t.add :owner_uuid
t.add :user_id
t.add :api_client_id
+ # NB the "api_token" db column is a misnomer in that it's only the
+ # "secret" part of a token: a v1 token is just the secret, but a
+ # v2 token is "v2/uuid/secret".
t.add :api_token
t.add :created_by_ip_address
t.add :default_owner_uuid
auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
auth.user = user
- auth.api_token = token
+ auth.api_token = secret
auth.api_client_id = 0
end
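Review bot: `auth.api_token = secret` on the added line only executes when `find_or_create_by` actually creates the row, so a record already cached for this uuid with an older secret is not rewritten by this block; unless the statements after the block (outside this hunk) refresh `api_token` and `expires_at`, a rotated secret would never replace the cached one. If that refresh does exist below, a one-line comment on the block would stop a reader from assuming this is the only write: `# block runs only on create; api_token/expires_at are refreshed below`. The enclosing method starts and ends outside the hunk.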
require 'helpers/users_test_helper'
class RemoteUsersTest < ActionDispatch::IntegrationTest
+ include DbCurrentTime
+
+ def salted_active_token(remote:)
+ salt_token(fixture: :active, remote: remote).sub('/zzzzz-', '/'+remote+'-')
+ end
+
def auth(remote:)
- token = salt_token(fixture: :active, remote: remote)
- token.sub!('/zzzzz-', '/'+remote+'-')
+ token = salted_active_token(remote: remote)
{"HTTP_AUTHORIZATION" => "Bearer #{token}"}
end
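Review bot: The new `salted_active_token` helper builds the replacement with `'/'+remote+'-'`; interpolation reads more clearly and matches the style of the header hash in `auth`: `salt_token(fixture: :active, remote: remote).sub('/zzzzz-', "/#{remote}-")`. A short comment would also help, since the substitution is rewriting the cluster prefix of the uuid embedded in the v2 token: `# rewrite the uuid's cluster prefix so the token appears issued by `remote``. Switching from `sub!` to `sub` also means the helper no longer mutates the string in place, which is the safer form.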
assert_response :success
assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
assert_equal false, json_response['is_admin']
+
+ # revoke original token
+ @stub_status = 401
+ @stub_content = {error: 'not authorized'}
+
+ # re-authorize before cache expires
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
+ assert_response :success
+
+ # simulate cache expiry
+ ApiClientAuthorization.where(
+ uuid: salted_active_token(remote: 'zbbbb').split('/')[1]).
+ update_all(expires_at: db_current_time - 1.minute)
+
+ # re-authorize after cache expires
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
+ assert_response 401
end
test 'authenticate with remote token from misbhehaving remote cluster' do
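Review bot: The `update_all` in the "simulate cache expiry" step silently affects zero rows if no cached `ApiClientAuthorization` exists for the remote uuid, and the following `assert_response 401` would then pass because the stub already answers 401, not because the cache expired; assert the affected-row count so the test cannot pass vacuously, `assert_equal 1, ApiClientAuthorization.where(uuid: salted_active_token(remote: 'zbbbb').split('/')[1]).update_all(expires_at: db_current_time - 1.minute)`. The "re-authorize before cache expires" step also presumes the test configuration's remote-token cache TTL comfortably exceeds the test's runtime; a comment naming that assumption (`# assumes the remote-token cache TTL is well over the test's duration`) would make the intent clear. The enclosing `test` block starts before this hunk.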