14196: Don't crash if element of params[:reader_tokens] is not a String

[arvados.git] / services / api / app / controllers / application_controller.rb

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index c4f64f6039b3683127d2b5735ae11064446d10cb..a0555d13d762a495d9e30a57347ed3336f0e0984 100644 (file)
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0
 
 require 'safe_json'
+require 'request_error'
 
 module ApiTemplateOverride
   def allowed_to_render?(fieldset, field, model, options)
@@ -77,14 +78,21 @@ class ApplicationController < ActionController::Base
     @distinct = nil
     @response_resource_name = nil
     @attrs = nil
+    @extra_included = nil
   end
 
   def default_url_options
+    options = {}
     if Rails.configuration.host
-      {:host => Rails.configuration.host}
-    else
-      {}
+      options[:host] = Rails.configuration.host
+    end
+    if Rails.configuration.port
+      options[:port] = Rails.configuration.port
+    end
+    if Rails.configuration.protocol
+      options[:protocol] = Rails.configuration.protocol
     end
+    options
   end
 
   def index
@@ -137,7 +145,7 @@ class ApplicationController < ActionController::Base
 
   def render_error(e)
     logger.error e.inspect
-    if e.respond_to? :backtrace and e.backtrace
+    if !e.is_a? RequestError and (e.respond_to? :backtrace and e.backtrace)
       logger.error e.backtrace.collect { |x| x + "\n" }.join('')
     end
     if (@object.respond_to? :errors and
@@ -336,13 +344,20 @@ class ApplicationController < ActionController::Base
     # If there are too many reader tokens, assume the request is malicious
     # and ignore it.
     if request.get? and params[:reader_tokens] and
-        params[:reader_tokens].size < 100
+      params[:reader_tokens].size < 100
+      secrets = params[:reader_tokens].map { |t|
+        if t.is_a? String and t.starts_with? "v2/"
+          t.split("/")[2]
+        else
+          t
+        end
+      }
       @read_auths += ApiClientAuthorization
         .includes(:user)
         .where('api_token IN (?) AND
                 (expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)',
-               params[:reader_tokens])
-        .all
+               secrets)
+        .to_a
     end
     @read_auths.select! { |auth| auth.scopes_allow_request? request }
     @read_users = @read_auths.map(&:user).uniq
@@ -381,7 +396,9 @@ class ApplicationController < ActionController::Base
       req_id = "req-" + Random::DEFAULT.rand(2**128).to_s(36)[0..19]
     end
     response.headers['X-Request-Id'] = Thread.current[:request_id] = req_id
-    yield
+    Rails.logger.tagged(req_id) do
+      yield
+    end
     Thread.current[:request_id] = nil
   end
 
@@ -491,6 +508,9 @@ class ApplicationController < ActionController::Base
       :limit => @limit,
       :items => @objects.as_api_response(nil, {select: @select})
     }
+    if @extra_included
+      list[:included] = @extra_included.as_api_response(nil, {select: @select})
+    end
     case params[:count]
     when nil, '', 'exact'
       if @objects.respond_to? :except
@@ -550,7 +570,13 @@ class ApplicationController < ActionController::Base
         location: "query",
         required: false,
         default: false
-      }
+      },
+      cluster_id: {
+        type: 'string',
+        description: "Create object on a remote federated cluster instead of the current one.",
+        location: "query",
+        required: false,
+      },
     }
   end