From 9cabd51263de6dadf5000b488ee62d3c32af50c0 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Javier=20B=C3=A9rtoli?= Date: Thu, 13 May 2021 12:50:21 -0300 Subject: [PATCH] feat(scoped_tokens): create scoped_tokens for webshell instances --- arvados/api/resources/virtual_machines.sls | 52 +++++++++++++++---- .../api/controls/resources_spec.rb | 27 ++++++++-- test/salt/pillar/arvados.sls | 3 ++ 3 files changed, 70 insertions(+), 12 deletions(-) diff --git a/arvados/api/resources/virtual_machines.sls b/arvados/api/resources/virtual_machines.sls index 07a215d..0bb468d 100644 --- a/arvados/api/resources/virtual_machines.sls +++ b/arvados/api/resources/virtual_machines.sls @@ -16,11 +16,20 @@ include: - {{ sls_config_file }} - ..service +arvados-api-resources-virtual-machines-jq-pkg-installed: + pkg.installed: + - name: jq + {%- for vm, vm_params in virtual_machines.items() %} {%- set vm_name = vm_params.name | default(vm) %} - {%- set vm_backend = vm_params.backend | default(vm_name) %} - {%- set vm_port = vm_params.port | default(4200) %} + {%- set cmd_query_vm_uuid = 'ARVADOS_API_TOKEN=' ~ api_token ~ + ' ARVADOS_API_HOST=' ~ api_host ~ + ' arv --short virtual_machine list' ~ + ' --filters \'[["hostname", "=", "' ~ vm_name ~ '"]]\'' + %} + +# Create the virtual machine record arvados-api-resources-virtual-machines-{{ vm }}-record-cmd-run: cmd.run: - env: 
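Review bot: `cmd_query_vm_uuid` splices the pillar hostname into a single-quoted shell word (`' --filters \'[["hostname", "=", "' ~ vm_name ~ '"]]\''`) with no escaping, so a `vm_name` containing `'` or `"` breaks the shell command or the JSON filter instead of failing cleanly; the value comes from pillar rather than from an end user, but the assumption is worth stating next to the `set`, e.g. `# vm_name is interpolated unescaped into a shell/JSON filter; it must be a plain hostname`. The string also carries `api_token` inline, so wherever it is run through a shell the token becomes part of the `sh -c` argument and is visible in the process table and in Salt's command debug output, whereas the record state directly below already passes the token via `env:`; dropping the two `ARVADOS_API_*` assignments from the string and relying on `env:` (which, as far as I can tell, Salt's cmd state also applies to `unless` checks) keeps the secret out of argv. `vm_backend` and `vm_port` are removed here and the rest of the loop body is outside this hunk, so I cannot confirm nothing further down still references them.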
@@ -32,11 +41,36 @@ arvados-api-resources-virtual-machines-{{ vm }}-record-cmd-run:
 create \
 --virtual-machine '{"hostname":"{{ vm_name }}" }'
 - unless: |
- ARVADOS_API_TOKEN={{ api_token }} \
- ARVADOS_API_HOST="{{ api_host }}" \
- arv --short \
- virtual_machine \
- list \
- --filters '[["hostname", "=", "{{ vm_name }}"]]' | \
- /bin/grep -qE "fixme-2x53u-[a-z0-9_]{15}"
+ {{ cmd_query_vm_uuid }} | \
+ /bin/grep -qE "fixme-2x53u-[a-z0-9]{15}"
+
+ # As we need the UUID generated in the previous command, we need to
+ # iterate again in order to get them
+ {% set vm_uuid = salt['cmd.shell'](cmd_query_vm_uuid) %}
+
+ {%- set scoped_token_url = '/arvados/v1/virtual_machines/' ~ vm_uuid ~ '/logins' %}
+
+ # There's no direct way to query the scoped_token for a given virtual_machine
+ # so we need to parse the api_client_authorization list through some jq
+ {%- set cmd_query_scoped_token_url = 'ARVADOS_API_TOKEN=' ~ api_token ~
+ ' ARVADOS_API_HOST=' ~ api_host ~
+ ' arv api_client_authorization list |' ~
+ ' jq -e \'.items[].scopes[] | select(. == "GET ' ~
+ scoped_token_url ~ '")\''
+ %}
+# Create the VM scoped tokens
+arvados-api-resources-virtual-machines-{{ vm }}-scoped-token-cmd-run:
+ cmd.run:
+ - env:
+ - ARVADOS_API_TOKEN: {{ api_token }}
+ - ARVADOS_API_HOST: {{ api_host }}
+ - name: |
+ arv --format=uuid \
+ api_client_authorization \
+ create \
+ --api-client-authorization '{"scopes":["GET {{ scoped_token_url }}"]}'
+ - require:
+ - pkg: arvados-api-resources-virtual-machines-jq-pkg-installed
+ - unless: {{ cmd_query_scoped_token_url }}
+
 {%- endfor %}
diff --git a/test/integration/api/controls/resources_spec.rb b/test/integration/api/controls/resources_spec.rb
index c4e2f6b..2d05a1e 100644
--- a/test/integration/api/controls/resources_spec.rb
+++ b/test/integration/api/controls/resources_spec.rb
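Review bot: `{% set vm_uuid = salt['cmd.shell'](cmd_query_vm_uuid) %}` runs while the state file is being rendered, before any state — including `...-record-cmd-run` just above it — has executed, so on a host where the VM record does not exist yet `vm_uuid` is empty, `scoped_token_url` becomes `/arvados/v1/virtual_machines//logins`, and the scoped-token state creates an authorization with that bogus scope; the next run then creates a second, correct token and the first one is never removed. Resolving the UUID inside the state's own shell script (and inside `unless`) at execution time, guarded by a non-empty check and with a `require` on the record state, removes the ordering problem and makes the three Jinja `set`s for `vm_uuid`, `scoped_token_url` and `cmd_query_scoped_token_url` unnecessary. Running `cmd.shell` at render time also puts the API token on a `sh -c` command line rather than in the state's `env:`, which shows up in the process table and in Salt's debug logging; the rewrite below keeps the credentials in `env:` only (Salt passes that env to `unless` as well, as far as I can tell). The enclosing `{%- for vm, vm_params ... %}` loop starts in the previous hunk.
```yaml
# … unchanged: record-cmd-run state and its unless …
# Create the VM scoped tokens
arvados-api-resources-virtual-machines-{{ vm }}-scoped-token-cmd-run:
  cmd.run:
    - env:
      - ARVADOS_API_TOKEN: {{ api_token }}
      - ARVADOS_API_HOST: {{ api_host }}
    - name: |
        # Resolve the UUID at execution time, after the record state has run.
        vm_uuid="$(arv --short virtual_machine list --filters '[["hostname", "=", "{{ vm_name }}"]]')"
        [ -n "${vm_uuid}" ] || { echo "no virtual_machine record for {{ vm_name }}" >&2; exit 1; }
        arv --format=uuid \
        api_client_authorization \
        create \
        --api-client-authorization "{\"scopes\":[\"GET /arvados/v1/virtual_machines/${vm_uuid}/logins\"]}"
    - require:
      - pkg: arvados-api-resources-virtual-machines-jq-pkg-installed
      - cmd: arvados-api-resources-virtual-machines-{{ vm }}-record-cmd-run
    - unless: |
        vm_uuid="$(arv --short virtual_machine list --filters '[["hostname", "=", "{{ vm_name }}"]]')"
        [ -n "${vm_uuid}" ] && arv api_client_authorization list | \
          jq -e ".items[].scopes[] | select(. == \"GET /arvados/v1/virtual_machines/${vm_uuid}/logins\")" > /dev/null
```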
@@ -1,11 +1,18 @@ # frozen_string_literal: true -test_cmd = <<~TEST_CMD +query_virtual_machines = <<~TEST_VM_CMD su -l kitchen -c \ "ARVADOS_API_TOKEN=\\"systemroottokenmushaveatleast32characters\\" \ ARVADOS_API_HOST=\\"fixme.example.net\\" \ arv virtual_machine list --filters '[[\\"hostname\\", \\"=\\", \\"%s\\"]]'" -TEST_CMD +TEST_VM_CMD + +query_scoped_token_urls = <<~TEST_STU_CMD + su -l kitchen -c \ + "ARVADOS_API_TOKEN=\\"systemroottokenmushaveatleast32characters\\" \ + ARVADOS_API_HOST=\\"fixme.example.net\\" \ + arv api_client_authorization list" +TEST_STU_CMD control 'arvados api resources' do impact 0.5 @@ -14,15 +21,29 @@ control 'arvados api resources' do %w[ webshell1 webshell2 + webshell3 ].each do |vm| describe "virtual machine #{vm}" do subject do - command(test_cmd % vm) + command(query_virtual_machines % vm) end its('stdout') { should match(/"uuid":"fixme-2x53u-[a-z0-9_]{15}"/) } its('stdout') { should match(/"hostname":"#{vm}"/) } its('stderr') { should eq '' } its('exit_status') { should eq 0 } end + + describe "scoped token for #{vm}" do + subject do + command(query_scoped_token_urls % vm) + end + its('stdout') do + should match( + %r{"GET /arvados/v1/virtual_machines/fixme-2x53u-[a-z0-9]{15}/logins"} + ) + end + its('stderr') { should eq '' } + its('exit_status') { should eq 0 } + end end end diff --git a/test/salt/pillar/arvados.sls b/test/salt/pillar/arvados.sls index 1abe76c..81d22d4 100644 --- a/test/salt/pillar/arvados.sls +++ b/test/salt/pillar/arvados.sls @@ -62,6 +62,9 @@ arvados: backend: 1.2.3.4 port: 4200 webshell2: {} + webshell3: + backend: 4.3.2.1 + port: 4500 ### TOKENS tokens: -- 2.30.2
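Review bot: The new `describe "scoped token for #{vm}"` example in the second hunk does not check the token for this VM: `query_scoped_token_urls` contains no `%s`, so `query_scoped_token_urls % vm` is a no-op (Ruby only warns about the extra argument under `-w`), and the `%r{"GET /arvados/v1/virtual_machines/fixme-2x53u-[a-z0-9]{15}/logins"}` pattern matches a scope for any virtual machine, so webshell2 and webshell3 pass as long as a single VM has a token. Resolving this VM's UUID from the `virtual_machine list` output and matching that exact path makes the example meaningful, and a missing UUID should fail the example rather than silently match `virtual_machines//logins`. The two UUID patterns in this file also disagree (`[a-z0-9_]{15}` in the VM example, `[a-z0-9]{15}` here); pick one. The enclosing `control` block and the `%w[...].each` loop start outside this hunk.
```ruby
    describe "scoped token for #{vm}" do
      subject do
        command(query_scoped_token_urls)
      end
      its('stdout') do
        # Look up this VM's UUID so the scope is checked for this VM only.
        vm_uuid = command(query_virtual_machines % vm).stdout[/"uuid":"(fixme-2x53u-[a-z0-9]{15})"/, 1]
        expect(vm_uuid).not_to be_nil
        should match(%r{"GET /arvados/v1/virtual_machines/#{vm_uuid}/logins"})
      end
      # … unchanged: stderr / exit_status expectations …
    end
```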