*.asc
sdk/java-v2/build.gradle
sdk/java-v2/settings.gradle
+sdk/cwl/tests/wf/feddemo
\ No newline at end of file
MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (e.g.,
- # sso-provider).
+ # These settings are provided by your OAuth2 provider (eg
+ # Google) used to perform upstream authentication.
ProviderAppSecret: ""
ProviderAppID: ""
+ # The cluster ID to delegate the user database. When set,
+ # logins on this cluster will be redirected to the login cluster
+ # (login cluster must appear in RemoteHosts with Proxy: true)
+ LoginCluster: ""
+
+ # How long a cached token belonging to a remote cluster will
+ # remain valid before it needs to be revalidated.
+ RemoteTokenRefresh: 5m
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
"InstanceTypes": true,
"InstanceTypes.*": true,
"InstanceTypes.*.*": true,
- "Login": false,
+ "Login": true,
+ "Login.ProviderAppSecret": false,
+ "Login.ProviderAppID": false,
+ "Login.LoginCluster": true,
+ "Login.RemoteTokenRefresh": true,
"Mail": false,
"ManagementToken": false,
"PostgreSQL": false,
MaxUUIDEntries: 1000
Login:
- # These settings are provided by your OAuth2 provider (e.g.,
- # sso-provider).
+ # These settings are provided by your OAuth2 provider (eg
+ # Google) used to perform upstream authentication.
ProviderAppSecret: ""
ProviderAppID: ""
+ # The cluster ID to delegate the user database. When set,
+ # logins on this cluster will be redirected to the login cluster
+ # (login cluster must appear in RemoteHosts with Proxy: true)
+ LoginCluster: ""
+
+ # How long a cached token belonging to a remote cluster will
+ # remain valid before it needs to be revalidated.
+ RemoteTokenRefresh: 5m
+
Git:
# Path to git or gitolite-shell executable. Each authenticated
# request will execute this program with the single argument "http-backend"
logger_handler=arvados.log_handler,
custom_schema_callback=add_arv_hints,
loadingContext=executor.loadingContext,
- runtimeContext=executor.runtimeContext)
+ runtimeContext=executor.runtimeContext,
+ input_required=not (arvargs.create_workflow or arvargs.update_workflow))
builder_job_order,
discovered)
- visit_class(workflowobj, ("CommandLineTool", "Workflow"), discover_default_secondary_files)
+ copied, _ = document_loader.resolve_all(copy.deepcopy(cmap(workflowobj)), base_url=uri, checklinks=False)
+ visit_class(copied, ("CommandLineTool", "Workflow"), discover_default_secondary_files)
for d in list(discovered):
# Only interested in discovered secondaryFiles which are local
# Note that arvados/build/run-build-packages.sh looks at this
# file to determine what version of cwltool and schema-salad to build.
install_requires=[
- 'cwltool==1.0.20190607183319',
- 'schema-salad==4.2.20190417121603',
+ 'cwltool==1.0.20190831161204',
+ 'schema-salad==4.5.20190815125611',
'typing >= 3.6.4',
'ruamel.yaml >=0.15.54, <=0.15.77',
'arvados-python-client{}'.format(pysdk_dep),
self.assertEqual(stubs.capture_stdout.getvalue(),
stubs.expect_workflow_uuid + '\n')
self.assertEqual(exited, 0)
+
+ @stubs
+ def test_create_with_imports(self, stubs):
+ project_uuid = 'zzzzz-j7d0g-zzzzzzzzzzzzzzz'
+
+ exited = arvados_cwl.main(
+ ["--create-workflow", "--debug",
+ "--api=containers",
+ "--project-uuid", project_uuid,
+ "tests/wf/feddemo/feddemo.cwl"],
+ stubs.capture_stdout, sys.stderr, api_client=stubs.api)
+
+ stubs.api.pipeline_templates().create.refute_called()
+ stubs.api.container_requests().create.refute_called()
+
+ self.assertEqual(stubs.capture_stdout.getvalue(),
+ stubs.expect_workflow_uuid + '\n')
+ self.assertEqual(exited, 0)
+
+ @stubs
+ def test_create_with_no_input(self, stubs):
+ project_uuid = 'zzzzz-j7d0g-zzzzzzzzzzzzzzz'
+
+ exited = arvados_cwl.main(
+ ["--create-workflow", "--debug",
+ "--api=containers",
+ "--project-uuid", project_uuid,
+ "tests/wf/revsort/revsort.cwl"],
+ stubs.capture_stdout, sys.stderr, api_client=stubs.api)
+
+ stubs.api.pipeline_templates().create.refute_called()
+ stubs.api.container_requests().create.refute_called()
+
+ self.assertEqual(stubs.capture_stdout.getvalue(),
+ stubs.expect_workflow_uuid + '\n')
+ self.assertEqual(exited, 0)
--- /dev/null
+../../../../doc/user/cwl/federated
\ No newline at end of file
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# This is a two-step workflow which uses "revtool" and "sorttool" defined above.
+#
+class: Workflow
+doc: "Reverse the lines in a document, then sort those lines."
+cwlVersion: v1.0
+
+
+# The inputs array defines the structure of the input object that describes
+# the inputs to the workflow.
+#
+# The "reverse_sort" input parameter demonstrates the "default" field. If the
+# field "reverse_sort" is not provided in the input object, the default value will
+# be used.
+inputs:
+ input:
+ type: File
+ doc: "The input file to be processed."
