b9862b0872d3ec8f12ae444 (commit)
via e1da2448fac9f060cdfe7f62a8783cd9b8cfaf96 (commit)
via 63f1542e94f3f1e66cbf0d88f557105ff5d104d0 (commit)
via a5d1a2aa40ad211b4faf870c603ae7ad5263b6bc (commit)
via fc128bc6497aa266f925e2aa4821bde6fce9aade (commit)
via 4b23309ecedb0010d907a6930844c6928b3755b6 (commit)
via 0af053088c83d1107866cb06fd6c5736d9065eee (commit)
via 47508624a359de86a402030e67737e5e81e78947 (commit)
via e2bf56f0a0fa1f6b4fb7b4efc4db5178b074b8ce (commit)
via 3b278b8959a80103506470457485f523dcbfba50 (commit)
via ec11b576da48f0272121f77268cef39a54c9bb7b (commit)
via fff3b19b8a7b8eca06065bdf60b0541c26e27935 (commit)
via 3c5de241f6a6ac56e8bf986c89ffe153b9d941fe (commit)
via 899d369bef489b89d9ce1b1cd5e07ce8304a9a85 (commit)
via 08a4ebba0e5bfbc179103ac5e6916164bc8083fa (commit)
via 8de691c25eac0454f8f30cfa35eccff15642e330 (commit)
via a18005f8b35a68b4fcd9ccdf76832b28e564289c (commit)
via a70727762dafee667b022331307f6c0f949fd7e7 (commit)
via d59645f3e566e691ba757f74bba503c13773dbe8 (commit)
via aabf1ca0e99701550f9af785e9f1fee098b0020a (commit)
via 7bc55d65082b3a39639508fcaebd1185b7e04089 (commit)
via 2778384cf0c3315c261bc1d52e6c39dac017a3bd (commit)
via ea2c309720610298ba23312290aeb788c80e9dcc (commit)
via cd45d6a3f9e3298cbab3d0f2ba655d7a9d0034d5 (commit)
from e9a9add82323c93e6da8b1ed8ed019e0f5a9323b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit f15c51d123da2db1deeeb0e76685cf17eb56e039
Merge: fb3b32f 677b58d
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Wed Nov 29 01:23:31 2017 -0500
11453: Merge branch 'master' into 11453-federated-tokens
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
commit fb3b32f1aeeca1b52c1136ec48b50ea18ba71b17
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 27 17:38:35 2017 -0500
11453: Fix remote token checks.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index de6ba6f..4098fd7 100644
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -23,12 +23,12 @@ class ArvadosApiToken
remote = false
reader_tokens = nil
- if params[:remote] && request.get? && (
+ if params["remote"] && request.get? && (
request.path.start_with?('/arvados/v1/groups') ||
request.path.start_with?('/arvados/v1/users/current'))
# Request from a remote API server, asking to validate a salted
# token.
- remote = params[:remote]
+ remote = params["remote"]
elsif request.get? || params["_method"] == 'GET'
reader_tokens = params["reader_tokens"]
if reader_tokens.is_a? String
@@ -42,13 +42,12 @@ class ArvadosApiToken
auth = nil
[params["api_token"],
params["oauth_token"],
- env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([a-zA-Z0-9]+)/).andand[2],
+ env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2],
*reader_tokens,
].each do |supplied|
next if !supplied
try_auth = ApiClientAuthorization.
- validate(token: Thread.current[:supplied_token],
- remote: remote)
+ validate(token: supplied, remote: remote)
if try_auth.andand.user
auth = try_auth
break
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index fba999c..542ab8e 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -131,28 +131,29 @@ class ApiClientAuthorization < ArvadosModel
{'remote' => Rails.configuration.uuid_prefix},
{'Authorization' => 'Bearer ' + token}))
rescue => e
- logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
- STDERR.puts e.backtrace
+ Rails.logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
return nil
end
- if !remote_user.is_a?(Hash) || !remote_user[:uuid].is_a?(String) || remote_user[:uuid][0..4] != uuid[0..4]
- logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
+ if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String) || remote_user['uuid'][0..4] != uuid[0..4]
+ Rails.logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
return nil
end
act_as_system_user do
# Add/update user and token in our database so we can
# validate subsequent requests faster.
- user = User.find_or_create_by(uuid: remote_user[:uuid])
+ user = User.find_or_create_by(uuid: remote_user['uuid']) do |user|
+ user.is_admin = false
+ end
updates = {}
[:first_name, :last_name, :email, :prefs].each do |attr|
- updates[attr] = remote_user[attr]
+ updates[attr] = remote_user[attr.to_s]
end
if Rails.configuration.new_users_are_active
# Update is_active to whatever it is at the remote end
- updates[:is_active] = remote_user[:is_active]
+ updates[:is_active] = remote_user['is_active']
elsif !updates[:is_active]
# Remote user is inactive; our mirror should be, too.
updates[:is_active] = false
@@ -160,11 +161,11 @@ class ApiClientAuthorization < ArvadosModel
user.update_attributes!(updates)
- auth = ApiClientAuthorization.find_or_create_by(uuid: uuid)
- auth.user = user
- auth.api_token = token
- auth.api_client_id = 0
- auth.save!
+ auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
+ auth.user = user
+ auth.api_token = token
+ auth.api_client_id = 0
+ end
# Accept this token (and don't reload the user record) for
# 5 minutes. TODO: Request the actual api_client_auth
diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb
index 6027dcb..3442eda 100644
--- a/services/api/test/functional/arvados/v1/groups_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb
@@ -704,17 +704,5 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase
assert_response :success
assert_not_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
end
-
- end
-
- test "list readable groups with salted token" do
- salted_token = salt_token(fixture: :active, remote: 'zbbbb')
- ArvadosApiToken.new.call("rack.input" => "",
- "HTTP_AUTHORIZATION" => "Bearer #{salted_token}")
- get :index, {remote: 'zbbbb', limit: 10000}
- assert_response 200
- group_uuids = json_response['items'].collect { |i| i['uuid'] }
- assert_includes(group_uuids, 'zzzzz-j7d0g-fffffffffffffff')
- refute_includes(group_uuids, 'zzzzz-j7d0g-000000000000000')
end
end
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 1201d44..6e5b9e4 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -22,6 +22,10 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
# Test cases can override the stub's default response to
# .../users/current by changing @stub_status and @stub_content.
setup do
+ clnt = HTTPClient.new
+ clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ HTTPClient.stubs(:new).returns clnt
+
@controller = Arvados::V1::UsersController.new
ready = Thread::Queue.new
srv = WEBrick::HTTPServer.new(
@@ -70,14 +74,14 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
end
test 'authenticate with remote token' do
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response :success
assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
assert_equal false, json_response['is_admin']
end
test 'authenticate with remote token from misbhehaving remote cluster' do
- get '/arvados/v1/users/current', {}, auth(remote: 'zbork')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbork')
assert_response 401
end
@@ -86,14 +90,14 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
@stub_content = {
error: 'not authorized',
}
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response 401
end
test 'remote api server is not an api server' do
@stub_status = 200
@stub_content = '<html>bad</html>'
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response 401
end
@@ -111,4 +115,19 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
end
end
end
+
+ test "list readable groups with salted token" do
+ salted_token = salt_token(fixture: :active, remote: 'zbbbb')
+ get '/arvados/v1/groups', {
+ format: 'json',
+ remote: 'zbbbb',
+ limit: 10000,
+ }, {
+ "HTTP_AUTHORIZATION" => "Bearer #{salted_token}"
+ }
+ assert_response 200
+ group_uuids = json_response['items'].collect { |i| i['uuid'] }
+ assert_includes(group_uuids, 'zzzzz-j7d0g-fffffffffffffff')
+ refute_includes(group_uuids, 'zzzzz-j7d0g-000000000000000')
+ end
end
commit 07a2b2c0e743f36be03e746a7e265986db555d3e
Merge: 3ed14dc cac7dd4
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 27 15:22:08 2017 -0500
Merge branch 'master' into 11453-federated-tokens
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --cc services/api/Gemfile
index 34e88a8,25e13a5..4cb5671
--- a/services/api/Gemfile
+++ b/services/api/Gemfile
@@@ -57,9 -57,7 +57,8 @@@ gem 'themes_for_rails', git: 'https://g
gem 'arvados', '>= 0.1.20150615153458'
gem 'arvados-cli', '>= 0.1.20161017193526'
+gem 'httpclient'
- gem 'puma', '~> 2.0'
gem 'sshkey'
gem 'safe_yaml'
gem 'lograge'
diff --cc services/api/app/controllers/arvados/v1/schema_controller.rb
index 25736d3,6f893bc..c3b3411
--- a/services/api/app/controllers/arvados/v1/schema_controller.rb
+++ b/services/api/app/controllers/arvados/v1/schema_controller.rb
@@@ -55,9 -49,8 +55,10 @@@ class Arvados::V1::SchemaController < A
crunchLogThrottleLines: Rails.application.config.crunch_log_throttle_lines,
crunchLimitLogBytesPerJob: Rails.application.config.crunch_limit_log_bytes_per_job,
crunchLogPartialLineThrottlePeriod: Rails.application.config.crunch_log_partial_line_throttle_period,
+ remoteHosts: Rails.configuration.remote_hosts,
+ remoteHostsViaDNS: Rails.configuration.remote_hosts_via_dns,
websocketUrl: Rails.application.config.websocket_address,
+ workbenchUrl: Rails.application.config.workbench_address,
parameters: {
alt: {
type: "string",
diff --cc services/api/app/middlewares/arvados_api_token.rb
index 105b00f,6a37631..de6ba6f
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@@ -20,31 -29,43 +20,46 @@@ class ArvadosApiToke
remote_ip = env["action_dispatch.remote_ip"]
Thread.current[:request_starttime] = Time.now
- Thread.current[:supplied_token] =
- params["api_token"] ||
- params["oauth_token"] ||
- env["HTTP_AUTHORIZATION"].andand.
