From: Peter Amstutz
Date: Tue, 26 Nov 2019 20:06:42 +0000 (-0500)
Subject: Merge branch '15795-sys-root-token' refs #15795
X-Git-Tag: 2.0.0~101
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/0110ce93702def9a641d92d90d5544d4d0adf22b?hp=59442e10fbf012ffec80c0a178778c3698ff4789

Merge branch '15795-sys-root-token' refs #15795
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 3afbd3b3e7..651eacf626 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -108,10 +108,25 @@ class ApiClientAuthorization < ArvadosModel
 clnt
 end
+ def self.check_system_root_token token
+ if token == Rails.configuration.SystemRootToken
+ return ApiClientAuthorization.new(user: User.find_by_uuid(system_user_uuid),
+ api_token: token,
+ api_client: ApiClient.new(is_trusted: true, url_prefix: ""))
+ else
+ return nil
+ end
+ end
+
+
 def self.validate(token:, remote: nil)
- return nil if !token
+ return nil if token.nil? or token.empty?
 remote ||= Rails.configuration.ClusterID
+ auth = self.check_system_root_token(token)
+ if !auth.nil?
+ return auth
+ end
+
 case token[0..2]
 when 'v2/'
 _, token_uuid, secret, optional = token.split('/')
diff --git a/services/api/config/arvados_config.rb b/services/api/config/arvados_config.rb
index f82f6e5f37..b5fcd43414 100644
--- a/services/api/config/arvados_config.rb
+++ b/services/api/config/arvados_config.rb
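Review bot: In `check_system_root_token` (services/api/app/models/api_client_authorization.rb) the presented token is compared to `Rails.configuration.SystemRootToken` with `==`, which is not a constant-time comparison for a credential that resolves to the system user with a trusted client. Consider `ActiveSupport::SecurityUtils.secure_compare(token, Rails.configuration.SystemRootToken.to_s)` for that check. The empty-token guard exists only in `validate`, so the helper, which is a public class method, would match an empty string if the configured value is also empty (the default is not visible here); starting the helper with `return nil if token.to_s.empty?` keeps it safe when called on its own. A short comment on the helper noting that the returned authorization is built in memory and not saved would also help readers. The body of `validate` continues past the end of this hunk.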
@@ -111,7 +111,7 @@ arvcfg.declare_config "Login.ProviderAppID", String, :sso_app_id
 arvcfg.declare_config "Login.LoginCluster", String
 arvcfg.declare_config "Login.RemoteTokenRefresh", ActiveSupport::Duration
 arvcfg.declare_config "TLS.Insecure", Boolean, :sso_insecure
-arvcfg.declare_config "Services.SSO.ExternalURL", NonemptyString, :sso_provider_url
+arvcfg.declare_config "Services.SSO.ExternalURL", String, :sso_provider_url
 arvcfg.declare_config "AuditLogs.MaxAge", ActiveSupport::Duration, :max_audit_log_age
 arvcfg.declare_config "AuditLogs.MaxDeleteBatch", Integer, :max_audit_log_delete_batch
 arvcfg.declare_config "AuditLogs.UnloggedAttributes", Hash, :unlogged_attributes, ->(cfg, k, v) { arrayToHash cfg, "AuditLogs.UnloggedAttributes", v }
diff --git a/services/api/test/unit/api_client_authorization_test.rb b/services/api/test/unit/api_client_authorization_test.rb
index c390a02c04..fb90418b84 100644
--- a/services/api/test/unit/api_client_authorization_test.rb
+++ b/services/api/test/unit/api_client_authorization_test.rb
@@ -26,4 +26,37 @@ class ApiClientAuthorizationTest < ActiveSupport::TestCase
 assert_empty ApiClientAuthorization.where(uuid: api_client_authorizations(:expired).uuid)
 end
+ test "accepts SystemRootToken" do
+ assert_nil ApiClientAuthorization.validate(token: "xxxSystemRootTokenxxx")
+
+ # will create a new ApiClientAuthorization record
+ Rails.configuration.SystemRootToken = "xxxSystemRootTokenxxx"
+
+ auth = ApiClientAuthorization.validate(token: "xxxSystemRootTokenxxx")
+ assert_equal "xxxSystemRootTokenxxx", auth.api_token
+ assert_equal User.find_by_uuid(system_user_uuid).id, auth.user_id
+ assert auth.api_client.is_trusted
+
+ # now change the token and try to use the old one first
+ Rails.configuration.SystemRootToken = "newxxxSystemRootTokenxxx"
+
+ # old token will fail
+ assert_nil ApiClientAuthorization.validate(token: "xxxSystemRootTokenxxx")
+ # new token will work
+ auth = ApiClientAuthorization.validate(token: "newxxxSystemRootTokenxxx")
+ assert_equal "newxxxSystemRootTokenxxx", auth.api_token
+ assert_equal User.find_by_uuid(system_user_uuid).id, auth.user_id
+
+ # now change the token again and use the new one first
+ Rails.configuration.SystemRootToken = "new2xxxSystemRootTokenxxx"
+
+ # new token will work
+ auth = ApiClientAuthorization.validate(token: "new2xxxSystemRootTokenxxx")
+ assert_equal "new2xxxSystemRootTokenxxx", auth.api_token
+ assert_equal User.find_by_uuid(system_user_uuid).id, auth.user_id
+ # old token will fail
+ assert_nil ApiClientAuthorization.validate(token: "newxxxSystemRootTokenxxx")
+ end
+
+
 end
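Review bot: The test "accepts SystemRootToken" never covers the empty cases that the new guard in `validate` exists for: with the configured token empty, an empty presented token must still be rejected, and a regression there would hand out a system-user authorization. Adding `Rails.configuration.SystemRootToken = ""` followed by `assert_nil ApiClientAuthorization.validate(token: "")` would pin that behaviour. The comment `# will create a new ApiClientAuthorization record` does not match the model code in this commit, which builds the object with `ApiClientAuthorization.new` and does not save it; `# returns an unsaved ApiClientAuthorization for the system user` would be accurate. The two later blocks also omit the `assert auth.api_client.is_trusted` check that the first block makes.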