[ARVADOS] updated: 2.1.0-1640-ge6c9789a3
Git user
git at public.arvados.org
Wed Nov 24 20:13:49 UTC 2021
Summary of changes:
lib/controller/federation.go | 7 +++---
lib/controller/federation_test.go | 2 +-
lib/controller/handler_test.go | 27 +++++++++++++++++---
lib/controller/integration_test.go | 40 +++++++++++++++++++-----------
lib/controller/localdb/login.go | 4 +--
lib/controller/localdb/login_oidc.go | 9 +++----
sdk/go/arvados/api_client_authorization.go | 13 +++++-----
7 files changed, 64 insertions(+), 38 deletions(-)
via e6c9789a3500aba4ce1357d2d9f9fe0f24674b3a (commit)
via 7690110d5f23e689b80b3dabbbaa2b769b6d4d50 (commit)
via 978251ea0e2947b30e45bf2b8eea18e1c4572539 (commit)
from a98916d06cdfe7883dff80015a3eecfde3429dfa (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit e6c9789a3500aba4ce1357d2d9f9fe0f24674b3a
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Wed Nov 24 17:12:36 2021 -0300
17785: Fixes ApiClientAuthorization.ExpiresAt type.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/lib/controller/federation.go b/lib/controller/federation.go
index cd69727ec..e7d6e29b8 100644
--- a/lib/controller/federation.go
+++ b/lib/controller/federation.go
@@ -214,10 +214,9 @@ VALUES ($1, $2, CURRENT_TIMESTAMP AT TIME ZONE 'UTC' + INTERVAL '2 weeks', $3,
}
return &arvados.APIClientAuthorization{
- UUID: uuid,
- APIToken: token,
- ExpiresAt: "",
- Scopes: scopes}, nil
+ UUID: uuid,
+ APIToken: token,
+ Scopes: scopes}, nil
}
// Extract the auth token supplied in req, and replace it with a
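Review bot: The returned struct now leaves `ExpiresAt` at its zero value, while the hunk header shows the row being inserted with `expires_at` set to `CURRENT_TIMESTAMP AT TIME ZONE 'UTC' + INTERVAL '2 weeks'`. Now that the field is a `time.Time`, callers that test `IsZero()` (as `registerToken` in login_oidc.go does in this same commit) read a zero value as "no expiry", so code that caches or forwards this record would presumably treat a two-week token as non-expiring. Consider returning the stored value, for example by adding `RETURNING expires_at` to the INSERT and scanning it into the struct. At minimum add a comment such as `// ExpiresAt is left unset here; the database row expires after 2 weeks`. The function starts outside the hunk, so the exact statement shape is not visible.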
diff --git a/lib/controller/federation_test.go b/lib/controller/federation_test.go
index 211c76198..35bcc3636 100644
--- a/lib/controller/federation_test.go
+++ b/lib/controller/federation_test.go
@@ -721,7 +721,7 @@ func (s *FederationSuite) TestCreateRemoteContainerRequestCheckRuntimeToken(c *c
var aca arvados.APIClientAuthorization
c.Check(json.NewDecoder(resp.Body).Decode(&aca), check.IsNil)
c.Check(aca.ExpiresAt, check.NotNil) // Time.Now()+BlobSigningTTL
- t, _ := time.Parse(time.RFC3339Nano, aca.ExpiresAt)
+ t := aca.ExpiresAt
c.Check(t.After(time.Now().Add(s.testHandler.Cluster.API.MaxTokenLifetime.Duration())), check.Equals, true)
c.Check(t.Before(time.Now().Add(s.testHandler.Cluster.Collections.BlobSigningTTL.Duration())), check.Equals, true)
}
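Review bot: The context line `c.Check(aca.ExpiresAt, check.NotNil)` is now vacuous, because `ExpiresAt` is a `time.Time` value and gocheck's nil check only applies to pointer-like kinds, so it passes even for a zero timestamp. Replace it with `c.Check(aca.ExpiresAt.IsZero(), check.Equals, false)` so that a missing expiry fails on its own line instead of relying on the `After` check below. The temporary `t := aca.ExpiresAt` can then be dropped by calling `aca.ExpiresAt.After(...)` and `aca.ExpiresAt.Before(...)` directly.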
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 3c7b01baa..2b20491a0 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -147,13 +147,13 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st
tokensecret = tokenparts[2]
}
}
- var exp sql.NullString
+ var exp sql.NullTime
var scopes []byte
err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
if err != nil {
return
}
- resp.ExpiresAt = exp.String
+ resp.ExpiresAt = exp.Time
if len(scopes) > 0 {
err = json.Unmarshal(scopes, &resp.Scopes)
if err != nil {
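Review bot: `exp.Valid` is never checked, so a NULL `expires_at` silently becomes the zero `time.Time` in `resp.ExpiresAt`. That appears to be the intended "no expiry" encoding, since login_oidc.go tests `IsZero()`, but nothing here says so. Either state it next to the assignment with `// NULL expires_at scans as the zero time, which callers treat as "does not expire"`, or make the branch explicit with `if exp.Valid { resp.ExpiresAt = exp.Time }`. The function continues past the end of the hunk.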
diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 6182469ac..e076f7e12 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -408,11 +408,8 @@ func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) er
// cached positive result
aca := cached.(arvados.APIClientAuthorization)
var expiring bool
- if aca.ExpiresAt != "" {
- t, err := time.Parse(time.RFC3339Nano, aca.ExpiresAt)
- if err != nil {
- return fmt.Errorf("error parsing expires_at value: %w", err)
- }
+ if !aca.ExpiresAt.IsZero() {
+ t := aca.ExpiresAt
expiring = t.Before(time.Now().Add(time.Minute))
}
if !expiring {
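Review bot: The temporary `t := aca.ExpiresAt` is left over from the string-parsing version and no longer adds anything. The block can collapse to `expiring := !aca.ExpiresAt.IsZero() && aca.ExpiresAt.Before(time.Now().Add(time.Minute))`. The `IsZero()` branch means a cached record without an expiry is never considered expiring, so a short comment such as `// zero ExpiresAt means the token has no expiry` would help the next reader. The function starts before and ends after this hunk.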
@@ -505,7 +502,7 @@ func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) er
if err != nil {
return err
}
- aca.ExpiresAt = exp.Format(time.RFC3339Nano)
+ aca.ExpiresAt = exp
ta.cache.Add(tok, aca)
return nil
}
diff --git a/sdk/go/arvados/api_client_authorization.go b/sdk/go/arvados/api_client_authorization.go
index 686caf49d..c920d2dc3 100644
--- a/sdk/go/arvados/api_client_authorization.go
+++ b/sdk/go/arvados/api_client_authorization.go
@@ -15,7 +15,7 @@ type APIClientAuthorization struct {
CreatedByIPAddress string `json:"created_by_ip_address"`
DefaultOwnerUUID string `json:"default_owner_uuid"`
Etag string `json:"etag"`
- ExpiresAt string `json:"expires_at"`
+ ExpiresAt time.Time `json:"expires_at"`
LastUsedAt time.Time `json:"last_used_at"`
LastUsedByIPAddress string `json:"last_used_by_ip_address"`
ModifiedAt time.Time `json:"modified_at"`
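Review bot: The new `time.Time` field has no documented zero-value contract, and its JSON behaviour differs from the old `string`. `encoding/json` decodes `null` as a no-op (zero time), rejects an empty string, and encodes a zero time as `"0001-01-01T00:00:00Z"`, because `omitempty` has no effect on struct values. If this struct is ever marshalled back to clients, a non-expiring token would appear to have expired in year 1. Add a field comment such as `// ExpiresAt is the zero time when the token does not expire`, and consider `*time.Time` if a round-trippable `null` is needed. The struct definition extends beyond the hunk.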
commit 7690110d5f23e689b80b3dabbbaa2b769b6d4d50
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Wed Nov 24 16:53:02 2021 -0300
17785: Fixes ACA type so that it doesn't have pointers to string fields.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/lib/controller/handler_test.go b/lib/controller/handler_test.go
index f854079f9..57816de2c 100644
--- a/lib/controller/handler_test.go
+++ b/lib/controller/handler_test.go
@@ -392,12 +392,32 @@ func (s *HandlerSuite) TestGetObjects(c *check.C) {
json.Unmarshal(resp.Body.Bytes(), &ksList)
c.Assert(len(ksList.Items), check.Not(check.Equals), 0)
ksUUID := ksList.Items[0].UUID
+ // Create a new token for the test user so that we're not comparing
+ // the ones from the fixtures.
+ req = httptest.NewRequest("POST", "/arvados/v1/api_client_authorizations",
+ strings.NewReader(`{
+ "api_client_authorization": {
+ "owner_uuid": "`+arvadostest.AdminUserUUID+`",
+ "created_by_ip_address": "::1",
+ "last_used_by_ip_address": "::1",
+ "default_owner_uuid": "`+arvadostest.AdminUserUUID+`"
+ }
+ }`))
+ req.Header.Set("Authorization", "Bearer "+arvadostest.SystemRootToken)
+ req.Header.Set("Content-type", "application/json")
+ resp = httptest.NewRecorder()
+ s.handler.ServeHTTP(resp, req)
+ c.Assert(resp.Code, check.Equals, http.StatusOK,
+ check.Commentf("%s", resp.Body.String()))
+ var auth arvados.APIClientAuthorization
+ json.Unmarshal(resp.Body.Bytes(), &auth)
+ c.Assert(auth.UUID, check.Not(check.Equals), "")
testCases := map[string]map[string]bool{
"api_clients/" + arvadostest.TrustedWorkbenchAPIClientUUID: nil,
- "api_client_authorizations/" + arvadostest.AdminTokenUUID: nil,
+ "api_client_authorizations/" + auth.UUID: {"href": true},
"authorized_keys/" + arvadostest.AdminAuthorizedKeysUUID: nil,
- "collections/" + arvadostest.CollectionWithUniqueWordsUUID: {"href": true},
+ "collections/" + arvadostest.CollectionWithUniqueWordsUUID: {"href": true, "modified_by_client_uuid": true, "modified_by_user_uuid": true},
"containers/" + arvadostest.RunningContainerUUID: nil,
"container_requests/" + arvadostest.QueuedContainerRequestUUID: nil,
"groups/" + arvadostest.AProjectUUID: nil,
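Review bot: The added `json.Unmarshal(resp.Body.Bytes(), &auth)` drops its error, and the only guard after it is that `auth.UUID` is non-empty. A decode failure on a later field can leave the struct partially filled with the UUID already set, which is the kind of type mismatch this commit series is fixing. Assert the result instead: `c.Assert(json.Unmarshal(resp.Body.Bytes(), &auth), check.IsNil)`. The context line above that decodes `ksList` has the same pattern.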
@@ -411,7 +431,8 @@ func (s *HandlerSuite) TestGetObjects(c *check.C) {
"workflows/" + arvadostest.WorkflowWithDefinitionYAMLUUID: nil,
}
for url, skippedFields := range testCases {
- s.CheckObjectType(c, "/arvados/v1/"+url, arvadostest.AdminToken, skippedFields)
+ c.Logf("Testing %q", url)
+ s.CheckObjectType(c, "/arvados/v1/"+url, auth.TokenV2(), skippedFields)
}
}
diff --git a/sdk/go/arvados/api_client_authorization.go b/sdk/go/arvados/api_client_authorization.go
index 0fb1dd894..686caf49d 100644
--- a/sdk/go/arvados/api_client_authorization.go
+++ b/sdk/go/arvados/api_client_authorization.go
@@ -12,16 +12,15 @@ type APIClientAuthorization struct {
APIClientID int `json:"api_client_id"`
APIToken string `json:"api_token"`
CreatedAt time.Time `json:"created_at"`
- CreatedByIPAddress *string `json:"created_by_ip_address"`
- DefaultOwnerUUID *string `json:"default_owner_uuid"`
+ CreatedByIPAddress string `json:"created_by_ip_address"`
+ DefaultOwnerUUID string `json:"default_owner_uuid"`
Etag string `json:"etag"`
ExpiresAt string `json:"expires_at"`
- Href string `json:"href"`
LastUsedAt time.Time `json:"last_used_at"`
- LastUsedByIPAddress *string `json:"last_used_by_ip_address"`
+ LastUsedByIPAddress string `json:"last_used_by_ip_address"`
ModifiedAt time.Time `json:"modified_at"`
- ModifiedByClientUUID *string `json:"modified_by_client_uuid"`
- ModifiedByUserUUID *string `json:"modified_by_user_uuid"`
+ ModifiedByClientUUID string `json:"modified_by_client_uuid"`
+ ModifiedByUserUUID string `json:"modified_by_user_uuid"`
OwnerUUID string `json:"owner_uuid"`
Scopes []string `json:"scopes"`
UserID int `json:"user_id"`
commit 978251ea0e2947b30e45bf2b8eea18e1c4572539
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Tue Nov 23 19:20:11 2021 -0300
17785: Enhances test.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index c877d046b..1498da5a2 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -668,19 +668,17 @@ func (s *IntegrationSuite) TestFederatedApiClientAuthHandling(c *check.C) {
conn1 := s.testClusters["z1111"].Conn()
// Make sure LoginCluster is properly configured
- for cls := range s.testClusters {
- if cls == "z1111" || cls == "z3333" {
- c.Check(
- s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
- check.Equals, "z1111",
- check.Commentf("incorrect LoginCluster config on cluster %q", cls))
- }
+ for _, cls := range []string{"z1111", "z3333"} {
+ c.Check(
+ s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+ check.Equals, "z1111",
+ check.Commentf("incorrect LoginCluster config on cluster %q", cls))
}
// Get user's UUID & attempt to create a token for it on the remote cluster
_, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1,
"user at example.com", true)
_, rootclnt3, _ := s.testClusters["z3333"].ClientsWithToken(rootclnt1.AuthToken)
- var resp interface{}
+ var resp arvados.APIClientAuthorization
err := rootclnt3.RequestAndDecode(
&resp, "POST", "arvados/v1/api_client_authorizations", nil,
map[string]interface{}{
@@ -690,6 +688,20 @@ func (s *IntegrationSuite) TestFederatedApiClientAuthHandling(c *check.C) {
},
)
c.Assert(err, check.IsNil)
+ newTok := resp.TokenV2()
+ c.Assert(newTok, check.Not(check.Equals), "")
+
+ // Confirm the token is from z1111
+ c.Assert(strings.HasPrefix(newTok, "v2/z1111-gj3su-"), check.Equals, true)
+
+ // Confirm the token works and is from the correct user
+ _, rootclnt3bis, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+ var curUser arvados.User
+ err = rootclnt3bis.RequestAndDecode(
+ &curUser, "GET", "arvados/v1/users/current", nil, nil,
+ )
+ c.Assert(err, check.IsNil)
+ c.Assert(curUser.UUID, check.Equals, user.UUID)
}
// Test for bug #18076
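Review bot: `c.Assert(strings.HasPrefix(newTok, "v2/z1111-gj3su-"), check.Equals, true)` reports only `false` on failure, so a wrong cluster prefix has to be debugged by re-running the test. Asserting on the record UUID gives a readable failure and keeps the token secret out of the test log: `c.Assert(resp.UUID, check.Matches, "z1111-gj3su-.*")`. The new checks confirm who the token belongs to but not its `ExpiresAt` or `Scopes`. If the federated-creation path is expected to preserve or bound those, an assertion here would pin that behaviour.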
@@ -700,13 +712,11 @@ func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) {
conn3 := s.testClusters["z3333"].Conn()
// Make sure LoginCluster is properly configured
- for cls := range s.testClusters {
- if cls == "z1111" || cls == "z3333" {
- c.Check(
- s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
- check.Equals, "z1111",
- check.Commentf("incorrect LoginCluster config on cluster %q", cls))
- }
+ for _, cls := range []string{"z1111", "z3333"} {
+ c.Check(
+ s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+ check.Equals, "z1111",
+ check.Commentf("incorrect LoginCluster config on cluster %q", cls))
}
for testCaseNr, testCase := range []struct {
-----------------------------------------------------------------------
hooks/post-receive
--