From: Tom Clegg Date: Wed, 6 Dec 2017 16:22:13 +0000 (-0500) Subject: 11453: Fix & test remote token caching. X-Git-Tag: 1.1.2~25^2~8 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/28bacfc853989e874f59cfa5465f085973046f9a 11453: Fix & test remote token caching. Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 542ab8e88d..87505da874 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -17,6 +17,9 @@ class ApiClientAuthorization < ArvadosModel
     t.add :owner_uuid
     t.add :user_id
     t.add :api_client_id
+    # NB the "api_token" db column is a misnomer in that it's only the
+    # "secret" part of a token: a v1 token is just the secret, but a
+    # v2 token is "v2/uuid/secret".
     t.add :api_token
     t.add :created_by_ip_address
     t.add :default_owner_uuid
@@ -163,7 +166,7 @@ class ApiClientAuthorization < ArvadosModel
     auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
       auth.user = user
-      auth.api_token = token
+      auth.api_token = secret
       auth.api_client_id = 0
     end
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 6e5b9e452e..6b49d31555 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -8,9 +8,14 @@ require 'test_helper'
 require 'helpers/users_test_helper'
 class RemoteUsersTest < ActionDispatch::IntegrationTest
+  include DbCurrentTime
+
+  def salted_active_token(remote:)
+    salt_token(fixture: :active, remote: remote).sub('/zzzzz-', '/'+remote+'-')
+  end
+
   def auth(remote:)
-    token = salt_token(fixture: :active, remote: remote)
-    token.sub!('/zzzzz-', '/'+remote+'-')
+    token = salted_active_token(remote: remote)
     {"HTTP_AUTHORIZATION" => "Bearer #{token}"}
   end
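Review bot: The block around `auth.api_token = secret` only runs when `find_or_create_by` creates the row, so an already-cached row keeps the secret it was first stored with; whether a later request carrying the same token uuid is compared against that cached `api_token`, or merely looked up by uuid, is outside this hunk and is the check that makes reusing the cache safe, so it is worth confirming. A short comment on the assignment would also stop the next reader from assuming the column holds a full token: `# api_token holds only the secret part of the remote v2 token`. The enclosing method starts and ends outside the hunk.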
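Review bot: In `salted_active_token` the replacement string `'/'+remote+'-'` is concatenation without operator spacing, carried over from the removed `sub!` line; interpolation reads more clearly and matches the Ruby style guide: `.sub('/zzzzz-', "/#{remote}-")`. The helper also deserves a one-line comment since two tests now depend on it, e.g. `# The :active fixture token rewritten so its uuid prefix looks issued by cluster `remote`.`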
@@ -78,6 +83,23 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest assert_response :success assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] assert_equal false, json_response['is_admin'] + + # revoke original token + @stub_status = 401 + @stub_content = {error: 'not authorized'} + + # re-authorize before cache expires + get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb') + assert_response :success + + # simulate cache expiry + ApiClientAuthorization.where( + uuid: salted_active_token(remote: 'zbbbb').split('/')[1]). + update_all(expires_at: db_current_time - 1.minute) + + # re-authorize after cache expires + get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb') + assert_response 401 end test 'authenticate with remote token from misbhehaving remote cluster' do
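Review bot: After the final `assert_response 401` the test never checks what the rejected re-authorization did to the expired cache row, so a regression that refreshed `expires_at` on a remote 401 (reviving the cache for later requests) would still pass; I cannot see the refresh path from this hunk, so this is hedged, but one assertion would pin it: `assert ApiClientAuthorization.find_by(uuid: salted_active_token(remote: 'zbbbb').split('/')[1]).expires_at < db_current_time`. For consistency with the `:success` assertions above, `assert_response :unauthorized` is also preferable to the bare `401`. The enclosing test block starts outside the hunk.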