[ARVADOS] updated: 1.3.0-1827-gae562784e

Git user git at public.curoverse.com
Mon Nov 4 22:12:23 UTC 2019


Summary of changes:
 lib/controller/localdb/login.go         | 12 +++++-
 lib/controller/localdb/login_test.go    | 34 ++++++++++++++++
 lib/controller/railsproxy/railsproxy.go | 13 +-----
 sdk/go/arvadostest/proxy.go             | 72 +++++++++++++++++++++++++++++++++
 services/api/config/arvados_config.rb   |  5 ++-
 5 files changed, 121 insertions(+), 15 deletions(-)
 create mode 100644 sdk/go/arvadostest/proxy.go

       via  ae562784e8d8d8bd501c0bd373739d0a2da8fc9f (commit)
       via  514fb685c9d835441e0911d9b9499952b6787095 (commit)
       via  8e6c0553ed9c44221dd40408d43d9ce426e89533 (commit)
      from  deaf1d8f2f694b09562eddac055ccebba5a98517 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit ae562784e8d8d8bd501c0bd373739d0a2da8fc9f
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Mon Nov 4 17:11:34 2019 -0500

    15107: Test controller-to-Rails callback.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/lib/controller/localdb/login_test.go b/lib/controller/localdb/login_test.go
index c6aa0d31f..362e25840 100644
--- a/lib/controller/localdb/login_test.go
+++ b/lib/controller/localdb/login_test.go
@@ -5,6 +5,7 @@
 package localdb
 
 import (
+	"bytes"
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
@@ -13,11 +14,14 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"strings"
 	"testing"
 	"time"
 
 	"git.curoverse.com/arvados.git/lib/config"
+	"git.curoverse.com/arvados.git/lib/controller/rpc"
 	"git.curoverse.com/arvados.git/sdk/go/arvados"
+	"git.curoverse.com/arvados.git/sdk/go/arvadostest"
 	"git.curoverse.com/arvados.git/sdk/go/auth"
 	"git.curoverse.com/arvados.git/sdk/go/ctxlog"
 	check "gopkg.in/check.v1"
@@ -35,6 +39,7 @@ type LoginSuite struct {
 	cluster    *arvados.Cluster
 	ctx        context.Context
 	localdb    *Conn
+	railsSpy   *arvadostest.Proxy
 	fakeIssuer *httptest.Server
 	issuerKey  *rsa.PrivateKey
 
@@ -119,6 +124,13 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
 
 	s.localdb = NewConn(s.cluster)
 	s.localdb.googleLoginController.issuer = s.fakeIssuer.URL
+
+	s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
+	s.localdb.railsProxy = rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
+}
+
+func (s *LoginSuite) TearDownTest(c *check.C) {
+	s.railsSpy.Close()
 }
 
 func (s *LoginSuite) TestGoogleLoginStart_Bogus(c *check.C) {
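Review bot: The new TearDownTest closes only `s.railsSpy`, while SetUpTest also starts a fresh `s.fakeIssuer` httptest.Server for every test (its creation is visible in the earlier commit's login_test.go hunk). Unless that server is closed somewhere outside the lines shown, each test leaves a listener and its goroutines running; adding `s.fakeIssuer.Close()` next to `s.railsSpy.Close()` would release both. SetUpTest begins outside this hunk, so this is based only on its visible tail.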
@@ -192,6 +204,25 @@ func (s *LoginSuite) TestGoogleLoginSuccess(c *check.C) {
 	token := target.Query().Get("api_token")
 	c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 
+	foundCallback := false
+	for _, dump := range s.railsSpy.RequestDumps {
+		c.Logf("spied request: %q", dump)
+		split := bytes.Split(dump, []byte("\r\n\r\n"))
+		c.Assert(split, check.HasLen, 2)
+		hdr, body := string(split[0]), string(split[1])
+		if strings.Contains(hdr, "POST /auth/controller/callback") {
+			vs, err := url.ParseQuery(body)
+			var authinfo map[string]interface{}
+			c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
+			c.Check(err, check.IsNil)
+			c.Check(authinfo["first_name"], check.Equals, "Fake User")
+			c.Check(authinfo["last_name"], check.Equals, "Name")
+			c.Check(authinfo["email"], check.Equals, "active-user at arvados.local")
+			foundCallback = true
+		}
+	}
+	c.Check(foundCallback, check.Equals, true)
+
 	// Try using the returned Arvados token.
 	c.Logf("trying an API call with new token %q", token)
 	ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{token}})
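Review bot: `bytes.Split(dump, []byte("\r\n\r\n"))` followed by `c.Assert(split, check.HasLen, 2)` aborts the whole test as soon as any proxied request has a body that itself contains a blank CRLF line; `bytes.SplitN(dump, []byte("\r\n\r\n"), 2)` splits at the header/body boundary only. Inside the callback branch, `err` from `url.ParseQuery` is checked after `vs.Get("auth_info")` has already been used, so a parse failure shows up first as a confusing JSON error; moving `c.Check(err, check.IsNil)` directly under the `ParseQuery` call reads better. `c.Logf("spied request: %q", dump)` also writes every full request, Authorization header included, to the test log, which is acceptable only while the suite runs with fixture tokens. TestGoogleLoginSuccess continues outside this hunk.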
diff --git a/lib/controller/railsproxy/railsproxy.go b/lib/controller/railsproxy/railsproxy.go
index fe070b48c..54257cffc 100644
--- a/lib/controller/railsproxy/railsproxy.go
+++ b/lib/controller/railsproxy/railsproxy.go
@@ -7,8 +7,6 @@
 package railsproxy
 
 import (
-	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -16,7 +14,6 @@ import (
 
 	"git.curoverse.com/arvados.git/lib/controller/rpc"
 	"git.curoverse.com/arvados.git/sdk/go/arvados"
-	"git.curoverse.com/arvados.git/sdk/go/auth"
 )
 
 // For now, FindRailsAPI always uses the rails API running on this
@@ -41,18 +38,10 @@ func NewConn(cluster *arvados.Cluster) *rpc.Conn {
 	if err != nil {
 		panic(err)
 	}
-	conn := rpc.NewConn(cluster.ClusterID, url, insecure, provideIncomingToken)
+	conn := rpc.NewConn(cluster.ClusterID, url, insecure, rpc.PassthroughTokenProvider)
 	// If Rails is running with force_ssl=true, this
 	// "X-Forwarded-Proto: https" header prevents it from
 	// redirecting our internal request to an invalid https URL.
 	conn.SendHeader = http.Header{"X-Forwarded-Proto": []string{"https"}}
 	return conn
 }
-
-func provideIncomingToken(ctx context.Context) ([]string, error) {
-	incoming, ok := auth.FromContext(ctx)
-	if !ok {
-		return nil, errors.New("no token provided")
-	}
-	return incoming.Tokens, nil
-}
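Review bot: Nothing in this diff shows that `rpc.PassthroughTokenProvider` keeps the `no token provided` error which the removed `provideIncomingToken` returned for a context without credentials. Its definition is outside the lines shown, so it is worth confirming that NewConn still fails such a call rather than forwarding a request to Rails with an empty token list. If the behaviour is the same, a short comment on the `rpc.NewConn` line such as `// Forwards the caller's own tokens; a context without credentials is an error.` would record that for the next reader.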
diff --git a/sdk/go/arvadostest/proxy.go b/sdk/go/arvadostest/proxy.go
new file mode 100644
index 000000000..015061ad5
--- /dev/null
+++ b/sdk/go/arvadostest/proxy.go
@@ -0,0 +1,72 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package arvadostest
+
+import (
+	"crypto/tls"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/http/httputil"
+	"net/url"
+	"time"
+
+	"git.curoverse.com/arvados.git/sdk/go/arvados"
+	"gopkg.in/check.v1"
+)
+
+type Proxy struct {
+	*httptest.Server
+
+	// URL where the proxy is listening. Same as Server.URL, but
+	// with parsing already done for you.
+	URL *url.URL
+
+	// A dump of each request that has been proxied.
+	RequestDumps [][]byte
+}
+
+// NewProxy returns a new Proxy that saves a dump of each reqeust
+// before forwarding to the indicated service.
+func NewProxy(c *check.C, svc arvados.Service) *Proxy {
+	var target url.URL
+	c.Assert(svc.InternalURLs, check.HasLen, 1)
+	for u := range svc.InternalURLs {
+		target = url.URL(u)
+		break
+	}
+	rp := httputil.NewSingleHostReverseProxy(&target)
+	rp.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
+		dump, _ := httputil.DumpRequest(r, false)
+		c.Logf("arvadostest.Proxy ErrorHandler(%s): %s\n%s", r.URL, err, dump)
+		http.Error(w, err.Error(), http.StatusBadGateway)
+	}
+	rp.Transport = &http.Transport{
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: true},
+	}
+	srv := httptest.NewServer(rp)
+	u, err := url.Parse(srv.URL)
+	c.Assert(err, check.IsNil)
+	proxy := &Proxy{
+		Server: srv,
+		URL:    u,
+	}
+	rp.Director = func(r *http.Request) {
+		dump, _ := httputil.DumpRequest(r, true)
+		proxy.RequestDumps = append(proxy.RequestDumps, dump)
+		r.URL.Scheme = target.Scheme
+		r.URL.Host = target.Host
+	}
+	return proxy
+}
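Review bot: `proxy.RequestDumps = append(proxy.RequestDumps, dump)` in the Director runs on the httptest server's per-connection goroutines with no lock, while tests read the slice from their own goroutine, so two concurrent proxied requests (or a run under `-race`) can corrupt or flag it. Guarding the slice with a `sync.Mutex` and exposing the dumps through a locked accessor that returns a copy would fix that; the error from `httputil.DumpRequest(r, true)` is also discarded and could be logged with `c.Logf`. Separately, `Proxy` has no doc comment although it lives in an importable package: one stating that it is a test-only helper, that upstream TLS verification is switched off (`InsecureSkipVerify: true`) and that `RequestDumps` holds complete requests including Authorization headers and bodies would discourage reuse outside tests.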

commit 514fb685c9d835441e0911d9b9499952b6787095
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Mon Nov 4 11:07:32 2019 -0500

    15107: Propagate first/last names from Google to RailsAPI.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index b41ca6490..8b83c3857 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -107,6 +107,7 @@ func (ctrl *googleLoginController) Login(ctx context.Context, cluster *arvados.C
 			return ctrl.loginError(fmt.Errorf("error verifying ID token: %s", err))
 		}
 		var claims struct {
+			Name     string `json:"name"`
 			Email    string `json:"email"`
 			Verified bool   `json:"email_verified"`
 		}
@@ -116,11 +117,20 @@ func (ctrl *googleLoginController) Login(ctx context.Context, cluster *arvados.C
 		if !claims.Verified {
 			return ctrl.loginError(errors.New("cannot authenticate using an unverified email address"))
 		}
+
+		firstname, lastname := strings.TrimSpace(claims.Name), ""
+		if names := strings.Fields(firstname); len(names) > 1 {
+			firstname = strings.Join(names[0:len(names)-1], " ")
+			lastname = names[len(names)-1]
+		}
+
 		ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{cluster.SystemRootToken}})
 		return railsproxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
 			ReturnTo: state.Remote + "," + state.ReturnTo,
 			AuthInfo: map[string]interface{}{
-				"email": claims.Email,
+				"email":      claims.Email,
+				"first_name": firstname,
+				"last_name":  lastname,
 			},
 		})
 	}
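Review bot: Splitting `claims.Name` at the last space is the only source for `first_name` and `last_name`, so an ID token without a `name` claim sends two empty strings to Rails and a multi-word family name is cut in the wrong place. The OIDC standard claims `given_name` and `family_name` could be decoded into the claims struct (declared in the previous hunk, as `GivenName` and `FamilyName` fields) and preferred, with the split kept as a fallback, as sketched below. Whether the issuer includes those claims depends on the scopes requested, which are not visible here. Login starts and ends outside this hunk.

```go
		// … unchanged: ID token verification and email_verified check …
		firstname := strings.TrimSpace(claims.GivenName)
		lastname := strings.TrimSpace(claims.FamilyName)
		if firstname == "" && lastname == "" {
			// Issuer supplied no structured name: fall back to
			// splitting the display name at its last word.
			firstname = strings.TrimSpace(claims.Name)
			if names := strings.Fields(firstname); len(names) > 1 {
				firstname = strings.Join(names[:len(names)-1], " ")
				lastname = names[len(names)-1]
			}
		}
		// … unchanged: ctxRoot and UserSessionCreate call …
```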
diff --git a/lib/controller/localdb/login_test.go b/lib/controller/localdb/login_test.go
index f35a2d25f..c6aa0d31f 100644
--- a/lib/controller/localdb/login_test.go
+++ b/lib/controller/localdb/login_test.go
@@ -43,6 +43,7 @@ type LoginSuite struct {
 	// desired response from token endpoint
 	authEmail         string
 	authEmailVerified bool
+	authName          string
 }
 
 func (s *LoginSuite) SetUpTest(c *check.C) {
@@ -52,6 +53,7 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
 
 	s.authEmail = "active-user at arvados.local"
 	s.authEmailVerified = true
+	s.authName = "Fake User Name"
 	s.fakeIssuer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		req.ParseForm()
 		c.Logf("fakeIssuer: got req: %s %s %s", req.Method, req.URL, req.Form)
@@ -79,6 +81,7 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
 				"nonce":          "fake-nonce",
 				"email":          s.authEmail,
 				"email_verified": s.authEmailVerified,
+				"name":           s.authName,
 			})
 			json.NewEncoder(w).Encode(struct {
 				AccessToken  string `json:"access_token"`

commit 8e6c0553ed9c44221dd40408d43d9ce426e89533
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Mon Nov 4 09:52:08 2019 -0500

    15107: Google login option makes SSO credentials optional.
    
    Add SystemRootToken to config loader.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index 5546e8e40..4c2dc5e33 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -85,6 +85,7 @@ end
 arvcfg = ConfigLoader.new
 arvcfg.declare_config "ClusterID", NonemptyString, :uuid_prefix
 arvcfg.declare_config "ManagementToken", String, :ManagementToken
+arvcfg.declare_config "SystemRootToken", String, :SystemRootToken
 arvcfg.declare_config "Git.Repositories", String, :git_repositories_dir
 arvcfg.declare_config "API.DisabledAPIs", Hash, :disable_api_methods, ->(cfg, k, v) { arrayToHash cfg, "API.DisabledAPIs", v }
 arvcfg.declare_config "API.MaxRequestSize", Integer, :max_request_size
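Review bot: `SystemRootToken` is declared as a plain `String`, so a cluster that sets no value loads with an empty token. login.go in this push passes `cluster.SystemRootToken` as the credential for the controller's session-create call, and whatever code on the Rails side compares an incoming token with this setting is not in the diff; it has to treat an empty setting as "no root token configured" rather than as something a blank or missing token can match. A comment above the declaration, e.g. `# May be empty; an empty value must never authenticate a request.`, would make that requirement explicit.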
@@ -105,8 +106,8 @@ arvcfg.declare_config "Users.EmailSubjectPrefix", String, :email_subject_prefix
 arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_email_from
 arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
 arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
-arvcfg.declare_config "Login.ProviderAppSecret", NonemptyString, :sso_app_secret
-arvcfg.declare_config "Login.ProviderAppID", NonemptyString, :sso_app_id
+arvcfg.declare_config "Login.ProviderAppSecret", String, :sso_app_secret
+arvcfg.declare_config "Login.ProviderAppID", String, :sso_app_id
 arvcfg.declare_config "Login.LoginCluster", String
 arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
 arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
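Review bot: Replacing `NonemptyString` with `String` for `Login.ProviderAppSecret` and `Login.ProviderAppID` is unconditional, so a cluster that still relies on the SSO provider now loads with a blank app ID or secret instead of failing at startup. The commit message makes these credentials optional only for the Google login case; a check after loading that rejects the configuration when Google login is not enabled and either value is empty would keep the earlier protection. Whether such a check already exists elsewhere is not visible in this diff.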

-----------------------------------------------------------------------


hooks/post-receive
-- 



