[ARVADOS] updated: 1.3.0-3107-g02ebaa22b

Git user git at public.arvados.org
Wed Sep 9 23:06:34 UTC 2020


Summary of changes:
 .../app/controllers/work_units_controller.rb       |   3 +
 .../app/views/users/_virtual_machines.html.erb     |   2 +-
 .../app/views/virtual_machines/webshell.html.erb   |  42 ++++--
 apps/workbench/config/initializers/assets.rb       |   2 +-
 .../assets/javascripts}/webshell/shell_in_a_box.js |  52 +++----
 .../assets/stylesheets}/webshell/styles.css        |  38 ++---
 .../test/integration/anonymous_access_test.rb      |   2 +-
 apps/workbench/test/integration/work_units_test.rb |  19 +++
 build/run-tests.sh                                 |  11 +-
 doc/install/arvbox.html.textile.liquid             |  20 ++-
 .../install-dispatch-cloud.html.textile.liquid     |   3 +
 .../install-shell-server.html.textile.liquid       |  50 ++++---
 doc/install/install-webshell.html.textile.liquid   |  11 +-
 ...quid => arvados-cwl-runner.html.textile.liquid} |  34 ++++-
 .../vm-login-with-webshell.html.textile.liquid     |   2 +-
 .../getting_started/workbench.html.textile.liquid  |  12 +-
 doc/user/index.html.textile.liquid                 |   2 +-
 docker/jobs/Dockerfile                             |   6 +-
 lib/boot/seed.go                                   |   4 +
 lib/boot/supervisor.go                             |   4 +
 lib/cloud/azure/azure.go                           |   4 +-
 lib/cloud/azure/azure_test.go                      |   4 +-
 lib/cloud/cloudtest/tester.go                      |   6 +-
 lib/cloud/ec2/ec2.go                               |   8 +-
 lib/cloud/ec2/ec2_test.go                          |   8 +-
 lib/config/cmd.go                                  |   3 +-
 lib/config/config.default.yml                      |  10 ++
 lib/config/export.go                               |   3 +-
 lib/config/generated_config.go                     |  10 ++
 lib/controller/federation/conn.go                  |  36 ++++-
 lib/controller/handler_test.go                     |   4 +-
 lib/controller/integration_test.go                 | 156 ++++++++++++++++++++-
 lib/controller/localdb/login_testuser.go           |  63 ++++++++-
 lib/controller/localdb/login_testuser_test.go      |   9 ++
 lib/controller/rpc/conn.go                         |   9 +-
 lib/controller/semaphore.go                        |   3 +-
 lib/crunchrun/copier.go                            |   3 +-
 lib/crunchrun/crunchrun.go                         |  37 +++--
 lib/dispatchcloud/dispatcher_test.go               |   6 +
 lib/dispatchcloud/driver.go                        |   5 +-
 lib/dispatchcloud/scheduler/run_queue.go           |  43 +++---
 lib/dispatchcloud/scheduler/run_queue_test.go      |  41 +++---
 lib/dispatchcloud/test/queue.go                    |   6 +-
 lib/dispatchcloud/test/stub_driver.go              |  40 ++----
 lib/dispatchcloud/worker/pool.go                   | 154 +++++++++++++-------
 lib/dispatchcloud/worker/pool_test.go              |  40 ++++++
 lib/dispatchcloud/worker/verify.go                 |   6 +-
 lib/dispatchcloud/worker/worker.go                 |  16 +++
 sdk/cwl/arvados_cwl/arv-cwl-schema-v1.0.yml        |   6 +
 sdk/cwl/arvados_cwl/arv-cwl-schema-v1.1.yml        |   6 +
 sdk/cwl/arvados_cwl/arv-cwl-schema-v1.2.yml        |   6 +
 sdk/cwl/arvados_cwl/arvworkflow.py                 |  35 +++--
 sdk/cwl/arvados_cwl/executor.py                    |   3 +-
 sdk/cwl/fpm-info.sh                                |   5 +-
 .../collection_per_tool_packed.cwl                 |   8 +-
 sdk/cwl/tests/test_submit.py                       |   4 +-
 ...{expect_packed.cwl => expect_upload_packed.cwl} |   8 +-
 sdk/go/arvados/blob_signature.go                   |   3 +-
 sdk/go/arvados/config.go                           |  39 +++---
 sdk/go/arvados/keep_service.go                     |   2 +-
 sdk/go/arvadosclient/arvadosclient.go              |  12 +-
 sdk/go/blockdigest/blockdigest.go                  |   2 +-
 sdk/go/keepclient/root_sorter.go                   |   5 +-
 sdk/go/keepclient/support.go                       |  15 +-
 sdk/python/setup.py                                |   2 +-
 .../api/app/models/api_client_authorization.rb     |  18 ++-
 services/api/app/models/database_seeds.rb          |   1 +
 services/api/lib/current_api_client.rb             |  10 ++
 services/api/script/get_anonymous_user_token.rb    |  48 ++++---
 services/api/test/fixtures/api_clients.yml         |   7 +
 services/api/test/fixtures/workflows.yml           |  25 ++++
 .../api_client_authorizations_api_test.rb          |  46 ++++--
 services/api/test/integration/remote_user_test.rb  |  30 +++-
 .../api/test/integration/user_sessions_test.rb     |  55 +++++++-
 services/arv-git-httpd/auth_handler_test.go        |   2 +-
 services/arv-git-httpd/git_handler_test.go         |   2 +-
 services/arv-git-httpd/integration_test.go         |   2 +-
 services/fuse/arvados_fuse/fusedir.py              |  15 +-
 services/fuse/arvados_fuse/unmount.py              |   1 +
 services/keep-web/s3.go                            |  41 ++++--
 services/keep-web/s3_test.go                       |  42 +++++-
 services/keepproxy/keepproxy_test.go               |   2 +-
 services/keepstore/proxy_remote_test.go            |   2 +-
 services/login-sync/bin/arvados-login-sync         | 101 ++++++++++---
 services/login-sync/test/test_add_user.rb          |  13 +-
 services/ws/service_test.go                        |   2 +-
 tools/arvbox/bin/arvbox                            |  46 ++++--
 tools/arvbox/lib/arvbox/docker/Dockerfile.base     |   4 +-
 tools/arvbox/lib/arvbox/docker/Dockerfile.demo     |  10 +-
 tools/arvbox/lib/arvbox/docker/Dockerfile.dev      |   1 -
 tools/arvbox/lib/arvbox/docker/api-setup.sh        |   5 -
 tools/arvbox/lib/arvbox/docker/cluster-config.sh   |  31 ++--
 tools/arvbox/lib/arvbox/docker/common.sh           |   3 +-
 tools/arvbox/lib/arvbox/docker/edit_users.py       |  70 +++++++++
 tools/arvbox/lib/arvbox/docker/service/nginx/run   |  45 ++++++
 .../lib/arvbox/docker/service/ready/run-service    |   3 +-
 tools/arvbox/lib/arvbox/docker/service/sso/run     |   1 -
 .../lib/arvbox/docker/service/sso/run-service      |  88 ------------
 .../service/{sso => webshell}/log/main/.gitstub    |   0
 .../docker/service/{sso => webshell}/log/run       |   0
 .../arvbox/lib/arvbox/docker/service/webshell/run  |  43 ++++++
 .../lib/arvbox/docker/service/webshell/run-service |  13 ++
 102 files changed, 1442 insertions(+), 599 deletions(-)
 rename apps/workbench/{public => lib/assets/javascripts}/webshell/shell_in_a_box.js (99%)
 rename apps/workbench/{public => lib/assets/stylesheets}/webshell/styles.css (93%)
 copy doc/sdk/python/{arvados-fuse.html.textile.liquid => arvados-cwl-runner.html.textile.liquid} (59%)
 copy sdk/cwl/tests/wf/{expect_packed.cwl => expect_upload_packed.cwl} (93%)
 create mode 100755 tools/arvbox/lib/arvbox/docker/edit_users.py
 delete mode 120000 tools/arvbox/lib/arvbox/docker/service/sso/run
 delete mode 100755 tools/arvbox/lib/arvbox/docker/service/sso/run-service
 rename tools/arvbox/lib/arvbox/docker/service/{sso => webshell}/log/main/.gitstub (100%)
 rename tools/arvbox/lib/arvbox/docker/service/{sso => webshell}/log/run (100%)
 create mode 100755 tools/arvbox/lib/arvbox/docker/service/webshell/run
 create mode 100755 tools/arvbox/lib/arvbox/docker/service/webshell/run-service

       via  02ebaa22b0b481d6b8525b3571e2b112769de4a2 (commit)
       via  3160fe4ab72efd37b87b2acb560c739314173027 (commit)
       via  274ca75e0b5277d6d591b45e29b1a2c9185bed5a (commit)
       via  1771152da97200b038378666457d18679f4c8cd7 (commit)
       via  49a89ce984eb69ef4316882e91dec652dc353e39 (commit)
       via  3ee2186cb06b822f113696ccb24a78b79269d318 (commit)
       via  47aa52f1b343c93e09908b69d40bf8b389e8b15c (commit)
       via  472fff42d6105a4457deeb1579e9d14caffc82dc (commit)
       via  8bad7194a84fd1973f9b19d68db3dd56cbca3162 (commit)
       via  21dc468b7c86996d05f019650d2b7b3e472c5ed5 (commit)
       via  0f3db3d5f1bc976f38f6eed05c236ece79b7f876 (commit)
       via  51d7a5b2a23074a130aa6dd74cbaf5f335920769 (commit)
       via  36e3b4021e376e74806df16816bd3f207ff37ecb (commit)
       via  5c5ac412b722025d1af37f81bea60a4b503ce6aa (commit)
       via  64d38dcbfb53c240a99523e250ad576788954a56 (commit)
       via  8f8329e7d99e9d1c0e753fb26bf4dc1e76828017 (commit)
       via  513865a8e58b8adf28c17f12093053cdb62cfa71 (commit)
       via  0036a0a5755f6c0fb5c7747c7d4442c0972b696c (commit)
       via  a5b73a1a47bed348098dc116950a01b77c04c208 (commit)
       via  72beb46ad804361a8ae012b1bc4475480912d8a8 (commit)
       via  6ed2e2c51fe463bfcf1b484d764af5bf47d416ad (commit)
       via  201812edc08fc1fd11cc6635e2224adad2b913f5 (commit)
       via  b1a9b18e4bd1691294b60a90c595bccd29725ca7 (commit)
       via  a528347f7edc85282c3f618fbae4030e9f9da226 (commit)
       via  3241db378301b3d507e928776d5e3e511c38a998 (commit)
       via  71c57454fc3adf2d63db8b3cb1d0e8ecdff5c93f (commit)
       via  16919ef3f156ee7cc99fa78af3701f1d8a66ec25 (commit)
       via  c1bd1ee9ed5c36a3af524178e876a9b2255ab5f0 (commit)
       via  fbd40a96ea616d8042db23371083ebf80684825f (commit)
       via  ac4599592d265dc5a922ec8f468d46cfe7de52e2 (commit)
       via  a730ff3281e2a4eff04240e6233c9c13ac8fdbfb (commit)
       via  b30659d514ce281209fa7b99863413832fa8d44b (commit)
       via  b6462cf67d9c3a0d9eb6d2d6997b2a88ece8ad6c (commit)
       via  98db65de63c9e2acfeae6636ccc619171635bda0 (commit)
       via  8a17791b5f16b785eeaff86051dbcce84699ceac (commit)
       via  b35dfa1f2b6c2fe57b7bc8a6e107425ed4e44f2a (commit)
       via  09ff850dc6e3e8f10d7d96adfc02674222f7aa9a (commit)
       via  76182f26191190c405077106becdde149c0ad7c5 (commit)
       via  b521d2c5254e439e23cd750f86d55eadffb3e4b9 (commit)
       via  64eac5879fe80f9ad52665421962740390a14eee (commit)
       via  bcee68ee657af1591d1ae0624e2d12029b0b92d5 (commit)
       via  0b38c1d85c04e15ec45dcaaf63882c01dd3f91d7 (commit)
       via  cf0dfaa4494d591bb34c2fa23589061f4d89d0aa (commit)
       via  201e2b7e3965aebc87de3139d31b8f14a312ec6f (commit)
       via  0ff4ed45a7ab1730118eadfb92ddea7d332f0328 (commit)
       via  4355586821d71fed6a3fe95fea69f548797f77d8 (commit)
       via  509a6d6764aae8b8bbe5b32c21c8f64a49d02ad3 (commit)
       via  b108bdfa0f3c74239fa565a1d14db945eb4dcf18 (commit)
       via  bc11ee32eeb31c63a3fb99819087d2def0988789 (commit)
       via  a5fef23f2863cd0183ff596f4579110e2ddb3b3d (commit)
       via  9e9142058cdee68ad567836799883b1aa6962bbd (commit)
       via  db13716484018404860275de75d278e0aaa08d8a (commit)
       via  4e6985fea736b4a46537005bf853de80be1b013a (commit)
       via  cf16a3c479626c18e408a12c18c5a6ed547f85dc (commit)
       via  da85d6516630d06ae3c34b4a52dc5ddff9fd5ace (commit)
       via  baa1f256924655d67b704f35981e9839743fab99 (commit)
       via  8991b43990aa7a77edd78f165114b93a6a207985 (commit)
       via  f3e3a6cc4b72120f856e14f3039b1c0c1f0326bd (commit)
       via  5ce6d49b5a632b8e846fb0d794444ecd39f74fa5 (commit)
       via  27566b089a00a4038fceb320175b37fcb0e77033 (commit)
       via  87977ae72b8cfded3263b109caa5245fa1abd74f (commit)
       via  8661ab4aa19494699915a9a9c1c492345d367855 (commit)
       via  bee95c1cdbc3859f47a0a95940680ebaa2a4c9a5 (commit)
       via  ffe94bef9cd17abb522d7fabb32326405d466a94 (commit)
       via  b36ffab0228e53226614f7d33e4a8e3921d0256f (commit)
       via  ae50c333f57298b5d4b81229476cd990aab1dad5 (commit)
       via  ecc2f49233c0b52820e856ba0b18e4123d99d228 (commit)
       via  434dee9ff1b42d7169fbd9368263e6a0f5c40bed (commit)
       via  5ce67dcb90e196227d920c52fc1a7256e39ede92 (commit)
       via  d3b6bdd6ef2b543c607bd7c3cdf9df5c74e90dc0 (commit)
       via  83d9f52a85cd19e9821d54b3d6ec9efdff337777 (commit)
       via  065aa362326aae3ec05958436053c72299bdad7d (commit)
       via  be28c5f528a93ee32eef4c1dc2d0872cb718b29f (commit)
       via  4706c89f091563cc56a6d4f819e025850031a009 (commit)
       via  43da0e7ce859cb8ed3385417a2fc97a36cc688e6 (commit)
       via  a46ef7496b83b2778de8db36e4948b55dddf3754 (commit)
       via  92ff0d8081ad46b1c7e7c3407745d6b9cde50a1a (commit)
       via  ecff7e34ea7d5e8321c2821cae476355bffbc248 (commit)
       via  6d827e6be83d9b3129b4bc7a812d43d2ca874174 (commit)
       via  d67b634b9afe9bebeaef461dfdd2edfa4e5740fd (commit)
       via  5895b2710b4331109a0056275e8b046a53b5ba06 (commit)
       via  1617202c337078fb94ea19893c73061983be94ad (commit)
       via  3e975aa25c141ccd3f08335906d96d9ff7035bf2 (commit)
       via  81ff58f4addd05346161a9b44648d1ab31e027bc (commit)
       via  5c4b585cd03d6fba1779113f7cba6b34e0c526b7 (commit)
       via  f9e6c9f5e30cbf0fc3d6f9981b6e3673d603f3e1 (commit)
       via  505c8fa50631201e289cc55230d46fdf52fa2055 (commit)
       via  b4091adb7ac1a85de6ae1f18895e9d8f9da5d441 (commit)
       via  47833c68da26e2dd1fd65784cb56a352503dbcb9 (commit)
       via  4de0821a28d54153c6046655d4a2d8f57da7e005 (commit)
       via  09f4d9f7fd5fc0518aa7d614c7f061c0b8f7d5a4 (commit)
       via  26519f015ebbd7e7b4ef288d4e89d877ea05c0ec (commit)
       via  2fc9d1ac9dbb3557541c449820f4bba4cd4b7313 (commit)
      from  5baf26bc79fa6886e43f51631befd3bcc7a5b60b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 02ebaa22b0b481d6b8525b3571e2b112769de4a2
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Wed Sep 9 20:05:43 2020 -0300

    16736: Adds check on api client auth creation/update for expires_at.
    
    Also, adds some more tests.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index ab6fd8000..5bf32e6ed 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -326,7 +326,10 @@ class ApiClientAuthorization < ArvadosModel
   protected
 
   def permission_to_create
-    current_user.andand.is_admin or (current_user.andand.id == self.user_id)
+    current_user.andand.is_admin or
+      ((current_user.andand.id == self.user_id)) and
+        (current_api_client_authorization.andand.expires_at.nil? or
+          (self.expires_at and current_api_client_authorization.expires_at >= self.expires_at))
   end
 
   def permission_to_update
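Review bot: The new condition in `permission_to_create` does not group the way its indentation suggests: Ruby's `and` and `or` share one precedence level and associate left to right, so it evaluates as `(is_admin or owner) and (expiry check)`, and the doubled parentheses around the id comparison add nothing. As written, an admin's expiring token is therefore also held to the expiry limit, which is the stricter reading but may not be the intended one. The fence below spells out that evaluation with `||`/`&&` and a comment; if admins are meant to skip the check, the expiry clause should instead be parenthesised together with the owner comparison. The title also mentions update, but `permission_to_update` only begins on the last line of this hunk, so whether it applies the same limit cannot be confirmed from here.

```ruby
  def permission_to_create
    # Admin or owner may create a token; in both cases the new token
    # must not outlive the token that authorizes the request.
    (current_user.andand.is_admin || current_user.andand.id == self.user_id) &&
      (current_api_client_authorization.andand.expires_at.nil? ||
        (self.expires_at &&
          current_api_client_authorization.expires_at >= self.expires_at))
  end
```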
@@ -335,7 +338,6 @@ class ApiClientAuthorization < ArvadosModel
   end
 
   def log_update
-
     super unless (saved_changes.keys - UNLOGGED_CHANGES).empty?
   end
 end
diff --git a/services/api/test/integration/user_sessions_test.rb b/services/api/test/integration/user_sessions_test.rb
index 2d5ccfe4a..6eb3f20d7 100644
--- a/services/api/test/integration/user_sessions_test.rb
+++ b/services/api/test/integration/user_sessions_test.rb
@@ -53,14 +53,14 @@ class UserSessionsApiTest < ActionDispatch::IntegrationTest
   test 'existing user login' do
     mock_auth_with(identity_url: "https://active-user.openid.local")
     u = assigns(:user)
-    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    assert_equal users(:active).uuid, u.uuid
   end
 
   test 'trusted api client token cannot create tokens with expiration dates past its own' do
     exp_date = Time.now + 12.hours
     mock_auth_with(identity_url: "https://active-user.openid.local")
     u = assigns(:user)
-    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    assert_equal users(:active).uuid, u.uuid
     auth = assigns(:api_client_auth)
     assert_equal auth.user_id, u.id
     act_as_system_user do
@@ -83,7 +83,7 @@ class UserSessionsApiTest < ActionDispatch::IntegrationTest
   test 'trusted api client expiring token cannot create tokens with no expiration' do
     mock_auth_with(identity_url: "https://active-user.openid.local")
     u = assigns(:user)
-    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    assert_equal users(:active).uuid, u.uuid
     auth = assigns(:api_client_auth)
     assert_equal auth.user_id, u.id
     act_as_system_user do
@@ -103,16 +103,61 @@ class UserSessionsApiTest < ActionDispatch::IntegrationTest
     assert_response 403
   end
 
+  test 'trusted api client token cannot update tokens with expiration dates past its own' do
+    exp_date = Time.now + 12.hours
+    mock_auth_with(identity_url: "https://active-user.openid.local")
+    u = assigns(:user)
+    assert_equal users(:active).uuid, u.uuid
+    auth = assigns(:api_client_auth)
+    assert_equal auth.user_id, u.id
+    act_as_system_user do
+      assert auth.update_attributes!(expires_at: exp_date)
+      assert auth.api_client.update_attributes!(is_trusted: true)
+    end
+    assert_not_nil auth.expires_at
+    put "/arvados/v1/api_client_authorizations/#{auth.uuid}",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :expires_at => exp_date + 1.hour
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{auth.api_token}"}
+    assert_response 403
+  end
+
+  test 'trusted api client expiring token cannot update tokens with no expiration' do
+    mock_auth_with(identity_url: "https://active-user.openid.local")
+    u = assigns(:user)
+    assert_equal users(:active).uuid, u.uuid
+    auth = assigns(:api_client_auth)
+    assert_equal auth.user_id, u.id
+    act_as_system_user do
+      assert auth.update_attributes!(expires_at: Time.now + 12.hours)
+      assert auth.api_client.update_attributes!(is_trusted: true)
+    end
+    assert_not_nil auth.expires_at
+    put "/arvados/v1/api_client_authorizations/#{auth.uuid}",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :expires_at => nil
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{auth.api_token}"}
+    assert_response 403
+  end
+
   test 'user redirect_to_user_uuid' do
     mock_auth_with(identity_url: "https://redirects-to-active-user.openid.local")
     u = assigns(:user)
-    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    assert_equal users(:active).uuid, u.uuid
   end
 
   test 'user double redirect_to_user_uuid' do
     mock_auth_with(identity_url: "https://double-redirects-to-active-user.openid.local")
     u = assigns(:user)
-    assert_equal 'zzzzz-tpzed-xurymjxw79nv3jz', u.uuid
+    assert_equal users(:active).uuid, u.uuid
   end
 
   test 'create new user during omniauth callback' do
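Review bot: Both added update tests stop at `assert_response 403` and never confirm that the stored token was left unchanged, so they show the request was refused but not that the expiry stayed within its limit. Adding `assert_operator auth.reload.expires_at, :<, exp_date + 1.hour` to the first test and `assert_not_nil auth.reload.expires_at` to the second would pin that. The tests also exercise only the non-admin active user. A case using an admin's expiring token would fix in place how the admin branch of `permission_to_create` interacts with the expiry limit, assuming no such test already exists outside this hunk.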

commit 3160fe4ab72efd37b87b2acb560c739314173027
Merge: 5baf26bc7 274ca75e0
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date:   Tue Sep 8 16:47:01 2020 -0300

    16736: Merge branch 'master' into 16736-expiring-tokens-limits
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>


-----------------------------------------------------------------------

