remote: https://rubygems.org/
specs:
RedCloth (4.3.2)
- actioncable (5.2.8)
- actionpack (= 5.2.8)
+ actioncable (5.2.8.1)
+ actionpack (= 5.2.8.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
- actionmailer (5.2.8)
- actionpack (= 5.2.8)
- actionview (= 5.2.8)
- activejob (= 5.2.8)
+ actionmailer (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ actionview (= 5.2.8.1)
+ activejob (= 5.2.8.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
- actionpack (5.2.8)
- actionview (= 5.2.8)
- activesupport (= 5.2.8)
+ actionpack (5.2.8.1)
+ actionview (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
rack (~> 2.0, >= 2.0.8)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
- actionview (5.2.8)
- activesupport (= 5.2.8)
+ actionview (5.2.8.1)
+ activesupport (= 5.2.8.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
- activejob (5.2.8)
- activesupport (= 5.2.8)
+ activejob (5.2.8.1)
+ activesupport (= 5.2.8.1)
globalid (>= 0.3.6)
- activemodel (5.2.8)
- activesupport (= 5.2.8)
- activerecord (5.2.8)
- activemodel (= 5.2.8)
- activesupport (= 5.2.8)
+ activemodel (5.2.8.1)
+ activesupport (= 5.2.8.1)
+ activerecord (5.2.8.1)
+ activemodel (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
arel (>= 9.0)
- activestorage (5.2.8)
- actionpack (= 5.2.8)
- activerecord (= 5.2.8)
+ activestorage (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ activerecord (= 5.2.8.1)
marcel (~> 1.0.0)
- activesupport (5.2.8)
+ activesupport (5.2.8.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
net-ssh-gateway (2.0.0)
net-ssh (>= 4.0.0)
nio4r (2.5.8)
- nokogiri (1.13.6)
+ nokogiri (1.13.7)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
npm-rails (0.2.1)
websocket-driver (>= 0.2.0)
public_suffix (4.0.6)
racc (1.6.0)
- rack (2.2.3.1)
+ rack (2.2.4)
rack-mini-profiler (1.0.2)
rack (>= 1.2.0)
- rack-test (1.1.0)
- rack (>= 1.0, < 3)
- rails (5.2.8)
- actioncable (= 5.2.8)
- actionmailer (= 5.2.8)
- actionpack (= 5.2.8)
- actionview (= 5.2.8)
- activejob (= 5.2.8)
- activemodel (= 5.2.8)
- activerecord (= 5.2.8)
- activestorage (= 5.2.8)
- activesupport (= 5.2.8)
+ rack-test (2.0.2)
+ rack (>= 1.3)
+ rails (5.2.8.1)
+ actioncable (= 5.2.8.1)
+ actionmailer (= 5.2.8.1)
+ actionpack (= 5.2.8.1)
+ actionview (= 5.2.8.1)
+ activejob (= 5.2.8.1)
+ activemodel (= 5.2.8.1)
+ activerecord (= 5.2.8.1)
+ activestorage (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
bundler (>= 1.3.0)
- railties (= 5.2.8)
+ railties (= 5.2.8.1)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.4)
actionpack (>= 5.0.1.x)
rails-html-sanitizer (1.4.3)
loofah (~> 2.3)
rails-perftest (0.0.7)
- railties (5.2.8)
- actionpack (= 5.2.8)
- activesupport (= 5.2.8)
+ railties (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
method_source
rake (>= 0.8.7)
thor (>= 0.19.0, < 2.0)
if opts.Live != "" {
cmd.Args = append(cmd.Args,
"--env=domain="+opts.Live,
- "--env=initargs=-tls=acme",
+ "--env=initargs=-tls=/var/lib/acme/live/"+opts.Live,
"--env=bootargs=",
"--publish=:443:443",
"--publish=:4440-4460:4440-4460",
# echo > /etc/apt/sources.list.d/arvados.list "deb http://apt.arvados.org/$(lsb_release -sc) $(lsb_release -sc) main"
# apt update
# apt install arvados-server-easy
-# arvados-server init -cluster-id x9999 -domain x9999.example.com -tls auto -login pam
+# arvados-server init -cluster-id x9999 -domain x9999.example.com -tls acme -login pam
</pre>
When the "init" command is finished, navigate to the link shown in the terminal (e.g., @https://x9999.example.com/@) and log in with the account you created above.
}
func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error {
- if super.cluster.TLS.Automatic {
+ if super.cluster.TLS.ACME.Server != "" {
return bootAutoCert(ctx, fail, super)
} else if super.cluster.TLS.Key == "" && super.cluster.TLS.Certificate == "" {
return createSelfSignedCert(ctx, fail, super)
}
},
}
- if super.cluster.TLS.Staging {
+ if srv := super.cluster.TLS.ACME.Server; srv == "LE" {
+ // Leaving mgr.Client == nil means use Let's Encrypt
+ // production environment
+ } else if srv == "LE-staging" {
mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
+ } else if strings.HasPrefix(srv, "https://") {
+ mgr.Client = &acme.Client{DirectoryURL: srv}
+ } else {
+ return fmt.Errorf("autocert setup: invalid directory URL in TLS.ACME.Server: %q", srv)
}
go func() {
err := http.ListenAndServe(":80", mgr.HTTPHandler(nil))
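Review bot: The `strings.HasPrefix(srv, "https://")` branch accepts any string with that prefix, so a value such as `https://` with no host passes here and only fails later, when the ACME client first contacts the directory. Parsing the value and rejecting `err != nil || u.Host == ""` after `u, err := url.Parse(srv)` would report the misconfiguration through the existing `invalid directory URL` error. The literals `"LE"` and `"LE-staging"` are matched here and documented in the config file, so named constants and a `switch srv` in place of the if/else chain with an empty first branch would keep the two in step. The enclosing function starts and ends outside this hunk.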
Repositories: /var/lib/arvados/git/repositories
TLS:
- # Use "file:///var/lib/acme/live/example.com/cert" and ".../key"
- # to load externally managed certificates.
+ # Use "file:///var/lib/acme/live/example.com/cert" and
+ # ".../privkey" to load externally managed certificates.
Certificate: ""
Key: ""
# use this in production.
Insecure: false
- # Agree to Let's Encrypt terms of service and obtain
- # certificates automatically for ExternalURL domains.
- #
- # Note: this feature is not yet implemented in released
- # versions, only in the alpha/prerelease arvados-server-easy
- # package.
- Automatic: false
-
- # Use Let's Encrypt staging environment instead of production
- # environment.
- Staging: false
+ ACME:
+ # Obtain certificates automatically for ExternalURL domains
+ # using an ACME server and http-01 validation.
+ #
+ # To use Let's Encrypt, specify "LE". To use the Let's
+ # Encrypt staging environment, specify "LE-staging". To use a
+ # different ACME server, specify the full directory URL
+ # ("https://...").
+ #
+ # Note: this feature is not yet implemented in released
+ # versions, only in the alpha/prerelease arvados-server-easy
+ # package.
+ #
+ # Implies agreement with the server's terms of service.
+ Server: ""
Containers:
# List of supported Docker Registry image formats that compute nodes
LoginGoogle bool
LoginGoogleClientID string
LoginGoogleClientSecret string
+ TLSDir string
}
func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Reader, stdout, stderr io.Writer) int {
flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
- flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, auto, insecure, or none")
+ flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, insecure, none, or /path/to/dir containing privkey and cert files")
flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
return code
return 1
}
+ switch initcmd.TLS {
+ case "none", "acme", "insecure":
+ default:
+ if !strings.HasPrefix(initcmd.TLS, "/") {
+ err = fmt.Errorf("invalid argument to -tls: %q; see %s -help", initcmd.TLS, prog)
+ return 1
+ }
+ initcmd.TLSDir = initcmd.TLS
+ }
+
confdir := "/etc/arvados"
conffile := confdir + "/config.yml"
if _, err = os.Stat(conffile); err == nil {
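Review bot: In the `default:` branch any `-tls` value that starts with `/` is accepted and copied to `initcmd.TLSDir` without checking that the directory holds the `cert` and `privkey` files the generated config will point to. If those files are expected to exist when init runs, a check such as `if _, err = os.Stat(initcmd.TLS + "/privkey"); err != nil { return 1 }` (and the same for `cert`) would fail before the config is written, not at service start. A short comment on the `switch` saying that anything other than the three keywords is treated as an absolute directory path would help the next reader. RunCommand starts and ends outside this hunk.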
TLS:
{{if eq .TLS "insecure"}}
Insecure: true
- {{else if eq .TLS "auto"}}
- Automatic: true
{{else if eq .TLS "acme"}}
- Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
- Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
+ ACME:
+ Server: LE
+ {{else if ne .TLSDir ""}}
+ Certificate: {{printf "%q" (print .TLSDir "/cert")}}
+ Key: {{printf "%q" (print .TLSDir "/privkey")}}
{{else}}
{}
{{end}}
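Review bot: `-tls acme` silently changes meaning in this template. It used to write `Certificate`/`Key` paths under `/var/lib/acme/live/<domain>`, and now writes `ACME: Server: LE`, which makes the service request certificates itself and, per the config file comment, implies agreement with the ACME server's terms of service. A script that passes `-tls acme` expecting externally managed files gets no error, only different behaviour. The `-tls` help text and the upgrade notes should say so, for example `acme (obtain certificates from Let's Encrypt; implies accepting its terms of service)`.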
)
func makeTLSConfig(cluster *arvados.Cluster, logger logrus.FieldLogger) (*tls.Config, error) {
- if cluster.TLS.Automatic {
+ if cluster.TLS.ACME.Server != "" {
return makeAutocertConfig(cluster, logger)
} else {
return makeFileLoaderConfig(cluster, logger)
Certificate string
Key string
Insecure bool
- Automatic bool
- Staging bool
+ ACME struct {
+ Server string
+ }
}
Users struct {
ActivatedUsersAreVisibleToOthers bool
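Review bot: Removing `Automatic` and `Staging` from the TLS struct means a config file that still says `TLS.Automatic: true` no longer selects autocert. With `Certificate` and `Key` empty, `createCertificates.Run` would then take the `createSelfSignedCert` branch, assuming the config loader tolerates the unknown key. Nothing in the visible change maps the old keys to `ACME.Server` or rejects them. The config comment says the feature only shipped in the prerelease package, so a load-time error for the removed keys may be enough. A doc comment on `Server` listing the accepted values (`"LE"`, `"LE-staging"`, or an `https://` directory URL) would also help readers of this struct.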
GEM
remote: https://rubygems.org/
specs:
- actioncable (5.2.8)
- actionpack (= 5.2.8)
+ actioncable (5.2.8.1)
+ actionpack (= 5.2.8.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
- actionmailer (5.2.8)
- actionpack (= 5.2.8)
- actionview (= 5.2.8)
- activejob (= 5.2.8)
+ actionmailer (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ actionview (= 5.2.8.1)
+ activejob (= 5.2.8.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
- actionpack (5.2.8)
- actionview (= 5.2.8)
- activesupport (= 5.2.8)
+ actionpack (5.2.8.1)
+ actionview (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
rack (~> 2.0, >= 2.0.8)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.2)
- actionview (5.2.8)
- activesupport (= 5.2.8)
+ actionview (5.2.8.1)
+ activesupport (= 5.2.8.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
- activejob (5.2.8)
- activesupport (= 5.2.8)
+ activejob (5.2.8.1)
+ activesupport (= 5.2.8.1)
globalid (>= 0.3.6)
- activemodel (5.2.8)
- activesupport (= 5.2.8)
- activerecord (5.2.8)
- activemodel (= 5.2.8)
- activesupport (= 5.2.8)
+ activemodel (5.2.8.1)
+ activesupport (= 5.2.8.1)
+ activerecord (5.2.8.1)
+ activemodel (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
arel (>= 9.0)
- activestorage (5.2.8)
- actionpack (= 5.2.8)
- activerecord (= 5.2.8)
+ activestorage (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ activerecord (= 5.2.8.1)
marcel (~> 1.0.0)
- activesupport (5.2.8)
+ activesupport (5.2.8.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
multi_json (1.15.0)
multipart-post (2.1.1)
nio4r (2.5.8)
- nokogiri (1.13.6)
+ nokogiri (1.13.7)
mini_portile2 (~> 2.8.0)
racc (~> 1.4)
oj (3.9.2)
power_assert (1.1.4)
public_suffix (4.0.6)
racc (1.6.0)
- rack (2.2.3.1)
- rack-test (1.1.0)
- rack (>= 1.0, < 3)
- rails (5.2.8)
- actioncable (= 5.2.8)
- actionmailer (= 5.2.8)
- actionpack (= 5.2.8)
- actionview (= 5.2.8)
- activejob (= 5.2.8)
- activemodel (= 5.2.8)
- activerecord (= 5.2.8)
- activestorage (= 5.2.8)
- activesupport (= 5.2.8)
+ rack (2.2.4)
+ rack-test (2.0.2)
+ rack (>= 1.3)
+ rails (5.2.8.1)
+ actioncable (= 5.2.8.1)
+ actionmailer (= 5.2.8.1)
+ actionpack (= 5.2.8.1)
+ actionview (= 5.2.8.1)
+ activejob (= 5.2.8.1)
+ activemodel (= 5.2.8.1)
+ activerecord (= 5.2.8.1)
+ activestorage (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
bundler (>= 1.3.0)
- railties (= 5.2.8)
+ railties (= 5.2.8.1)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.4)
actionpack (>= 5.0.1.x)
rails-observers (0.1.5)
activemodel (>= 4.0)
rails-perftest (0.0.7)
- railties (5.2.8)
- actionpack (= 5.2.8)
- activesupport (= 5.2.8)
+ railties (5.2.8.1)
+ actionpack (= 5.2.8.1)
+ activesupport (= 5.2.8.1)
method_source
rake (>= 0.8.7)
thor (>= 0.19.0, < 2.0)
validate :identity_url_nil_if_empty
before_update :prevent_privilege_escalation
before_update :prevent_inactive_admin
+ before_update :prevent_nonadmin_system_root
before_update :verify_repositories_empty, :if => Proc.new {
username.nil? and username_changed?
}
# delete user signatures, login, repo, and vm perms, and mark as inactive
def unsetup
+ if self.uuid == system_user_uuid
+ raise "System root user cannot be deactivated"
+ end
+
# delete oid_login_perms for this user
#
# note: these permission links are obsolete, they have no effect
self.save!
end
+ # Called from ArvadosModel
+ def set_default_owner
+ self.owner_uuid = system_user_uuid
+ end
+
def must_unsetup_to_deactivate
if !self.new_record? &&
self.uuid[0..4] == Rails.configuration.Login.LoginCluster &&
true
end
+ def prevent_nonadmin_system_root
+ if self.uuid == system_user_uuid and self.is_admin_changed? and !self.is_admin
+ raise "System root user cannot be non-admin"
+ end
+ true
+ end
+
def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
nextpaths = graph[start]
return merged if !nextpaths
assert_response 403
end
+ test "disabling system root user not permitted" do
+ put("/arvados/v1/users/#{users(:system_user).uuid}",
+ params: {
+ user: {is_admin: false}
+ },
+ headers: auth(:admin))
+ assert_response 422
+
+ post("/arvados/v1/users/#{users(:system_user).uuid}/unsetup",
+ params: {},
+ headers: auth(:admin))
+ assert_response 422
+ end
+
+ test "creating users only accepted for admins" do
+ assert_equal false, users(:active).is_admin
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "username" => "barney"
+ }
+ },
+ headers: auth(:active)
+ assert_response 403
+ end
+
+ test "create users assigns the system root user as their owner" do
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "username" => "barney"
+ }
+ },
+ headers: auth(:admin)
+ assert_response :success
+ assert_not_nil json_response["uuid"]
+ assert_equal users(:system_user).uuid, json_response["owner_uuid"]
+ end
+
+ test "create users ignores provided owner_uuid field" do
+ assert_equal false, users(:admin).uuid == users(:system_user).uuid
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "owner_uuid" => users(:admin).uuid,
+ "username" => "barney"
+ }
+ },
+ headers: auth(:admin)
+ assert_response :success
+ assert_not_nil json_response["uuid"]
+ assert_equal users(:system_user).uuid, json_response["owner_uuid"]
+ end
end
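Review bot: The test `disabling system root user not permitted` exercises `is_admin: false` and the `unsetup` endpoint, but not a direct `PUT` with `user: {is_active: false}`, which is the other way the system root account could be switched off. The existing `prevent_inactive_admin` hook presumably rejects that, but nothing in this change pins it. A third request in the same test, asserting the rejection status, would close the gap. The three create-user tests also share the same email and username, so a comment that each test runs against fresh fixtures would spare the reader from checking for collisions.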
}
}
// The client's token was invalid (e.g., expired), or
- // the client didn't even provide one. Propagate the
- // 401 to encourage the client to use a [different]
- // token.
+ // the client didn't even provide one. Redirect to
+ // workbench2's login-and-redirect-to-download url if
+ // this is a browser navigation request. (The redirect
+ // flow can't preserve the original method if it's not
+ // GET, and doesn't make sense if the UA is a
+ // command-line tool, is trying to load an inline
+ // image, etc.; in these cases, there's nothing we can
+ // do, so return 401 unauthorized.)
+ //
+ // Note Sec-Fetch-Mode is sent by all non-EOL
+ // browsers, except Safari.
+ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode
//
// TODO(TC): This response would be confusing to
// someone trying (anonymously) to download public
// data that has been deleted. Allow a referrer to
// provide this context somehow?
- w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
- http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
+ if r.Method == http.MethodGet && r.Header.Get("Sec-Fetch-Mode") == "navigate" {
+ target := url.URL(h.Cluster.Services.Workbench2.ExternalURL)
+ redirkey := "redirectToPreview"
+ if attachment {
+ redirkey = "redirectToDownload"
+ }
+ callback := "/c=" + collectionID + "/" + strings.Join(targetPath, "/")
+ // target.RawQuery = url.Values{redirkey:
+ // {target}}.Encode() would be the obvious
+ // thing to do here, but wb2 doesn't decode
+ // this as a query param -- it takes
+ // everything after "${redirkey}=" as the
+ // target URL. If we encode "/" as "%2F" etc.,
+ // the redirect won't work.
+ target.RawQuery = redirkey + "=" + callback
+ w.Header().Add("Location", target.String())
+ w.WriteHeader(http.StatusSeeOther)
+ } else {
+ w.Header().Add("WWW-Authenticate", "Basic realm=\"collections\"")
+ http.Error(w, unauthorizedMessage, http.StatusUnauthorized)
+ }
return
}
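Review bot: `callback` is concatenated into `target.RawQuery` unescaped. In the `Sec-Fetch-Mode: navigate` branch, a request path containing `#`, `?` or a space therefore yields a `Location` whose redirect target is truncated or malformed. If `targetPath` holds decoded segments (its origin is outside this hunk), any unauthenticated GET can trigger this. Path-escaping keeps `/` literal, which is what the comment says wb2 needs, e.g. `callback := (&url.URL{Path: "/c=" + collectionID + "/" + strings.Join(targetPath, "/")}).EscapedPath()`, though it should be confirmed that wb2 percent-decodes the value. The branch also redirects when `Services.Workbench2.ExternalURL` is unset, producing a relative `?redirectTo…=` Location on keep-web itself; taking the 401 path when `target.Host == ""` would avoid that. The enclosing handler starts and ends outside this hunk.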
s.testVhostRedirectTokenToCookie(c, "GET",
arvadostest.FooCollection+".example.com/foo",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"foo",
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.FooCollection+"/t="+arvadostest.ActiveToken+"/foo",
"",
- "",
+ nil,
"",
http.StatusOK,
"foo",
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.FooCollection+"/t=bogus/foo",
"",
- "",
+ nil,
"",
http.StatusNotFound,
notFoundMessage+"\n",
}
// Bad token in a cookie (even if it got there via our own
-// query-string-to-cookie redirect) is, in principle, retryable at the
-// same URL so it's 401 Unauthorized.
+// query-string-to-cookie redirect) is, in principle, retryable via
+// wb2-login-and-redirect flow.
func (s *IntegrationSuite) TestVhostRedirectQueryTokenToBogusCookie(c *check.C) {
- s.testVhostRedirectTokenToCookie(c, "GET",
+ // Inline
+ resp := s.testVhostRedirectTokenToCookie(c, "GET",
+ arvadostest.FooCollection+".example.com/foo",
+ "?api_token=thisisabogustoken",
+ http.Header{"Sec-Fetch-Mode": {"navigate"}},
+ "",
+ http.StatusSeeOther,
+ "",
+ )
+ u, err := url.Parse(resp.Header().Get("Location"))
+ c.Assert(err, check.IsNil)
+ c.Logf("redirected to %s", u)
+ c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
+ c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
+ c.Check(u.Query().Get("redirectToDownload"), check.Equals, "")
+
+ // Download/attachment indicated by ?disposition=attachment
+ resp = s.testVhostRedirectTokenToCookie(c, "GET",
arvadostest.FooCollection+".example.com/foo",
+ "?api_token=thisisabogustoken&disposition=attachment",
+ http.Header{"Sec-Fetch-Mode": {"navigate"}},
+ "",
+ http.StatusSeeOther,
+ "",
+ )
+ u, err = url.Parse(resp.Header().Get("Location"))
+ c.Assert(err, check.IsNil)
+ c.Logf("redirected to %s", u)
+ c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
+ c.Check(u.Query().Get("redirectToPreview"), check.Equals, "")
+ c.Check(u.Query().Get("redirectToDownload"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
+
+ // Download/attachment indicated by vhost
+ resp = s.testVhostRedirectTokenToCookie(c, "GET",
+ s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
"?api_token=thisisabogustoken",
+ http.Header{"Sec-Fetch-Mode": {"navigate"}},
"",
+ http.StatusSeeOther,
+ "",
+ )
+ u, err = url.Parse(resp.Header().Get("Location"))
+ c.Assert(err, check.IsNil)
+ c.Logf("redirected to %s", u)
+ c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
+ c.Check(u.Query().Get("redirectToPreview"), check.Equals, "")
+ c.Check(u.Query().Get("redirectToDownload"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
+
+ // Without "Sec-Fetch-Mode: navigate" header, just 401.
+ s.testVhostRedirectTokenToCookie(c, "GET",
+ s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
+ "?api_token=thisisabogustoken",
+ http.Header{"Sec-Fetch-Mode": {"cors"}},
+ "",
+ http.StatusUnauthorized,
+ unauthorizedMessage+"\n",
+ )
+ s.testVhostRedirectTokenToCookie(c, "GET",
+ s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
+ "?api_token=thisisabogustoken",
+ nil,
"",
http.StatusUnauthorized,
unauthorizedMessage+"\n",
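Review bot: The new cases vary `Sec-Fetch-Mode` (`navigate`, `cors`, absent) on GET only, so the handler's `r.Method == http.MethodGet` condition is never exercised with a non-GET request. A POST carrying `Sec-Fetch-Mode: navigate` and a bogus token, expecting `http.StatusUnauthorized`, would pin it. A path segment that needs escaping (the suite already uses `Hello%20world.txt`) would likewise pin the shape of the `redirectToPreview` value. The three redirect blocks repeat the same parse-and-check lines and could be driven from a small table of host, query and expected key. The test function continues past the end of this hunk.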
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.FooCollection+"/foo",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusBadRequest,
"cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
resp := s.testVhostRedirectTokenToCookie(c, "GET",
arvadostest.FooCollection+".example.com/foo",
"?disposition=attachment&api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"foo",
resp := s.testVhostRedirectTokenToCookie(c, "GET",
"download.example.com/by_id/"+arvadostest.FooCollection+"/foo",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"foo",
resp := s.testVhostRedirectTokenToCookie(c, "GET",
"download.example.com/c="+arvadostest.WazVersion1Collection+"/waz",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"waz",
resp = s.testVhostRedirectTokenToCookie(c, "GET",
"download.example.com/by_id/"+arvadostest.WazVersion1Collection+"/waz",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"waz",
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.FooCollection+"/foo",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"foo",
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.FooCollection+"/foo",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusBadRequest,
"cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n",
resp := s.testVhostRedirectTokenToCookie(c, "GET",
"example.com:1234/c="+arvadostest.FooCollection+"/foo",
"?api_token="+arvadostest.ActiveToken,
- "",
+ nil,
"",
http.StatusOK,
"foo",
s.testVhostRedirectTokenToCookie(c, "POST",
arvadostest.FooCollection+".example.com/foo",
"",
- "application/x-www-form-urlencoded",
+ http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
url.Values{"api_token": {arvadostest.ActiveToken}}.Encode(),
http.StatusOK,
"foo",
s.testVhostRedirectTokenToCookie(c, "POST",
arvadostest.FooCollection+".example.com/foo",
"",
- "application/x-www-form-urlencoded",
+ http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
url.Values{"api_token": {arvadostest.SpectatorToken}}.Encode(),
http.StatusNotFound,
notFoundMessage+"\n",
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
"",
- "",
+ nil,
"",
http.StatusOK,
"Hello world\n",
s.testVhostRedirectTokenToCookie(c, "GET",
"example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
"",
- "",
+ nil,
"",
http.StatusNotFound,
notFoundMessage+"\n",
c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
}
-func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString, contentType, reqBody string, expectStatus int, expectRespBody string) *httptest.ResponseRecorder {
+func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString string, reqHeader http.Header, reqBody string, expectStatus int, expectRespBody string) *httptest.ResponseRecorder {
+ if reqHeader == nil {
+ reqHeader = http.Header{}
+ }
u, _ := url.Parse(`http://` + hostPath + queryString)
+ c.Logf("requesting %s", u)
req := &http.Request{
Method: method,
Host: u.Host,
URL: u,
RequestURI: u.RequestURI(),
- Header: http.Header{"Content-Type": {contentType}},
+ Header: reqHeader,
Body: ioutil.NopCloser(strings.NewReader(reqBody)),
}
return resp
}
c.Check(resp.Body.String(), check.Matches, `.*href="http://`+regexp.QuoteMeta(html.EscapeString(hostPath))+`(\?[^"]*)?".*`)
+ c.Check(strings.Split(resp.Header().Get("Location"), "?")[0], check.Equals, "http://"+hostPath)
cookies := (&http.Response{Header: resp.Header()}).Cookies()
- u, _ = u.Parse(resp.Header().Get("Location"))
+ u, err := u.Parse(resp.Header().Get("Location"))
+ c.Assert(err, check.IsNil)
+ c.Logf("following redirect to %s", u)
req = &http.Request{
Method: "GET",
Host: u.Host,
URL: u,
RequestURI: u.RequestURI(),
- Header: http.Header{},
+ Header: reqHeader,
}
for _, c := range cookies {
req.AddCookie(c)
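Review bot: The follow-up request is built with `Header: reqHeader`, the same map the first request holds. `req.AddCookie(c)` therefore writes the Cookie header into the caller's map, and a POST's `Content-Type` is replayed on the redirected GET. Giving the second request its own copy, `Header: reqHeader.Clone(),`, keeps the two requests independent while still carrying `Sec-Fetch-Mode` through the redirect. A comment stating that the caller's headers are deliberately sent on both requests would make that intent explicit. The helper begins and ends outside this hunk.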
resp = httptest.NewRecorder()
s.handler.ServeHTTP(resp, req)
- c.Check(resp.Header().Get("Location"), check.Equals, "")
+
+ if resp.Code != http.StatusSeeOther {
+ c.Check(resp.Header().Get("Location"), check.Equals, "")
+ }
return resp
}