[ARVADOS] updated: 1.3.0-3194-g580d77ef4
Git user
git at public.arvados.org
Tue Sep 22 19:00:50 UTC 2020
Summary of changes:
services/keep-web/s3.go | 23 ++++++++++++++++++-----
services/keep-web/s3_test.go | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 52 insertions(+), 5 deletions(-)
via 580d77ef4d6b244971bc26c649e017e912ca8737 (commit)
from b15d39ec33dde9639f09bd1aff22fde7806aa24a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 580d77ef4d6b244971bc26c649e017e912ca8737
Author: Tom Clegg <tom at tomclegg.ca>
Date: Tue Sep 22 14:59:14 2020 -0400
16809: Accept S3 reqs with same token as AccessKey and SecretKey.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index 629f3c1ab..d555cb5b7 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -138,19 +138,32 @@ func (h *handler) checks3signature(r *http.Request) (string, error) {
Insecure: h.Config.cluster.TLS.Insecure,
}).WithRequestID(r.Header.Get("X-Request-Id"))
var aca arvados.APIClientAuthorization
- ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+h.Config.cluster.SystemRootToken)
- err := client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/"+key, nil, nil)
+ var secret string
+ var err error
+ if len(key) == 27 && key[5:12] == "-gj3su-" {
+ // Access key is the UUID of an Arvados token, secret
+ // key is the secret part.
+ ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+h.Config.cluster.SystemRootToken)
+ err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/"+key, nil, nil)
+ secret = aca.APIToken
+ } else {
+ // Access key and secret key are both an entire
+ // Arvados token or OIDC access token.
+ ctx := arvados.ContextWithAuthorization(r.Context(), "Bearer "+key)
+ err = client.RequestAndDecodeContext(ctx, &aca, "GET", "arvados/v1/api_client_authorizations/current", nil, nil)
+ secret = key
+ }
if err != nil {
- ctxlog.FromContext(ctx).WithError(err).WithField("UUID", key).Info("token lookup failed")
+ ctxlog.FromContext(r.Context()).WithError(err).WithField("UUID", key).Info("token lookup failed")
return "", errors.New("invalid access key")
}
- expect, err := s3signature(s3SignAlgorithm, aca.APIToken, scope, signedHeaders, r)
+ expect, err := s3signature(s3SignAlgorithm, secret, scope, signedHeaders, r)
if err != nil {
return "", err
} else if expect != signature {
return "", errors.New("signature does not match")
}
- return aca.TokenV2(), nil
+ return secret, nil
}
// serveS3 handles r and returns true if r is a request from an S3
diff --git a/services/keep-web/s3_test.go b/services/keep-web/s3_test.go
index 9a3989f61..5acc18e49 100644
--- a/services/keep-web/s3_test.go
+++ b/services/keep-web/s3_test.go
@@ -105,6 +105,40 @@ func (stage s3stage) teardown(c *check.C) {
}
}
+func (s *IntegrationSuite) TestS3Signatures(c *check.C) {
+ stage := s.s3setup(c)
+ defer stage.teardown(c)
+
+ bucket := stage.collbucket
+ for _, trial := range []struct {
+ success bool
+ signature int
+ accesskey string
+ secretkey string
+ }{
+ {true, aws.V2Signature, arvadostest.ActiveToken, "none"},
+ {false, aws.V2Signature, "none", "none"},
+ {false, aws.V2Signature, "none", arvadostest.ActiveToken},
+
+ {true, aws.V4Signature, arvadostest.ActiveTokenUUID, arvadostest.ActiveToken},
+ {true, aws.V4Signature, arvadostest.ActiveToken, arvadostest.ActiveToken},
+ {false, aws.V4Signature, arvadostest.ActiveToken, ""},
+ {false, aws.V4Signature, arvadostest.ActiveToken, "none"},
+ {false, aws.V4Signature, "none", arvadostest.ActiveToken},
+ {false, aws.V4Signature, "none", "none"},
+ } {
+ c.Logf("%#v", trial)
+ bucket.S3.Auth = *(aws.NewAuth(trial.accesskey, trial.secretkey, "", time.Now().Add(time.Hour)))
+ bucket.S3.Signature = trial.signature
+ _, err := bucket.GetReader("emptyfile")
+ if trial.success {
+ c.Check(err, check.IsNil)
+ } else {
+ c.Check(err, check.NotNil)
+ }
+ }
+}
+
func (s *IntegrationSuite) TestS3HeadBucket(c *check.C) {
stage := s.s3setup(c)
defer stage.teardown(c)
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list