[ARVADOS] updated: 1.3.0-3242-g93b166c90

Git user git at public.arvados.org
Tue Sep 29 23:13:21 UTC 2020 

Summary of changes:
 lib/config/config.default.yml             | 11 +++++++++++
 lib/config/generated_config.go            | 11 +++++++++++
 sdk/go/arvados/config.go                  |  1 +
 services/api/app/models/api_client.rb     | 21 +++++++++++++++++----
 services/api/config/arvados_config.rb     |  1 +
 services/api/test/unit/api_client_test.rb |  4 ++++
 6 files changed, 45 insertions(+), 4 deletions(-)

       via  93b166c90720c0091d766fa51630b5deba46f1da (commit)
      from  60addb46ffafe6f6f8e7b42b573c44cc2b4bc1f3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 93b166c90720c0091d766fa51630b5deba46f1da
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Tue Sep 29 19:12:50 2020 -0400

    16923: Add "TrustedClients" configuration option.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index d0338e8c8..04a1dafa3 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -727,6 +727,17 @@ Clusters:
       # Default value zero means tokens don't have expiration.
       TokenLifetime: 0s
 
+      # When the token is returned to a client, the token itself may
+      # be restricted from manipulating other tokens based on whether
+      # the client is "trusted" or not.  The local Workbench1 are
+      # trusted by default, but if this is a LoginCluster, you
+      # probably want to include the Workbench instances in the
+      # federation in this list.
+      TrustedClients:
+        SAMPLE:
+          "https://workbench.federate1.example": {}
+          "https://workbench.federate2.example": {}
+
     Git:
       # Path to git or gitolite-shell executable. Each authenticated
       # request will execute this program with the single argument "http-backend"
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 88d71eb0a..2b81f28c6 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -733,6 +733,17 @@ Clusters:
       # Default value zero means tokens don't have expiration.
       TokenLifetime: 0s
 
+      # When the token is returned to a client, the token itself may
+      # be restricted from manipulating other tokens based on whether
+      # the client is "trusted" or not.  The local Workbench1 are
+      # trusted by default, but if this is a LoginCluster, you
+      # probably want to include the Workbench instances in the
+      # federation in this list.
+      TrustedClients:
+        SAMPLE:
+          "https://workbench.federate1.example": {}
+          "https://workbench.federate2.example": {}
+
     Git:
       # Path to git or gitolite-shell executable. Each authenticated
       # request will execute this program with the single argument "http-backend"
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 00438bf34..27a4c1de3 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -183,6 +183,7 @@ type Cluster struct {
 		LoginCluster       string
 		RemoteTokenRefresh Duration
 		TokenLifetime      Duration
+		TrustedClients     map[string]struct{}
 	}
 	Mail struct {
 		MailchimpAPIKey                string
diff --git a/services/api/app/models/api_client.rb b/services/api/app/models/api_client.rb
index c9eeaf266..015b61dc4 100644
--- a/services/api/app/models/api_client.rb
+++ b/services/api/app/models/api_client.rb
@@ -22,14 +22,27 @@ class ApiClient < ArvadosModel
 
   def from_trusted_url
     norm_url_prefix = norm(self.url_prefix)
-    norm_url_prefix == norm(Rails.configuration.Services.Workbench1.ExternalURL) or
-      norm_url_prefix == norm(Rails.configuration.Services.Workbench2.ExternalURL) or
-      norm_url_prefix == norm("https://controller.api.client.invalid")
+
+    [Rails.configuration.Services.Workbench1.ExternalURL,
+     Rails.configuration.Services.Workbench2.ExternalURL,
+     "https://controller.api.client.invalid"].each do |url|
+      if norm_url_prefix == norm(url)
+        return true
+      end
+    end
+
+    Rails.configuration.Login.TrustedClients.keys.each do |url|
+      if norm_url_prefix == norm(url)
+        return true
+      end
+    end
+
+    false
   end
 
   def norm url
     # normalize URL for comparison
-    url = URI(url)
+    url = URI(url.to_s)
     if url.scheme == "https"
       url.port == "443"
     end
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index 4f831160e..69b20420a 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
@@ -110,6 +110,7 @@ arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_
 arvcfg.declare_config "Login.SSO.ProviderAppSecret", String, :sso_app_secret
 arvcfg.declare_config "Login.SSO.ProviderAppID", String, :sso_app_id
 arvcfg.declare_config "Login.LoginCluster", String
+arvcfg.declare_config "Login.TrustedClients", Hash
 arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
 arvcfg.declare_config "Login.TokenLifetime", ActiveSupport::Duration
 arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
diff --git a/services/api/test/unit/api_client_test.rb b/services/api/test/unit/api_client_test.rb
index 93e4c51ab..bf47cd175 100644
--- a/services/api/test/unit/api_client_test.rb
+++ b/services/api/test/unit/api_client_test.rb
@@ -12,6 +12,8 @@ class ApiClientTest < ActiveSupport::TestCase
       Rails.configuration.Login.TokenLifetime = token_lifetime_enabled ? 8.hours : 0
       Rails.configuration.Services.Workbench1.ExternalURL = URI("http://wb1.example.com")
       Rails.configuration.Services.Workbench2.ExternalURL = URI("https://wb2.example.com:443")
+      Rails.configuration.Login.TrustedClients = ActiveSupport::OrderedOptions.new
+      Rails.configuration.Login.TrustedClients[:"https://wb3.example.com"] = ActiveSupport::OrderedOptions.new
 
       act_as_system_user do
         [["http://wb0.example.com", false],
@@ -19,6 +21,8 @@ class ApiClientTest < ActiveSupport::TestCase
         ["http://wb2.example.com", false],
         ["https://wb2.example.com", true],
         ["https://wb2.example.com/", true],
+        ["https://wb3.example.com/", true],
+        ["https://wb4.example.com/", false],
         ].each do |pfx, result|
           a = ApiClient.create(url_prefix: pfx, is_trusted: false)
           if token_lifetime_enabled

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list