type oldKeepWebConfig struct {
Client *arvados.Client
- Listen string
+ Listen *string
- AnonymousTokens []string
- AttachmentOnlyHost string
- TrustAllContent bool
+ AnonymousTokens *[]string
+ AttachmentOnlyHost *string
+ TrustAllContent *bool
Cache struct {
- TTL arvados.Duration
- UUIDTTL arvados.Duration
- MaxCollectionEntries int
- MaxCollectionBytes int64
- MaxPermissionEntries int
- MaxUUIDEntries int
+ TTL *arvados.Duration
+ UUIDTTL *arvados.Duration
+ MaxCollectionEntries *int
+ MaxCollectionBytes *int64
+ MaxPermissionEntries *int
+ MaxUUIDEntries *int
}
// Hack to support old command line flag, which is a bool
// meaning "get actual token from environment".
- deprecatedAllowAnonymous bool
+ deprecatedAllowAnonymous *bool
// Authorization token to be included in all health check requests.
- ManagementToken string
+ ManagementToken *string
}
func (ldr *Loader) loadOldKeepWebConfig(cfg *arvados.Config) error {
loadOldClientConfig(cluster, oc.Client)
- cluster.Services.WebDAV.InternalURLs[arvados.URL{Host: oc.Listen}] = arvados.ServiceInstance{}
- cluster.Services.WebDAVDownload.InternalURLs[arvados.URL{Host: oc.Listen}] = arvados.ServiceInstance{}
- cluster.Services.WebDAVDownload.ExternalURL = arvados.URL{Host: oc.AttachmentOnlyHost}
- cluster.TLS.Insecure = oc.Client.Insecure
- cluster.ManagementToken = oc.ManagementToken
- cluster.Collections.TrustAllContent = oc.TrustAllContent
- cluster.Collections.WebDAVCache.TTL = oc.Cache.TTL
- cluster.Collections.WebDAVCache.UUIDTTL = oc.Cache.UUIDTTL
- cluster.Collections.WebDAVCache.MaxCollectionEntries = oc.Cache.MaxCollectionEntries
- cluster.Collections.WebDAVCache.MaxCollectionBytes = oc.Cache.MaxCollectionBytes
- cluster.Collections.WebDAVCache.MaxPermissionEntries = oc.Cache.MaxPermissionEntries
- cluster.Collections.WebDAVCache.MaxUUIDEntries = oc.Cache.MaxUUIDEntries
- if len(oc.AnonymousTokens) > 0 {
- cluster.Users.AnonymousUserToken = oc.AnonymousTokens[0]
- if len(oc.AnonymousTokens) > 1 {
- ldr.Logger.Warn("More than 1 anonymous tokens configured, using only the first and discarding the rest.")
+ if oc.Listen != nil {
+ cluster.Services.WebDAV.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
+ cluster.Services.WebDAVDownload.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
+ }
+ if oc.AttachmentOnlyHost != nil {
+ cluster.Services.WebDAVDownload.ExternalURL = arvados.URL{Host: *oc.AttachmentOnlyHost}
+ }
+ if oc.ManagementToken != nil {
+ cluster.ManagementToken = *oc.ManagementToken
+ }
+ if oc.TrustAllContent != nil {
+ cluster.Collections.TrustAllContent = *oc.TrustAllContent
+ }
+ if oc.Cache.TTL != nil {
+ cluster.Collections.WebDAVCache.TTL = *oc.Cache.TTL
+ }
+ if oc.Cache.UUIDTTL != nil {
+ cluster.Collections.WebDAVCache.UUIDTTL = *oc.Cache.UUIDTTL
+ }
+ if oc.Cache.MaxCollectionEntries != nil {
+ cluster.Collections.WebDAVCache.MaxCollectionEntries = *oc.Cache.MaxCollectionEntries
+ }
+ if oc.Cache.MaxCollectionBytes != nil {
+ cluster.Collections.WebDAVCache.MaxCollectionBytes = *oc.Cache.MaxCollectionBytes
+ }
+ if oc.Cache.MaxPermissionEntries != nil {
+ cluster.Collections.WebDAVCache.MaxPermissionEntries = *oc.Cache.MaxPermissionEntries
+ }
+ if oc.Cache.MaxUUIDEntries != nil {
+ cluster.Collections.WebDAVCache.MaxUUIDEntries = *oc.Cache.MaxUUIDEntries
+ }
+ if oc.AnonymousTokens != nil {
+ if len(*oc.AnonymousTokens) > 0 {
+ cluster.Users.AnonymousUserToken = (*oc.AnonymousTokens)[0]
+ if len(*oc.AnonymousTokens) > 1 {
+ ldr.Logger.Warn("More than 1 anonymous tokens configured, using only the first and discarding the rest.")
