Merge branch 'master' into 11453-federated-tokens
authorTom Clegg <tclegg@veritasgenetics.com>
Mon, 27 Nov 2017 20:22:08 +0000 (15:22 -0500)
committerTom Clegg <tclegg@veritasgenetics.com>
Mon, 27 Nov 2017 20:22:08 +0000 (15:22 -0500)
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

build/run-tests.sh
services/api/Gemfile
services/api/Gemfile.lock
services/api/app/controllers/application_controller.rb
services/api/app/controllers/arvados/v1/schema_controller.rb
services/api/app/middlewares/arvados_api_token.rb

Simple merge
index 34e88a85e625792cae8ad74cdf7b85d68b2abff3,25e13a51dbbf70444dbd0eaa6c4417fad93b1d15..4cb5671e1801fc75107057da949653482cbf8430
@@@ -57,9 -57,7 +57,8 @@@ gem 'themes_for_rails', git: 'https://g
  
  gem 'arvados', '>= 0.1.20150615153458'
  gem 'arvados-cli', '>= 0.1.20161017193526'
 +gem 'httpclient'
  
- gem 'puma', '~> 2.0'
  gem 'sshkey'
  gem 'safe_yaml'
  gem 'lograge'
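Review bot: The new `gem 'httpclient'` line carries no version constraint, while the neighbouring `arvados` and `arvados-cli` entries each state a lower bound. Gemfile.lock is in this merge's file list, so the resolved version is presumably pinned there, but a minimum on the Gemfile line itself, e.g. `gem 'httpclient', '>= <minimum version — to be chosen>'`, records which API the federated-token code relies on and keeps a later `bundle update` from silently crossing a breaking release.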
Simple merge
index 25736d31e7d017431b224a526e61671466f3097b,6f893bcc850015b7c682243e1913ac121dbf9551..c3b34112b2d32134a154d8dbc67e2c0eacd6c321
@@@ -55,9 -49,8 +55,10 @@@ class Arvados::V1::SchemaController < A
          crunchLogThrottleLines: Rails.application.config.crunch_log_throttle_lines,
          crunchLimitLogBytesPerJob: Rails.application.config.crunch_limit_log_bytes_per_job,
          crunchLogPartialLineThrottlePeriod: Rails.application.config.crunch_log_partial_line_throttle_period,
 +        remoteHosts: Rails.configuration.remote_hosts,
 +        remoteHostsViaDNS: Rails.configuration.remote_hosts_via_dns,
          websocketUrl: Rails.application.config.websocket_address,
+         workbenchUrl: Rails.application.config.workbench_address,
          parameters: {
            alt: {
              type: "string",
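Review bot: The two added keys read their values through `Rails.configuration.remote_hosts` / `Rails.configuration.remote_hosts_via_dns`, whereas every surrounding entry, including the `workbenchUrl` line merged from master, uses `Rails.application.config.…`; the two accessors resolve to the same object, so this is a style inconsistency rather than a bug, but `remoteHosts: Rails.application.config.remote_hosts,` and `remoteHostsViaDNS: Rails.application.config.remote_hosts_via_dns,` would match the file. Separately, these keys publish the cluster's federation peer list in the discovery document, which is presumably readable without a token; if that exposure is intended, a short comment above the two lines such as `# Published so federated clients can locate peer clusters` would make it clear to the next reader that it was a deliberate choice. The enclosing method continues outside the hunk.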
index 105b00faa4dc4d108737949381f9f5c40d8c17ca,6a376318271472db857db6b926ba90d4d8262244..de6ba6f97f94aa868e20ac228a93df9387b7088b
@@@ -20,31 -29,43 +20,46 @@@ class ArvadosApiToke
      remote_ip = env["action_dispatch.remote_ip"]
  
      Thread.current[:request_starttime] = Time.now
-     Thread.current[:supplied_token] =
-       params["api_token"] ||
-       params["oauth_token"] ||
-       env["HTTP_AUTHORIZATION"].andand.
-         match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2]
 -    user = nil
 -    api_client = nil
 -    api_client_auth = nil
 -    if request.get? || params["_method"] == 'GET'
 +
++    remote = false
++    reader_tokens = nil
 +    if params[:remote] && request.get? && (
 +         request.path.start_with?('/arvados/v1/groups') ||
 +         request.path.start_with?('/arvados/v1/users/current'))
 +      # Request from a remote API server, asking to validate a salted
 +      # token.
 +      remote = params[:remote]
-     else
-       # Normal request.
-       remote = false
++    elsif request.get? || params["_method"] == 'GET'
+       reader_tokens = params["reader_tokens"]
+       if reader_tokens.is_a? String
+         reader_tokens = SafeJSON.load(reader_tokens)
+       end
 -    else
 -      reader_tokens = nil
+     end
+     # Set current_user etc. based on the primary session token if a
+     # valid one is present. Otherwise, use the first valid token in
+     # reader_tokens.
++    auth = nil
+     [params["api_token"],
+      params["oauth_token"],
 -     env["HTTP_AUTHORIZATION"].andand.match(/OAuth2 ([a-zA-Z0-9]+)/).andand[1],
++     env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([a-zA-Z0-9]+)/).andand[2],
+      *reader_tokens,
+     ].each do |supplied|
+       next if !supplied
+       try_auth = ApiClientAuthorization.
 -        includes(:api_client, :user).
 -        where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', supplied).
 -        first
++                 validate(token: Thread.current[:supplied_token],
++                          remote: remote)
+       if try_auth.andand.user
 -        api_client_auth = try_auth
 -        user = api_client_auth.user
 -        api_client = api_client_auth.api_client
++        auth = try_auth
+         break
+       end
      end
-     auth = ApiClientAuthorization.
-            validate(token: Thread.current[:supplied_token],
-                     remote: remote)
 +
      Thread.current[:api_client_ip_address] = remote_ip
 -    Thread.current[:api_client_authorization] = api_client_auth
 -    Thread.current[:api_client_uuid] = api_client.andand.uuid
 -    Thread.current[:api_client] = api_client
 -    Thread.current[:user] = user
 +    Thread.current[:api_client_authorization] = auth
 +    Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
 +    Thread.current[:api_client] = auth.andand.api_client
 +    Thread.current[:user] = auth.andand.user
  
      @app.call env if @app
    end
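Review bot: The token loop never validates the token it iterates over: the `validate` call merged from the branch passes `token: Thread.current[:supplied_token]`, but the assignment to `Thread.current[:supplied_token]` (the removed `params["api_token"] || …` chain near the top of the hunk) no longer exists in the result, so unless something outside this hunk sets it, each iteration validates `nil` — or, worse, whatever value an earlier request on the same thread left behind — and `supplied` is dead. The call should be `validate(token: supplied, remote: remote)`, with the block's guard written as `next unless supplied`. The merged `HTTP_AUTHORIZATION` regex at line 82 also keeps master's `[a-zA-Z0-9]+` charset, while the branch-side line it replaces accepted `[-\/a-zA-Z0-9]+`; if salted or v2-style tokens contain `-` or `/`, the capture will stop at the first such character and hand a truncated token to `validate`, so that character class looks like a merge regression worth re-checking against the token format. The `call` method's signature lies before the start of the hunk.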