+ reverse_sort:
+ type: boolean
+ default: true
+ doc: "If true, reverse (decending) sort"
+
+# The "outputs" array defines the structure of the output object that describes
+# the outputs of the workflow.
+#
+# Each output field must be connected to the output of one of the workflow
+# steps using the "connect" field. Here, the parameter "#output" of the
+# workflow comes from the "#sorted" output of the "sort" step.
+outputs:
+ output:
+ type: File
+ outputSource: sorted/output
+ doc: "The output with the lines reversed and sorted."
+
+# The "steps" array lists the executable steps that make up the workflow.
+# The tool to execute each step is listed in the "run" field.
+#
+# In the first step, the "inputs" field of the step connects the upstream
+# parameter "#input" of the workflow to the input parameter of the tool
+# "revtool.cwl#input"
+#
+# In the second step, the "inputs" field of the step connects the output
+# parameter "#reversed" from the first step to the input parameter of the
+# tool "sorttool.cwl#input".
+steps:
+ rev:
+ in:
+ input: input
+ out: [output]
+ run: revtool.cwl
+
+ sorted:
+ in:
+ input: rev/output
+ reverse: reverse_sort
+ out: [output]
+ run: sorttool.cwl
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+#
+# Simplest example command line program wrapper for the Unix tool "rev".
+#
+class: CommandLineTool
+cwlVersion: v1.0
+doc: "Reverse each line using the `rev` command"
+
+hints:
+ ResourceRequirement:
+ ramMin: 8
+
+# The "inputs" array defines the structure of the input object that describes
+# the inputs to the underlying program. Here, there is one input field
+# defined that will be called "input" and will contain a "File" object.
+#
+# The input binding indicates that the input value should be turned into a
+# command line argument. In this example inputBinding is an empty object,
+# which indicates that the file name should be added to the command line at
+# a default location.
+inputs:
+ input:
+ type: File
+ inputBinding: {}
+
+# The "outputs" array defines the structure of the output object that
+# describes the outputs of the underlying program. Here, there is one
+# output field defined that will be called "output", must be a "File" type,
+# and after the program executes, the output value will be the file
+# output.txt in the designated output directory.
+outputs:
+ output:
+ type: File
+ outputBinding:
+ glob: output.txt
+
+# The actual program to execute.
+baseCommand: rev
+
+# Specify that the standard output stream must be redirected to a file called
+# output.txt in the designated output directory.
+stdout: output.txt
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Example command line program wrapper for the Unix tool "sort"
+# demonstrating command line flags.
+class: CommandLineTool
+doc: "Sort lines using the `sort` command"
+cwlVersion: v1.0
+hints:
+ ResourceRequirement:
+ ramMin: 8
+
+# This example is similar to the previous one, with an additional input
+# parameter called "reverse". It is a boolean parameter, which is
+# intepreted as a command line flag. The value of "prefix" is used for
+# flag to put on the command line if "reverse" is true, if "reverse" is
+# false, no flag is added.
+#
+# This example also introduced the "position" field. This indicates the
+# sorting order of items on the command line. Lower numbers are placed
+# before higher numbers. Here, the "-r" (same as "--reverse") flag (if
+# present) will be added to the command line before the input file path.
+inputs:
+ - id: reverse
+ type: boolean
+ inputBinding:
+ position: 1
+ prefix: "-r"
+ - id: input
+ type: File
+ inputBinding:
+ position: 2
+
+outputs:
+ - id: output
+ type: File
+ outputBinding:
+ glob: output.txt
+
+baseCommand: sort
+stdout: output.txt
Repositories string
}
Login struct {
- ProviderAppSecret string
- ProviderAppID string
+ ProviderAppSecret string
+ ProviderAppID string
+ LoginCluster string
+ RemoteTokenRefresh Duration
}
Mail struct {
MailchimpAPIKey string
# omniauth callback method
def create
- omniauth = request.env['omniauth.auth']
-
- identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false
- unless identity_url_ok
- # Whoa. This should never happen.
- logger.error "UserSessionsController.create: omniauth object missing/invalid"
- logger.error "omniauth: "+omniauth.pretty_inspect
-
- return redirect_to login_failure_url
- end
-
- # Only local users can create sessions, hence uuid_like_pattern
- # here.
- user = User.unscoped.where('identity_url = ? and uuid like ?',
- omniauth['info']['identity_url'],
- User.uuid_like_pattern).first
- if not user
- # Check for permission to log in to an existing User record with
- # a different identity_url
- Link.where("link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?",
- 'permission',
- 'can_login',
- omniauth['info']['email'],
- User.uuid_like_pattern).each do |link|
- if prefix = link.properties['identity_url_prefix']
- if prefix == omniauth['info']['identity_url'][0..prefix.size-1]
- user = User.find_by_uuid(link.head_uuid)
- break if user
- end
- end
- end
+ if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID
+ raise "Local login disabled when LoginCluster is set"
end
- if not user
- # New user registration
- user = User.new(:email => omniauth['info']['email'],
- :first_name => omniauth['info']['first_name'],
- :last_name => omniauth['info']['last_name'],
- :identity_url => omniauth['info']['identity_url'],
- :is_active => Rails.configuration.Users.NewUsersAreActive,
- :owner_uuid => system_user_uuid)
- if omniauth['info']['username']
- user.set_initial_username(requested: omniauth['info']['username'])
- end
- act_as_system_user do
- user.save or raise Exception.new(user.errors.messages)
- end
- else
- user.email = omniauth['info']['email']
- user.first_name = omniauth['info']['first_name']
- user.last_name = omniauth['info']['last_name']
- if user.identity_url.nil?
