[ARVADOS] updated: 2.1.0-308-gb51ddf762
Git user
git at public.arvados.org
Tue Feb 9 22:28:20 UTC 2021
Summary of changes:
lib/controller/federation_test.go | 9 +++++++++
services/api/app/controllers/user_sessions_controller.rb | 4 ++--
services/api/app/models/api_client_authorization.rb | 9 ++++-----
.../test/integration/api_client_authorizations_api_test.rb | 14 ++++++++------
services/api/test/integration/container_dispatch_test.rb | 1 -
services/api/test/unit/container_test.rb | 11 +++++++++++
6 files changed, 34 insertions(+), 14 deletions(-)
via b51ddf762b2bf441b899704866f1228e1262a2fa (commit)
via 4582fd3b2af72c03dcaf82a556f586c884d72d0c (commit)
via bb040b1ea234599f5001b1d08493d22471ddad29 (commit)
from bb5d1bb6158ebd6b9fc64ff465feba7c22eaa077 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit b51ddf762b2bf441b899704866f1228e1262a2fa
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Tue Feb 9 19:27:23 2021 -0300
16736: Adds tests to confirm expires_at doesn't get set on container's tokens.
WIP
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/lib/controller/federation_test.go b/lib/controller/federation_test.go
index a92fc7105..b64225f1a 100644
--- a/lib/controller/federation_test.go
+++ b/lib/controller/federation_test.go
@@ -705,6 +705,15 @@ func (s *FederationSuite) TestCreateRemoteContainerRequestCheckRuntimeToken(c *c
c.Check(cr.RuntimeToken, check.Matches, "v2/zzzzz-gj3su-.*")
// RuntimeToken must be different than the Original Token we originally did the request with.
c.Check(cr.RuntimeToken, check.Not(check.Equals), arvadostest.ActiveTokenV2)
+
+ req2 := httptest.NewRequest("GET", "/arvados/v1/api_client_authorizations/current", nil)
+ req2.Header.Set("Authorization", "Bearer "+cr.RuntimeToken)
+ req2.Header.Set("Content-type", "application/json")
+ resp = s.testRequest(req2).Result()
+ c.Check(resp.StatusCode, check.Equals, http.StatusOK)
+ var aca arvados.APIClientAuthorization
+ c.Check(json.NewDecoder(resp.Body).Decode(&aca), check.IsNil)
+ c.Check(aca.ExpiresAt, check.IsNil)
}
func (s *FederationSuite) TestCreateRemoteContainerRequestCheckSetRuntimeToken(c *check.C) {
diff --git a/services/api/test/integration/container_dispatch_test.rb b/services/api/test/integration/container_dispatch_test.rb
index 61e01da64..556b889fa 100644
--- a/services/api/test/integration/container_dispatch_test.rb
+++ b/services/api/test/integration/container_dispatch_test.rb
@@ -11,7 +11,6 @@ class ContainerDispatchTest < ActionDispatch::IntegrationTest
get("/arvados/v1/api_client_authorizations/current",
headers: authheaders)
assert_response 200
- #assert_not_empty json_response['uuid']
system_auth_uuid = json_response['uuid']
post("/arvados/v1/containers/#{containers(:queued).uuid}/lock",
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 4d8538524..dbb51b826 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -750,6 +750,17 @@ class ContainerTest < ActiveSupport::TestCase
check_no_change_from_cancelled c
end
+ test "Container locked with non-expiring token" do
+ Rails.configuration.API.TokenMaxLifetime = 1.hour
+ set_user_from_auth :active
+ c, _ = minimal_new
+ set_user_from_auth :dispatch1
+ assert c.lock, show_errors(c)
+ refute c.auth.nil?
+ assert c.auth.expires_at.nil?
