From: Tom Clegg Date: Mon, 27 Apr 2020 20:37:19 +0000 (-0400) Subject: 16349: Test token expiry using actual token validation func. X-Git-Tag: 2.1.0~231^2~3 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/20fd0e67ddcbba8c4bc1e5e9c5e2def6eccd9d85 16349: Test token expiry using actual token validation func. Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/services/api/app/models/container.rb b/services/api/app/models/container.rb
index 376be55ffb..912a801a6f 100644
--- a/services/api/app/models/container.rb
+++ b/services/api/app/models/container.rb
@@ -570,8 +570,13 @@ class Container < ArvadosModel
       return errors.add :auth_uuid, 'is readonly'
     end
     if not [Locked, Running].include? self.state
-      # don't need one
-      self.auth.andand.update_attributes(expires_at: db_current_time)
+      # Don't need one. If auth already exists, expire it.
+      #
+      # We use db_transaction_time here (not db_current_time) to
+      # ensure the token doesn't validate later in the same
+      # transaction (e.g., in a test case) by satisfying expires_at >
+      # transaction timestamp.
+      self.auth.andand.update_attributes(expires_at: db_transaction_time)
       self.auth = nil
       return
     elsif self.auth
diff --git a/services/api/lib/db_current_time.rb b/services/api/lib/db_current_time.rb
index fdb6641521..80516521b4 100644
--- a/services/api/lib/db_current_time.rb
+++ b/services/api/lib/db_current_time.rb
@@ -8,4 +8,8 @@ module DbCurrentTime
   def db_current_time
     Time.parse(ActiveRecord::Base.connection.select_value(CURRENT_TIME_SQL)).to_time
   end
+
+  def db_transaction_time
+    Time.parse(ActiveRecord::Base.connection.select_value('SELECT current_timestamp')).to_time
+  end
 end
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb
index 5f17efc445..0bbbc17b0c 100644
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
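Review bot: The return value of `update_attributes` on the new `self.auth.andand.update_attributes(expires_at: db_transaction_time)` line is discarded, and the non-bang form returns false rather than raising when the save fails, so a failed save would leave the old container token live while the next line still clears `self.auth`. Since this line is the revocation of a credential, prefer `self.auth.andand.update_attributes!(expires_at: db_transaction_time)` so a failure to expire the token surfaces instead of silently leaving it valid. The enclosing method starts before this hunk, so whether a caller already treats a false result as an error is not visible here.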
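Review bot: `db_transaction_time` is added without a comment, yet the difference between it and `db_current_time` directly above is exactly what the container.rb change depends on (its comment says the value must satisfy `expires_at > transaction timestamp` checks within the same transaction). Suggest documenting it in place: `# Start time of the current database transaction (SQL current_timestamp), which stays fixed for the whole transaction — unlike db_current_time, which presumably reads the live clock via CURRENT_TIME_SQL (confirm against that constant).` For consistency with the sibling method, the literal `'SELECT current_timestamp'` could also become a module constant such as `TRANSACTION_TIME_SQL = 'SELECT current_timestamp'` next to `CURRENT_TIME_SQL`.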
@@ -605,6 +605,10 @@ class ContainerTest < ActiveSupport::TestCase
   end
   test "Lock and unlock" do
+    # The "token is expired" check (at the end of this test case)
+    # requires a west-of-UTC time zone in order to be effective.
+    ActiveRecord::Base.connection.select_value("SET TIME ZONE '-4'")
+
     set_user_from_auth :active
     c, cr = minimal_new priority: 0
@@ -663,6 +667,8 @@ class ContainerTest < ActiveSupport::TestCase
     auth_exp = ApiClientAuthorization.find_by_uuid(auth_uuid_was).expires_at
     assert_operator auth_exp, :<, db_current_time
+
+    assert_nil ApiClientAuthorization.validate(token: ApiClientAuthorization.find_by_uuid(auth_uuid_was).token)
   end
   test "Exceed maximum lock-unlock cycles" do
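Review bot: The added comment says the expiry assertion is only effective in a west-of-UTC zone, which means the test is pinning a time zone to work around a timezone-sensitive comparison in token validation (not visible in this hunk) rather than fixing it; if that comparison is lenient east of UTC, deployments in those zones could still accept just-expired tokens. I would make the validator compare `expires_at` in UTC, or let the database do the comparison against its own clock, and then drop the `SET TIME ZONE` line so the test is effective in any zone. Until then, `SET LOCAL TIME ZONE '-4'` would scope the change to the current transaction; a plain `SET` is session-wide and, if this test ever runs outside a rolled-back transaction, leaks into later tests on the same connection. The test body continues past this hunk.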
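Review bot: `ApiClientAuthorization.find_by_uuid(auth_uuid_was)` is now looked up twice in this test, once two lines above for `expires_at` and again inside the new `assert_nil` line, which makes the assertion hard to read. Fetch the record once: `auth = ApiClientAuthorization.find_by_uuid(auth_uuid_was)`, `assert_operator auth.expires_at, :<, db_current_time`, `assert_nil ApiClientAuthorization.validate(token: auth.token)`. This also keeps both assertions on the same row should a later refactor change how the auth is reloaded; the test body starts before this hunk.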