[ARVADOS] updated: 1.3.0-3242-g93b166c90
Git user
git at public.arvados.org
Tue Sep 29 23:13:21 UTC 2020
Summary of changes:
lib/config/config.default.yml | 11 +++++++++++
lib/config/generated_config.go | 11 +++++++++++
sdk/go/arvados/config.go | 1 +
services/api/app/models/api_client.rb | 21 +++++++++++++++++----
services/api/config/arvados_config.rb | 1 +
services/api/test/unit/api_client_test.rb | 4 ++++
6 files changed, 45 insertions(+), 4 deletions(-)
via 93b166c90720c0091d766fa51630b5deba46f1da (commit)
from 60addb46ffafe6f6f8e7b42b573c44cc2b4bc1f3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 93b166c90720c0091d766fa51630b5deba46f1da
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Tue Sep 29 19:12:50 2020 -0400
16923: Add "TrustedClients" configuration option.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index d0338e8c8..04a1dafa3 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -727,6 +727,17 @@ Clusters:
# Default value zero means tokens don't have expiration.
TokenLifetime: 0s
+ # When the token is returned to a client, the token itself may
+ # be restricted from manipulating other tokens based on whether
+ # the client is "trusted" or not. The local Workbench1 are
+ # trusted by default, but if this is a LoginCluster, you
+ # probably want to include the Workbench instances in the
+ # federation in this list.
+ TrustedClients:
+ SAMPLE:
+ "https://workbench.federate1.example": {}
+ "https://workbench.federate2.example": {}
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
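Review bot: The new comment block understates what the setting grants and misdescribes the default: the api_client.rb hunk in this same commit trusts Workbench1, Workbench2 and the controller's internal client URL, not only "the local Workbench1", and "The local Workbench1 are trusted" is also ungrammatical. Since a token handed to a trusted client is, per the comment itself, not restricted from manipulating the user's other tokens, an operator needs to be told that each entry effectively lets that origin create, list and delete tokens on the user's behalf and so should only name Workbench deployments they control. I would reword the block along the lines of: `# A token issued to a client whose URL prefix matches one of these entries is not restricted from managing the user's other tokens (creating, listing or deleting them). The local Workbench1 and Workbench2 are trusted by default; on a LoginCluster, list the Workbench instances of the other clusters in the federation here. Only list origins you control.` Whether matching ignores path and default port depends on the normalization helper, whose body continues outside this commit's view, so I would confirm that before documenting it.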
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 88d71eb0a..2b81f28c6 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -733,6 +733,17 @@ Clusters:
# Default value zero means tokens don't have expiration.
TokenLifetime: 0s
+ # When the token is returned to a client, the token itself may
+ # be restricted from manipulating other tokens based on whether
+ # the client is "trusted" or not. The local Workbench1 are
+ # trusted by default, but if this is a LoginCluster, you
+ # probably want to include the Workbench instances in the
+ # federation in this list.
+ TrustedClients:
+ SAMPLE:
+ "https://workbench.federate1.example": {}
+ "https://workbench.federate2.example": {}
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 00438bf34..27a4c1de3 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -183,6 +183,7 @@ type Cluster struct {
LoginCluster string
RemoteTokenRefresh Duration
TokenLifetime Duration
+ TrustedClients map[string]struct{}
}
Mail struct {
MailchimpAPIKey string
diff --git a/services/api/app/models/api_client.rb b/services/api/app/models/api_client.rb
index c9eeaf266..015b61dc4 100644
--- a/services/api/app/models/api_client.rb
+++ b/services/api/app/models/api_client.rb
@@ -22,14 +22,27 @@ class ApiClient < ArvadosModel
def from_trusted_url
norm_url_prefix = norm(self.url_prefix)
- norm_url_prefix == norm(Rails.configuration.Services.Workbench1.ExternalURL) or
- norm_url_prefix == norm(Rails.configuration.Services.Workbench2.ExternalURL) or
- norm_url_prefix == norm("https://controller.api.client.invalid")
+
+ [Rails.configuration.Services.Workbench1.ExternalURL,
+ Rails.configuration.Services.Workbench2.ExternalURL,
+ "https://controller.api.client.invalid"].each do |url|
+ if norm_url_prefix == norm(url)
+ return true
+ end
+ end
+
+ Rails.configuration.Login.TrustedClients.keys.each do |url|
+ if norm_url_prefix == norm(url)
+ return true
+ end
+ end
+
+ false
end
def norm url
# normalize URL for comparison
- url = URI(url)
+ url = URI(url.to_s)
if url.scheme == "https"
url.port == "443"
end
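Review bot: The two `each` loops with explicit `return` in from_trusted_url perform the same comparison at two sites; folding the built-in list and `TrustedClients.keys` into one array and using `any?` keeps a single comparison so a future entry cannot be added without going through `norm`. Separately, the context line `url.port == "443"` inside `norm` is a comparison whose result is discarded, and it compares an Integer port with a String so it can never be true; `norm`'s body continues outside the hunk, so I cannot tell whether port handling happens later, but as written that line does nothing and should be either an assignment or removed. Because the new code calls `norm` on each configured key, a single malformed entry in `Login.TrustedClients` would presumably raise `URI::InvalidURIError` for every client lookup rather than just failing to match that entry — worth confirming how `URI()` behaves on the values the config loader produces, and whether `TrustedClients` can be nil for configs written before this option existed.
```ruby
def from_trusted_url
  norm_url_prefix = norm(self.url_prefix)
  trusted = [Rails.configuration.Services.Workbench1.ExternalURL,
             Rails.configuration.Services.Workbench2.ExternalURL,
             "https://controller.api.client.invalid"]
  trusted += Rails.configuration.Login.TrustedClients.keys
  trusted.any? { |url| norm_url_prefix == norm(url) }
end
```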
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index 4f831160e..69b20420a 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -110,6 +110,7 @@ arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_
arvcfg.declare_config "Login.SSO.ProviderAppSecret", String, :sso_app_secret
arvcfg.declare_config "Login.SSO.ProviderAppID", String, :sso_app_id
arvcfg.declare_config "Login.LoginCluster", String
+arvcfg.declare_config "Login.TrustedClients", Hash
arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
arvcfg.declare_config "Login.TokenLifetime", ActiveSupport::Duration
arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
diff --git a/services/api/test/unit/api_client_test.rb b/services/api/test/unit/api_client_test.rb
index 93e4c51ab..bf47cd175 100644
--- a/services/api/test/unit/api_client_test.rb
+++ b/services/api/test/unit/api_client_test.rb
@@ -12,6 +12,8 @@ class ApiClientTest < ActiveSupport::TestCase
Rails.configuration.Login.TokenLifetime = token_lifetime_enabled ? 8.hours : 0
Rails.configuration.Services.Workbench1.ExternalURL = URI("http://wb1.example.com")
Rails.configuration.Services.Workbench2.ExternalURL = URI("https://wb2.example.com:443")
+ Rails.configuration.Login.TrustedClients = ActiveSupport::OrderedOptions.new
+ Rails.configuration.Login.TrustedClients[:"https://wb3.example.com"] = ActiveSupport::OrderedOptions.new
act_as_system_user do
[["http://wb0.example.com", false],
@@ -19,6 +21,8 @@ class ApiClientTest < ActiveSupport::TestCase
["http://wb2.example.com", false],
["https://wb2.example.com", true],
["https://wb2.example.com/", true],
+ ["https://wb3.example.com/", true],
+ ["https://wb4.example.com/", false],
].each do |pfx, result|
a = ApiClient.create(url_prefix: pfx, is_trusted: false)
if token_lifetime_enabled
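Review bot: The two added cases only pin that a TrustedClients entry matches itself with a trailing slash; nothing checks that configured entries go through the same normalization the built-in Workbench2 cases exercise (scheme mismatch rejected, explicit `:443` accepted). I would add `["http://wb3.example.com", false],` and `["https://wb3.example.com:443", true],` next to the wb3 cases so a regression in how `norm` is applied to `Login.TrustedClients` keys is caught. The setup hunk registers the entry under a Symbol key, which is what the `url.to_s` change in `norm` is for; since the type of key the real config loader produces is not visible here, a second entry keyed by a String would cover both paths.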