[arvados] updated: 2.6.0-536-gc26761f7a5

git repository hosting git at public.arvados.org
Wed Aug 23 21:08:57 UTC 2023 

Summary of changes:
 .../api/app/models/api_client_authorization.rb     |  5 +-
 services/api/test/integration/remote_user_test.rb  | 59 ++++++++++++++++------
 2 files changed, 48 insertions(+), 16 deletions(-)

       via  c26761f7a57e52560bc663e4d748af265eae0900 (commit)
       via  3835284814eb1b4db5bf42c0b449da43f47c9157 (commit)
      from  cd669fe0345a9cbc09973ae957b97a0715364488 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit c26761f7a57e52560bc663e4d748af265eae0900
Author: Brett Smith <brett.smith at curii.com>
Date:   Wed Aug 23 17:06:18 2023 -0400

    20750: Propagate 401 errors when getting current remote user
    
    See comments for rationale. For cases where the token has limited scopes
    like we're trying to address, the API server returns 403 instead. My
    hope is this change prevents problems later in the code that aren't
    prepared to handle it, and in particular gets the last check of
    controller's IntegrationSuite.TestListUsers passing.
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 0c5ba3aff1..b9e1c5fcf9 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -321,8 +321,11 @@ class ApiClientAuthorization < ArvadosModel
       remote_url.path = "/arvados/v1/users/current"
       remote_user = SafeJSON.load(clnt.get_content(remote_url, remote_query, remote_headers))
     rescue HTTPClient::BadResponseError => e
+      # If the error was 401, then our token apparently become invalid since
+      # the last request. There's no way it can work from here, so propagate
+      # the error now.
       # If user is defined, we will use that alone for auth, see below.
-      if user.nil?
+      if e.res.status_code == 401 or user.nil?
         # See comment above about ApplicationController#render_error.
         def e.http_status
           self.res.status_code
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index eab2d66f4c..bead2e6c8c 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -613,23 +613,43 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
       end
     end
 
-    test "use cached user after getting #{status} response" do
-      url_path = "/arvados/v1/users/#{@stub_content[:uuid]}"
-      params = {format: "json"}
-      headers = auth(remote: "zbbbb")
+    case status
+    when 401
+      test "propagate #{status} response when updating cached user" do
+        url_path = "/arvados/v1/users/#{@stub_content[:uuid]}"
+        params = {format: "json"}
+        headers = auth(remote: "zbbbb")
+
+        get url_path, params: params, headers: headers
+        assert_response :success
 
-      get url_path, params: params, headers: headers
-      assert_response :success
+        uncache_token(headers["HTTP_AUTHORIZATION"])
+        expect_email = @stub_content[:email]
+        @stub_content[:email] = "new#{expect_email}"
+        @stub_status = status
+        expect_bad_status(status) do
+          get url_path, params: params, headers: headers
+        end
+      end
+    else
+      test "use cached user after getting #{status} response" do
+        url_path = "/arvados/v1/users/#{@stub_content[:uuid]}"
+        params = {format: "json"}
+        headers = auth(remote: "zbbbb")
 
-      uncache_token(headers["HTTP_AUTHORIZATION"])
-      expect_email = @stub_content[:email]
-      @stub_content[:email] = "new#{expect_email}"
-      @stub_status = status
-      get url_path, params: params, headers: headers
-      assert_response :success
-      user = User.find_by_uuid(@stub_content[:uuid])
-      assert_not_nil user
-      assert_equal expect_email, user.email
+        get url_path, params: params, headers: headers
+        assert_response :success
+
+        uncache_token(headers["HTTP_AUTHORIZATION"])
+        expect_email = @stub_content[:email]
+        @stub_content[:email] = "new#{expect_email}"
+        @stub_status = status
+        get url_path, params: params, headers: headers
+        assert_response :success
+        user = User.find_by_uuid(@stub_content[:uuid])
+        assert_not_nil user
+        assert_equal expect_email, user.email
+      end
     end
   end
 end

commit 3835284814eb1b4db5bf42c0b449da43f47c9157
Author: Brett Smith <brett.smith at curii.com>
Date:   Wed Aug 23 16:56:44 2023 -0400

    20750: Add tests for failures to get current token
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index e1fa3d0526..eab2d66f4c 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -595,6 +595,15 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
   end
 
   [401, 403, 422, 500, 502, 503].each do |status|
+    test "propagate #{status} response from getting remote token" do
+      @stub_token_status = status
+      expect_bad_status(status) do
+        get "/arvados/v1/users/#{@stub_content[:uuid]}",
+            params: {format: "json"},
+            headers: auth(remote: "zbbbb")
+      end
+    end
+
     test "propagate #{status} response from getting uncached user" do
       @stub_status = status
       expect_bad_status(status) do

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list