2411: Add copyright notices to everything.

[arvados.git] / services / api / app / models / user.rb

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 742db4c9b02282aecbf824bf087c7f2eb2c76dc8..26c714eb4a39bda9ec1df0f6f69d488c64adf7c6 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'can_be_an_owner'
 
 class User < ArvadosModel
@@ -20,6 +24,7 @@ class User < ArvadosModel
   before_update :verify_repositories_empty, :if => Proc.new { |user|
     user.username.nil? and user.username_changed?
   }
+  before_update :setup_on_activate
   before_create :check_auto_admin
   before_create :set_initial_username, :if => Proc.new { |user|
     user.username.nil? and user.email
@@ -140,37 +145,42 @@ class User < ArvadosModel
     end
   end
 
+  # Return a hash of {user_uuid: group_perms}
+  def self.all_group_permissions
+    install_view('permission')
+    all_perms = {}
+    ActiveRecord::Base.connection.
+      exec_query('SELECT user_uuid, target_owner_uuid, max(perm_level)
+                  FROM permission_view
+                  WHERE target_owner_uuid IS NOT NULL
+                  GROUP BY user_uuid, target_owner_uuid',
+                  # "name" arg is a query label that appears in logs:
+                  "all_group_permissions",
+                  ).rows.each do |user_uuid, group_uuid, max_p_val|
+      all_perms[user_uuid] ||= {}
+      all_perms[user_uuid][group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
+    end
+    all_perms
+  end
+
   # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
   # and perm_hash[:write] are true if this user can read and write
   # objects owned by group_uuid.
   def calculate_group_permissions
-    conn = ActiveRecord::Base.connection
-    self.class.transaction do
-      # Check whether the temporary view has already been created
-      # during this connection. If not, create it.
-      conn.exec_query 'SAVEPOINT check_permission_view'
-      begin
-        conn.exec_query('SELECT 1 FROM permission_view LIMIT 0')
-      rescue
-        conn.exec_query 'ROLLBACK TO SAVEPOINT check_permission_view'
-        sql = File.read(Rails.root.join('lib', 'create_permission_view.sql'))
-        conn.exec_query(sql)
-      ensure
-        conn.exec_query 'RELEASE SAVEPOINT check_permission_view'
-      end
-    end
+    self.class.install_view('permission')
 
     group_perms = {}
-    conn.exec_query('SELECT target_owner_uuid, max(perm_level)
-                    FROM permission_view
-                    WHERE user_uuid = $1
-                    AND target_owner_uuid IS NOT NULL
-                    GROUP BY target_owner_uuid',
-                    # "name" arg is a query label that appears in logs:
-                    "group_permissions for #{uuid}",
-                    # "binds" arg is an array of [col_id, value] for '$1' vars:
-                    [[nil, uuid]],
-                    ).rows.each do |group_uuid, max_p_val|
+    ActiveRecord::Base.connection.
+      exec_query('SELECT target_owner_uuid, max(perm_level)
+                  FROM permission_view
+                  WHERE user_uuid = $1
+                  AND target_owner_uuid IS NOT NULL
+                  GROUP BY target_owner_uuid',
+                  # "name" arg is a query label that appears in logs:
+                  "group_permissions for #{uuid}",
+                  # "binds" arg is an array of [col_id, value] for '$1' vars:
+                  [[nil, uuid]],
+                  ).rows.each do |group_uuid, max_p_val|
       group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
     end
     Rails.cache.write "groups_for_user_#{self.uuid}", group_perms
@@ -195,15 +205,11 @@ class User < ArvadosModel
     r
   end
 
-  def self.setup(user, openid_prefix, repo_name=nil, vm_uuid=nil)
-    return user.setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
-  end
-
   # create links
-  def setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
+  def setup(openid_prefix:, repo_name: nil, vm_uuid: nil)
     oid_login_perm = create_oid_login_perm openid_prefix
     repo_perm = create_user_repo_link repo_name
-    vm_login_perm = create_vm_login_permission_link vm_uuid, username
+    vm_login_perm = create_vm_login_permission_link(vm_uuid, username) if vm_uuid
     group_perm = create_user_group_link
 
     return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact
@@ -377,13 +383,12 @@ class User < ArvadosModel
     merged
   end
 
-  def create_oid_login_perm (openid_prefix)
-    login_perm_props = { "identity_url_prefix" => openid_prefix}
-
+  def create_oid_login_perm(openid_prefix)
     # Check oid_login_perm
     oid_login_perms = Link.where(tail_uuid: self.email,
-                                   link_class: 'permission',
-                                   name: 'can_login').where("head_uuid = ?", self.uuid)
+                                 head_uuid: self.uuid,
+                                 link_class: 'permission',
+                                 name: 'can_login')
 
     if !oid_login_perms.any?
       # create openid login permission
@@ -391,8 +396,9 @@ class User < ArvadosModel
                                    name: 'can_login',
                                    tail_uuid: self.email,
                                    head_uuid: self.uuid,
-                                   properties: login_perm_props
-                                  )
+                                   properties: {
+                                     "identity_url_prefix" => openid_prefix,
+                                   })
       logger.info { "openid login permission: " + oid_login_perm[:uuid] }
     else
       oid_login_perm = oid_login_perms.first
@@ -420,15 +426,12 @@ class User < ArvadosModel
   # create login permission for the given vm_uuid, if it does not already exist
   def create_vm_login_permission_link(vm_uuid, repo_name)
     # vm uuid is optional
-    if vm_uuid
-      vm = VirtualMachine.where(uuid: vm_uuid).first
+    return if !vm_uuid
 
-      if not vm
-        logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
-        raise "No vm found for #{vm_uuid}"
-      end
-    else
-      return
+    vm = VirtualMachine.where(uuid: vm_uuid).first
+    if !vm
+      logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
+      raise "No vm found for #{vm_uuid}"
     end
 
     logger.info { "vm uuid: " + vm[:uuid] }
@@ -481,9 +484,17 @@ class User < ArvadosModel
     end
   end
 
+  # Automatically setup if is_active flag turns on
+  def setup_on_activate
+    return if [system_user_uuid, anonymous_user_uuid].include?(self.uuid)
+    if is_active && (new_record? || is_active_changed?)
+      setup(openid_prefix: Rails.configuration.default_openid_prefix)
+    end
+  end
+
   # Automatically setup new user during creation
   def auto_setup_new_user
-    setup_repo_vm_links(nil, nil, Rails.configuration.default_openid_prefix)
+    setup(openid_prefix: Rails.configuration.default_openid_prefix)
     if username
       create_vm_login_permission_link(Rails.configuration.auto_setup_new_users_with_vm_uuid,
                                       username)