reanahub / reana-client

REANA command-line client
http://reana-client.readthedocs.io/
MIT License

cli: validate requires `access_token` but it's not checked #568

Closed mvidalgarcia closed 2 years ago

mvidalgarcia commented 2 years ago

`reana-client validate` is a local operation. While the logic remains local (we might move it to the server in the future), it shouldn't check credentials (`REANA_SERVER_URL` and `REANA_ACCESS_TOKEN`).

Right now it's possible to trick the system by exporting fake credentials, as no server requests are being performed:

```console
$ reana-client validate -f reana-snakemake.yaml
==> ERROR: Please provide your access token by using the -t/--access-token flag, or by setting the REANA_ACCESS_TOKEN environment variable.
$ export REANA_ACCESS_TOKEN=foo
$ reana-client validate -f reana-snakemake.yaml
==> ERROR: REANA client is not connected to any REANA cluster.
$ export REANA_SERVER_URL=bar
$ reana-client validate -f reana-snakemake.yaml
==> Verifying REANA specification file... /Users/marco/code/reanahub/reana-demo-root6-roofit/reana-snakemake.yaml
  -> SUCCESS: Valid REANA specification file.
Job stats:
job        count    min threads    max threads
-------  -------  -------------  -------------
all            1              1              1
fitdata        1              1              1
gendata        1              1              1
total          3              1              1

==> Verifying REANA specification parameters...
  -> SUCCESS: REANA specification parameters appear valid.
==> Verifying workflow parameters and commands...
  -> SUCCESS: Workflow parameters and commands appear valid.
==> Verifying dangerous workflow operations...
  -> SUCCESS: Workflow operations appear valid.
```

Somehow related to https://github.com/reanahub/reana-client/issues/567

mvidalgarcia commented 2 years ago

Just noticed that the new workspace validation introduced these new checks. That's why, if one has no workspace in reana.yaml, one can still bypass the credentials check, as no network request is done.

This is not ideal as:

  1. It's not nice to ask for credentials when doing a local validation (no workspace set)
  2. One can still bypass it by faking the credentials
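
An added sketch (not reana-client's code) of the behaviour the two comments above describe: local validation runs without credentials, and credentials are demanded only when a workspace has to be checked, at which point they are verified by a server round trip rather than by presence alone. The function names, the spec layout and the stub server are assumptions made for this example.

```python
# Added illustration; every name here is hypothetical, not reana-client's API.

class CredentialsError(Exception):
    """Raised when credentials are missing or rejected."""


def presence_only_check(env):
    """The pattern from the issue: any non-empty string is accepted."""
    for var in ("REANA_ACCESS_TOKEN", "REANA_SERVER_URL"):
        if not env.get(var):
            raise CredentialsError(f"{var} is not set")


def stub_server_check(url, token, workspace):
    """Constructed stand-in for a real authenticated server request."""
    return url == "https://reana.example.org" and token == "valid-token"


def validate(spec, env, server_check=stub_server_check):
    """Validate locally; touch credentials only if a workspace is declared."""
    report = {
        # Stand-in for the real local specification checks.
        "local_ok": isinstance(spec.get("workflow"), dict),
        "server_checked": False,
    }
    workspace = spec.get("workspace")
    if not workspace:
        # Purely local run: no credentials requested, none consulted.
        return report
    # Workspace validation needs the server, so credentials must exist...
    presence_only_check(env)
    # ...and must be accepted by the server, not merely be non-empty.
    if not server_check(env["REANA_SERVER_URL"],
                        env["REANA_ACCESS_TOKEN"], workspace):
        raise CredentialsError("server rejected the credentials")
    report["server_checked"] = True
    return report


if __name__ == "__main__":
    local_spec = {"workflow": {"type": "snakemake"}}  # constructed sample
    print(validate(local_spec, env={}))
```
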