From b30548921f19177256890ad58b90dbf66d8407ef Mon Sep 17 00:00:00 2001
From: Tom Clegg
Date: Wed, 22 Nov 2017 17:49:08 -0500
Subject: [PATCH] 12627: Ensure current_user relates to the token that permits scope.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
 .../app/controllers/application_controller.rb | 2 +-
 .../api_client_authorizations_scopes_test.rb | 14 +++++++++++
 .../test/integration/reader_tokens_test.rb | 23 +++++++------------
 3 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 9826cf2f90..ba0efa7b53 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -365,7 +365,7 @@ class ApplicationController < ActionController::Base
   end
 
   def require_auth_scope
-    if @read_auths.empty?
+    if @read_auths.empty? || @read_auths[0] != current_api_client_authorization
       if require_login != false
         send_error("Forbidden", status: 403)
       end
diff --git a/services/api/test/integration/api_client_authorizations_scopes_test.rb b/services/api/test/integration/api_client_authorizations_scopes_test.rb
index dba801920c..dfb57496a7 100644
--- a/services/api/test/integration/api_client_authorizations_scopes_test.rb
+++ b/services/api/test/integration/api_client_authorizations_scopes_test.rb
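Review bot: The new guard assumes `@read_auths[0]` is the same token that sets `current_api_client_authorization`, but nothing in this method states that ordering invariant; `@read_auths` is populated outside the hunk, so a later change to how it is built (sorting, or filtering by scope in a different order) could silently re-open the issue this commit closes. I would document the intent above the `if`: `# The token that supplies current_user must itself permit this request's scope;` `# a wider-scoped reader token must not extend what current_user may do.` and `# Relies on @read_auths listing the login token first (see where it is built).` Note also that with no login token and only reader tokens, `@read_auths[0] != nil` is true, so such requests are now rejected (302 or 403 via `require_login`) rather than served read-only, as the reader_tokens tests in this patch show; that appears intended but deserves a sentence in the commit message or a comment. `require_auth_scope` continues past the end of the hunk.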
@@ -27,6 +27,20 @@ class ApiTokensScopeTest < ActionDispatch::IntegrationTest
     assert_response 403
   end
 
+  test "narrow + wide scoped tokens for different users" do
+    get_args = [{
+      reader_tokens: [api_client_authorizations(:anonymous).api_token]
+    }, auth(:active_userlist)]
+    get(v1_url('users'), *get_args)
+    assert_response :success
+    get(v1_url('users', ''), *get_args) # Add trailing slash.
+    assert_response :success
+    get(v1_url('users', 'current'), *get_args)
+    assert_response 403
+    get(v1_url('virtual_machines'), *get_args)
+    assert_response 403
+  end
+
   test "specimens token can see exactly owned specimens" do
     get_args = [{}, auth(:active_specimens)]
     get(v1_url('specimens'), *get_args)
diff --git a/services/api/test/integration/reader_tokens_test.rb b/services/api/test/integration/reader_tokens_test.rb
index dd59f74eb4..60b06a9ec8 100644
--- a/services/api/test/integration/reader_tokens_test.rb
+++ b/services/api/test/integration/reader_tokens_test.rb
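Review bot: The test depends on fixture scopes it never states — presumably that `:anonymous` is a wide-scoped token and `:active_userlist` only permits the users list — so a reader cannot tell from the test alone why `users` succeeds while `users/current` and `virtual_machines` return 403. A comment above `get_args` would pin the intent: `# Main token (active_userlist) is narrow; the anonymous reader token is wide.` `# Scope must be judged by the main token, so only the users list is allowed.` It would also strengthen the test to assert that the successful `users` response is served as the active user rather than as the anonymous reader, since that is the property the subject line names; I cannot tell from this hunk which response field would distinguish the two.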
@@ -50,22 +50,15 @@ class ReaderTokensTest < ActionDispatch::IntegrationTest
 
   [nil, :active_noscope].each do |main_auth|
     [:spectator, :spectator_specimens].each do |read_auth|
-      test "#{main_auth} auth with reader token #{read_auth} can read" do
-        assert_includes(get_specimen_uuids(main_auth, read_auth),
-                        spectator_specimen, "did not find spectator specimen")
-      end
-
-      test "#{main_auth} auth with JSON read token #{read_auth} can read" do
-        assert_includes(get_specimen_uuids(main_auth, read_auth, :to_json),
-                        spectator_specimen, "did not find spectator specimen")
-      end
-
-      test "#{main_auth} auth with reader token #{read_auth} can't write" do
-        assert_post_denied(main_auth, read_auth)
-      end
+      [:to_a, :to_json].each do |formatter|
+        test "#{main_auth.inspect} auth with #{formatter} reader token #{read_auth} can't read" do
+          get_specimens(main_auth, read_auth)
+          assert_response(if main_auth then 403 else 302 end)
+        end
 
-      test "#{main_auth} auth with JSON read token #{read_auth} can't write" do
-        assert_post_denied(main_auth, read_auth, :to_json)
+        test "#{main_auth.inspect} auth with #{formatter} reader token #{read_auth} can't write" do
+          assert_post_denied(main_auth, read_auth, formatter)
+        end
       end
     end
   end
-- 
2.30.2
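Review bot: The `formatter` loop variable is never passed to `get_specimens` in the "can't read" test, so the `:to_a` and `:to_json` variants of that test run identical code and differ only in name. The removed `get_specimen_uuids` call did forward `:to_json`, and the sibling "can't write" test forwards `formatter` to `assert_post_denied`; if `get_specimens` (defined outside the hunk) accepts the same optional argument, the call should be `get_specimens(main_auth, read_auth, formatter)`, and if it does not, the formatter loop should wrap only the write test so the read test is not duplicated under two names. The `302` expected when `main_auth` is `nil` is presumably the login redirect from `require_login`; a one-line comment would make the two expected codes self-explanatory, e.g. `# no login token: require_login redirects; scoped login token: 403`.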