+ assert c.auth.user_id == User.find_by_uuid(users(:active).uuid).id
+ end
+
test "Container locked cancel with log" do
set_user_from_auth :active
c, _ = minimal_new
commit 4582fd3b2af72c03dcaf82a556f586c884d72d0c
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Mon Feb 8 19:01:41 2021 -0300
16736: Simplifies conditionals.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 03e1b38fd..ee63c4d93 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -390,9 +390,7 @@ class ApiClientAuthorization < ArvadosModel
def clamp_token_expiration
if !current_user.andand.is_admin && Rails.configuration.API.MaxTokenLifetime > 0
max_token_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime
- if self.new_record? && (self.expires_at.nil? || self.expires_at > max_token_expiration)
- self.expires_at = max_token_expiration
- elsif !self.new_record? && self.expires_at_changed? && (self.expires_at.nil? || self.expires_at > max_token_expiration)
+ if (self.new_record? || self.expires_at_changed?) && (self.expires_at.nil? || self.expires_at > max_token_expiration)
self.expires_at = max_token_expiration
end
end
commit bb040b1ea234599f5001b1d08493d22471ddad29
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Mon Feb 8 18:16:52 2021 -0300
16736: Replaces Time.now with db_current_time on token expiration handling code.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index da0523d2b..8e9a26b7a 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -158,9 +158,9 @@ class UserSessionsController < ApplicationController
end
if Rails.configuration.Login.TokenLifetime > 0
if token_expiration == nil
- token_expiration = Time.now + Rails.configuration.Login.TokenLifetime
+ token_expiration = db_current_time + Rails.configuration.Login.TokenLifetime
else
- token_expiration = [token_expiration, Time.now + Rails.configuration.Login.TokenLifetime].min
+ token_expiration = [token_expiration, db_current_time + Rails.configuration.Login.TokenLifetime].min
end
end
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 4218645d5..03e1b38fd 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -7,6 +7,7 @@ class ApiClientAuthorization < ArvadosModel
include KindAndEtag
include CommonApiTemplate
extend CurrentApiClient
+ extend DbCurrentTime
belongs_to :api_client
belongs_to :user
@@ -356,7 +357,7 @@ class ApiClientAuthorization < ArvadosModel
auth.update_attributes!(user: user,
api_token: stored_secret,
api_client_id: 0,
- expires_at: Time.now + Rails.configuration.Login.RemoteTokenRefresh)
+ expires_at: db_current_time + Rails.configuration.Login.RemoteTokenRefresh)
Rails.logger.debug "cached remote token #{token_uuid} with secret #{stored_secret} in local db"
auth.api_token = secret
return auth
@@ -388,7 +389,7 @@ class ApiClientAuthorization < ArvadosModel
def clamp_token_expiration
if !current_user.andand.is_admin && Rails.configuration.API.MaxTokenLifetime > 0
- max_token_expiration = Time.now + Rails.configuration.API.MaxTokenLifetime
+ max_token_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime
if self.new_record? && (self.expires_at.nil? || self.expires_at > max_token_expiration)
self.expires_at = max_token_expiration
elsif !self.new_record? && self.expires_at_changed? && (self.expires_at.nil? || self.expires_at > max_token_expiration)
diff --git a/services/api/test/integration/api_client_authorizations_api_test.rb b/services/api/test/integration/api_client_authorizations_api_test.rb
index 3a7b20131..ce79fc557 100644
--- a/services/api/test/integration/api_client_authorizations_api_test.rb
+++ b/services/api/test/integration/api_client_authorizations_api_test.rb
@@ -5,6 +5,8 @@
require 'test_helper'
class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
+ include DbCurrentTime
+ extend DbCurrentTime
fixtures :all
test "create system auth" do
@@ -74,12 +76,12 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
assert_response 403
end
- [nil, Time.now + 2.hours].each do |desired_expiration|
+ [nil, db_current_time + 2.hours].each do |desired_expiration|
test "expires_at gets clamped on non-admins when API.MaxTokenLifetime is set and desired expires_at #{desired_expiration.nil? ? 'is not set' : 'exceeds the limit'}" do
Rails.configuration.API.MaxTokenLifetime = 1.hour
# Test token creation
- start_t = Time.now
+ start_t = db_current_time
post "/arvados/v1/api_client_authorizations",
params: {
:format => :json,
@@ -89,7 +91,7 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
}
},
headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
- end_t = Time.now
+ end_t = db_current_time
assert_response 200
expiration_t = json_response['expires_at'].to_time
assert_operator expiration_t.to_f, :>, (start_t + Rails.configuration.API.MaxTokenLifetime).to_f
@@ -102,7 +104,7 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
# Test token update
previous_expiration = expiration_t
token_uuid = json_response["uuid"]
- start_t = Time.now
+ start_t = db_current_time
put "/arvados/v1/api_client_authorizations/#{token_uuid}",
params: {
:api_client_authorization => {
@@ -110,7 +112,7 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
}
},
headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
- end_t = Time.now
+ end_t = db_current_time
assert_response 200
expiration_t = json_response['expires_at'].to_time
assert_operator previous_expiration.to_f, :<, expiration_t.to_f
@@ -146,7 +148,7 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
previous_expiration = json_response['expires_at']
token_uuid = json_response['uuid']
if previous_expiration.nil?
- desired_updated_expiration = Time.now + Rails.configuration.API.MaxTokenLifetime + 1.hour
+ desired_updated_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime + 1.hour
else
desired_updated_expiration = nil
end
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list