[ARVADOS] created: 1.3.0-3015-gab767ee94

Git user git at public.arvados.org
Tue Aug 25 20:04:03 UTC 2020 

        at  ab767ee94ac40e31d67e1eee8ad0f79fe38ca7ed (commit)


commit ab767ee94ac40e31d67e1eee8ad0f79fe38ca7ed
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Tue Aug 25 16:03:38 2020 -0400

    16613: Create special-purpose ApiClient record for SystemRootToken
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index a4d49c35c..c31f09782 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -113,7 +113,7 @@ class ApiClientAuthorization < ArvadosModel
       return ApiClientAuthorization.new(user: User.find_by_uuid(system_user_uuid),
                                         uuid: Rails.configuration.ClusterID+"-gj3su-000000000000000",
                                         api_token: token,
-                                        api_client: ApiClient.new(is_trusted: true, url_prefix: ""))
+                                        api_client: system_root_token_api_client)
     else
       return nil
     end
diff --git a/services/api/app/models/database_seeds.rb b/services/api/app/models/database_seeds.rb
index 39f491503..d7c5e04df 100644
--- a/services/api/app/models/database_seeds.rb
+++ b/services/api/app/models/database_seeds.rb
@@ -13,6 +13,7 @@ class DatabaseSeeds
     anonymous_group
     anonymous_group_read_permission
     anonymous_user
+    system_root_token_api_client
     empty_collection
     refresh_permissions
     refresh_trashed
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 98112c858..953047005 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -189,6 +189,16 @@ module CurrentApiClient
     end
   end
 
+  def system_root_token_api_client
+    $system_root_token_api_client = check_cache $system_root_token_api_client do
+      act_as_system_user do
+        ActiveRecord::Base.transaction do
+          ApiClient.find_or_create_by!(is_trusted: true, url_prefix: "SystemRootToken")
+        end
+      end
+    end
+  end
+
   def empty_collection_pdh
     'd41d8cd98f00b204e9800998ecf8427e+0'
   end
diff --git a/services/api/test/fixtures/api_clients.yml b/services/api/test/fixtures/api_clients.yml
index 7b522734a..f0ef7d691 100644
--- a/services/api/test/fixtures/api_clients.yml
+++ b/services/api/test/fixtures/api_clients.yml
@@ -17,3 +17,10 @@ untrusted:
   name: Untrusted
   url_prefix: https://untrusted.local/
   is_trusted: false
+
+system_root:
+  uuid: zzzzz-ozdt8-pbw7foaks3qjyej
+  owner_uuid: zzzzz-tpzed-000000000000000
+  name: SystemRootToken
+  url_prefix: SystemRootToken
+  is_trusted: true

commit 91c73953fc86cc7a900937e1ab048421052b03f3
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Thu Aug 20 18:10:43 2020 -0400

    16613: Add test using SystemRootToken to create other tokens.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/services/api/test/integration/api_client_authorizations_api_test.rb b/services/api/test/integration/api_client_authorizations_api_test.rb
index b9bfd3a39..296ab8a2f 100644
--- a/services/api/test/integration/api_client_authorizations_api_test.rb
+++ b/services/api/test/integration/api_client_authorizations_api_test.rb
@@ -14,22 +14,40 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
     assert_response :success
   end
 
-  test "create token for different user" do
-    post "/arvados/v1/api_client_authorizations",
-      params: {
-        :format => :json,
-        :api_client_authorization => {
-          :owner_uuid => users(:spectator).uuid
-        }
-      },
-      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
-    assert_response :success
+  [:admin_trustedclient, :SystemRootToken].each do |tk|
+    test "create token for different user using #{tk}" do
+      if tk == :SystemRootToken
+        token = "xyzzy-SystemRootToken"
+        Rails.configuration.SystemRootToken = token
+      else
+        token = api_client_authorizations(tk).api_token
+      end
+
+      post "/arvados/v1/api_client_authorizations",
+           params: {
+             :format => :json,
+             :api_client_authorization => {
+               :owner_uuid => users(:spectator).uuid
+             }
+           },
+           headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
+      assert_response :success
+
+      get "/arvados/v1/users/current",
+          params: {:format => :json},
+          headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{json_response['api_token']}"}
+      @json_response = nil
+      assert_equal json_response['uuid'], users(:spectator).uuid
+    end
+  end
 
+  test "System root token is system user" do
+    token = "xyzzy-SystemRootToken"
+    Rails.configuration.SystemRootToken = token
     get "/arvados/v1/users/current",
-      params: {:format => :json},
-      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{json_response['api_token']}"}
-    @json_response = nil
-    assert_equal users(:spectator).uuid, json_response['uuid']
+        params: {:format => :json},
+        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
+    assert_equal json_response['uuid'], system_user_uuid
   end
 
   test "refuse to create token for different user if not trusted client" do

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list