- # First login to a pre-activated account
- user.identity_url = omniauth['info']['identity_url']
- end
+ omniauth = request.env['omniauth.auth']
- while (uuid = user.redirect_to_user_uuid)
- user = User.unscoped.where(uuid: uuid).first
- if !user
- raise Exception.new("identity_url #{omniauth['info']['identity_url']} redirects to nonexistent uuid #{uuid}")
- end
- end
+ begin
+ user = User.register omniauth['info']
+ rescue => e
+ Rails.logger.warn e
+ return redirect_to login_failure_url
end
# For the benefit of functional and integration tests:
end
p = []
p << "auth_provider=#{CGI.escape(params[:auth_provider])}" if params[:auth_provider]
- if params[:return_to]
- # Encode remote param inside callback's return_to, so that we'll get it on
- # create() after login.
- remote_param = params[:remote].nil? ? '' : params[:remote]
- p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}"
+
+ if !Rails.configuration.Login.LoginCluster.empty? and Rails.configuration.Login.LoginCluster != Rails.configuration.ClusterID
+ host = ApiClientAuthorization.remote_host(uuid_prefix: Rails.configuration.Login.LoginCluster)
+ if not host
+ raise "LoginCluster #{Rails.configuration.Login.LoginCluster} missing from RemoteClusters"
+ end
+ scheme = "https"
+ cluster = Rails.configuration.RemoteClusters[Rails.configuration.Login.LoginCluster]
+ if cluster and cluster['Scheme'] and !cluster['Scheme'].empty?
+ scheme = cluster['Scheme']
+ end
+ login_cluster = "#{scheme}://#{host}"
+ p << "remote=#{CGI.escape(params[:remote])}" if params[:remote]
+ p << "return_to=#{CGI.escape(params[:return_to])}" if params[:return_to]
+ redirect_to "#{login_cluster}/login?#{p.join('&')}"
+ else
+ if params[:return_to]
+ # Encode remote param inside callback's return_to, so that we'll get it on
+ # create() after login.
+ remote_param = params[:remote].nil? ? '' : params[:remote]
+ p << "return_to=#{CGI.escape(remote_param + ',' + params[:return_to])}"
+ end
+ redirect_to "/auth/joshid?#{p.join('&')}"
end
- redirect_to "/auth/joshid?#{p.join('&')}"
end
def send_api_token_to(callback_url, user, remote=nil)
end
def self.remote_host(uuid_prefix:)
- (Rails.configuration.RemoteClusters[uuid_prefix].andand.Host) ||
- (Rails.configuration.RemoteClusters["*"].Proxy &&
+ (Rails.configuration.RemoteClusters[uuid_prefix].andand["Host"]) ||
+ (Rails.configuration.RemoteClusters["*"]["Proxy"] &&
uuid_prefix+".arvadosapi.com")
end
+ def self.make_http_client
+ clnt = HTTPClient.new
+ if Rails.configuration.TLS.Insecure
+ clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ else
+ # Use system CA certificates
+ ["/etc/ssl/certs/ca-certificates.crt",
+ "/etc/pki/tls/certs/ca-bundle.crt"]
+ .select { |ca_path| File.readable?(ca_path) }
+ .each { |ca_path| clnt.ssl_config.add_trust_ca(ca_path) }
+ end
+ clnt
+ end
+
def self.validate(token:, remote: nil)
return nil if !token
remote ||= Rails.configuration.ClusterID
case token[0..2]
when 'v2/'
- _, uuid, secret, optional = token.split('/')
- unless uuid.andand.length == 27 && secret.andand.length.andand > 0
+ _, token_uuid, secret, optional = token.split('/')
+ unless token_uuid.andand.length == 27 && secret.andand.length.andand > 0
return nil
end
# matches expections.
c = Container.where(uuid: optional).first
if !c.nil?
- if !c.auth_uuid.nil? and c.auth_uuid != uuid
+ if !c.auth_uuid.nil? and c.auth_uuid != token_uuid
# token doesn't match the container's token
return nil
end
- if !c.runtime_token.nil? and "v2/#{uuid}/#{secret}" != c.runtime_token
+ if !c.runtime_token.nil? and "v2/#{token_uuid}/#{secret}" != c.runtime_token
# token doesn't match the container's token
return nil
end
end
end
+ # fast path: look up the token in the local database
auth = ApiClientAuthorization.
includes(:user, :api_client).
- where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', uuid).
+ where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token_uuid).
first
if auth && auth.user &&
(secret == auth.api_token ||
secret == OpenSSL::HMAC.hexdigest('sha1', auth.api_token, remote))
+ # found it
return auth
end
- uuid_prefix = uuid[0..4]
- if uuid_prefix == Rails.configuration.ClusterID
- # If the token were valid, we would have validated it above
+ token_uuid_prefix = token_uuid[0..4]
+ if token_uuid_prefix == Rails.configuration.ClusterID
+ # Token is supposedly issued by local cluster, but if the
+ # token were valid, we would have been found in the database
+ # in the above query.
return nil
- elsif uuid_prefix.length != 5
+ elsif token_uuid_prefix.length != 5
# malformed
return nil
end
- host = remote_host(uuid_prefix: uuid_prefix)
+ # Invariant: token_uuid_prefix != Rails.configuration.ClusterID
+ #
+ # In other words the remaing code in this method below is the
+ # case that determines whether to accept a token that was issued
+ # by a remote cluster when the token absent or expired in our
+ # database. To begin, we need to ask the cluster that issued
+ # the token to [re]validate it.
