6087: Get database time only once per manifest-signing/verifying event, rather than...

diff --git a/services/api/app/models/blob.rb b/services/api/app/models/blob.rb
index 799279d0400f31c2cf54feb503a1f48401e96321..7ae13ef2d0126d0b41b28a344e391ad55a7e6a41 100644 (file)
--- a/services/api/app/models/blob.rb
+++ b/services/api/app/models/blob.rb
@@ -91,7 +91,7 @@ class Blob
     if !timestamp.match /^[\da-f]+$/
       raise Blob::InvalidSignatureError.new 'Timestamp is not a base16 number.'
     end
-    if timestamp.to_i(16) < db_current_time.to_i
+    if timestamp.to_i(16) < (opts[:now] or db_current_time.to_i)
       raise Blob::InvalidSignatureError.new 'Signature expiry time has passed.'
     end
 

diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb
index ccfb35e49685e6746312291c852bfb2e5ed1867f..7f93e2069148613cd2cf26eab52d54977e7df64c 100644 (file)
--- a/services/api/app/models/collection.rb
+++ b/services/api/app/models/collection.rb
@@ -1,6 +1,7 @@
 require 'arvados/keep'
 
 class Collection < ArvadosModel
+  extend DbCurrentTime
   include HasUuid
   include KindAndEtag
   include CommonApiTemplate
@@ -60,7 +61,7 @@ class Collection < ArvadosModel
       signing_opts = {
         key: Rails.configuration.blob_signing_key,
         api_token: api_token,
-        ttl: Rails.configuration.blob_signature_ttl,
+        now: db_current_time.to_i,
       }
       self.manifest_text.lines.each do |entry|
         entry.split[1..-1].each do |tok|
@@ -195,7 +196,7 @@ class Collection < ArvadosModel
     signing_opts = {
       key: Rails.configuration.blob_signing_key,
       api_token: token,
-      ttl: Rails.configuration.blob_signature_ttl,
+      expire: db_current_time.to_i + Rails.configuration.blob_signature_ttl,
     }
     m = manifest.dup
     munge_manifest_locators!(m) do |loc|