remote = false
reader_tokens = nil
- if params[:remote] && request.get? && (
+ if params["remote"] && request.get? && (
request.path.start_with?('/arvados/v1/groups') ||
request.path.start_with?('/arvados/v1/users/current'))
# Request from a remote API server, asking to validate a salted
# token.
- remote = params[:remote]
+ remote = params["remote"]
elsif request.get? || params["_method"] == 'GET'
reader_tokens = params["reader_tokens"]
if reader_tokens.is_a? String
auth = nil
[params["api_token"],
params["oauth_token"],
- env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([a-zA-Z0-9]+)/).andand[2],
+ env["HTTP_AUTHORIZATION"].andand.match(/(OAuth2|Bearer) ([-\/a-zA-Z0-9]+)/).andand[2],
*reader_tokens,
].each do |supplied|
next if !supplied
try_auth = ApiClientAuthorization.
- validate(token: Thread.current[:supplied_token],
- remote: remote)
+ validate(token: supplied, remote: remote)
if try_auth.andand.user
auth = try_auth
break
{'remote' => Rails.configuration.uuid_prefix},
{'Authorization' => 'Bearer ' + token}))
rescue => e
- logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
- STDERR.puts e.backtrace
+ Rails.logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
return nil
end
- if !remote_user.is_a?(Hash) || !remote_user[:uuid].is_a?(String) || remote_user[:uuid][0..4] != uuid[0..4]
- logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
+ if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String) || remote_user['uuid'][0..4] != uuid[0..4]
+ Rails.logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
return nil
end
act_as_system_user do
# Add/update user and token in our database so we can
# validate subsequent requests faster.
- user = User.find_or_create_by(uuid: remote_user[:uuid])
+ user = User.find_or_create_by(uuid: remote_user['uuid']) do |user|
+ user.is_admin = false
+ end
updates = {}
[:first_name, :last_name, :email, :prefs].each do |attr|
- updates[attr] = remote_user[attr]
+ updates[attr] = remote_user[attr.to_s]
end
if Rails.configuration.new_users_are_active
# Update is_active to whatever it is at the remote end
- updates[:is_active] = remote_user[:is_active]
+ updates[:is_active] = remote_user['is_active']
elsif !updates[:is_active]
# Remote user is inactive; our mirror should be, too.
updates[:is_active] = false
user.update_attributes!(updates)
- auth = ApiClientAuthorization.find_or_create_by(uuid: uuid)
- auth.user = user
- auth.api_token = token
- auth.api_client_id = 0
- auth.save!
+ auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
+ auth.user = user
+ auth.api_token = token
+ auth.api_client_id = 0
+ end
# Accept this token (and don't reload the user record) for
# 5 minutes. TODO: Request the actual api_client_auth
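Review bot: The warn message on the `+` line after `rescue => e` still interpolates `token.inspect`, so the bearer secret being validated is written to the Rails log (and anything that ships logs) on every failed remote lookup; the commit only switches the logger. Since the check below already has the token's `uuid` in scope, log that instead, e.g. `Rails.logger.warn "remote authentication for #{uuid} failed: #{e}"`, and keep the raw token out of log output. Separately, the unchanged `elsif !updates[:is_active]` branch reads a key that the preceding loop never sets (it only copies first_name, last_name, email, prefs), so when new_users_are_active is off the mirror is always forced inactive regardless of the remote's answer; the comment suggests `remote_user['is_active']` was intended — confirm before changing, as the current behaviour fails closed. The enclosing method begins and ends outside this hunk.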
assert_response :success
assert_not_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
end
-
- end
-
- test "list readable groups with salted token" do
- salted_token = salt_token(fixture: :active, remote: 'zbbbb')
- ArvadosApiToken.new.call("rack.input" => "",
- "HTTP_AUTHORIZATION" => "Bearer #{salted_token}")
- get :index, {remote: 'zbbbb', limit: 10000}
- assert_response 200
- group_uuids = json_response['items'].collect { |i| i['uuid'] }
- assert_includes(group_uuids, 'zzzzz-j7d0g-fffffffffffffff')
- refute_includes(group_uuids, 'zzzzz-j7d0g-000000000000000')
end
end
# Test cases can override the stub's default response to
# .../users/current by changing @stub_status and @stub_content.
setup do
+ clnt = HTTPClient.new
+ clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ HTTPClient.stubs(:new).returns clnt
+
@controller = Arvados::V1::UsersController.new
ready = Thread::Queue.new
srv = WEBrick::HTTPServer.new(
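Review bot: The added `clnt.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE` combined with `HTTPClient.stubs(:new).returns clnt` disables certificate verification for every HTTPClient created while the stub is active, and the hunk gives no reason. Presumably the WEBrick server started further down serves a self-signed certificate, but a reader seeing VERIFY_NONE in an authentication test should not have to guess; add above the first `+` line: `# The local WEBrick stub below presents a self-signed cert; relax verification here only. HTTPClient.new is stubbed so every client in this test shares this config.` It is also worth confirming that the mocha stub is restored in teardown so no later test inherits the unverified client. The setup block continues outside the hunk.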
end
test 'authenticate with remote token' do
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response :success
assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
assert_equal false, json_response['is_admin']
end
test 'authenticate with remote token from misbhehaving remote cluster' do
- get '/arvados/v1/users/current', {}, auth(remote: 'zbork')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbork')
assert_response 401
end
@stub_content = {
error: 'not authorized',
}
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response 401
end
test 'remote api server is not an api server' do
@stub_status = 200
@stub_content = '<html>bad</html>'
- get '/arvados/v1/users/current', {}, auth(remote: 'zbbbb')
+ get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
assert_response 401
end
end
end
end
+
+ test "list readable groups with salted token" do
+ salted_token = salt_token(fixture: :active, remote: 'zbbbb')
+ get '/arvados/v1/groups', {
+ format: 'json',
+ remote: 'zbbbb',
+ limit: 10000,
+ }, {
+ "HTTP_AUTHORIZATION" => "Bearer #{salted_token}"
+ }
+ assert_response 200
+ group_uuids = json_response['items'].collect { |i| i['uuid'] }
+ assert_includes(group_uuids, 'zzzzz-j7d0g-fffffffffffffff')
+ refute_includes(group_uuids, 'zzzzz-j7d0g-000000000000000')
+ end
end