+ clnt = ApiClientAuthorization.make_http_client
+
+ host = remote_host(uuid_prefix: token_uuid_prefix)
if !host
- Rails.logger.warn "remote authentication rejected: no host for #{uuid_prefix.inspect}"
+ Rails.logger.warn "remote authentication rejected: no host for #{token_uuid_prefix.inspect}"
return nil
end
- # Token was issued by a different cluster. If it's expired or
- # missing in our database, ask the originating cluster to
- # [re]validate it.
begin
- clnt = HTTPClient.new
- if Rails.configuration.TLS.Insecure
- clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
- else
- # Use system CA certificates
- ["/etc/ssl/certs/ca-certificates.crt",
- "/etc/pki/tls/certs/ca-bundle.crt"]
- .select { |ca_path| File.readable?(ca_path) }
- .each { |ca_path| clnt.ssl_config.add_trust_ca(ca_path) }
- end
remote_user = SafeJSON.load(
clnt.get_content('https://' + host + '/arvados/v1/users/current',
{'remote' => Rails.configuration.ClusterID},
Rails.logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
return nil
end
- if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String) || remote_user['uuid'][0..4] != uuid[0..4]
+
+ # Check the response is well formed.
+ if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String)
Rails.logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
return nil
end
- act_as_system_user do
- # Add/update user and token in our database so we can
- # validate subsequent requests faster.
-
- user = User.find_or_create_by(uuid: remote_user['uuid']) do |user|
- # (this block runs for the "create" case, not for "find")
- user.is_admin = false
- user.email = remote_user['email']
- if remote_user['username'].andand.length.andand > 0
- user.set_initial_username(requested: remote_user['username'])
- end
- end
+ remote_user_prefix = remote_user['uuid'][0..4]
+
+ # Clusters can only authenticate for their own users.
+ if remote_user_prefix != token_uuid_prefix
+ Rails.logger.warn "remote authentication rejected: claimed remote user #{remote_user_prefix} but token was issued by #{token_uuid_prefix}"
+ return nil
+ end
+
+ # Invariant: remote_user_prefix == token_uuid_prefix
+ # therefore: remote_user_prefix != Rails.configuration.ClusterID
+
+ # Add or update user and token in local database so we can
+ # validate subsequent requests faster.
+
+ user = User.find_by_uuid(remote_user['uuid'])
+
+ if !user
+ # Create a new record for this user.
+ user = User.new(uuid: remote_user['uuid'],
+ is_active: false,
+ is_admin: false,
+ email: remote_user['email'],
+ owner_uuid: system_user_uuid)
+ user.set_initial_username(requested: remote_user['username'])
+ end
+
+ # Sync user record.
+ if remote_user_prefix == Rails.configuration.Login.LoginCluster
+ # Remote cluster controls our user database, copy both
+ # 'is_active' and 'is_admin'
+ user.is_active = remote_user['is_active']
+ user.is_admin = remote_user['is_admin']
+ else
if Rails.configuration.Users.NewUsersAreActive ||
- Rails.configuration.RemoteClusters[remote_user['uuid'][0..4]].andand["ActivateUsers"]
- # Update is_active to whatever it is at the remote end
+ Rails.configuration.RemoteClusters[remote_user_prefix].andand["ActivateUsers"]
+ # Default policy is to activate users, so match activate
+ # with the remote record.
user.is_active = remote_user['is_active']
elsif !remote_user['is_active']
- # Remote user is inactive; our mirror should be, too.
+ # Deactivate user if the remote is inactive, otherwise don't
+ # change 'is_active'.
user.is_active = false
end
+ end
- %w[first_name last_name email prefs].each do |attr|
- user.send(attr+'=', remote_user[attr])
- end
+ %w[first_name last_name email prefs].each do |attr|
+ user.send(attr+'=', remote_user[attr])
+ end
+ act_as_system_user do
user.save!
- auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
+ # We will accept this token (and avoid reloading the user
+ # record) for 'RemoteTokenRefresh' (default 5 minutes).
+ # Possible todo:
+ # Request the actual api_client_auth record from the remote
+ # server in case it wants the token to expire sooner.
+ auth = ApiClientAuthorization.find_or_create_by(uuid: token_uuid) do |auth|
auth.user = user
- auth.api_token = secret
auth.api_client_id = 0
end
-
- # Accept this token (and don't reload the user record) for
- # 5 minutes. TODO: Request the actual api_client_auth
- # record from the remote server in case it wants the token
- # to expire sooner.
auth.update_attributes!(user: user,
api_token: secret,
api_client_id: 0,
- expires_at: Time.now + 5.minutes)
+ expires_at: Time.now + Rails.configuration.Login.RemoteTokenRefresh)
end
return auth
else
+ # token is not a 'v2' token
auth = ApiClientAuthorization.
- includes(:user, :api_client).
- where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token).
- first
+ includes(:user, :api_client).
+ where('api_token=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', token).
+ first
if auth && auth.user
return auth
end
end
+
return nil
end
# Finalize the container request after the container has
# finished/cancelled.
def finalize!
- update_collections(container: Container.find_by_uuid(container_uuid))
+ container = Container.find_by_uuid(container_uuid)
+ update_collections(container: container)
+
+ if container.state == Container::Complete
+ log_col = Collection.where(portable_data_hash: container.log).first
+ if log_col
+ # Need to save collection
+ completed_coll = Collection.new(
+ owner_uuid: self.owner_uuid,
+ name: "Container log for container #{container_uuid}",
+ properties: {
+ 'type' => 'log',
+ 'container_request' => self.uuid,
+ 'container_uuid' => container_uuid,
+ },
+ portable_data_hash: log_col.portable_data_hash,
+ manifest_text: log_col.manifest_text)
+ completed_coll.save_with_unique_name!
