[arvados] created: 2.7.0-6259-g342d41c174

[git repository hosting]

        at  342d41c1745b40ef78739fe9599be11f6dc529c5 (commit)


commit 342d41c1745b40ef78739fe9599be11f6dc529c5
Author: Tom Clegg <tom at curii.com>
Date:   Mon Mar 25 17:25:10 2024 -0400

    21617: Accept bogus tokens at endpoints that do not require auth.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index 53e6a90b8f..45f35a6d2e 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -28,6 +28,7 @@ import (
 	"git.arvados.org/arvados.git/sdk/go/arvadostest"
 	"git.arvados.org/arvados.git/sdk/go/ctxlog"
 	"git.arvados.org/arvados.git/sdk/go/httpserver"
+	"git.arvados.org/arvados.git/sdk/go/keepclient"
 	check "gopkg.in/check.v1"
 )
 
@@ -167,6 +168,20 @@ func (s *IntegrationSuite) TestDefaultStorageClassesOnCollections(c *check.C) {
 	c.Assert(coll.StorageClassesDesired, check.DeepEquals, kc.DefaultStorageClasses)
 }
 
+func (s *IntegrationSuite) createTestCollectionManifest(c *check.C, ac *arvados.Client, kc *keepclient.KeepClient, content string) string {
+	fs, err := (&arvados.Collection{}).FileSystem(ac, kc)
+	c.Assert(err, check.IsNil)
+	f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
+	c.Assert(err, check.IsNil)
+	_, err = io.WriteString(f, content)
+	c.Assert(err, check.IsNil)
+	err = f.Close()
+	c.Assert(err, check.IsNil)
+	mtxt, err := fs.MarshalManifest(".")
+	c.Assert(err, check.IsNil)
+	return mtxt
+}
+
 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
 	conn1 := s.super.Conn("z1111")
 	rootctx1, _, _ := s.super.RootClients("z1111")
@@ -175,34 +190,70 @@ func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
 
 	// Create the collection to find its PDH (but don't save it
 	// anywhere yet)
-	var coll1 arvados.Collection
-	fs1, err := coll1.FileSystem(ac1, kc1)
-	c.Assert(err, check.IsNil)
-	f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
-	c.Assert(err, check.IsNil)
-	_, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
-	c.Assert(err, check.IsNil)
-	err = f.Close()
-	c.Assert(err, check.IsNil)
-	mtxt, err := fs1.MarshalManifest(".")
-	c.Assert(err, check.IsNil)
+	mtxt := s.createTestCollectionManifest(c, ac1, kc1, c.TestName())
 	pdh := arvados.PortableDataHash(mtxt)
 
 	// Looking up the PDH before saving returns 404 if cycle
 	// detection is working.
-	_, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
+	_, err := conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
 	c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
 
 	// Save the collection on cluster z1111.
-	coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+	_, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
 		"manifest_text": mtxt,
 	}})
 	c.Assert(err, check.IsNil)
 
 	// Retrieve the collection from cluster z3333.
-	coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
+	coll2, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
 	c.Check(err, check.IsNil)
-	c.Check(coll.PortableDataHash, check.Equals, pdh)
+	c.Check(coll2.PortableDataHash, check.Equals, pdh)
+}
+
+func (s *IntegrationSuite) TestFederation_Write1Read2(c *check.C) {
+	s.testFederationCollectionAccess(c, "z1111", "z2222")
+}
+
+func (s *IntegrationSuite) TestFederation_Write2Read1(c *check.C) {
+	s.testFederationCollectionAccess(c, "z2222", "z1111")
+}
+
+func (s *IntegrationSuite) TestFederation_Write2Read3(c *check.C) {
+	s.testFederationCollectionAccess(c, "z2222", "z3333")
+}
+
+func (s *IntegrationSuite) testFederationCollectionAccess(c *check.C, writeCluster, readCluster string) {
+	conn1 := s.super.Conn("z1111")
+	rootctx1, _, _ := s.super.RootClients("z1111")
+	_, ac1, _, _ := s.super.UserClients("z1111", rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
+
+	connW := s.super.Conn(writeCluster)
+	userctxW, acW, kcW := s.super.ClientsWithToken(writeCluster, ac1.AuthToken)
+	kcW.DiskCacheSize = keepclient.DiskCacheDisabled
+	connR := s.super.Conn(readCluster)
+	userctxR, acR, kcR := s.super.ClientsWithToken(readCluster, ac1.AuthToken)
+	kcR.DiskCacheSize = keepclient.DiskCacheDisabled
+
+	filedata := fmt.Sprintf("%s: write to %s, read from %s", c.TestName(), writeCluster, readCluster)
+	mtxt := s.createTestCollectionManifest(c, acW, kcW, filedata)
+	collW, err := connW.CollectionCreate(userctxW, arvados.CreateOptions{Attrs: map[string]interface{}{
+		"manifest_text": mtxt,
+	}})
+	c.Assert(err, check.IsNil)
+
+	collR, err := connR.CollectionGet(userctxR, arvados.GetOptions{UUID: collW.UUID})
+	if !c.Check(err, check.IsNil) {
+		return
+	}
+	fsR, err := collR.FileSystem(acR, kcR)
+	if !c.Check(err, check.IsNil) {
+		return
+	}
+	buf, err := fs.ReadFile(arvados.FS(fsR), "test.txt")
+	if !c.Check(err, check.IsNil) {
+		return
+	}
+	c.Check(string(buf), check.Equals, filedata)
 }
 
 // Tests bug #18004
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index af553997e5..e41fa99a08 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -294,6 +294,10 @@ class ApiClientAuthorization < ArvadosModel
         raise "remote cluster #{upstream_cluster_id} returned invalid token uuid #{token_uuid.inspect}"
       end
     rescue HTTPClient::BadResponseError => e
+      if e.res.status_code == 401
+        # Token is not valid.
+        return nil
+      end
       # CurrentApiToken#call and ApplicationController#render_error will
       # propagate the status code from the #http_status method, so define
       # that here.

-----------------------------------------------------------------------


hooks/post-receive
--