[ARVADOS] created: 2.1.0-740-g78844c6fd

Git user git at public.arvados.org
Wed Apr 28 14:24:00 UTC 2021 

        at  78844c6fd4fe560835071f718e52b446cd00abf7 (commit)


commit 78844c6fd4fe560835071f718e52b446cd00abf7
Author: Tom Clegg <tom at curii.com>
Date:   Wed Apr 28 10:22:56 2021 -0400

    17217: Sign manifests in controller instead of RailsAPI.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/localdb/collection.go b/lib/controller/localdb/collection.go
new file mode 100644
index 000000000..f75a322d5
--- /dev/null
+++ b/lib/controller/localdb/collection.go
@@ -0,0 +1,70 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
+package localdb
+
+import (
+	"context"
+	"time"
+
+	"git.arvados.org/arvados.git/sdk/go/arvados"
+	"git.arvados.org/arvados.git/sdk/go/auth"
+)
+
+// CollectionGet defers to railsProxy for everything except blob
+// signatures.
+func (conn *Conn) CollectionGet(ctx context.Context, opts arvados.GetOptions) (arvados.Collection, error) {
+	return conn.railsProxy.CollectionGet(ctx, opts)
+}
+
+// CollectionList defers to railsProxy for everything except blob
+// signatures.
+func (conn *Conn) CollectionList(ctx context.Context, opts arvados.ListOptions) (arvados.CollectionList, error) {
+	signing := false
+	keepUnsigned := true
+	var fields []string
+	if len(opts.Select) > 0 {
+		keepUnsigned = false
+		fields = make([]string, 0, len(opts.Select)+2)
+		for _, f := range opts.Select {
+			if f == "manifest_text" {
+				fields = append(fields, "is_trashed", "trash_at", "unsigned_manifest_text")
+				signing = true
+			} else {
+				fields = append(fields, f)
+				if f == "unsigned_manifest_text" {
+					keepUnsigned = true
+				}
+			}
+		}
+		opts.Select = fields
+	}
+	resp, err := conn.railsProxy.CollectionList(ctx, opts)
+	if err != nil || !signing {
+		return resp, err
+	}
+
+	var token string
+	if creds, ok := auth.FromContext(ctx); ok && len(creds.Tokens) > 0 {
+		token = creds.Tokens[0]
+	}
+	ttl := conn.cluster.Collections.BlobSigningTTL.Duration()
+	expDefault := time.Now().Add(ttl)
+	for i := range resp.Items {
+		coll := &resp.Items[i]
+		if coll.IsTrashed {
+			coll.ManifestText = coll.UnsignedManifestText
+		} else {
+			exp := expDefault
+			if coll.TrashAt != nil && !coll.TrashAt.IsZero() && coll.TrashAt.Before(exp) {
+				exp = *coll.TrashAt
+			}
+			coll.ManifestText = arvados.SignManifest(coll.UnsignedManifestText, token, exp, ttl, []byte(conn.cluster.Collections.BlobSigningKey))
+		}
+		if !keepUnsigned {
+			coll.UnsignedManifestText = ""
+		}
+	}
+	return resp, nil
+}
diff --git a/lib/controller/localdb/collection_test.go b/lib/controller/localdb/collection_test.go
new file mode 100644
index 000000000..d75ca3c40
--- /dev/null
+++ b/lib/controller/localdb/collection_test.go
@@ -0,0 +1,80 @@
+// Copyright (C) The Arvados Authors. All rights reserved.
+//
+// SPDX-License-Identifier: AGPL-3.0
+
+package localdb
+
+import (
+	"context"
+
+	"git.arvados.org/arvados.git/lib/config"
+	"git.arvados.org/arvados.git/lib/controller/rpc"
+	"git.arvados.org/arvados.git/sdk/go/arvados"
+	"git.arvados.org/arvados.git/sdk/go/arvadostest"
+	"git.arvados.org/arvados.git/sdk/go/auth"
+	"git.arvados.org/arvados.git/sdk/go/ctxlog"
+	check "gopkg.in/check.v1"
+)
+
+var _ = check.Suite(&CollectionSuite{})
+