+ end
+ end
+
update_attributes!(state: Final)
end
end
if out_type == "log"
+ # Copy the log into a merged collection
src = Arv::Collection.new(manifest)
dst = Arv::Collection.new(coll.manifest_text)
dst.cp_r("./", ".", src)
include KindAndEtag
include CommonApiTemplate
include CanBeAnOwner
+ extend CurrentApiClient
serialize :prefs, Hash
has_many :api_client_authorizations
end
end
+ def redirects_to
+ user = self
+ redirects = 0
+ while (uuid = user.redirect_to_user_uuid)
+ user = User.unscoped.find_by_uuid(uuid)
+ if !user
+ raise Exception.new("user uuid #{user.uuid} redirects to nonexistent uuid #{uuid}")
+ end
+ redirects += 1
+ if redirects > 15
+ raise "Starting from #{self.uuid} redirect_to_user_uuid exceeded maximum number of redirects"
+ end
+ end
+ user
+ end
+
+ def self.register info
+ # login info expected fields, all can be optional but at minimum
+ # must supply either 'identity_url' or 'email'
+ #
+ # email
+ # first_name
+ # last_name
+ # username
+ # alternate_emails
+ # identity_url
+
+ info = info.with_indifferent_access
+
+ primary_user = nil
+
+ # local database
+ identity_url = info['identity_url']
+
+ if identity_url && identity_url.length > 0
+ # Only local users can create sessions, hence uuid_like_pattern
+ # here.
+ user = User.unscoped.where('identity_url = ? and uuid like ?',
+ identity_url,
+ User.uuid_like_pattern).first
+ primary_user = user.redirects_to if user
+ end
+
+ if !primary_user
+ # identity url is unset or didn't find matching record.
+ emails = [info['email']] + (info['alternate_emails'] || [])
+ emails.select! {|em| !em.nil? && !em.empty?}
+
+ User.unscoped.where('email in (?) and uuid like ?',
+ emails,
+ User.uuid_like_pattern).each do |user|
+ if !primary_user
+ primary_user = user.redirects_to
+ elsif primary_user.uuid != user.redirects_to.uuid
+ raise "Ambigious email address, directs to both #{primary_user.uuid} and #{user.redirects_to.uuid}"
+ end
+ end
+ end
+
+ if !primary_user
+ # New user registration
+ primary_user = User.new(:owner_uuid => system_user_uuid,
+ :is_admin => false,
+ :is_active => Rails.configuration.Users.NewUsersAreActive)
+
+ primary_user.set_initial_username(requested: info['username']) if info['username']
+ primary_user.identity_url = info['identity_url'] if identity_url
+ end
+
+ primary_user.email = info['email'] if info['email']
+ primary_user.first_name = info['first_name'] if info['first_name']
+ primary_user.last_name = info['last_name'] if info['last_name']
+
+ if (!primary_user.email or primary_user.email.empty?) and (!primary_user.identity_url or primary_user.identity_url.empty?)
+ raise "Must have supply at least one of 'email' or 'identity_url' to User.register"
+ end
+
+ act_as_system_user do
+ primary_user.save!
+ end
+
+ primary_user
+ end
+
protected
def change_all_uuid_refs(old_uuid:, new_uuid:)
end
def permission_to_update
- if username_changed? || redirect_to_user_uuid_changed?
+ if username_changed? || redirect_to_user_uuid_changed? || email_changed?
current_user.andand.is_admin
else
# users must be able to update themselves (even if they are
arvcfg.declare_config "Users.NewInactiveUserNotificationRecipients", Hash, :new_inactive_user_notification_recipients, method(:arrayToHash)
arvcfg.declare_config "Login.ProviderAppSecret", NonemptyString, :sso_app_secret
arvcfg.declare_config "Login.ProviderAppID", NonemptyString, :sso_app_id
+arvcfg.declare_config "Login.LoginCluster", String
+arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
arvcfg.declare_config "Services.SSO.ExternalURL", NonemptyString, :sso_provider_url
arvcfg.declare_config "AuditLogs.MaxAge", ActiveSupport::Duration, :max_audit_log_age
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+class EnforceUniqueIdentityUrl < ActiveRecord::Migration[5.0]
+ def change
+ add_index :users, [:identity_url], :unique => true
+ end
+end
CREATE INDEX index_users_on_created_at ON public.users USING btree (created_at);
+--
+-- Name: index_users_on_identity_url; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE UNIQUE INDEX index_users_on_identity_url ON public.users USING btree (identity_url);
+
+
--
-- Name: index_users_on_modified_at; Type: INDEX; Schema: public; Owner: -
--
('20190422144631'),
('20190523180148'),
('20190808145904'),
-('20190809135453');
+('20190809135453'),
+('20190905151603');
email: zbbbb-active-user@arvados.local
first_name: Active
last_name: User
- identity_url: https://active-user.openid.local
+ identity_url: https://federated-active-user.openid.local
is_active: true
is_admin: false
username: federatedactive
email: spectator@arvados.local
first_name: Spect
last_name: Ator
- identity_url: https://spectator.openid.local
