[ARVADOS] updated: 1.3.0-1916-g41fe33dff
Git user
git at public.curoverse.com
Mon Nov 25 16:52:36 UTC 2019
Summary of changes:
.../api/app/models/api_client_authorization.rb | 54 +++++++++++++++++++---
services/api/config/arvados_config.rb | 11 +++++
.../api/test/unit/api_client_authorization_test.rb | 31 +++++++++++++
3 files changed, 89 insertions(+), 7 deletions(-)
via 41fe33dff783af98076272a155121e8a96748778 (commit)
via c50742a2d79453375aef7de0b7188a6336d0f71b (commit)
from 41234987aab7c7c06d266edc5070e530f82f1380 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 41fe33dff783af98076272a155121e8a96748778
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Mon Nov 25 11:52:20 2019 -0500
15795: Update tests
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 4786d70a6..c19445c40 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -116,18 +116,22 @@ class ApiClientAuthorization < ArvadosModel
if auth.nil?
if token == Rails.configuration.SystemRootToken
# special case 1, system root token record wasn't found, create or update it
- auth = ApiClientAuthorization.find_or_create_by(uuid: root_token_uuid) do |on_create|
- on_create.user = User.find_by_uuid(system_user_uuid)
- on_create.api_token = Rails.configuration.SystemRootToken
- on_create.api_client = ApiClient.
- find_or_create_by(url_prefix: "ssh://root@localhost/",
- is_trusted: true)
- end
- if auth.api_token != Rails.configuration.SystemRootToken
- # SystemRootToken changed, this request is using the new
- # one, so update the record.
- auth.api_token = Rails.configuration.SystemRootToken
- auth.save!
+ act_as_system_user do
+ auth = ApiClientAuthorization.find_or_create_by(uuid: root_token_uuid) do |on_create|
+ on_create.user = User.find_by_uuid(system_user_uuid)
+ on_create.api_token = Rails.configuration.SystemRootToken
+ on_create.api_client = ApiClient.
+ find_or_create_by(url_prefix: "ssh://root@localhost/",
+ is_trusted: true)
+ end
+ if auth.api_token != Rails.configuration.SystemRootToken
+ # SystemRootToken changed, this request is using the new
+ # one, so update the record.
+ act_as_system_user do
+ auth.api_token = Rails.configuration.SystemRootToken
+ auth.save!
+ end
+ end
end
return auth
end
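Review bot: `find_or_create_by` inside the new `act_as_system_user` block does not raise when the freshly built record fails validation, so `auth` can be handed back to the caller unsaved. `ApiClientAuthorization.find_or_create_by!(uuid: root_token_uuid) do |on_create|` would fail loudly, matching the `auth.save!` a few lines below; the same call is introduced in the earlier commit's `check_system_root_token` hunk. The inner `act_as_system_user do` around that `auth.save!` already sits inside the outer block and looks redundant. The method begins outside this hunk.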
@@ -137,9 +141,11 @@ class ApiClientAuthorization < ArvadosModel
# special case 2, SystemRootToken changed, this request
# matched the old one, record needs to be updated. Return
# nil because the old token is revoked.
- auth.api_token = Rails.configuration.SystemRootToken
- auth.save!
- return nil
+ act_as_system_user do
+ auth.api_token = Rails.configuration.SystemRootToken
+ auth.save!
+ return nil
+ end
end
end
end
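Review bot: `return nil` now sits inside the `act_as_system_user` block, so the method exits from within the block and the previous acting user is restored only if the helper does that in an `ensure`; its definition is not visible here. Keeping the block to the two write lines and placing `return nil` after its `end` avoids depending on that. The enclosing conditional and method start outside this hunk.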
diff --git a/services/api/test/unit/api_client_authorization_test.rb b/services/api/test/unit/api_client_authorization_test.rb
index 591b05420..231dda3af 100644
--- a/services/api/test/unit/api_client_authorization_test.rb
+++ b/services/api/test/unit/api_client_authorization_test.rb
@@ -27,11 +27,42 @@ class ApiClientAuthorizationTest < ActiveSupport::TestCase
end
test "accepts SystemRootToken" do
+ root_token_uuid = [Rails.configuration.ClusterID,
+ ApiClientAuthorization.uuid_prefix,
+ '000000000000000'].join('-')
+
assert_nil ApiClientAuthorization.validate(token: "xxxSystemRootTokenxxx")
+
+ # will create a new ApiClientAuthorization record
Rails.configuration.SystemRootToken = "xxxSystemRootTokenxxx"
+ assert_nil ApiClientAuthorization.find_by(uuid: root_token_uuid)
+
auth = ApiClientAuthorization.validate(token: "xxxSystemRootTokenxxx")
assert_equal "xxxSystemRootTokenxxx", auth.api_token
assert_equal User.find_by_uuid(system_user_uuid).id, auth.user_id
+ assert_equal root_token_uuid, auth.uuid
+ assert_not_nil ApiClientAuthorization.find_by(uuid: root_token_uuid)
+
+ # now change the token and try to use the old one first
+ Rails.configuration.SystemRootToken = "newxxxSystemRootTokenxxx"
+
+ # old token will fail
+ assert_nil ApiClientAuthorization.validate(token: "xxxSystemRootTokenxxx")
+ # new token will work
+ auth = ApiClientAuthorization.validate(token: "newxxxSystemRootTokenxxx")
+ assert_equal "newxxxSystemRootTokenxxx", auth.api_token
+ assert_equal User.find_by_uuid(system_user_uuid).id, auth.user_id
+
+ # now change the token again and use the new one first
+ Rails.configuration.SystemRootToken = "new2xxxSystemRootTokenxxx"
+
+ # new token will work
+ auth = ApiClientAuthorization.validate(token: "new2xxxSystemRootTokenxxx")
+ assert_equal "new2xxxSystemRootTokenxxx", auth.api_token
+ assert_equal User.find_by_uuid(system_user_uuid).id, auth.user_id
+ # old token will fail
+ assert_nil ApiClientAuthorization.validate(token: "newxxxSystemRootTokenxxx")
end
+
end
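Review bot: Every call in this test passes the bare secret, so the `v2/<uuid>/<secret>` branch of `validate`, which also routes through `check_system_root_token`, is never exercised for the root record. A case such as `assert_nil ApiClientAuthorization.validate(token: "v2/#{root_token_uuid}/wrongsecret")`, plus a positive check using the configured secret, would pin the behaviour after rotation. The test also leaves `Rails.configuration.SystemRootToken` set to `new2xxxSystemRootTokenxxx`; unless the suite's teardown resets configuration (not visible here), later tests inherit that value.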
commit c50742a2d79453375aef7de0b7188a6336d0f71b
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Mon Nov 25 11:12:00 2019 -0500
15795: sync system root token in api_client_authorizations table
New approach, this doesn't reduce database lookups but it minimizes
special behavior for the system root token by having it backed by a
real record.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 7eb47058e..4786d70a6 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -108,6 +108,45 @@ class ApiClientAuthorization < ArvadosModel
clnt
end
+ def self.check_system_root_token auth, token
+ root_token_uuid = [Rails.configuration.ClusterID,
+ ApiClientAuthorization.uuid_prefix,
+ '000000000000000'].join('-')
+
+ if auth.nil?
+ if token == Rails.configuration.SystemRootToken
+ # special case 1, system root token record wasn't found, create or update it
+ auth = ApiClientAuthorization.find_or_create_by(uuid: root_token_uuid) do |on_create|
+ on_create.user = User.find_by_uuid(system_user_uuid)
+ on_create.api_token = Rails.configuration.SystemRootToken
+ on_create.api_client = ApiClient.
+ find_or_create_by(url_prefix: "ssh://root@localhost/",
+ is_trusted: true)
+ end
+ if auth.api_token != Rails.configuration.SystemRootToken
+ # SystemRootToken changed, this request is using the new
+ # one, so update the record.
+ auth.api_token = Rails.configuration.SystemRootToken
+ auth.save!
+ end
+ return auth
+ end
+ else
+ if auth.uuid == root_token_uuid
+ if token != Rails.configuration.SystemRootToken
+ # special case 2, SystemRootToken changed, this request
+ # matched the old one, record needs to be updated. Return
+ # nil because the old token is revoked.
+ auth.api_token = Rails.configuration.SystemRootToken
+ auth.save!
+ return nil
+ end
+ end
+ end
+
+ return auth
+ end
+
def self.validate(token:, remote: nil)
return nil if token.nil? or token.empty?
remote ||= Rails.configuration.ClusterID
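Review bot: The root-token checks in `check_system_root_token` compare the presented secret with `==` and `!=`, which stop at the first differing byte and so are not constant-time. `ActiveSupport::SecurityUtils.secure_compare(token, Rails.configuration.SystemRootToken)` is the usual replacement for both comparisons. A short comment on the method stating that it may create or update a database row during authentication would also help readers of `validate`, whose body continues past this hunk.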
@@ -144,6 +183,7 @@ class ApiClientAuthorization < ArvadosModel
includes(:user, :api_client).
where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token_uuid).
first
+ auth = self.check_system_root_token(auth, secret)
if auth && auth.user &&
(secret == auth.api_token ||
secret == OpenSSL::HMAC.hexdigest('sha1', auth.api_token, remote))
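Review bot: In this branch `auth` was looked up by `token_uuid`, not by secret, so `check_system_root_token` treats any request that names the root uuid with a secret other than the configured token as "special case 2": it calls `auth.save!` and returns nil. The HMAC-salted form accepted by the comparison just below can therefore never validate for the root record, and a request carrying an arbitrary secret still reaches a write path. Consider syncing the stored `api_token` when the record's uuid is the root uuid and then letting the existing secret/HMAC comparison decide, rather than rejecting on `token != Rails.configuration.SystemRootToken`. The surrounding `validate` body is only partly visible here.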
@@ -261,18 +301,12 @@ class ApiClientAuthorization < ArvadosModel
end
return auth
else
- if token == Rails.configuration.SystemRootToken
- # Return a bogus record, this won't get saved to the database.
- return ApiClientAuthorization.new(user: User.find_by_uuid(system_user_uuid),
- api_token: token,
- api_client_id: 0)
- end
-
# token is not a 'v2' token
auth = ApiClientAuthorization.
includes(:user, :api_client).
where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token).
first
+ auth = self.check_system_root_token(auth, token)
if auth && auth.user
return auth
end
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index 592d0b59f..5551aaf6f 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -240,6 +240,17 @@ dbcfg.coercion_and_check $arvados_config, check_nonempty: true
# * $arvados_config is $arvados_config_global merged with the migrated contents of application.yml
# This is what actually gets copied into the Rails configuration object.
+if $arvados_config["SystemRootToken"][0..2] == "v2/"
+ _, token_uuid, secret, optional = token.split('/')
+ auth_token_uuid = [$arvados_config["ClusterID"],
+ ApiClientAuthorization.uuid_prefix,
+ '000000000000000'].join('-')
+ if token_uuid != auth_token_uuid
+ raise "SystemRootToken in v2 format must have uuid #{auth_token_uuid}"
+ end
+ $arvados_config["SystemRootToken"] = secret
+end
+
if $arvados_config["Collections"]["DefaultTrashLifetime"] < 86400.seconds then
raise "default_trash_lifetime is %d, must be at least 86400" % Rails.configuration.Collections.DefaultTrashLifetime
end
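Review bot: `token.split('/')` reads a `token` variable that is not defined in the visible lines of this config file; the value tested on the line above is `$arvados_config["SystemRootToken"]`, so this likely raises `NameError` at boot when a v2-format token is configured. `_, token_uuid, secret, optional = $arvados_config["SystemRootToken"].split('/')` would parse the configured value. `secret` is nil for an input such as `v2/<uuid>`, so a `raise` when it is nil or empty is needed before it is assigned back as the root token.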
-----------------------------------------------------------------------
hooks/post-receive
--