[ARVADOS] created: 2.1.0-743-g4accc0fe3

Git user git at public.arvados.org
Thu Apr 29 21:18:05 UTC 2021


        at  4accc0fe357a9b3fdcca3dc8f3353ff6dd6eded2 (commit)


commit 4accc0fe357a9b3fdcca3dc8f3353ff6dd6eded2
Author: Tom Clegg <tom at curii.com>
Date:   Thu Apr 29 17:17:52 2021 -0400

    17610: Check scopes when using a remote token.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index ee63c4d93..06a74feec 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -249,21 +249,22 @@ class ApiClientAuthorization < ArvadosModel
 
     remote_user_prefix = remote_user['uuid'][0..4]
 
-    if token_uuid == ''
-      # Use the same UUID as the remote when caching the token.
-      begin
-        remote_token = SafeJSON.load(
-          clnt.get_content('https://' + host + '/arvados/v1/api_client_authorizations/current',
-                           {'remote' => Rails.configuration.ClusterID},
-                           {'Authorization' => 'Bearer ' + token}))
-        token_uuid = remote_token['uuid']
-        if !token_uuid.match(HasUuid::UUID_REGEX) || token_uuid[0..4] != upstream_cluster_id
-          raise "remote cluster #{upstream_cluster_id} returned invalid token uuid #{token_uuid.inspect}"
-        end
-      rescue => e
-        Rails.logger.warn "error getting remote token details for #{token.inspect}: #{e}"
-        return nil
+    # Get token scope, and make sure we use the same UUID as the
+    # remote when caching the token.
+    remote_token_scopes = ['all']
+    begin
+      remote_token = SafeJSON.load(
+        clnt.get_content('https://' + host + '/arvados/v1/api_client_authorizations/current',
+                         {'remote' => Rails.configuration.ClusterID},
+                         {'Authorization' => 'Bearer ' + token}))
+      token_uuid = remote_token['uuid']
+      if !token_uuid.match(HasUuid::UUID_REGEX) || token_uuid[0..4] != upstream_cluster_id
+        raise "remote cluster #{upstream_cluster_id} returned invalid token uuid #{token_uuid.inspect}"
       end
+      remote_token_scopes = remote_token['scopes']
+    rescue => e
+      Rails.logger.warn "error getting remote token details for #{token.inspect}: #{e}"
+      return nil
     end
 
     # Clusters can only authenticate for their own users.
@@ -339,26 +340,30 @@ class ApiClientAuthorization < ArvadosModel
         end
       end
 
-      # We will accept this token (and avoid reloading the user
-      # record) for 'RemoteTokenRefresh' (default 5 minutes).
-      # Possible todo:
-      # Request the actual api_client_auth record from the remote
-      # server in case it wants the token to expire sooner.
-      auth = ApiClientAuthorization.find_or_create_by(uuid: token_uuid) do |auth|
-        auth.user = user
-        auth.api_client_id = 0
-      end
       # If stored_secret is set, we save stored_secret in the database
       # but return the real secret to the caller. This way, if we end
       # up returning the auth record to the client, they see the same
       # secret they supplied, instead of the HMAC we saved in the
       # database.
       stored_secret = stored_secret || secret
+
+      # We will accept this token (and avoid reloading the user
+      # record) for 'RemoteTokenRefresh' (default 5 minutes).
+      exp = [db_current_time + Rails.configuration.Login.RemoteTokenRefresh,
+             remote_token.andand['expires_at']].compact.min
+      auth = ApiClientAuthorization.find_or_create_by(uuid: token_uuid) do |auth|
+        auth.user = user
+        auth.api_token = stored_secret
+        auth.api_client_id = 0
+        auth.scopes = remote_token_scopes
+        auth.expires_at = exp
+      end
       auth.update_attributes!(user: user,
                               api_token: stored_secret,
                               api_client_id: 0,
-                              expires_at: db_current_time + Rails.configuration.Login.RemoteTokenRefresh)
-      Rails.logger.debug "cached remote token #{token_uuid} with secret #{stored_secret} in local db"
+                              scopes: remote_token_scopes,
+                              expires_at: exp)
+      Rails.logger.debug "cached remote token #{token_uuid} with secret #{stored_secret} and scopes #{remote_token_scopes} in local db"
       auth.api_token = secret
       return auth
     end
diff --git a/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb b/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb
index c2c71ca54..bf407afcd 100644
--- a/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb
@@ -81,6 +81,15 @@ class Arvados::V1::ApiClientAuthorizationsControllerTest < ActionController::Tes
     end
   end
 
+  [:admin, :active].each do |token|
+    test "using '#{token}', get token details via 'current'" do
+      authorize_with token
+      get :current
+      assert_response 200
+      assert_equal json_response['scopes'], ['all']
+    end
+  end
+
   [# anyone can look up the token they're currently using
    [:admin, :admin, 200, 200, 1],
    [:active, :active, 200, 200, 1],
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 432388452..568d5088d 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -67,6 +67,20 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
         res.status = @stub_status
         res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json
       end
+      srv.mount_proc '/arvados/v1/api_client_authorizations/current' do |req, res|
+        if clusterid == 'zbbbb' and req.header['authorization'][0][10..14] == 'zbork'
+          # asking zbbbb about zbork should yield an error, zbbbb doesn't trust zbork
+          res.status = 401
+          return
+        end
+        res.status = @stub_token_status
+        if res.status == 200
+          res.body = {
+            uuid: api_client_authorizations(:active).uuid.sub('zzzzz', clusterid),
+            scopes: @stub_token_scopes,
+          }.to_json
+        end
+      end
       Thread.new do
         srv.start
       end
@@ -86,6 +100,8 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
       is_active: true,
       is_invited: true,
     }
+    @stub_token_status = 200
+    @stub_token_scopes = ["all"]
   end
 
   teardown do
@@ -94,6 +110,31 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'authenticate with remote token that has limited scope' do
+    get '/arvados/v1/collections',
+        params: {format: 'json'},
+        headers: auth(remote: 'zbbbb')
+    assert_response :success
+
+    @stub_token_scopes = ["GET /arvados/v1/users/current"]
+
+    # re-authorize before cache expires
+    get '/arvados/v1/collections',
+        params: {format: 'json'},
+        headers: auth(remote: 'zbbbb')
+    assert_response :success
+
+    # simulate cache expiry
+    ApiClientAuthorization.where('uuid like ?', 'zbbbb-%').
+      update_all(expires_at: db_current_time - 1.minute)
+
+    # re-authorize after cache expires
+    get '/arvados/v1/collections',
+        params: {format: 'json'},
+        headers: auth(remote: 'zbbbb')
+    assert_response 403
+  end
+
   test 'authenticate with remote token' do
     get '/arvados/v1/users/current',
       params: {format: 'json'},
@@ -115,8 +156,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
     assert_response :success
 
     # simulate cache expiry
-    ApiClientAuthorization.where(
-      uuid: salted_active_token(remote: 'zbbbb').split('/')[1]).
+    ApiClientAuthorization.where('uuid like ?', 'zbbbb-%').
       update_all(expires_at: db_current_time - 1.minute)
 
     # re-authorize after cache expires

-----------------------------------------------------------------------


hooks/post-receive
-- 




More information about the arvados-commits mailing list