+ identity_url: https://container_runtime_token_user.openid.local
is_active: true
is_admin: false
username: containerruntimetokenuser
email: jobber@arvados.local
first_name: Job
last_name: Er
- identity_url: https://spectator.openid.local
+ identity_url: https://job_reader.openid.local
is_active: true
is_admin: false
username: jobber
email: fuse@arvados.local
first_name: FUSE
last_name: User
- identity_url: https://fuse.openid.local
+ identity_url: https://permission_perftest.openid.local
is_active: true
is_admin: false
username: perftest
class UserSessionsControllerTest < ActionController::TestCase
- test "new user from new api client" do
+ test "redirect to joshid" do
+ api_client_page = 'http://client.example.com/home'
+ get :login, params: {return_to: api_client_page}
+ assert_response :redirect
+ assert_equal("http://test.host/auth/joshid?return_to=%2Chttp%3A%2F%2Fclient.example.com%2Fhome", @response.redirect_url)
+ assert_nil assigns(:api_client)
+ end
+
+
+ test "send token when user is already logged in" do
authorize_with :inactive
api_client_page = 'http://client.example.com/home'
get :login, params: {return_to: api_client_page}
get :login, params: {return_to: api_client_page, remote: remote_prefix}
assert_response 400
end
+
+ test "login to LoginCluster" do
+ Rails.configuration.Login.LoginCluster = 'zbbbb'
+ Rails.configuration.RemoteClusters['zbbbb'] = {'Host' => 'zbbbb.example.com'}
+ api_client_page = 'http://client.example.com/home'
+ get :login, params: {return_to: api_client_page}
+ assert_response :redirect
+ assert_equal("https://zbbbb.example.com/login?return_to=http%3A%2F%2Fclient.example.com%2Fhome", @response.redirect_url)
+ assert_nil assigns(:api_client)
+ end
+
+ test "don't go into redirect loop if LoginCluster is self" do
+ Rails.configuration.Login.LoginCluster = 'zzzzz'
+ api_client_page = 'http://client.example.com/home'
+ get :login, params: {return_to: api_client_page}
+ assert_response :redirect
+ assert_equal("http://test.host/auth/joshid?return_to=%2Chttp%3A%2F%2Fclient.example.com%2Fhome", @response.redirect_url)
+ assert_nil assigns(:api_client)
+ end
+
end
@controller = Arvados::V1::UsersController.new
ready = Thread::Queue.new
- srv = WEBrick::HTTPServer.new(
- Port: 0,
- Logger: WEBrick::Log.new(
- Rails.root.join("log", "webrick.log").to_s,
- WEBrick::Log::INFO),
- AccessLog: [[File.open(Rails.root.join(
- "log", "webrick_access.log").to_s, 'a+'),
- WEBrick::AccessLog::COMBINED_LOG_FORMAT]],
- SSLEnable: true,
- SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
- SSLPrivateKey: OpenSSL::PKey::RSA.new(
- File.open(Rails.root.join("tmp", "self-signed.key")).read),
- SSLCertificate: OpenSSL::X509::Certificate.new(
- File.open(Rails.root.join("tmp", "self-signed.pem")).read),
- SSLCertName: [["CN", WEBrick::Utils::getservername]],
- StartCallback: lambda { ready.push(true) })
- srv.mount_proc '/discovery/v1/apis/arvados/v1/rest' do |req, res|
- Rails.cache.delete 'arvados_v1_rest_discovery'
- res.body = Arvados::V1::SchemaController.new.send(:discovery_doc).to_json
- end
- srv.mount_proc '/arvados/v1/users/current' do |req, res|
- res.status = @stub_status
- res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json
- end
- Thread.new do
- srv.start
+
+ @remote_server = []
+ @remote_host = []
+
+ ['zbbbb', 'zbork'].each do |clusterid|
+ srv = WEBrick::HTTPServer.new(
+ Port: 0,
+ Logger: WEBrick::Log.new(
+ Rails.root.join("log", "webrick.log").to_s,
+ WEBrick::Log::INFO),
+ AccessLog: [[File.open(Rails.root.join(
+ "log", "webrick_access.log").to_s, 'a+'),
+ WEBrick::AccessLog::COMBINED_LOG_FORMAT]],
+ SSLEnable: true,
+ SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
+ SSLPrivateKey: OpenSSL::PKey::RSA.new(
+ File.open(Rails.root.join("tmp", "self-signed.key")).read),
+ SSLCertificate: OpenSSL::X509::Certificate.new(
+ File.open(Rails.root.join("tmp", "self-signed.pem")).read),
+ SSLCertName: [["CN", WEBrick::Utils::getservername]],
+ StartCallback: lambda { ready.push(true) })
+ srv.mount_proc '/discovery/v1/apis/arvados/v1/rest' do |req, res|
+ Rails.cache.delete 'arvados_v1_rest_discovery'
+ res.body = Arvados::V1::SchemaController.new.send(:discovery_doc).to_json
+ end
+ srv.mount_proc '/arvados/v1/users/current' do |req, res|
+ if clusterid == 'zbbbb' and req.header['authorization'][0][10..14] == 'zbork'
+ # asking zbbbb about zbork should yield an error, zbbbb doesn't trust zbork
+ res.status = 401
+ return
+ end
+ res.status = @stub_status
+ res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json
+ end
+ Thread.new do
+ srv.start
+ end
+ ready.pop
+ @remote_server << srv
+ @remote_host << "127.0.0.1:#{srv.config[:Port]}"
end
- ready.pop
- @remote_server = srv
