X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/505c8fa50631201e289cc55230d46fdf52fa2055..d7a49b632b5a20ec0167ea1d58265cd439e8b4db:/services/api/app/models/api_client.rb diff --git a/services/api/app/models/api_client.rb b/services/api/app/models/api_client.rb index c6c48a5b6b..791b971680 100644 --- a/services/api/app/models/api_client.rb +++ b/services/api/app/models/api_client.rb @@ -15,26 +15,48 @@ class ApiClient < ArvadosModel end def is_trusted - (from_trusted_url && Rails.configuration.Login.TokenLifetime == 0) || super + (from_trusted_url && Rails.configuration.Login.IssueTrustedTokens) || super end protected def from_trusted_url - norm(self.url_prefix) == norm(Rails.configuration.Services.Workbench1.ExternalURL) || - norm(self.url_prefix) == norm(Rails.configuration.Services.Workbench2.ExternalURL) + norm_url_prefix = norm(self.url_prefix) + + [Rails.configuration.Services.Workbench1.ExternalURL, + Rails.configuration.Services.Workbench2.ExternalURL, + "https://controller.api.client.invalid"].each do |url| + if norm_url_prefix == norm(url) + return true + end + end + + Rails.configuration.Login.TrustedClients.keys.each do |url| + trusted = norm(url) + if norm_url_prefix == trusted + return true + end + if trusted.host.to_s.starts_with?("*.") && + norm_url_prefix.to_s.starts_with?(trusted.scheme + "://") && + norm_url_prefix.to_s.ends_with?(trusted.to_s[trusted.scheme.length + 4...]) + return true + end + end + + false end def norm url # normalize URL for comparison - url = URI(url) - if url.scheme == "https" - url.port == "443" - end - if url.scheme == "http" - url.port == "80" + url = URI(url.to_s) + if url.scheme == "https" && url.port == "" + url.port = "443" + elsif url.scheme == "http" && url.port == "" + url.port = "80" end url.path = "/" + url.query = nil + url.fragment = nil url end end