From: Tom Clegg
Date: Mon, 25 Mar 2024 21:25:10 +0000 (-0400)
Subject: 21617: Accept bogus tokens at endpoints that do not require auth.
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/342d41c1745b40ef78739fe9599be11f6dc529c5
21617: Accept bogus tokens at endpoints that do not require auth.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index 53e6a90b8f..45f35a6d2e 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -28,6 +28,7 @@ import (
 "git.arvados.org/arvados.git/sdk/go/arvadostest"
 "git.arvados.org/arvados.git/sdk/go/ctxlog"
 "git.arvados.org/arvados.git/sdk/go/httpserver"
+ "git.arvados.org/arvados.git/sdk/go/keepclient"
 check "gopkg.in/check.v1"
 )

@@ -167,6 +168,20 @@ func (s *IntegrationSuite) TestDefaultStorageClassesOnCollections(c *check.C) {
 c.Assert(coll.StorageClassesDesired, check.DeepEquals, kc.DefaultStorageClasses)
 }

+func (s *IntegrationSuite) createTestCollectionManifest(c *check.C, ac *arvados.Client, kc *keepclient.KeepClient, content string) string {
+ fs, err := (&arvados.Collection{}).FileSystem(ac, kc)
+ c.Assert(err, check.IsNil)
+ f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
+ c.Assert(err, check.IsNil)
+ _, err = io.WriteString(f, content)
+ c.Assert(err, check.IsNil)
+ err = f.Close()
+ c.Assert(err, check.IsNil)
+ mtxt, err := fs.MarshalManifest(".")
+ c.Assert(err, check.IsNil)
+ return mtxt
+}
+
 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
 conn1 := s.super.Conn("z1111")
 rootctx1, _, _ := s.super.RootClients("z1111")
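Review bot: createTestCollectionManifest has no doc comment, and the file name it hard-codes is a hidden contract, because testFederationCollectionAccess in the next hunk reads the file back by the same literal `"test.txt"`. A comment such as `// createTestCollectionManifest writes content to "test.txt" in a new, unsaved collection and returns its manifest text.` would make that dependency visible, and a shared constant for the name would remove it. The 0777 mode is carried over unchanged from the inline code this helper replaces.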
@@ -175,34 +190,70 @@ func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {

 // Create the collection to find its PDH (but don't save it
 // anywhere yet)
- var coll1 arvados.Collection
- fs1, err := coll1.FileSystem(ac1, kc1)
- c.Assert(err, check.IsNil)
- f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
- c.Assert(err, check.IsNil)
- _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
- c.Assert(err, check.IsNil)
- err = f.Close()
- c.Assert(err, check.IsNil)
- mtxt, err := fs1.MarshalManifest(".")
- c.Assert(err, check.IsNil)
+ mtxt := s.createTestCollectionManifest(c, ac1, kc1, c.TestName())
 pdh := arvados.PortableDataHash(mtxt)

 // Looking up the PDH before saving returns 404 if cycle
 // detection is working.
- _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
+ _, err := conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
 c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)

 // Save the collection on cluster z1111.
- coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+ _, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
 "manifest_text": mtxt,
 }})
 c.Assert(err, check.IsNil)

 // Retrieve the collection from cluster z3333.
- coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
+ coll2, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
 c.Check(err, check.IsNil)
- c.Check(coll.PortableDataHash, check.Equals, pdh)
+ c.Check(coll2.PortableDataHash, check.Equals, pdh)
+}
+
+func (s *IntegrationSuite) TestFederation_Write1Read2(c *check.C) {
+ s.testFederationCollectionAccess(c, "z1111", "z2222")
+}
+
+func (s *IntegrationSuite) TestFederation_Write2Read1(c *check.C) {
+ s.testFederationCollectionAccess(c, "z2222", "z1111")
+}
+
+func (s *IntegrationSuite) TestFederation_Write2Read3(c *check.C) {
+ s.testFederationCollectionAccess(c, "z2222", "z3333")
+}
+
+func (s *IntegrationSuite) testFederationCollectionAccess(c *check.C, writeCluster, readCluster string) {
+ conn1 := s.super.Conn("z1111")
+ rootctx1, _, _ := s.super.RootClients("z1111")
+ _, ac1, _, _ := s.super.UserClients("z1111", rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
+
+ connW := s.super.Conn(writeCluster)
+ userctxW, acW, kcW := s.super.ClientsWithToken(writeCluster, ac1.AuthToken)
+ kcW.DiskCacheSize = keepclient.DiskCacheDisabled
+ connR := s.super.Conn(readCluster)
+ userctxR, acR, kcR := s.super.ClientsWithToken(readCluster, ac1.AuthToken)
+ kcR.DiskCacheSize = keepclient.DiskCacheDisabled
+
+ filedata := fmt.Sprintf("%s: write to %s, read from %s", c.TestName(), writeCluster, readCluster)
+ mtxt := s.createTestCollectionManifest(c, acW, kcW, filedata)
+ collW, err := connW.CollectionCreate(userctxW, arvados.CreateOptions{Attrs: map[string]interface{}{
+ "manifest_text": mtxt,
+ }})
+ c.Assert(err, check.IsNil)
+
+ collR, err := connR.CollectionGet(userctxR, arvados.GetOptions{UUID: collW.UUID})
+ if !c.Check(err, check.IsNil) {
+ return
+ }
+ fsR, err := collR.FileSystem(acR, kcR)
+ if !c.Check(err, check.IsNil) {
+ return
+ }
+ buf, err := fs.ReadFile(arvados.FS(fsR), "test.txt")
+ if !c.Check(err, check.IsNil) {
+ return
+ }
+ c.Check(string(buf), check.Equals, filedata)
 }

 // Tests bug #18004
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index af553997e5..e41fa99a08 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -294,6 +294,10 @@ class ApiClientAuthorization < ArvadosModel
 raise "remote cluster #{upstream_cluster_id} returned invalid token uuid #{token_uuid.inspect}"
 end
 rescue HTTPClient::BadResponseError => e
+ if e.res.status_code == 401
+ # Token is not valid.
+ return nil
+ end
 # CurrentApiToken#call and ApplicationController#render_error will
 # propagate the status code from the #http_status method, so define
 # that here.
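Review bot: testFederationCollectionAccess only exercises a valid token, so nothing in this hunk pins that a rejected token still fails on a request that requires auth, which is the boundary the Ruby change in this commit moves. A negative case after the final read would cover it, for example `badctx, _, _ := s.super.ClientsWithToken(readCluster, ac1.AuthToken+"x")`, `_, err = connR.CollectionGet(badctx, arvados.GetOptions{UUID: collW.UUID})`, `c.Check(err, check.NotNil)`. The exact status the controller returns for that case is not visible here, so the matcher can be tightened once it is known. A doc comment on the helper saying the token is always issued by z1111, whatever writeCluster is, would also help readers of the three callers.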
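Review bot: The new 401 branch returns nil without a log line, so a remote cluster rejecting a token leaves no trace on this side, and the comment `# Token is not valid.` does not say what nil means to the caller. I would expand the comment to something like `# Remote cluster rejected the token (401): return nil so the caller proceeds without an authorization.` and, if upstream_cluster_id is in scope in the rescue clause, add `Rails.logger.info "remote cluster #{upstream_cluster_id} rejected token (401)"` before the return, never logging the token itself. The change is only safe if every caller denies auth-required endpoints when nil comes back, which is outside the hunk and worth confirming. `e.res` is dereferenced without a nil check, though code past the hunk may already assume it is set; the method starts and ends outside the hunk.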