[ARVADOS] created: 1.3.0-3014-g5baf26bc7

Git user git at public.arvados.org
Tue Aug 25 23:09:12 UTC 2020


        at  5baf26bc79fa6886e43f51631befd3bcc7a5b60b (commit)


commit 5baf26bc79fa6886e43f51631befd3bcc7a5b60b
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Thu Aug 20 13:47:21 2020 -0300

    16736: Adds tests exposing the bug.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>

diff --git a/services/api/test/integration/user_sessions_test.rb b/services/api/test/integration/user_sessions_test.rb
index fcc0ce4e5..2d5ccfe4a 100644
--- a/services/api/test/integration/user_sessions_test.rb
+++ b/services/api/test/integration/user_sessions_test.rb
@@ -56,6 +56,53 @@ class UserSessionsApiTest < ActionDispatch::IntegrationTest
     assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
   end
 
+  test 'trusted api client token cannot create tokens with expiration dates past its own' do
+    exp_date = Time.now + 12.hours
+    mock_auth_with(identity_url: "https://active-user.openid.local")
+    u = assigns(:user)
+    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    auth = assigns(:api_client_auth)
+    assert_equal auth.user_id, u.id
+    act_as_system_user do
+      assert auth.update_attributes!(expires_at: exp_date)
+      assert auth.api_client.update_attributes!(is_trusted: true)
+    end
+    assert_not_nil auth.expires_at
+    post "/arvados/v1/api_client_authorizations",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :owner_uuid => u.uuid,
+          :expires_at => exp_date + 1.hour
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{auth.api_token}"}
+    assert_response 403
+  end
+
+  test 'trusted api client expiring token cannot create tokens with no expiration' do
+    mock_auth_with(identity_url: "https://active-user.openid.local")
+    u = assigns(:user)
+    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    auth = assigns(:api_client_auth)
+    assert_equal auth.user_id, u.id
+    act_as_system_user do
+      assert auth.update_attributes!(expires_at: Time.now + 12.hours)
+      assert auth.api_client.update_attributes!(is_trusted: true)
+    end
+    assert_not_nil auth.expires_at
+    post "/arvados/v1/api_client_authorizations",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :owner_uuid => u.uuid,
+          :expires_at => nil
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{auth.api_token}"}
+    assert_response 403
+  end
+
   test 'user redirect_to_user_uuid' do
     mock_auth_with(identity_url: "https://redirects-to-active-user.openid.local")
     u = assigns(:user)
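Review bot: Both new tests pin only the rejection path, so a regression that makes the endpoint refuse every `expires_at` from a trusted expiring token would still pass; a companion test with the same setup posting `:expires_at => exp_date - 1.hour` and asserting `assert_response :success` would guard the boundary from the other side. A bare `assert_response 403` also does not distinguish the intended expiration check from an unrelated authorization failure, so asserting on the error message in the response body would make the failure mode explicit. The second test covers an explicit `nil` but not a request that omits `:expires_at` altogether, which presumably also yields an unbounded token and is worth a third case. The setup (mock_auth_with, setting expires_at, marking the api client trusted) is duplicated across both tests and could move into a private helper. UserSessionsApiTest's class body continues outside the hunk.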
