projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
12107: Add protective comment.
[arvados.git] / services / api / app / models / user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index d944474712708b3207f28807e10349b8f34007b0..f0934104d32ca6454ec6cfcf2f4c227bc3cd4a71 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'can_be_an_owner'
 
 class User < ArvadosModel
@@ -6,6 +10,11 @@ class User < ArvadosModel
   include CommonApiTemplate
   include CanBeAnOwner
 
+  # To avoid upgrade bugs, when changing the permission cache value
+  # format, change PERM_CACHE_PREFIX too:
+  PERM_CACHE_PREFIX = "perm_v20170725_"
+  PERM_CACHE_TTL = 172800
+
   serialize :prefs, Hash
   has_many :api_client_authorizations
   validates(:username,
@@ -20,6 +29,7 @@ class User < ArvadosModel
   before_update :verify_repositories_empty, :if => Proc.new { |user|
     user.username.nil? and user.username_changed?
   }
+  before_update :setup_on_activate
   before_create :check_auto_admin
   before_create :set_initial_username, :if => Proc.new { |user|
     user.username.nil? and user.email
@@ -136,15 +146,33 @@ class User < ArvadosModel
       timestamp = DbCurrentTime::db_current_time.to_i if timestamp.nil?
       connection.execute "NOTIFY invalidate_permissions_cache, '#{timestamp}'"
     else
-      Rails.cache.delete_matched(/^groups_for_user_/)
+      Rails.cache.delete_matched(/^#{PERM_CACHE_PREFIX}/)
+    end
+  end
+
+  # Return a hash of {user_uuid: group_perms}
+  def self.all_group_permissions
+    install_view('permission')
+    all_perms = {}
+    ActiveRecord::Base.connection.
+      exec_query('SELECT user_uuid, target_owner_uuid, max(perm_level)
+                  FROM permission_view
+                  WHERE target_owner_uuid IS NOT NULL
+                  GROUP BY user_uuid, target_owner_uuid',
+                  # "name" arg is a query label that appears in logs:
+                  "all_group_permissions",
+                  ).rows.each do |user_uuid, group_uuid, max_p_val|
+      all_perms[user_uuid] ||= {}
+      all_perms[user_uuid][group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
     end
+    all_perms
   end
 
   # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
   # and perm_hash[:write] are true if this user can read and write
   # objects owned by group_uuid.
   def calculate_group_permissions
-    install_view('permission')
+    self.class.install_view('permission')
 
     group_perms = {}
     ActiveRecord::Base.connection.
@@ -160,7 +188,7 @@ class User < ArvadosModel
                   ).rows.each do |group_uuid, max_p_val|
       group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
     end
-    Rails.cache.write "groups_for_user_#{self.uuid}", group_perms
+    Rails.cache.write "#{PERM_CACHE_PREFIX}#{self.uuid}", group_perms, expires_in: PERM_CACHE_TTL
     group_perms
   end
 
@@ -168,12 +196,12 @@ class User < ArvadosModel
   # and perm_hash[:write] are true if this user can read and write
   # objects owned by group_uuid.
   def group_permissions
-    r = Rails.cache.read "groups_for_user_#{self.uuid}"
+    r = Rails.cache.read "#{PERM_CACHE_PREFIX}#{self.uuid}"
     if r.nil?
       if Rails.configuration.async_permissions_update
         while r.nil?
           sleep(0.1)
-          r = Rails.cache.read "groups_for_user_#{self.uuid}"
+          r = Rails.cache.read "#{PERM_CACHE_PREFIX}#{self.uuid}"
         end
       else
         r = calculate_group_permissions
@@ -182,15 +210,11 @@ class User < ArvadosModel
     r
   end
 
-  def self.setup(user, openid_prefix, repo_name=nil, vm_uuid=nil)
-    return user.setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
-  end
-
   # create links
-  def setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
+  def setup(openid_prefix:, repo_name: nil, vm_uuid: nil)
     oid_login_perm = create_oid_login_perm openid_prefix
     repo_perm = create_user_repo_link repo_name
-    vm_login_perm = create_vm_login_permission_link vm_uuid, username
+    vm_login_perm = create_vm_login_permission_link(vm_uuid, username) if vm_uuid
     group_perm = create_user_group_link
 
     return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact
@@ -364,13 +388,12 @@ class User < ArvadosModel
     merged
   end
 
-  def create_oid_login_perm (openid_prefix)
-    login_perm_props = { "identity_url_prefix" => openid_prefix}
-
+  def create_oid_login_perm(openid_prefix)
     # Check oid_login_perm
     oid_login_perms = Link.where(tail_uuid: self.email,
-                                   link_class: 'permission',
-                                   name: 'can_login').where("head_uuid = ?", self.uuid)
+                                 head_uuid: self.uuid,
+                                 link_class: 'permission',
+                                 name: 'can_login')
 
     if !oid_login_perms.any?
       # create openid login permission
@@ -378,8 +401,9 @@ class User < ArvadosModel
                                    name: 'can_login',
                                    tail_uuid: self.email,
                                    head_uuid: self.uuid,
-                                   properties: login_perm_props
-                                  )
+                                   properties: {
+                                     "identity_url_prefix" => openid_prefix,
+                                   })
       logger.info { "openid login permission: " + oid_login_perm[:uuid] }
     else
       oid_login_perm = oid_login_perms.first
@@ -407,15 +431,12 @@ class User < ArvadosModel
   # create login permission for the given vm_uuid, if it does not already exist
   def create_vm_login_permission_link(vm_uuid, repo_name)
     # vm uuid is optional
-    if vm_uuid
-      vm = VirtualMachine.where(uuid: vm_uuid).first
+    return if !vm_uuid
 
-      if not vm
-        logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
-        raise "No vm found for #{vm_uuid}"
-      end
-    else
-      return
+    vm = VirtualMachine.where(uuid: vm_uuid).first
+    if !vm
+      logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
+      raise "No vm found for #{vm_uuid}"
     end
 
     logger.info { "vm uuid: " + vm[:uuid] }
@@ -468,9 +489,17 @@ class User < ArvadosModel
     end
   end
 
+  # Automatically setup if is_active flag turns on
+  def setup_on_activate
+    return if [system_user_uuid, anonymous_user_uuid].include?(self.uuid)
+    if is_active && (new_record? || is_active_changed?)
+      setup(openid_prefix: Rails.configuration.default_openid_prefix)
+    end
+  end
+
   # Automatically setup new user during creation
   def auto_setup_new_user
-    setup_repo_vm_links(nil, nil, Rails.configuration.default_openid_prefix)
+    setup(openid_prefix: Rails.configuration.default_openid_prefix)
     if username
       create_vm_login_permission_link(Rails.configuration.auto_setup_new_users_with_vm_uuid,
                                       username)