[ARVADOS] created: 1.3.0-2944-g2973b96cd
Git user
git at public.arvados.org
Thu Aug 20 16:48:10 UTC 2020
at 2973b96cd34f301cf2b51e91c93a4cf6c3545a4c (commit)
commit 2973b96cd34f301cf2b51e91c93a4cf6c3545a4c
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Thu Aug 20 13:47:21 2020 -0300
16736: Adds a test exposing the bug.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/services/api/test/integration/user_sessions_test.rb b/services/api/test/integration/user_sessions_test.rb
index fcc0ce4e5..07060ea55 100644
--- a/services/api/test/integration/user_sessions_test.rb
+++ b/services/api/test/integration/user_sessions_test.rb
@@ -56,6 +56,30 @@ class UserSessionsApiTest < ActionDispatch::IntegrationTest
assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
end
+ test 'trusted api client token cannot create tokens with expiration dates past its own' do
+ exp_date = Time.now + 12.hours
+ mock_auth_with(identity_url: "https://active-user.openid.local")
+ u = assigns(:user)
+ assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+ auth = assigns(:api_client_auth)
+ assert_equal auth.user_id, u.id
+ act_as_system_user do
+ assert auth.update_attributes!(expires_at: exp_date)
+ assert auth.api_client.update_attributes!(is_trusted: true)
+ end
+ assert_not_nil auth.expires_at
+ post "/arvados/v1/api_client_authorizations",
+ params: {
+ :format => :json,
+ :api_client_authorization => {
+ :owner_uuid => u.uuid,
+ :expires_at => exp_date + 1.hour
+ }
+ },
+ headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{auth.api_token}"}
+ assert_response 403
+ end
+
test 'user redirect_to_user_uuid' do
mock_auth_with(identity_url: "https://redirects-to-active-user.openid.local")
u = assigns(:user)
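Review bot: The new test pins only one way of outliving the parent token, an explicit `:expires_at => exp_date + 1.hour`, and leaves a request that omits `expires_at` uncovered; if a nil expiry means "never expires" here (not visible in this hunk), that is the more direct route to a child token that outlasts its creator. A second case posting only `:owner_uuid => u.uuid`, asserting that the response is refused or carries an `expires_at` no later than `exp_date`, would close that gap. The lone `assert_response 403` also cannot tell the expiry check apart from any other refusal, so a control request with `:expires_at => exp_date - 1.hour` expecting success would anchor it. `assert_not_nil auth.expires_at` reads the in-memory object, so an `auth.reload` before it would confirm the expiry was actually persisted.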
-----------------------------------------------------------------------
hooks/post-receive
--