end
if @object.auth.nil?
cr = ContainerRequest.
- where('container_uuid=? and priority>0', self.uuid).
+ where('container_uuid=? and priority>0', @object.uuid).
order('priority desc').
first
@object = ApiClientAuthorization.validate(token: cr.runtime_token)
errors.add :runtime_token, "not a v2 token"
return
end
- if ApiClientAuthorization.validate(token: cr.runtime_token).nil?
+ if ApiClientAuthorization.validate(token: runtime_token).nil?
errors.add :runtime_token, "failed validation"
end
end
- GET /arvados/v1/collections/zzzzz-4zz18-znfnqtbbv4spc3w
- GET /arvados/v1/collections/zzzzz-4zz18-znfnqtbbv4spc3w/
- GET /arvados/v1/keep_services/accessible
+
+container_runtime_token:
+ uuid: zzzzz-gj3su-2nj68s291f50gd9
+ api_client: untrusted
+ user: spectator
+ api_token: 2d19ue6ofx26o3mm7fs9u6t7hov9um0v92dzwk1o2xed3abprw
+ expires_at: 2038-01-01 00:00:00
vcpus: 1
ram: 123
+runtime_token:
+ uuid: zzzzz-xvhdp-11eklkhy0n4dm86
+ owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+ name: queued
+ state: Committed
+ priority: 1
+ created_at: <%= 2.minute.ago.to_s(:db) %>
+ updated_at: <%= 1.minute.ago.to_s(:db) %>
+ modified_at: <%= 1.minute.ago.to_s(:db) %>
+ modified_by_user_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+ container_image: test
+ cwd: test
+ output_path: test
+ command: ["echo", "hello"]
+ container_uuid: zzzzz-dz642-20isqbkl8xwnsao
+ runtime_token: v2/zzzzz-gj3su-2nj68s291f50gd9/2d19ue6ofx26o3mm7fs9u6t7hov9um0v92dzwk1o2xed3abprw
+ runtime_constraints:
+ vcpus: 1
+ ram: 123
+
# Test Helper trims the rest of the file
auth_uuid: zzzzz-gj3su-ty6lvu9d7u7c2sq
secret_mounts: {}
secret_mounts_md5: 99914b932bd37a50b983c5e7c90ae93b
+
+runtime_token:
+ uuid: zzzzz-dz642-20isqbkl8xwnsao
+ owner_uuid: zzzzz-tpzed-000000000000000
+ state: Queued
+ priority: 1
+ created_at: 2016-01-11 11:11:11.111111111 Z
+ updated_at: 2016-01-11 11:11:11.111111111 Z
+ container_image: test
+ cwd: test
+ output_path: test
+ command: ["echo", "hello"]
+ runtime_constraints:
+ ram: 12000000000
+ vcpus: 4
+ mounts:
+ /tmp:
+ kind: tmp
+ capacity: 24000000000
+ /var/spool/cwl:
+ kind: tmp
+ capacity: 24000000000
req.reload
assert_equal 'bar', req.secret_mounts['/foo']['content']
end
+
+ test "runtime_token not in #create responses" do
+ authorize_with :active
+
+ post :create, {
+ container_request: minimal_cr.merge(
+ runtime_token: api_client_authorizations(:spectator).token)
+ }
+ assert_response :success
+
+ resp = JSON.parse(@response.body)
+ refute resp.has_key?('runtime_token')
+
+ req = ContainerRequest.where(uuid: resp['uuid']).first
+ assert_equal api_client_authorizations(:spectator).token, req.runtime_token
+ end
+
end
end
end
end
+
+ test 'get runtime_token auth' do
+ authorize_with :dispatch1
+ c = containers(:runtime_token)
+ assert c.lock, show_errors(c)
+ get :auth, id: c.uuid
+ assert_response :success
+ assert_equal "v2/#{json_response['uuid']}/#{json_response['api_token']}", api_client_authorizations(:container_runtime_token).token
+ assert_equal 'arvados#apiClientAuthorization', json_response['kind']
+ end
+
end
assert_equal 'barney', json_response['username']
end
- test "validate unsalted token for remote cluster zbbbb" do
+ test "validate unsalted v2 token for remote cluster zbbbb" do
auth = api_client_authorizations(:active)
token = "v2/#{auth.uuid}/#{auth.api_token}"
get '/arvados/v1/users/current', {format: 'json', remote: 'zbbbb'}, {
"HTTP_AUTHORIZATION" => "Bearer #{token}"
}
- assert_response 200
+ assert_response :success
assert_equal(users(:active).uuid, json_response['uuid'])
end
-
- # test 'container request with remote runtime_token' do
- # auth = api_client_authorizations(:active)
- # token = "v2/#{auth.uuid.sub('zzzzz-', 'zbbbb-')}/#{auth.api_token}"
-
- # post '/arvados/v1/container_requests', {"container_request": {}}, {"HTTP_AUTHORIZATION" => "Bearer #{token}"}
- # assert_response :success
- # end
+ test 'container request with runtime_token' do
+ [["valid local", "v2/#{api_client_authorizations(:active).uuid}/#{api_client_authorizations(:active).api_token}"],
+ ["valid remote", "v2/zbbbb-gj3su-000000000000000/abc"],
+ ["invalid local", "v2/#{api_client_authorizations(:active).uuid}/fakefakefake"]
+ ].each do |label, runtime_token|
+ post '/arvados/v1/container_requests', {
+ "container_request" => {
+ "command" => ["echo"],
+ "container_image" => "xyz",
+ "output_path" => "/",
+ "cwd" => "/",
+ "runtime_token" => runtime_token
+ }
+ }, {"HTTP_AUTHORIZATION" => "Bearer #{api_client_authorizations(:active).api_token}"}
+ if label.include? "invalid"
+ assert_response 422
+ else
+ assert_response :success
+ end
+ end
+ end
end
secret_mounts: sm)
assert_equal [:secret_mounts], cr.errors.messages.keys
end
+
+ test "valid runtime_token" do
+ set_user_from_auth :active
+ spec = api_client_authorizations(:spectator)
+ cr = create_minimal_req!(state: "Committed", runtime_token: spec.token)
+ cr.save!
+ c = Container.find_by_uuid cr.container_uuid
+ assert_nil c.auth_uuid
+ end
+
+ test "invalid runtime_token" do
+ set_user_from_auth :active
+ spec = api_client_authorizations(:spectator)
+ assert_raises(ActiveRecord::RecordInvalid) do
+ cr = create_minimal_req!(state: "Committed", runtime_token: "#{spec.token}xx")
+ cr.save!
+ end
+ end
end