+ }
}
}
type oldGitHttpdConfig struct {
Client *arvados.Client
- Listen string
- GitCommand string
- GitoliteHome string
- RepoRoot string
- ManagementToken string
+ Listen *string
+ GitCommand *string
+ GitoliteHome *string
+ RepoRoot *string
+ ManagementToken *string
}
func (ldr *Loader) loadOldGitHttpdConfig(cfg *arvados.Config) error {
loadOldClientConfig(cluster, oc.Client)
- cluster.Services.GitHTTP.InternalURLs[arvados.URL{Host: oc.Listen}] = arvados.ServiceInstance{}
- cluster.TLS.Insecure = oc.Client.Insecure
- cluster.ManagementToken = oc.ManagementToken
- cluster.Git.GitCommand = oc.GitCommand
- cluster.Git.GitoliteHome = oc.GitoliteHome
- cluster.Git.Repositories = oc.RepoRoot
+ if oc.Listen != nil {
+ cluster.Services.GitHTTP.InternalURLs[arvados.URL{Host: *oc.Listen}] = arvados.ServiceInstance{}
+ }
+ if oc.ManagementToken != nil {
+ cluster.ManagementToken = *oc.ManagementToken
+ }
+ if oc.GitCommand != nil {
+ cluster.Git.GitCommand = *oc.GitCommand
+ }
+ if oc.GitoliteHome != nil {
+ cluster.Git.GitoliteHome = *oc.GitoliteHome
+ }
+ if oc.RepoRoot != nil {
+ cluster.Git.Repositories = *oc.RepoRoot
+ }
cfg.Clusters[cluster.ClusterID] = *cluster
return nil
check "gopkg.in/check.v1"
)
+// Configured at: sdk/python/tests/run_test_server.py
+const TestServerManagementToken = "e687950a23c3a9bceec28c6223a06c79"
+
func testLoadLegacyConfig(content []byte, mungeFlag string, c *check.C) (*arvados.Cluster, error) {
tmpfile, err := ioutil.TempFile("", "example")
if err != nil {
c.Check(cluster.ManagementToken, check.Equals, "xyzzy")
}
+// Tests fix for https://dev.arvados.org/issues/15642
+func (s *LoadSuite) TestLegacyKeepWebConfigDoesntDisableMissingItems(c *check.C) {
+ content := []byte(`
+{
+ "Client": {
+ "Scheme": "",
+ "APIHost": "example.com",
+ "AuthToken": "abcdefg",
+ }
+}
+`)
+ cluster, err := testLoadLegacyConfig(content, "-legacy-keepweb-config", c)
+ c.Check(err, check.IsNil)
+ // The resulting ManagementToken should be the one set up on the test server.
+ c.Check(cluster.ManagementToken, check.Equals, TestServerManagementToken)
+}
+
func (s *LoadSuite) TestLegacyKeepproxyConfig(c *check.C) {
f := "-legacy-keepproxy-config"
content := []byte(fmtKeepproxyConfig("", true))
c.Check(cluster.Services.Keepproxy.InternalURLs[arvados.URL{Host: ":9000"}], check.Equals, arvados.ServiceInstance{})
}
+// Tests fix for https://dev.arvados.org/issues/15642
+func (s *LoadSuite) TestLegacyArvGitHttpdConfigDoesntDisableMissingItems(c *check.C) {
+ content := []byte(`
+{
+ "Client": {
+ "Scheme": "",
+ "APIHost": "example.com",
+ "AuthToken": "abcdefg",
+ }
+}
+`)
+ cluster, err := testLoadLegacyConfig(content, "-legacy-git-httpd-config", c)
+ c.Check(err, check.IsNil)
+ // The resulting ManagementToken should be the one set up on the test server.
