[ARVADOS] updated: 1.3.0-1827-gae562784e
Git user
git at public.curoverse.com
Mon Nov 4 22:12:23 UTC 2019
Summary of changes:
lib/controller/localdb/login.go | 12 +++++-
lib/controller/localdb/login_test.go | 34 ++++++++++++++++
lib/controller/railsproxy/railsproxy.go | 13 +-----
sdk/go/arvadostest/proxy.go | 72 +++++++++++++++++++++++++++++++++
services/api/config/arvados_config.rb | 5 ++-
5 files changed, 121 insertions(+), 15 deletions(-)
create mode 100644 sdk/go/arvadostest/proxy.go
via ae562784e8d8d8bd501c0bd373739d0a2da8fc9f (commit)
via 514fb685c9d835441e0911d9b9499952b6787095 (commit)
via 8e6c0553ed9c44221dd40408d43d9ce426e89533 (commit)
from deaf1d8f2f694b09562eddac055ccebba5a98517 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit ae562784e8d8d8bd501c0bd373739d0a2da8fc9f
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 4 17:11:34 2019 -0500
15107: Test controller-to-Rails callback.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/lib/controller/localdb/login_test.go b/lib/controller/localdb/login_test.go
index c6aa0d31f..362e25840 100644
--- a/lib/controller/localdb/login_test.go
+++ b/lib/controller/localdb/login_test.go
@@ -5,6 +5,7 @@
package localdb
import (
+ "bytes"
"context"
"crypto/rand"
"crypto/rsa"
@@ -13,11 +14,14 @@ import (
"net/http"
"net/http/httptest"
"net/url"
+ "strings"
"testing"
"time"
"git.curoverse.com/arvados.git/lib/config"
+ "git.curoverse.com/arvados.git/lib/controller/rpc"
"git.curoverse.com/arvados.git/sdk/go/arvados"
+ "git.curoverse.com/arvados.git/sdk/go/arvadostest"
"git.curoverse.com/arvados.git/sdk/go/auth"
"git.curoverse.com/arvados.git/sdk/go/ctxlog"
check "gopkg.in/check.v1"
@@ -35,6 +39,7 @@ type LoginSuite struct {
cluster *arvados.Cluster
ctx context.Context
localdb *Conn
+ railsSpy *arvadostest.Proxy
fakeIssuer *httptest.Server
issuerKey *rsa.PrivateKey
@@ -119,6 +124,13 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
s.localdb = NewConn(s.cluster)
s.localdb.googleLoginController.issuer = s.fakeIssuer.URL
+
+ s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
+ s.localdb.railsProxy = rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
+}
+
+func (s *LoginSuite) TearDownTest(c *check.C) {
+ s.railsSpy.Close()
}
func (s *LoginSuite) TestGoogleLoginStart_Bogus(c *check.C) {
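Review bot: The literal `true` passed as the third argument of `rpc.NewConn` in SetUpTest is the `insecure` flag (railsproxy.NewConn passes a variable of that name in the same position), yet the spy is created with `httptest.NewServer` and so listens on plain HTTP, where no certificate is ever verified. A comment such as `// insecure is irrelevant here: the spy listens on plain HTTP`, or simply passing `false`, would stop the test from reading as if verification had to be switched off. SetUpTest begins outside the hunk.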
@@ -192,6 +204,25 @@ func (s *LoginSuite) TestGoogleLoginSuccess(c *check.C) {
token := target.Query().Get("api_token")
c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
+ foundCallback := false
+ for _, dump := range s.railsSpy.RequestDumps {
+ c.Logf("spied request: %q", dump)
+ split := bytes.Split(dump, []byte("\r\n\r\n"))
+ c.Assert(split, check.HasLen, 2)
+ hdr, body := string(split[0]), string(split[1])
+ if strings.Contains(hdr, "POST /auth/controller/callback") {
+ vs, err := url.ParseQuery(body)
+ var authinfo map[string]interface{}
+ c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
+ c.Check(err, check.IsNil)
+ c.Check(authinfo["first_name"], check.Equals, "Fake User")
+ c.Check(authinfo["last_name"], check.Equals, "Name")
+ c.Check(authinfo["email"], check.Equals, "active-user at arvados.local")
+ foundCallback = true
+ }
+ }
+ c.Check(foundCallback, check.Equals, true)
+
// Try using the returned Arvados token.
c.Logf("trying an API call with new token %q", token)
ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{token}})
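Review bot: `c.Assert(split, check.HasLen, 2)` runs for every spied request, so any request whose body contains a blank line aborts the test before the callback is found; `split := bytes.SplitN(dump, []byte("\r\n\r\n"), 2)` keeps the body in one piece. In the callback branch `vs` is used before the `err` from `url.ParseQuery` is checked; moving the check directly under the call as `c.Assert(err, check.IsNil)` makes a parse failure show up as itself. Since the dump includes the request headers, the loop could also assert which credential the callback carried (presumably the cluster's SystemRootToken), which is the security-relevant part of this call. TestGoogleLoginSuccess starts and ends outside the hunk.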
diff --git a/lib/controller/railsproxy/railsproxy.go b/lib/controller/railsproxy/railsproxy.go
index fe070b48c..54257cffc 100644
--- a/lib/controller/railsproxy/railsproxy.go
+++ b/lib/controller/railsproxy/railsproxy.go
@@ -7,8 +7,6 @@
package railsproxy
import (
- "context"
- "errors"
"fmt"
"net/http"
"net/url"
@@ -16,7 +14,6 @@ import (
"git.curoverse.com/arvados.git/lib/controller/rpc"
"git.curoverse.com/arvados.git/sdk/go/arvados"
- "git.curoverse.com/arvados.git/sdk/go/auth"
)
// For now, FindRailsAPI always uses the rails API running on this
@@ -41,18 +38,10 @@ func NewConn(cluster *arvados.Cluster) *rpc.Conn {
if err != nil {
panic(err)
}
- conn := rpc.NewConn(cluster.ClusterID, url, insecure, provideIncomingToken)
+ conn := rpc.NewConn(cluster.ClusterID, url, insecure, rpc.PassthroughTokenProvider)
// If Rails is running with force_ssl=true, this
// "X-Forwarded-Proto: https" header prevents it from
// redirecting our internal request to an invalid https URL.
conn.SendHeader = http.Header{"X-Forwarded-Proto": []string{"https"}}
return conn
}
-
-func provideIncomingToken(ctx context.Context) ([]string, error) {
- incoming, ok := auth.FromContext(ctx)
- if !ok {
- return nil, errors.New("no token provided")
- }
- return incoming.Tokens, nil
-}
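Review bot: The removed `provideIncomingToken` returned the error "no token provided" when the context carried no credentials, and nothing in this diff shows that `rpc.PassthroughTokenProvider` does the same. If it returns an empty token list instead, requests without credentials would now be forwarded to Rails rather than rejected in the controller, so the equivalence should be confirmed and covered by a test for the no-credentials case. A comment on the call, for example `// PassthroughTokenProvider forwards the caller's own tokens and must fail when the context has none`, would record the expectation. NewConn begins outside the hunk.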
diff --git a/sdk/go/arvadostest/proxy.go b/sdk/go/arvadostest/proxy.go
new file mode 100644
index 000000000..015061ad5
--- /dev/null
+++ b/sdk/go/arvadostest/proxy.go
@@ -0,0 +1,72 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package arvadostest
+
+import (
+ "crypto/tls"
+ "net"
+ "net/http"
+ "net/http/httptest"
+ "net/http/httputil"
+ "net/url"
+ "time"
+
+ "git.curoverse.com/arvados.git/sdk/go/arvados"
+ "gopkg.in/check.v1"
+)
+
+type Proxy struct {
+ *httptest.Server
+
+ // URL where the proxy is listening. Same as Server.URL, but
+ // with parsing already done for you.
+ URL *url.URL
+
+ // A dump of each request that has been proxied.
+ RequestDumps [][]byte
+}
+
+// NewProxy returns a new Proxy that saves a dump of each reqeust
+// before forwarding to the indicated service.
+func NewProxy(c *check.C, svc arvados.Service) *Proxy {
+ var target url.URL
+ c.Assert(svc.InternalURLs, check.HasLen, 1)
+ for u := range svc.InternalURLs {
+ target = url.URL(u)
+ break
+ }
+ rp := httputil.NewSingleHostReverseProxy(&target)
+ rp.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
+ dump, _ := httputil.DumpRequest(r, false)
+ c.Logf("arvadostest.Proxy ErrorHandler(%s): %s\n%s", r.URL, err, dump)
+ http.Error(w, err.Error(), http.StatusBadGateway)
+ }
+ rp.Transport = &http.Transport{
+ DialContext: (&net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ DualStack: true,
+ }).DialContext,
+ MaxIdleConns: 100,
+ IdleConnTimeout: 90 * time.Second,
+ TLSHandshakeTimeout: 10 * time.Second,
+ ExpectContinueTimeout: 1 * time.Second,
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ srv := httptest.NewServer(rp)
+ u, err := url.Parse(srv.URL)
+ c.Assert(err, check.IsNil)
+ proxy := &Proxy{
+ Server: srv,
+ URL: u,
+ }
+ rp.Director = func(r *http.Request) {
+ dump, _ := httputil.DumpRequest(r, true)
+ proxy.RequestDumps = append(proxy.RequestDumps, dump)
+ r.URL.Scheme = target.Scheme
+ r.URL.Host = target.Host
+ }
+ return proxy
+}
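Review bot: The `Director` closure appends to `proxy.RequestDumps` with no synchronisation, although the HTTP server runs handlers on a goroutine per connection, so concurrent proxied requests race on the slice and `go test -race` may flag tests that use it. Guarding the append with a mutex (a `mtx sync.Mutex` field plus the `sync` import) fixes the writer side; tests that read the slice directly should do so only after the proxied calls have returned. The discarded `DumpRequest` error should at least be logged so an empty dump is explainable. Two things deserve comments: `InsecureSkipVerify: true` is acceptable only because this is a test helper, and the dumps hold complete requests including Authorization headers and bodies, so callers that log them (as the login test does) put tokens into test output. `Proxy` also lacks a doc comment, and the NewProxy comment misspells "request".

```go
type Proxy struct {
	// … unchanged: embedded *httptest.Server, URL, RequestDumps …

	// mtx guards RequestDumps, which Director appends to from
	// the server's handler goroutines.
	mtx sync.Mutex
}

	rp.Director = func(r *http.Request) {
		dump, err := httputil.DumpRequest(r, true)
		if err != nil {
			c.Logf("arvadostest.Proxy: DumpRequest(%s): %s", r.URL, err)
		}
		proxy.mtx.Lock()
		proxy.RequestDumps = append(proxy.RequestDumps, dump)
		proxy.mtx.Unlock()
		// … unchanged: point r.URL.Scheme and r.URL.Host at the target …
	}
```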
commit 514fb685c9d835441e0911d9b9499952b6787095
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 4 11:07:32 2019 -0500
15107: Propagate first/last names from Google to RailsAPI.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index b41ca6490..8b83c3857 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -107,6 +107,7 @@ func (ctrl *googleLoginController) Login(ctx context.Context, cluster *arvados.C
return ctrl.loginError(fmt.Errorf("error verifying ID token: %s", err))
}
var claims struct {
+ Name string `json:"name"`
Email string `json:"email"`
Verified bool `json:"email_verified"`
}
@@ -116,11 +117,20 @@ func (ctrl *googleLoginController) Login(ctx context.Context, cluster *arvados.C
if !claims.Verified {
return ctrl.loginError(errors.New("cannot authenticate using an unverified email address"))
}
+
+ firstname, lastname := strings.TrimSpace(claims.Name), ""
+ if names := strings.Fields(firstname); len(names) > 1 {
+ firstname = strings.Join(names[0:len(names)-1], " ")
+ lastname = names[len(names)-1]
+ }
+
ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{cluster.SystemRootToken}})
return railsproxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
ReturnTo: state.Remote + "," + state.ReturnTo,
AuthInfo: map[string]interface{}{
- "email": claims.Email,
+ "email": claims.Email,
+ "first_name": firstname,
+ "last_name": lastname,
},
})
}
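Review bot: The name split added before `ctxRoot` is undocumented and only the three-word case is tested: a one-word or empty `name` claim sends `last_name` as an empty string, and `strings.Fields` collapses internal runs of whitespace. A comment such as `// The last word becomes last_name and everything before it first_name; a one-word or missing name leaves last_name empty.` would record the rule, and test cases for the empty and one-word claims would show whether RailsAPI accepts them. The value comes straight from the identity provider's token, so whatever length or character limits RailsAPI applies to names appear to be the only ones in force here, which is worth confirming. Login begins outside the hunk.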
diff --git a/lib/controller/localdb/login_test.go b/lib/controller/localdb/login_test.go
index f35a2d25f..c6aa0d31f 100644
--- a/lib/controller/localdb/login_test.go
+++ b/lib/controller/localdb/login_test.go
@@ -43,6 +43,7 @@ type LoginSuite struct {
// desired response from token endpoint
authEmail string
authEmailVerified bool
+ authName string
}
func (s *LoginSuite) SetUpTest(c *check.C) {
@@ -52,6 +53,7 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
s.authEmail = "active-user at arvados.local"
s.authEmailVerified = true
+ s.authName = "Fake User Name"
s.fakeIssuer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
req.ParseForm()
c.Logf("fakeIssuer: got req: %s %s %s", req.Method, req.URL, req.Form)
@@ -79,6 +81,7 @@ func (s *LoginSuite) SetUpTest(c *check.C) {
"nonce": "fake-nonce",
"email": s.authEmail,
"email_verified": s.authEmailVerified,
+ "name": s.authName,
})
json.NewEncoder(w).Encode(struct {
AccessToken string `json:"access_token"`
commit 8e6c0553ed9c44221dd40408d43d9ce426e89533
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date: Mon Nov 4 09:52:08 2019 -0500
15107: Google login option makes SSO credentials optional.
Add SystemRootToken to config loader.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index 5546e8e40..4c2dc5e33 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -85,6 +85,7 @@ end
arvcfg = ConfigLoader.new
arvcfg.declare_config "ClusterID", NonemptyString, :uuid_prefix
arvcfg.declare_config "ManagementToken", String, :ManagementToken
+arvcfg.declare_config "SystemRootToken", String, :SystemRootToken
arvcfg.declare_config "Git.Repositories", String, :git_repositories_dir
arvcfg.declare_config "API.DisabledAPIs", Hash, :disable_api_methods, ->(cfg, k, v) { arrayToHash cfg, "API.DisabledAPIs", v }
arvcfg.declare_config "API.MaxRequestSize", Integer, :max_request_size
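Review bot: `SystemRootToken` is declared as plain `String`, so an empty or unset value passes config loading. The controller's Google login path elsewhere on this page authenticates its callback with `cluster.SystemRootToken`, and how RailsAPI treats an empty token there is not visible in this diff. Consider `NonemptyString`, or an explicit non-empty check on the login path when Google login is enabled, and add a comment that this value is a root credential, e.g. `# Root-privileged token used by the controller for internal calls; keep secret`.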
@@ -105,8 +106,8 @@ arvcfg.declare_config "Users.EmailSubjectPrefix", String, :email_subject_prefix
arvcfg.declare_config "Users.UserNotifierEmailFrom", String, :user_notifier_email_from
arvcfg.declare_config "Users.NewUserNotificationRecipients", Hash, :new_user_notification_recipients, ->(cfg, k, v) { arrayToHash cfg, "Users.NewUserNotificationRecipients", v }
arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
-arvcfg.declare_config "Login.ProviderAppSecret", NonemptyString, :sso_app_secret
-arvcfg.declare_config "Login.ProviderAppID", NonemptyString, :sso_app_id
+arvcfg.declare_config "Login.ProviderAppSecret", String, :sso_app_secret
+arvcfg.declare_config "Login.ProviderAppID", String, :sso_app_id
arvcfg.declare_config "Login.LoginCluster", String
arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
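Review bot: Relaxing `Login.ProviderAppSecret` and `Login.ProviderAppID` from `NonemptyString` to `String` removes what appears to be the load-time check that login credentials are configured, so a cluster with neither SSO credentials nor Google login set up would now start without complaint. If the SSO code path can still be reached with an empty app secret, that case should be rejected where the secret is used; a validation that at least one login method is fully configured would keep the old fail-fast behaviour. A comment above the two lines, such as `# Optional: not needed when Google login is configured`, would explain why they are no longer mandatory.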
-----------------------------------------------------------------------
hooks/post-receive
--