- match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
- user = nil
- api_client = nil
- api_client_auth = nil
- if request.get? || params["_method"] == 'GET'
+
++ remote = false
++ reader_tokens = nil
+ if params[:remote] && request.get? && (
+ request.path.start_with?('/arvados/v1/groups') ||
+ request.path.start_with?('/arvados/v1/users/current'))
+ # Request from a remote API server, asking to validate a salted
+ # token.
+ remote = params[:remote]
- else
- # Normal request.
- remote = false
++ elsif request.get? || params["_method"] == 'GET'
+ reader_tokens = params["reader_tokens"]
+ if reader_tokens.is_a? String
+ reader_tokens = SafeJSON.load(reader_tokens)
+ end
- else
- reader_tokens = nil
+ end
+
+ # Set current_user etc. based on the primary session token if a
+ # valid one is present. Otherwise, use the first valid token in
+ # reader_tokens.
++ auth = nil
+ [params["api_token"],
+ params["oauth_token"],
- env["HTTP_AUTHORIZATION"].andand.match(/OAuth2 ([a-zA-Z0-9]+)/).andand[1],
++ env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([a-zA-Z0-9]+)/).andand[2],
+ *reader_tokens,
+ ].each do |supplied|
+ next if !supplied
+ try_auth = ApiClientAuthorization.
- includes(:api_client, :user).
- where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', supplied).
- first
++ validate(token: Thread.current[:supplied_token],
++ remote: remote)
+ if try_auth.andand.user
- api_client_auth = try_auth
- user = api_client_auth.user
- api_client = api_client_auth.api_client
++ auth = try_auth
+ break
+ end
end
- auth = ApiClientAuthorization.
- validate(token: Thread.current[:supplied_token],
- remote: remote)
+
Thread.current[:api_client_ip_address] = remote_ip
- Thread.current[:api_client_authorization] = api_client_auth
- Thread.current[:api_client_uuid] = api_client.andand.uuid
- Thread.current[:api_client] = api_client
- Thread.current[:user] = user
+ Thread.current[:api_client_authorization] = auth
+ Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
+ Thread.current[:api_client] = auth.andand.api_client
+ Thread.current[:user] = auth.andand.user
@app.call env if @app
end
commit 3ed14dc61e8d39d748d0e7c25d12e4e5c45e09a8
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 27 15:12:20 2017 -0500
11453: Make local cache of remote token more robust.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 7efd8ea..fba999c 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -160,12 +160,12 @@ class ApiClientAuthorization < ArvadosModel
user.update_attributes!(updates)
- auth = ApiClientAuthorization.
- includes(:user).
- find_or_create_by(uuid: uuid,
- api_token: token,
- user: user,
- api_client_id: 0)
+ auth = ApiClientAuthorization.find_or_create_by(uuid: uuid)
+ auth.user = user
+ auth.api_token = token
+ auth.api_client_id = 0
+ auth.save!
+
# Accept this token (and don't reload the user record) for
# 5 minutes. TODO: Request the actual api_client_auth
# record from the remote server in case it wants the token
commit cd4f5cfb00a253726a0c9087721273fd9b142be1
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 27 15:11:56 2017 -0500
11453: Clarify stub server behavior.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index a7a7899..1201d44 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -14,6 +14,13 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
{"HTTP_AUTHORIZATION" => "Bearer #{token}"}
end
+ # For remote authentication tests, we bring up a simple stub server
+ # (on a port chosen by webrick) and configure the SUT so the stub is
+ # responsible for clusters "zbbbb" (a well-behaved cluster) and
+ # "zbork" (a misbehaving cluster).
+ #
+ # Test cases can override the stub's default response to
+ # .../users/current by changing @stub_status and @stub_content.
setup do
@controller = Arvados::V1::UsersController.new
ready = Thread::Queue.new
@@ -48,7 +55,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
@remote_server = srv
@remote_host = "127.0.0.1:#{srv.config[:Port]}"
Rails.configuration.remote_hosts['zbbbb'] = @remote_host
- Rails.configuration.remote_hosts['zcccc'] = @remote_host
+ Rails.configuration.remote_hosts['zbork'] = @remote_host
Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host}"
@stub_status = 200
@stub_content = {
@@ -69,9 +76,8 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
assert_equal false, json_response['is_admin']
end
- test 'authenticate with remote token from wrong site' do
- @stub_content[:uuid] = 'zcccc-tpzed-000000000000000'
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ test 'authenticate with remote token from misbhehaving remote cluster' do
+ get '/arvados/v1/users/current', {}, auth(remote: 'zbork')
assert_response 401
end
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list