+ c.Check(cluster.ManagementToken, check.Equals, TestServerManagementToken)
+}
+
func (s *LoadSuite) TestLegacyKeepBalanceConfig(c *check.C) {
f := "-legacy-keepbalance-config"
content := []byte(fmtKeepBalanceConfig(""))
BaseApiClient(ConfigProvider config) {
this.config = config;
- client = OkHttpClientFactory.builder()
- .build()
- .create(config.isApiHostInsecure());
+ this.client = OkHttpClientFactory.INSTANCE.create(config.isApiHostInsecure());
}
Request.Builder getRequestBuilder() {
package org.arvados.client.api.client.factory;
+import com.google.common.base.Suppliers;
import okhttp3.OkHttpClient;
import org.arvados.client.exception.ArvadosClientException;
import org.slf4j.Logger;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
+import java.util.function.Supplier;
-public class OkHttpClientFactory {
-
+/**
+ * {@link OkHttpClient} instance factory that builds and configures client instances sharing
+ * the common resource pool: this is the recommended approach to optimize resource usage.
+ */
+public final class OkHttpClientFactory {
+ public static final OkHttpClientFactory INSTANCE = new OkHttpClientFactory();
private final Logger log = org.slf4j.LoggerFactory.getLogger(OkHttpClientFactory.class);
+ private final OkHttpClient clientSecure = new OkHttpClient();
+ private final Supplier<OkHttpClient> clientUnsecure =
+ Suppliers.memoize(this::getDefaultClientAcceptingAllCertificates);
+
+ private OkHttpClientFactory() { /* singleton */}
- OkHttpClientFactory() {
+ public OkHttpClient create(boolean apiHostInsecure) {
+ return apiHostInsecure ? getDefaultUnsecureClient() : getDefaultClient();
}
- public static OkHttpClientFactoryBuilder builder() {
- return new OkHttpClientFactoryBuilder();
+ /**
+ * @return default secure {@link OkHttpClient} with shared resource pool.
+ */
+ public OkHttpClient getDefaultClient() {
+ return clientSecure;
}
- public OkHttpClient create(boolean apiHostInsecure) {
- OkHttpClient.Builder builder = new OkHttpClient.Builder();
- if (apiHostInsecure) {
- trustAllCertificates(builder);
- }
- return builder.build();
+ /**
+ * @return default {@link OkHttpClient} with shared resource pool
+ * that will accept all SSL certificates by default.
+ */
+ public OkHttpClient getDefaultUnsecureClient() {
+ return clientUnsecure.get();
+ }
+
+ /**
+ * @return default {@link OkHttpClient.Builder} with shared resource pool.
+ */
+ public OkHttpClient.Builder getDefaultClientBuilder() {
+ return clientSecure.newBuilder();
+ }
+
+ /**
+ * @return default {@link OkHttpClient.Builder} with shared resource pool
+ * that is preconfigured to accept all SSL certificates.
