end
[nil, db_current_time + 2.hours].each do |desired_expiration|
- test "expires_at gets clamped on non-admins when API.MaxTokenLifetime is set and desired expires_at #{desired_expiration.nil? ? 'is not set' : 'exceeds the limit'}" do
- Rails.configuration.API.MaxTokenLifetime = 1.hour
-
- # Test token creation
- start_t = db_current_time
- post "/arvados/v1/api_client_authorizations",
- params: {
- :format => :json,
- :api_client_authorization => {
- :owner_uuid => users(:active).uuid,
- :expires_at => desired_expiration,
- }
- },
- headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
- end_t = db_current_time
- assert_response 200
- expiration_t = json_response['expires_at'].to_time
- assert_operator expiration_t.to_f, :>, (start_t + Rails.configuration.API.MaxTokenLifetime).to_f
- if !desired_expiration.nil?
- assert_operator expiration_t.to_f, :<, desired_expiration.to_f
- else
- assert_operator expiration_t.to_f, :<, (end_t + Rails.configuration.API.MaxTokenLifetime).to_f
- end
-
- # Test token update
- previous_expiration = expiration_t
- token_uuid = json_response["uuid"]
- start_t = db_current_time
- put "/arvados/v1/api_client_authorizations/#{token_uuid}",
- params: {
- :api_client_authorization => {
- :expires_at => desired_expiration
- }
- },
- headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
- end_t = db_current_time
- assert_response 200
- expiration_t = json_response['expires_at'].to_time
- assert_operator previous_expiration.to_f, :<, expiration_t.to_f
- assert_operator expiration_t.to_f, :>, (start_t + Rails.configuration.API.MaxTokenLifetime).to_f
- if !desired_expiration.nil?
- assert_operator expiration_t.to_f, :<, desired_expiration.to_f
- else
- assert_operator expiration_t.to_f, :<, (end_t + Rails.configuration.API.MaxTokenLifetime).to_f
- end
- end
-
- test "behavior when expires_at is set to #{desired_expiration.nil? ? 'nil' : 'exceed the limit'} by admins when API.MaxTokenLifetime is set" do
- Rails.configuration.API.MaxTokenLifetime = 1.hour
-
- # Test token creation
- post "/arvados/v1/api_client_authorizations",
- params: {
- :format => :json,
- :api_client_authorization => {
- :owner_uuid => users(:admin).uuid,
- :expires_at => desired_expiration,
- }
- },
- headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
- assert_response 200
- if desired_expiration.nil?
- # When expires_at is nil, default to MaxTokenLifetime
- assert_operator (json_response['expires_at'].to_time.to_i - (db_current_time + Rails.configuration.API.MaxTokenLifetime).to_i).abs, :<, 2
- else
- assert_equal json_response['expires_at'].to_time.to_i, desired_expiration.to_i
- end
-
- # Test token update (reverse the above behavior)
- token_uuid = json_response['uuid']
- if desired_expiration.nil?
- submitted_updated_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime + 1.hour
- else
- submitted_updated_expiration = nil
- end
- put "/arvados/v1/api_client_authorizations/#{token_uuid}",
- params: {
- :api_client_authorization => {
- :expires_at => submitted_updated_expiration,
- }
- },
- headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
- assert_response 200
- if submitted_updated_expiration.nil?
- assert_operator (json_response['expires_at'].to_time.to_i - (db_current_time + Rails.configuration.API.MaxTokenLifetime).to_i).abs, :<, 2
- else
- assert_equal json_response['expires_at'].to_time.to_i, submitted_updated_expiration.to_i
+ [false, true].each do |admin|
+ test "expires_at gets clamped on #{admin ? 'admins' : 'non-admins'} when API.MaxTokenLifetime is set and desired expires_at #{desired_expiration.nil? ? 'is not set' : 'exceeds the limit'}" do
+ Rails.configuration.API.MaxTokenLifetime = 1.hour
+ token = api_client_authorizations(admin ? :admin_trustedclient : :active_trustedclient).api_token
+
+ # Test token creation
+ start_t = db_current_time
+ post "/arvados/v1/api_client_authorizations",
+ params: {
+ :format => :json,
+ :api_client_authorization => {
+ :owner_uuid => users(admin ? :admin : :active).uuid,
+ :expires_at => desired_expiration,
+ }
+ },
+ headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
+ assert_response 200
+ expiration_t = json_response['expires_at'].to_time
+ if admin && desired_expiration
+ assert_in_delta desired_expiration.to_f, expiration_t.to_f, 1
+ else
+ assert_in_delta (start_t + Rails.configuration.API.MaxTokenLifetime).to_f, expiration_t.to_f, 2
+ end
+
+ # Test token update
+ previous_expiration = expiration_t
+ token_uuid = json_response["uuid"]
+
+ start_t = db_current_time
+ patch "/arvados/v1/api_client_authorizations/#{token_uuid}",
+ params: {
+ :api_client_authorization => {
+ :expires_at => desired_expiration
+ }
+ },
+ headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
+ assert_response 200
+ expiration_t = json_response['expires_at'].to_time
+ if admin && desired_expiration
+ assert_in_delta desired_expiration.to_f, expiration_t.to_f, 1
+ else
+ assert_in_delta (start_t + Rails.configuration.API.MaxTokenLifetime).to_f, expiration_t.to_f, 2
+ end
end
end
end