+type CollectionSuite struct {
+	cluster  *arvados.Cluster
+	localdb  *Conn
+	railsSpy *arvadostest.Proxy
+}
+
+func (s *CollectionSuite) TearDownSuite(c *check.C) {
+	// Undo any changes/additions to the user database so they
+	// don't affect subsequent tests.
+	arvadostest.ResetEnv()
+	c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
+}
+
+func (s *CollectionSuite) SetUpTest(c *check.C) {
+	cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
+	c.Assert(err, check.IsNil)
+	s.cluster, err = cfg.GetCluster("")
+	c.Assert(err, check.IsNil)
+	s.localdb = NewConn(s.cluster)
+	s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
+	*s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
+}
+
+func (s *CollectionSuite) TearDownTest(c *check.C) {
+	s.railsSpy.Close()
+}
+
+func (s *CollectionSuite) TestSignatures(c *check.C) {
+	ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.ActiveTokenV2}})
+
+	resp, err := s.localdb.CollectionGet(ctx, arvados.GetOptions{UUID: arvadostest.FooCollection})
+	c.Check(err, check.IsNil)
+	c.Check(resp.ManifestText, check.Matches, `(?ms).* acbd[^ ]*\+3\+A[0-9a-f]+@[0-9a-f]+ 0:.*`)
+
+	resp, err = s.localdb.CollectionGet(ctx, arvados.GetOptions{UUID: arvadostest.FooCollection, Select: []string{"manifest_text"}})
+	c.Check(err, check.IsNil)
+	c.Check(resp.ManifestText, check.Matches, `(?ms).* acbd[^ ]*\+3\+A[0-9a-f]+@[0-9a-f]+ 0:.*`)
+
+	lresp, err := s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"uuid", "=", arvadostest.FooCollection}}})
+	c.Check(err, check.IsNil)
+	if c.Check(lresp.Items, check.HasLen, 1) {
+		c.Check(lresp.Items[0].UUID, check.Equals, arvadostest.FooCollection)
+		c.Check(lresp.Items[0].ManifestText, check.Equals, "")
+		c.Check(lresp.Items[0].UnsignedManifestText, check.Equals, "")
+	}
+
+	lresp, err = s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"uuid", "=", arvadostest.FooCollection}}, Select: []string{"manifest_text"}})
+	c.Check(err, check.IsNil)
+	if c.Check(lresp.Items, check.HasLen, 1) {
+		c.Check(lresp.Items[0].ManifestText, check.Matches, `(?ms).* acbd[^ ]*\+3\+A[0-9a-f]+@[0-9a-f]+ 0:.*`)
+		c.Check(lresp.Items[0].UnsignedManifestText, check.Equals, "")
+	}
+
+	lresp, err = s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"uuid", "=", arvadostest.FooCollection}}, Select: []string{"unsigned_manifest_text"}})
+	c.Check(err, check.IsNil)
+	if c.Check(lresp.Items, check.HasLen, 1) {
+		c.Check(lresp.Items[0].ManifestText, check.Equals, "")
+		c.Check(lresp.Items[0].UnsignedManifestText, check.Matches, `(?ms).* acbd[^ ]*\+3 0:.*`)
+	}
+}
diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb
index 4e7b64cf5..c51dbd552 100644
--- a/services/api/app/models/collection.rb
+++ b/services/api/app/models/collection.rb
@@ -418,17 +418,7 @@ class Collection < ArvadosModel
   end
 
   def self.sign_manifest manifest, token, exp=nil
-    if exp.nil?
-      exp = db_current_time.to_i + Rails.configuration.Collections.BlobSigningTTL.to_i
-    end
-    signing_opts = {
-      api_token: token,
-      expire: exp,
-    }
-    m = munge_manifest_locators(manifest) do |match|
-      Blob.sign_locator(match[0], signing_opts)
-    end
-    return m
+    return manifest
   end
 
   def self.munge_manifest_locators manifest

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list