+ */
+ public OkHttpClient.Builder getDefaultUnsecureClientBuilder() {
+ return clientUnsecure.get().newBuilder();
}
- private void trustAllCertificates(OkHttpClient.Builder builder) {
+ private OkHttpClient getDefaultClientAcceptingAllCertificates() {
log.warn("Creating unsafe OkHttpClient. All SSL certificates will be accepted.");
try {
// Create a trust manager that does not validate certificate chains
- final TrustManager[] trustAllCerts = new TrustManager[] { createX509TrustManager() };
+ final TrustManager[] trustAllCerts = {createX509TrustManager()};
// Install the all-trusting trust manager
SSLContext sslContext = SSLContext.getInstance("SSL");
// Create an ssl socket factory with our all-trusting manager
final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
+ // Create the OkHttpClient.Builder with shared resource pool
+ final OkHttpClient.Builder builder = clientSecure.newBuilder();
builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);
builder.hostnameVerifier((hostname, session) -> true);
+ return builder.build();
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new ArvadosClientException("Error establishing SSL context", e);
}
private static X509TrustManager createX509TrustManager() {
return new X509TrustManager() {
-
+
@Override
- public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+ public void checkClientTrusted(X509Certificate[] chain, String authType) {
+ }
@Override
- public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+ public void checkServerTrusted(X509Certificate[] chain, String authType) {
+ }
@Override
public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[] {};
+ return new X509Certificate[]{};
}
};
}
-
- public static class OkHttpClientFactoryBuilder {
- OkHttpClientFactoryBuilder() {
- }
-
- public OkHttpClientFactory build() {
- return new OkHttpClientFactory();
- }
-
- public String toString() {
- return "OkHttpClientFactory.OkHttpClientFactoryBuilder()";
- }
- }
}
return collectionsApiClient.list(listArgument);
}
+ /**
+ * Gets project details by uuid.
+ *
+ * @param projectUuid uuid of project
+ * @return Group object containing information about project
+ */
+ public Group getProjectByUuid(String projectUuid) {
+ Group project = groupsApiClient.get(projectUuid);
+ log.debug("Retrieved " + project.getName() + " with UUID: " + project.getUuid());
+ return project;
+ }
+
/**
* Creates new project that will be a subproject of "home" for current user.
*
public void secureOkHttpClientIsCreated() throws Exception {
// given
- OkHttpClientFactory factory = OkHttpClientFactory.builder().build();
+ OkHttpClientFactory factory = OkHttpClientFactory.INSTANCE;
// * configure HTTPS server
SSLSocketFactory sf = getSSLSocketFactoryWithSelfSignedCertificate();
server.useHttps(sf, false);
@Test
public void insecureOkHttpClientIsCreated() throws Exception {
// given
- OkHttpClientFactory factory = OkHttpClientFactory.builder().build();
+ OkHttpClientFactory factory = OkHttpClientFactory.INSTANCE;
// * configure HTTPS server
SSLSocketFactory sf = getSSLSocketFactoryWithSelfSignedCertificate();
server.useHttps(sf, false);
t.add :url_prefix
t.add :is_trusted
end
+
+ def is_trusted
+ norm(self.url_prefix) == norm(Rails.configuration.Services.Workbench1.ExternalURL) ||
+ norm(self.url_prefix) == norm(Rails.configuration.Services.Workbench2.ExternalURL) ||
+ super
+ end
+
+ protected
+
+ def norm url
+ # normalize URL for comparison
+ url = URI(url)
+ if url.scheme == "https"
+ url.port == "443"
+ end
+ if url.scheme == "http"
+ url.port == "80"
+ end
+ url.path = "/"
+ url
+ end
end
require 'test_helper'
class ApiClientTest < ActiveSupport::TestCase
- # test "the truth" do
- # assert true
- # end
+ include CurrentApiClient
+
+ test "configured workbench is trusted" do
+ Rails.configuration.Services.Workbench1.ExternalURL = URI("http://wb1.example.com")
+ Rails.configuration.Services.Workbench2.ExternalURL = URI("https://wb2.example.com:443")
+
+ act_as_system_user do
+ [["http://wb0.example.com", false],
+ ["http://wb1.example.com", true],
+ ["http://wb2.example.com", false],
+ ["https://wb2.example.com", true],
+ ["https://wb2.example.com/", true],
+ ].each do |pfx, result|
+ a = ApiClient.create(url_prefix: pfx, is_trusted: false)
+ assert_equal result, a.is_trusted
+ end
+
+ a = ApiClient.create(url_prefix: "http://example.com", is_trusted: true)
+ a.save!
+ a.reload
+ assert a.is_trusted
+ end
+ end
end
Description=Arvados Docker Image Cleaner
Documentation=https://doc.arvados.org/
After=network.target
-#AssertPathExists=/etc/arvados/docker-cleaner/docker-cleaner.json
# systemd==229 (ubuntu:xenial) obeys StartLimitInterval in the [Unit] section
StartLimitInterval=0