- @remote_host = "127.0.0.1:#{srv.config[:Port]}"
- Rails.configuration.RemoteClusters = Rails.configuration.RemoteClusters.merge({zbbbb: ActiveSupport::InheritableOptions.new({Host: @remote_host}),
- zbork: ActiveSupport::InheritableOptions.new({Host: @remote_host})})
- Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host}"
+ Rails.configuration.RemoteClusters = Rails.configuration.RemoteClusters.merge({zbbbb: ActiveSupport::InheritableOptions.new({Host: @remote_host[0]}),
+ zbork: ActiveSupport::InheritableOptions.new({Host: @remote_host[1]})})
+ Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host[0]}"
@stub_status = 200
@stub_content = {
uuid: 'zbbbb-tpzed-000000000000000',
end
teardown do
- @remote_server.andand.stop
+ @remote_server.each do |srv|
+ srv.stop
+ end
end
test 'authenticate with remote token' do
assert_equal 'foo', json_response['username']
end
- test 'authenticate with remote token from misbhehaving remote cluster' do
+ test 'authenticate with remote token from misbehaving remote cluster' do
get '/arvados/v1/users/current',
params: {format: 'json'},
headers: auth(remote: 'zbork')
assert_equal 'barney', json_response['username']
end
+ test 'get user from Login cluster' do
+ Rails.configuration.Login.LoginCluster = 'zbbbb'
+ get '/arvados/v1/users/current',
+ params: {format: 'json'},
+ headers: auth(remote: 'zbbbb')
+ assert_response :success
+ assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
+ assert_equal true, json_response['is_admin']
+ assert_equal true, json_response['is_active']
+ assert_equal 'foo@example.com', json_response['email']
+ assert_equal 'barney', json_response['username']
+ end
+
test 'pre-activate remote user' do
+ @stub_content = {
+ uuid: 'zbbbb-tpzed-000000000001234',
+ email: 'foo@example.com',
+ username: 'barney',
+ is_admin: true,
+ is_active: true,
+ }
+
post '/arvados/v1/users',
params: {
"user" => {
- "uuid" => "zbbbb-tpzed-000000000000000",
+ "uuid" => "zbbbb-tpzed-000000000001234",
"email" => 'foo@example.com',
"username" => 'barney',
- "is_active" => true
+ "is_active" => true,
+ "is_admin" => false
}
},
headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"}
params: {format: 'json'},
headers: auth(remote: 'zbbbb')
assert_response :success
- assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
- assert_equal nil, json_response['is_admin']
+ assert_equal 'zbbbb-tpzed-000000000001234', json_response['uuid']
+ assert_equal false, json_response['is_admin']
assert_equal true, json_response['is_active']
assert_equal 'foo@example.com', json_response['email']
assert_equal 'barney', json_response['username']
end
+
+ test 'remote user inactive without pre-activation' do
+ @stub_content = {
+ uuid: 'zbbbb-tpzed-000000000001234',
+ email: 'foo@example.com',
+ username: 'barney',
+ is_admin: true,
+ is_active: true,
+ }
+
+ get '/arvados/v1/users/current',
+ params: {format: 'json'},
+ headers: auth(remote: 'zbbbb')
+ assert_response :success
+ assert_equal 'zbbbb-tpzed-000000000001234', json_response['uuid']
+ assert_equal false, json_response['is_admin']
+ assert_equal false, json_response['is_active']
+ assert_equal 'foo@example.com', json_response['email']
+ assert_equal 'barney', json_response['username']
+ end
+
test "validate unsalted v2 token for remote cluster zbbbb" do
auth = api_client_authorizations(:active)
token = "v2/#{auth.uuid}/#{auth.api_token}"
assert_response(:success)
assert_equal(project_uuid, json_response['owner_uuid'])
end
+
+ test 'pre-activate user' do
+ post '/arvados/v1/users',
+ params: {
+ "user" => {
+ "email" => 'foo@example.com',
+ "is_active" => true,
+ "username" => "barney"
+ }
+ },
+ headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"}
+ assert_response :success
+ rp = json_response
+ assert_not_nil rp["uuid"]
+ assert_not_nil rp["is_active"]
+ assert_nil rp["is_admin"]
+
+ get "/arvados/v1/users/#{rp['uuid']}",
+ params: {format: 'json'},
+ headers: auth(:admin)
+ assert_response :success
+ assert_equal rp["uuid"], json_response['uuid']
+ assert_nil json_response['is_admin']
+ assert_equal true, json_response['is_active']
+ assert_equal 'foo@example.com', json_response['email']
+ assert_equal 'barney', json_response['username']
+ end
+
end
set_user_from_auth :active
cr1 = create_minimal_req!(common_attrs.merge({state: ContainerRequest::Committed,
environment: env1}))
+ run_container(cr1)
+ cr1.reload
if use_existing.nil?
# Testing with use_existing default value
cr2 = create_minimal_req!(common_attrs.merge({state: ContainerRequest::Uncommitted,
def run_container(cr)
act_as_system_user do
+ logc = Collection.new(owner_uuid: system_user_uuid,
+ manifest_text: ". ef772b2f28e2c8ca84de45466ed19ee9+7815 0:0:arv-mount.txt\n")
+ logc.save!
