[ARVADOS] updated: 1.1.4-185-g209dd42
Git user
git at public.curoverse.com
Wed May 2 16:55:08 EDT 2018
Summary of changes:
.../api/app/controllers/arvados/v1/users_controller.rb | 4 ++++
.../test/functional/arvados/v1/users_controller_test.rb | 16 ++++++++++++++++
2 files changed, 20 insertions(+)
via 209dd423250e0ab9e9b4f9d27d28071669b13d7b (commit)
from 49fb55aa1a9fb35d8e7e620717cb42f77d448a43 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 209dd423250e0ab9e9b4f9d27d28071669b13d7b
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Wed May 2 16:54:45 2018 -0400
12626: Check for scoped tokens.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/app/controllers/arvados/v1/users_controller.rb b/services/api/app/controllers/arvados/v1/users_controller.rb
index 3b89067..3a2b347 100644
--- a/services/api/app/controllers/arvados/v1/users_controller.rb
+++ b/services/api/app/controllers/arvados/v1/users_controller.rb
@@ -128,6 +128,8 @@ class Arvados::V1::UsersController < ApplicationController
def merge
if !Thread.current[:api_client].andand.is_trusted
return send_error("supplied API token is not from a trusted client", status: 403)
+ elsif Thread.current[:api_client_authorization].scopes != ['all']
+ return send_error("cannot merge with a scoped token", status: 403)
end
dst_auth = ApiClientAuthorization.validate(token: params[:new_user_token])
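Review bot: The test for an unrestricted token, `scopes != ['all']`, is spelled out twice — here on the caller's authorization and again on `dst_auth` in the next hunk — so any later change in how scopes are represented has to be found in both places; a private predicate such as `def full_scope?(auth); auth.scopes == ['all']; end` used from both branches would keep that definition in one spot. The exact-equality form is the right direction (anything other than exactly `['all']`, an empty list included, is refused), so the helper should keep it rather than loosen it to an `include?` check. The two 403 messages also describe the same condition with different wording ("scoped token" here, "restricted scope" in the next hunk); aligning them makes log triage easier. The new `elsif` reads `Thread.current[:api_client_authorization].scopes` without the `andand` guard the preceding line puts on `:api_client`; if the authorization can be absent while the client is trusted — which the visible lines do not settle — that call would raise instead of returning 403. `merge` continues past the end of the hunk.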
@@ -136,6 +138,8 @@ class Arvados::V1::UsersController < ApplicationController
end
if !dst_auth.api_client.andand.is_trusted
return send_error("supplied new_user_token is not from a trusted client", status: 403)
+ elsif dst_auth.scopes != ['all']
+ return send_error("supplied new_user_token has restricted scope", status: 403)
end
dst_user = dst_auth.user
diff --git a/services/api/test/functional/arvados/v1/users_controller_test.rb b/services/api/test/functional/arvados/v1/users_controller_test.rb
index ebab993..3bcf3ed 100644
--- a/services/api/test/functional/arvados/v1/users_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/users_controller_test.rb
@@ -861,6 +861,22 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
end
end
+ [['src', :active_trustedclient],
+ ['dst', :project_viewer_trustedclient]].each do |which_scoped, auth|
+ test "refuse to merge with scoped #{which_scoped} token" do
+ act_as_system_user do
+ api_client_authorizations(auth).update_attributes(scopes: ["GET /", "POST /", "PUT /"])
+ end
+ authorize_with(:active_trustedclient)
+ post(:merge, {
+ new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
+ new_owner_uuid: users(:project_viewer).uuid,
+ redirect_to_new_user: true,
+ })
+ assert_response(403)
+ end
+ end
+
test "refuse to merge if new_owner_uuid is not writable" do
authorize_with(:project_viewer_trustedclient)
post(:merge, {
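Review bot: Both generated cases assert only `assert_response(403)`, which is the same status the neighbouring trusted-client checks return, so the tests would keep passing if the new scope checks were removed and a 403 came from another branch instead; adding `assert_match(/scope/, @response.body)` after the status assertion pins the failure to the scope check, assuming `send_error` puts its message in the response body, which this hunk does not show. The `which_scoped` element is used only in the test name while `auth` decides which fixture gets its scopes narrowed, so a one-line comment above the array, e.g. `# [label for the test name, fixture whose token is restricted to a few paths]`, would spare the next reader a lookup. The enclosing test class continues outside the hunk.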