X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3dccfa028282d8b667a7b447ea061b7eecc8618f..d7a49b632b5a20ec0167ea1d58265cd439e8b4db:/services/api/app/models/api_client.rb

diff --git a/services/api/app/models/api_client.rb b/services/api/app/models/api_client.rb
index 75a800ba45..791b971680 100644
--- a/services/api/app/models/api_client.rb
+++ b/services/api/app/models/api_client.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 class ApiClient < ArvadosModel
   include HasUuid
   include KindAndEtag
@@ -9,4 +13,50 @@ class ApiClient < ArvadosModel
     t.add :url_prefix
     t.add :is_trusted
   end
+
+  def is_trusted
+    (from_trusted_url && Rails.configuration.Login.IssueTrustedTokens) || super
+  end
+
+  protected
+
+  def from_trusted_url
+    norm_url_prefix = norm(self.url_prefix)
+
+    [Rails.configuration.Services.Workbench1.ExternalURL,
+     Rails.configuration.Services.Workbench2.ExternalURL,
+     "https://controller.api.client.invalid"].each do |url|
+      if norm_url_prefix == norm(url)
+        return true
+      end
+    end
+
+    Rails.configuration.Login.TrustedClients.keys.each do |url|
+      trusted = norm(url)
+      if norm_url_prefix == trusted
+        return true
+      end
+      if trusted.host.to_s.starts_with?("*.") &&
+         norm_url_prefix.to_s.starts_with?(trusted.scheme + "://") &&
+         norm_url_prefix.to_s.ends_with?(trusted.to_s[trusted.scheme.length + 4...])
+        return true
+      end
+    end
+
+    false
+  end
+
+  def norm url
+    # normalize URL for comparison
+    url = URI(url.to_s)
+    if url.scheme == "https" && url.port == ""
+      url.port = "443"
+    elsif url.scheme == "http" && url.port == ""
+      url.port = "80"
+    end
+    url.path = "/"
+    url.query = nil
+    url.fragment = nil
+    url
+  end
 end