Remove staging user/pass

Inclusion of a user/pass used to authenticate stagers was redundant, since
we generate a random token that is only valid while the staging task is
active on the CC. Use only the token to authenticate stagers.

Test plan:
- Unit tests pass
- Deployed an app locally

Change-Id: I032749c4c3518fefef240f1a45c23e08693c6474
commit 61aae1b7f112f8eccddb4099bb73696321d826bf 1 parent 4261875
mpage authored
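--- a/cloud_controller/app/controllers/staging_controller.rb
+++ b/cloud_controller/app/controllers/staging_controller.rb
@@ -8,17 +8,10 @@ class StagingController < ApplicationController
 # Handles a droplet upload from a stager
 def upload_droplet
- task = nil
 src_path = nil
 app = App.find_by_id(params[:id])
 raise CloudError.new(CloudError::APP_NOT_FOUND) unless app
- task = StagingTask.find_task(params[:staging_task_id])
- unless task
- CloudController.logger.error("No task associated with id #{params[:staging_task_id]}")
- raise CloudError.new(CloudError::BAD_REQUEST)
- end
-
 if CloudController.use_nginx
 src_path = params[:droplet_path]
 else
@@ -30,15 +23,15 @@ def upload_droplet
 end
 begin
- CloudController.logger.debug("Renaming staged droplet from '#{src_path}' to '#{task.upload_path}'")
- File.rename(src_path, task.upload_path)
+ CloudController.logger.debug("Renaming staged droplet from '#{src_path}' to '#{@task.upload_path}'")
+ File.rename(src_path, @task.upload_path)
 rescue => e
 CloudController.logger.error("Failed uploading staged droplet: #{e}", :tags => [:staging])
 CloudController.logger.error(e)
- FileUtils.rm_f(task.upload_path)
+ FileUtils.rm_f(@task.upload_path)
 raise e
 end
- CloudController.logger.debug("Stager (#{request.remote_ip}) uploaded droplet to #{task.upload_path}", :tags => [:staging])
+ CloudController.logger.debug("Stager (#{request.remote_ip}) uploaded droplet to #{@task.upload_path}", :tags => [:staging])
 render :nothing => true, :status => 200
 ensure
 FileUtils.rm_f(src_path) if src_path
@@ -71,13 +64,10 @@ def download_app
 private
 def authenticate_stager
- authenticate_or_request_with_http_basic do |user, pass|
- if (user == AppConfig[:staging][:auth][:user]) && (pass == AppConfig[:staging][:auth][:password])
- true
- else
- CloudController.logger.error("Stager auth failed (user=#{user}, pass=#{pass} from #{request.remote_ip}", :tags => [:auth_failure, :staging])
- false
- end
+ @task = StagingTask.find_task(params[:staging_task_id])
+ unless @task
+ CloudController.logger.warn("Unknown or invalid staging task id: '#{params[:staging_task_id]}'")
+ raise CloudError.new(CloudError::FORBIDDEN)
 end
 end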
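Review bot: Nothing in the new `authenticate_stager` ties the presented token to the app named in the request: `upload_droplet` still resolves `app` from `params[:id]` while `@task` comes from `params[:staging_task_id]`, and the two are never compared within the hunk (the rest of `upload_droplet` and all of `download_app` lie outside it, so a later check may exist). Since the token is now the stager's only credential, I would bind them right after the `APP_NOT_FOUND` check, along the lines of `raise CloudError.new(CloudError::FORBIDDEN) unless @task.app.id == app.id`, adjusting the accessor to whatever `StagingTask` actually exposes (only `@app = app` is visible in its initializer). The filter now populates `@task` for the actions, which is easy to miss when reading an action on its own, so a comment on `authenticate_stager` such as `# Runs before the staging actions and sets @task; the task id is the only stager credential` would help. The warn message echoes the rejected id verbatim and drops the `request.remote_ip` that the old failure message carried; the source address is the more useful field for noticing probing, so I would log it alongside or instead of the value.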
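--- a/cloud_controller/app/models/staging_task.rb
+++ b/cloud_controller/app/models/staging_task.rb
@@ -32,7 +32,7 @@ def initialize(app, opts={})
 @app = app
 @task_id = VCAP.secure_uuid
 @download_uri = staging_uri("/staging/app/#{app.id}")
- @upload_uri = staging_uri("/staging/droplet/#{app.id}", "staging_task_id=#{@task_id}")
+ @upload_uri = staging_uri("/staging/droplet/#{app.id}")
 tmpdir = opts[:tmpdir] || AppConfig[:directories][:tmpdir]
 @upload_path = File.join(tmpdir, "staged_upload_#{app.id}_#{@task_id}.tgz")
 @nats = opts[:nats] || NATS.client
@@ -60,13 +60,12 @@ def cleanup
 private
- def staging_uri(path, query=nil)
+ def staging_uri(path)
 uri = URI::HTTP.build(
 :host => CloudController.bind_address,
 :port => CloudController.external_port,
- :userinfo => [AppConfig[:staging][:auth][:user], AppConfig[:staging][:auth][:password]],
 :path => path,
- :query => query,
+ :query => "staging_task_id=#{@task_id}"
 )
 uri.to_s
 end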
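Review bot: `staging_uri` now places the task token, which after this commit is the only thing authenticating a stager, in the query string of both URIs it builds, and query strings are routinely recorded in proxy and server access logs (nginx sits in the request path when `CloudController.use_nginx` is set), so the token becomes recoverable from log files. The removed `:userinfo` credentials also travelled in the URL, so this is not a regression, but with a single-factor secret it is worth either moving the token into a request header the stager sets or confirming that the access-log format drops `staging_task_id`. Moving the query into `staging_uri` also means `@download_uri` now carries the token where it previously did not; that looks intended if `download_app` sits behind the same filter, but the commit description does not say so. A comment on `staging_uri` like `# The query carries the task id, the sole stager credential; keep these URIs out of logs` would make the sensitivity explicit for the next maintainer.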
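--- a/cloud_controller/config/cloud_controller.yml
+++ b/cloud_controller/config/cloud_controller.yml
@@ -97,9 +97,6 @@ staging:
 # Create a secure environment for staging
 secure: false
 new_stager_percent: 100
- auth:
- user: zxsfhgjg
- password: ZNVfdase9
 allow_debug: false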
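--- a/cloud_controller/spec/controllers/staging_controller_spec.rb
+++ b/cloud_controller/spec/controllers/staging_controller_spec.rb
@@ -1,36 +1,11 @@
 require 'spec_helper'
 describe StagingController do
- before :all do
- VCAP::Logging.setup_from_config({'level' => 'debug2'})
- AppConfig[:staging][:auth] = {
- :user => 'test',
- :password => 'test',
- }
- @auth = ActionController::HttpAuthentication::Basic.encode_credentials('test', 'test')
- end
-
 describe '#upload_droplet' do
-
- before :each do
- request.env["HTTP_AUTHORIZATION"] = @auth
- end
-
- it 'should return 401 for incorrect credentials' do
- request.env["HTTP_AUTHORIZATION"] = nil
- post :upload_droplet, {:id => 1, :staging_task_id => 'foo'}
- response.status.should == 401
- end
-
- it 'should return 404 for unknown apps' do
- post :upload_droplet, {:id => 1, :staging_task_id => 'foo'}
- response.status.should == 404
- end
-
- it 'should return 400 for unknown tasks' do
+ it 'should return 403 for unknown task ids' do
 App.stubs(:find_by_id).with(1).returns('test')
 post :upload_droplet, {:id => 1, :staging_task_id => 'foo'}
- response.status.should == 400
+ response.status.should == 403
 end
 it 'should rename the uploaded file correctly' do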
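Review bot: The spec now covers only the rejection path; the removed 'should return 404 for unknown apps' example is not replaced, so no test drives a request with a valid task id through to the app lookup, and a regression in how the filter and the `APP_NOT_FOUND` check interact would pass unnoticed. The example can be kept by stubbing the task lookup to succeed in the same mocha style the file already uses, e.g. `StagingTask.stubs(:find_task).with('foo').returns(stub(:upload_path => '/tmp/droplet'))` before the post, and asserting `response.status.should == 404`. The enclosing `describe '#upload_droplet'` block continues past the end of the hunk.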