[ARVADOS] updated: 2.1.0-539-g64e4f7598
Git user
git at public.arvados.org
Tue Mar 30 23:00:32 UTC 2021
Summary of changes:
lib/controller/localdb/login_testuser.go | 2 +-
lib/controller/localdb/logout.go | 52 +++++++++++++++++++++++---------
2 files changed, 39 insertions(+), 15 deletions(-)
via 64e4f759884fadc7fb3b984eb773a1dd89b7848f (commit)
from 94b3b18d028468440d793c2f78da61acc0ba4270 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 64e4f759884fadc7fb3b984eb773a1dd89b7848f
Author: Lucas Di Pentima <lucas at di-pentima.com.ar>
Date: Tue Mar 30 19:57:04 2021 -0300
16159: Validates token uuid & secret before expiring.
Don't error out when no token is provided, to support old clients.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas at di-pentima.com.ar>
diff --git a/lib/controller/localdb/login_testuser.go b/lib/controller/localdb/login_testuser.go
index 2e99034b6..e2f38f35b 100644
--- a/lib/controller/localdb/login_testuser.go
+++ b/lib/controller/localdb/login_testuser.go
@@ -22,7 +22,7 @@ type testLoginController struct {
}
func (ctrl *testLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
- err := ctrl.Parent.ExpireAPIClientAuthorization(ctx)
+ err := ctrl.Parent.expireAPIClientAuthorization(ctx)
if err != nil {
return arvados.LogoutResponse{}, err
}
diff --git a/lib/controller/localdb/logout.go b/lib/controller/localdb/logout.go
index 417fdc066..66089539c 100644
--- a/lib/controller/localdb/logout.go
+++ b/lib/controller/localdb/logout.go
@@ -6,40 +6,59 @@ package localdb
import (
"context"
+ "database/sql"
"errors"
"fmt"
"strings"
"git.arvados.org/arvados.git/lib/ctrlctx"
"git.arvados.org/arvados.git/sdk/go/auth"
+ "git.arvados.org/arvados.git/sdk/go/ctxlog"
)
-func (conn *Conn) ExpireAPIClientAuthorization(ctx context.Context) error {
+func (conn *Conn) expireAPIClientAuthorization(ctx context.Context) error {
creds, ok := auth.FromContext(ctx)
-
if !ok {
return errors.New("credentials not found from context")
}
- if len(creds.Tokens) < 1 {
- return errors.New("no tokens found to expire")
+ if len(creds.Tokens) == 0 {
+ // Old client may not have provided the token to expire
+ return nil
+ }
+
+ tx, err := ctrlctx.CurrentTx(ctx)
+ if err != nil {
+ return err
}
token := creds.Tokens[0]
- tokensecret := token
- if strings.Contains(token, "/") {
- tokenparts := strings.Split(token, "/")
- if len(tokenparts) >= 3 {
- tokensecret = tokenparts[2]
+ tokenSecret := token
+ var tokenUuid string
+ if strings.HasPrefix(token, "v2/") {
+ tokenParts := strings.Split(token, "/")
+ if len(tokenParts) >= 3 {
+ tokenUuid = tokenParts[1]
+ tokenSecret = tokenParts[2]
}
}
- tx, err := ctrlctx.CurrentTx(ctx)
- if err != nil {
+ var retrievedUuid string
+ err = tx.QueryRowContext(ctx, `SELECT uuid FROM api_client_authorizations WHERE api_token=$1 AND (expires_at IS NULL OR expires_at > current_timestamp AT TIME ZONE 'UTC') LIMIT 1`, tokenSecret).Scan(&retrievedUuid)
+ if err == sql.ErrNoRows {
+ ctxlog.FromContext(ctx).Debugf("expireAPIClientAuthorization(%s): not found in database", token)
+ return nil
+ } else if err != nil {
+ ctxlog.FromContext(ctx).WithError(err).Debugf("expireAPIClientAuthorization(%s): database error", token)
return err
}
+ if tokenUuid != "" && retrievedUuid != tokenUuid {
+ // secret part matches, but UUID doesn't -- somewhat surprising
+ ctxlog.FromContext(ctx).Debugf("expireAPIClientAuthorization(%s): secret part found, but with different UUID: %s", tokenSecret, retrievedUuid)
+ return nil
+ }
- res, err := tx.ExecContext(ctx, "UPDATE api_client_authorizations SET expires_at=current_timestamp WHERE api_token=$1", tokensecret)
+ res, err := tx.ExecContext(ctx, "UPDATE api_client_authorizations SET expires_at=current_timestamp AT TIME ZONE 'UTC' WHERE (expires_at IS NULL OR expires_at > current_timestamp AT TIME ZONE 'UTC' AND api_token=$1)", tokenSecret)
if err != nil {
return err
}
@@ -48,8 +67,13 @@ func (conn *Conn) ExpireAPIClientAuthorization(ctx context.Context) error {
if err != nil {
return err
}
- if rows != 1 {
- return fmt.Errorf("token expiration affected rows: %d - token: %s", rows, token)
+ if rows == 0 {
+ ctxlog.FromContext(ctx).Debugf("expireAPIClientAuthorization(%s): no rows were updated", tokenSecret)
+ return fmt.Errorf("couldn't expire provided token")
+ } else if rows > 1 {
+ ctxlog.FromContext(ctx).Debugf("expireAPIClientAuthorization(%s): multiple (%d) rows updated", tokenSecret, rows)
+ } else {
+ ctxlog.FromContext(ctx).Debugf("expireAPIClientAuthorization(%s): ok", tokenSecret)
}
return nil
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list