From: Peter Amstutz Date: Fri, 28 May 2021 19:26:03 +0000 (-0400) Subject: 17722: Update tests for adjusted MaxTokenLifetime behavior X-Git-Tag: 2.2.0~7^2~1 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/b42a11ea4126c176edb290abb61721000c59f0d2 17722: Update tests for adjusted MaxTokenLifetime behavior Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index 69fd11768a..655e973c2f 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml @@ -776,7 +776,7 @@ Clusters: # If false, tokens issued through login are not allowed to # viewing/creating other tokens. New tokens can only be created # by going through login again. - TrustLoginTokens: true + IssueTrustedTokens: true # When the token is returned to a client, the token itself may # be restricted from viewing/creating other tokens based on whether diff --git a/lib/config/export.go b/lib/config/export.go index 8f98258bf2..d1c71ed2dc 100644 --- a/lib/config/export.go +++ b/lib/config/export.go @@ -180,7 +180,7 @@ var whitelist = map[string]bool{ "Login.Test.Enable": true, "Login.Test.Users": false, "Login.TokenLifetime": false, - "Login.TrustLoginTokens": false, + "Login.IssueTrustedTokens": false, "Login.TrustedClients": false, "Mail": true, "Mail.EmailFrom": false, diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go index d9c9af027c..0ae85461b0 100644 --- a/lib/config/generated_config.go +++ b/lib/config/generated_config.go 
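Review bot: Renaming `TrustLoginTokens` to `IssueTrustedTokens` in lib/config/config.default.yml (and in the export.go whitelist and api_client.rb hunks) may fail open for a site that already set the old key to `false`. Nothing visible in this diff maps the old name to the new one, so the old key would presumably be ignored and the new one would keep its default of `true`. If the old name ever reached a release or a deployed config, the loader should accept it as a deprecated alias or refuse to start while it is present. Separately, the new comment reads "not allowed to viewing/creating other tokens"; `# If false, tokens issued through login are not allowed to view or create other tokens.` would read correctly.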
@@ -779,12 +779,13 @@ Clusters: # If true (default) tokens issued through login are allowed to create # new tokens. - # If false, tokens issued through login are not allowed to create new tokens, - # new tokens can only be created by going through login again. - TrustLoginTokens: true + # If false, tokens issued through login are not allowed to + # viewing/creating other tokens. New tokens can only be created + # by going through login again. + IssueTrustedTokens: true # When the token is returned to a client, the token itself may - # be restricted from manipulating other tokens based on whether + # be restricted from viewing/creating other tokens based on whether # the client is "trusted" or not. The local Workbench1 and # Workbench2 are trusted by default, but if this is a # LoginCluster, you probably want to include the other Workbench diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go index 65e2ff5381..8149b93965 100644 --- a/sdk/go/arvados/config.go +++ b/sdk/go/arvados/config.go @@ -189,6 +189,7 @@ type Cluster struct { RemoteTokenRefresh Duration TokenLifetime Duration TrustedClients map[string]struct{} + IssueTrustedTokens bool } Mail struct { MailchimpAPIKey string diff --git a/services/api/app/models/api_client.rb b/services/api/app/models/api_client.rb index 6ff29c83e4..c914051a34 100644 --- a/services/api/app/models/api_client.rb +++ b/services/api/app/models/api_client.rb @@ -15,7 +15,7 @@ class ApiClient < ArvadosModel end def is_trusted - (from_trusted_url && Rails.configuration.Login.TrustLoginTokens) || super + (from_trusted_url && Rails.configuration.Login.IssueTrustedTokens) || super end protected diff --git a/services/api/test/integration/api_client_authorizations_api_test.rb b/services/api/test/integration/api_client_authorizations_api_test.rb index 14e3bb361d..a366664e0d 100644 --- a/services/api/test/integration/api_client_authorizations_api_test.rb +++ b/services/api/test/integration/api_client_authorizations_api_test.rb 
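Review bot: `is_trusted` in services/api/app/models/api_client.rb has no comment explaining how the config flag and the record's own value combine, and the `|| super` makes this matter for anyone relying on `IssueTrustedTokens: false`. As written, a client whose own `is_trusted` (presumably the persisted attribute returned by `super`) is true stays trusted even when the flag is off. I would add `# Trusted when the client URL matches a configured trusted URL and Login.IssueTrustedTokens is true, or when this record is itself marked trusted (the record's value is not overridden by the config flag).` above the method. `from_trusted_url` is defined outside the hunk, so its exact matching rules are not visible here.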
@@ -139,7 +139,7 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"} assert_response 200 if desired_expiration.nil? - assert json_response['expires_at'].nil? + assert_equal json_response['expires_at'].to_time.to_i, (db_current_time + Rails.configuration.API.MaxTokenLifetime).to_i else assert_equal json_response['expires_at'].to_time.to_i, desired_expiration.to_i end @@ -148,22 +148,22 @@ class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest previous_expiration = json_response['expires_at'] token_uuid = json_response['uuid'] if previous_expiration.nil? - desired_updated_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime + 1.hour + submitted_updated_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime + 1.hour else - desired_updated_expiration = nil + submitted_updated_expiration = nil end put "/arvados/v1/api_client_authorizations/#{token_uuid}", params: { :api_client_authorization => { - :expires_at => desired_updated_expiration, + :expires_at => submitted_updated_expiration, } }, headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"} assert_response 200 - if desired_updated_expiration.nil? - assert json_response['expires_at'].nil? + if submitted_updated_expiration.nil? + assert_equal json_response['expires_at'].to_time.to_i, (db_current_time + Rails.configuration.API.MaxTokenLifetime).to_i else - assert_equal json_response['expires_at'].to_time.to_i, desired_updated_expiration.to_i + assert_equal json_response['expires_at'].to_time.to_i, submitted_updated_expiration.to_i end end end diff --git a/services/api/test/unit/api_client_test.rb b/services/api/test/unit/api_client_test.rb index bf47cd175b..a0eacfd13b 100644 --- a/services/api/test/unit/api_client_test.rb +++ b/services/api/test/unit/api_client_test.rb 
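Review bot: The new `assert_equal` on `expires_at` compares whole seconds between the server's clock at request time and a `db_current_time` read afterwards in the test. It can fail intermittently when a second boundary falls between the two, unless the test environment pins that clock. The same comparison is added after the `put` in the next hunk of this file. A tolerance keeps the check without the flake, e.g. `assert_in_delta (db_current_time + Rails.configuration.API.MaxTokenLifetime).to_i, json_response['expires_at'].to_time.to_i, 2`. The test method starts and ends outside the hunk.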
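Review bot: `if previous_expiration.nil?` can no longer be true once the create step asserts a non-nil `expires_at` in both cases, so `submitted_updated_expiration` is always nil and the final `else` assertion never runs. The update path with an explicit expiration beyond `API.MaxTokenLifetime` is therefore no longer exercised by this test. Branching on the loop input instead, `if desired_expiration.nil?`, would keep both update cases covered. Whether an over-limit value should be accepted or clamped on update depends on code outside this hunk, so the expected value in that branch needs confirming.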
@@ -10,6 +10,7 @@ class ApiClientTest < ActiveSupport::TestCase [true, false].each do |token_lifetime_enabled| test "configured workbench is trusted when token lifetime is#{token_lifetime_enabled ? '': ' not'} enabled" do Rails.configuration.Login.TokenLifetime = token_lifetime_enabled ? 8.hours : 0 + Rails.configuration.Login.IssueTrustedTokens = !token_lifetime_enabled; Rails.configuration.Services.Workbench1.ExternalURL = URI("http://wb1.example.com") Rails.configuration.Services.Workbench2.ExternalURL = URI("https://wb2.example.com:443") Rails.configuration.Login.TrustedClients = ActiveSupport::OrderedOptions.new
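Review bot: The added `Rails.configuration.Login.IssueTrustedTokens = !token_lifetime_enabled;` ties the new flag to the inverse of `TokenLifetime`, so the two settings always change together. The test then cannot show which of them decides the outcome, and its title still describes only the token lifetime. Iterating over the flag on its own (for example `[true, false].each do |issue_trusted|`) and naming the test after `IssueTrustedTokens` would make the trust decision explicit. The trailing `;` can also be dropped. The assertions are outside the hunk, so what the test currently expects for each case is not visible here.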