+
c = Container.find_by_uuid(cr.container_uuid)
c.update_attributes!(state: Container::Locked)
c.update_attributes!(state: Container::Running)
c.update_attributes!(state: Container::Complete,
exit_code: 0,
output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45',
- log: 'fa7aeb5140e2848d39b416daeef4ffc5+45')
+ log: logc.portable_data_hash)
+ logc.destroy
c
end
end
end
end
end
+
+ test "lookup user by email" do
+ u = User.register({"email" => "active-user@arvados.local", "identity_url" => "different-identity-url"})
+ active = User.find_by_uuid(users(:active).uuid)
+ assert_equal active.uuid, u.uuid
+ assert_equal "active-user@arvados.local", active.email
+ # identity_url is not updated
+ assert_equal "https://active-user.openid.local", active.identity_url
+ end
+
+ test "lookup user by alternate email" do
+ # register method will find that active-user@arvados.local already
+ # exists and return existing 'active' user.
+ u = User.register({"email" => "user@parent-company.com",
+ "alternate_emails" => ["active-user@arvados.local"],
+ "identity_url" => "different-identity-url"})
+ active = User.find_by_uuid(users(:active).uuid)
+ assert_equal active.uuid, u.uuid
+
+ # email should be updated
+ assert_equal "user@parent-company.com", active.email
+
+ # identity_url is not updated
+ assert_equal "https://active-user.openid.local", active.identity_url
+ end
+
+ test "register new user" do
+ u = User.register({"email" => "never-before-seen-user@arvados.local",
+ "identity_url" => "different-identity-url",
+ "first_name" => "Robert",
+ "last_name" => "Baratheon",
+ "username" => "bobby"})
+ nbs = User.find_by_uuid(u.uuid)
+ assert_equal nbs.uuid, u.uuid
+ assert_equal "different-identity-url", nbs.identity_url
+ assert_equal "never-before-seen-user@arvados.local", nbs.email
+ assert_equal false, nbs.is_admin
+ assert_equal false , nbs.is_active
+ assert_equal "bobby", nbs.username
+ assert_equal "Robert", nbs.first_name
+ assert_equal "Baratheon", nbs.last_name
+ end
+
+ test "fail when email address is ambigious" do
+ User.register({"email" => "active-user@arvados.local"})
+ u = User.register({"email" => "never-before-seen-user@arvados.local"})
+ u.email = "active-user@arvados.local"
+ act_as_system_user do
+ u.save!
+ end
+ assert_raises do
+ User.register({"email" => "active-user@arvados.local"})
+ end
+ end
+
+ test "fail lookup without identifiers" do
+ assert_raises do
+ User.register({"first_name" => "Robert", "last_name" => "Baratheon"})
+ end
+ assert_raises do
+ User.register({"first_name" => "Robert", "last_name" => "Baratheon", "identity_url" => "", "email" => ""})
+ end
+ end
+
+ test "user can update name" do
+ set_user_from_auth :active
+ user = users(:active)
+ user.first_name = "MyNewName"
+ assert user.save
+ end
+
+ test "user cannot update email" do
+ set_user_from_auth :active
+ user = users(:active)
+ user.email = "new-name@example.com"
+ assert_not_allowed { user.save }
+ end
+
+ test "admin can update email" do
+ set_user_from_auth :admin
+ user = users(:active)
+ user.email = "new-name@example.com"
+ assert user.save
+ end
+
end
PATH
remote: .
specs:
- arvados-login-sync (1.4.0.20190709140013)
+ arvados-login-sync (1.4.0.20190729193732)
arvados (~> 1.3.0, >= 1.3.0)
GEM
mocha (1.8.0)
metaclass (~> 0.0.1)
multi_json (1.13.1)
- multipart-post (2.0.0)
- os (1.0.0)
- public_suffix (3.0.3)
+ multipart-post (2.1.1)
+ os (1.0.1)
+ public_suffix (3.1.1)
rake (12.3.2)
retriable (1.4.1)
signet (0.11.0)
"ignore": "test",
"package": [
{
- "checksumSHA1": "j4je0EzPGzjb6INLY1BHZ+hyMjc=",
+ "checksumSHA1": "jfYWZyRWLMfG0J5K7G2K8a9AKfs=",
"origin": "github.com/curoverse/goamz/aws",
"path": "github.com/AdRoll/goamz/aws",
- "revision": "888b4804f2653cd35ebcc95f046079e63b5b2799",
- "revisionTime": "2017-07-27T13:52:37Z"
+ "revision": "1bba09f407ef1d02c90bc37eff7e91e2231fa587",
+ "revisionTime": "2019-09-05T14:15:25Z"
},
{
- "checksumSHA1": "0+n3cT6e7sQCCbBAH8zg6neiHTk=",
+ "checksumSHA1": "lqoARtBgwnvhEhLyIjR3GLnR5/c=",
"origin": "github.com/curoverse/goamz/s3",
"path": "github.com/AdRoll/goamz/s3",
- "revision": "888b4804f2653cd35ebcc95f046079e63b5b2799",
- "revisionTime": "2017-07-27T13:52:37Z"
+ "revision": "1bba09f407ef1d02c90bc37eff7e91e2231fa587",
+ "revisionTime": "2019-09-05T14:15:25Z"
},
{
"checksumSHA1": "tvxbsTkdjB0C/uxEglqD6JfVnMg=",
"origin": "github.com/curoverse/goamz/s3/s3test",
"path": "github.com/AdRoll/goamz/s3/s3test",
- "revision": "888b4804f2653cd35ebcc95f046079e63b5b2799",
- "revisionTime": "2017-07-27T13:52:37Z"
+ "revision": "1bba09f407ef1d02c90bc37eff7e91e2231fa587",
+ "revisionTime": "2019-09-05T14:15:25Z"
},
{
"checksumSHA1": "KF4DsRUpZ+h+qRQ/umRAQZfVvw0=",