# Set current_user etc. based on the primary session token if a
# valid one is present. Otherwise, use the first valid token in
# reader_tokens.
+ accepted = false
auth = nil
[params["api_token"],
params["oauth_token"],
validate(token: supplied, remote: remote)
if try_auth.andand.user
auth = try_auth
+ accepted = supplied
break
end
end
Thread.current[:api_client_authorization] = auth
Thread.current[:api_client_uuid] = auth.andand.api_client.andand.uuid
Thread.current[:api_client] = auth.andand.api_client
+ Thread.current[:token] = accepted
Thread.current[:user] = auth.andand.user
@app.call env if @app
# Check permissions on the collection manifest.
# If any signature cannot be verified, raise PermissionDeniedError
# which will return 403 Permission denied to the client.
- api_token = current_api_client_authorization.andand.api_token
+ api_token = Thread.current[:token]
signing_opts = {
api_token: api_token,
now: @validation_timestamp.to_i,
elsif is_trashed
return manifest_text
else
- token = current_api_client_authorization.andand.api_token
+ token = Thread.current[:token]
exp = [db_current_time.to_i + Rails.configuration.blob_signature_ttl,
trash_at].compact.map(&:to_i).min
self.class.sign_manifest manifest_text, token, exp
Rails.configuration.permit_create_collection_with_unsigned_manifest = isok
end
- def assert_signed_manifest manifest_text, label=''
+ def assert_signed_manifest manifest_text, label='', token: false
assert_not_nil manifest_text, "#{label} manifest_text was nil"
manifest_text.scan(/ [[:xdigit:]]{32}\S*/) do |tok|
assert_match(PERM_TOKEN_RE, tok,
"Locator in #{label} manifest_text was not signed")
+ if token
+ bare = tok.gsub(/\+A[^\+]*/, '').sub(/^ /, '')
+ exp = tok[/\+A[[:xdigit:]]+@([[:xdigit:]]+)/, 1].to_i(16)
+ sig = Blob.sign_locator(
+ bare,
+ key: Rails.configuration.blob_signing_key,
+ expire: exp,
+ api_token: token)[/\+A[^\+]*/, 0]
+ assert_includes tok, sig
+ end
end
end
refute_includes json_response, 'unsigned_manifest_text'
end
+ ['v1token', 'v2token'].each do |token_method|
+ test "correct signatures are given for #{token_method}" do
+ token = api_client_authorizations(:active).send(token_method)
+ authorize_with_token token
+ get :show, {id: collections(:foo_file).uuid}
+ assert_response :success
+ assert_signed_manifest json_response['manifest_text'], 'foo_file', token: token
+ end
+
+ test "signatures with #{token_method} are accepted" do
+ token = api_client_authorizations(:active).send(token_method)
+ signed = Blob.sign_locator(
+ 'acbd18db4cc2f85cedef654fccc4a4d8+3',
+ key: Rails.configuration.blob_signing_key,
+ api_token: token)
+ authorize_with_token token
+ put :update, {
+ id: collections(:collection_owned_by_active).uuid,
+ collection: {
+ manifest_text: ". #{signed} 0:3:foo.txt\n",
+ },
+ }
+ assert_response :success
+ assert_signed_manifest json_response['manifest_text'], 'updated', token: token
+ end
+ end
+
test "index with manifest_text selected returns signed locators" do
columns = %w(uuid owner_uuid manifest_text)
authorize_with :active
Thread.current[:api_client_authorization] = nil
Thread.current[:api_client_uuid] = nil
Thread.current[:api_client] = nil
+ Thread.current[:token] = nil
Thread.current[:user] = nil
restore_configuration
end
Thread.current[:api_client_authorization] = client_auth
Thread.current[:api_client] = client_auth.api_client
Thread.current[:user] = client_auth.user
+ Thread.current[:token] = client_auth.token
end
def expect_json
Thread.current[:api_client_authorization] = nil
Thread.current[:api_client_uuid] = nil
Thread.current[:api_client] = nil
+ Thread.current[:token] = nil
Thread.current[:user] = nil
end
end
projects / arvados.git / commitdiff