+require 'can_be_an_owner'
+
class User < ArvadosModel
- include AssignUuid
+ include HasUuid
include KindAndEtag
include CommonApiTemplate
+ include CanBeAnOwner
+
serialize :prefs, Hash
has_many :api_client_authorizations
before_update :prevent_privilege_escalation
before_update :prevent_inactive_admin
before_create :check_auto_admin
after_create :add_system_group_permission_link
- after_create AdminNotifier
+ after_create :send_admin_notifications
has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
ALL_PERMISSIONS = {read: true, write: true, manage: true}
def full_name
- "#{first_name} #{last_name}"
+ "#{first_name} #{last_name}".strip
end
def is_invited
end
def groups_i_can(verb)
- self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+ my_groups = self.group_permissions.select { |uuid, mask| mask[verb] }.keys
+ if verb == :read
+ my_groups << anonymous_group_uuid
+ end
+ my_groups
end
def can?(actions)
return true if is_admin
actions.each do |action, target|
- target_uuid = target
- if target.respond_to? :uuid
- target_uuid = target.uuid
+ unless target.nil?
+ if target.respond_to? :uuid
+ target_uuid = target.uuid
+ else
+ target_uuid = target
+ target = ArvadosModel.find_by_uuid(target_uuid)
+ end
end
next if target_uuid == self.uuid
next if (group_permissions[target_uuid] and
# Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
# and perm_hash[:write] are true if this user can read and write
# objects owned by group_uuid.
+ #
+ # The permission graph is built by repeatedly enumerating all
+ # permission links reachable from self.uuid, and then calling
+ # search_permissions
def group_permissions
Rails.cache.fetch "groups_for_user_#{self.uuid}" do
permissions_from = {}
todo = {self.uuid => true}
done = {}
+ # Build the equivalence class of permissions starting with
+ # self.uuid. On each iteration of this loop, todo contains
+ # the next set of uuids in the permission equivalence class
+ # to evaluate.
while !todo.empty?
lookup_uuids = todo.keys
lookup_uuids.each do |uuid| done[uuid] = true end
todo = {}
newgroups = []
+ # include all groups owned by the current set of uuids.
Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
newgroups << [group.owner_uuid, group.uuid, 'can_manage']
end
- Link.where('tail_uuid in (?) and link_class = ? and head_kind in (?)',
+ # add any permission links from the current lookup_uuids to a
+ # User or Group.
+ Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
lookup_uuids,
'permission',
- ['arvados#group', 'arvados#user']).each do |link|
+ Group.uuid_like_pattern,
+ User.uuid_like_pattern).each do |link|
newgroups << [link.tail_uuid, link.head_uuid, link.name]
end
newgroups.each do |tail_uuid, head_uuid, perm_name|
def unsetup
# delete oid_login_perms for this user
oid_login_perms = Link.where(tail_uuid: self.email,
- head_kind: 'arvados#user',
link_class: 'permission',
name: 'can_login')
oid_login_perms.each do |perm|
# delete repo_perms for this user
repo_perms = Link.where(tail_uuid: self.uuid,
- head_kind: 'arvados#repository',
link_class: 'permission',
name: 'can_write')
repo_perms.each do |perm|
# delete vm_login_perms for this user
vm_login_perms = Link.where(tail_uuid: self.uuid,
- head_kind: 'arvados#virtualMachine',
link_class: 'permission',
name: 'can_login')
vm_login_perms.each do |perm|
end.first
group_perms = Link.where(tail_uuid: self.uuid,
head_uuid: group[:uuid],
- head_kind: 'arvados#group',
link_class: 'permission',
name: 'can_read')
group_perms.each do |perm|
# delete any signatures by this user
signed_uuids = Link.where(link_class: 'signature',
- tail_kind: 'arvados#user',
tail_uuid: self.uuid)
signed_uuids.each do |sign|
Link.delete sign
protected
+ def ensure_ownership_path_leads_to_user
+ true
+ end
+
def permission_to_update
# users must be able to update themselves (even if they are
# inactive) in order to create sessions
end
def create_oid_login_perm (openid_prefix)
- login_perm_props = {identity_url_prefix: openid_prefix}
+ login_perm_props = { "identity_url_prefix" => openid_prefix}
# Check oid_login_perm
oid_login_perms = Link.where(tail_uuid: self.email,
- head_kind: 'arvados#user',
link_class: 'permission',
- name: 'can_login')
+ name: 'can_login').where("head_uuid = ?", self.uuid)
if !oid_login_perms.any?
# create openid login permission
oid_login_perm = Link.create(link_class: 'permission',
name: 'can_login',
- tail_kind: 'email',
tail_uuid: self.email,
- head_kind: 'arvados#user',
head_uuid: self.uuid,
properties: login_perm_props
)
# Look for existing repository access for this repo
repo_perms = Link.where(tail_uuid: self.uuid,
- head_kind: 'arvados#repository',
head_uuid: repo[:uuid],
link_class: 'permission',
name: 'can_write')
repo ||= Repository.create(name: repo_name)
logger.info { "repo uuid: " + repo[:uuid] }
- repo_perm = Link.create(tail_kind: 'arvados#user',
- tail_uuid: self.uuid,
- head_kind: 'arvados#repository',
+ repo_perm = Link.create(tail_uuid: self.uuid,
head_uuid: repo[:uuid],
link_class: 'permission',
name: 'can_write')
login_perms = Link.where(tail_uuid: self.uuid,
head_uuid: vm[:uuid],
- head_kind: 'arvados#virtualMachine',
link_class: 'permission',
name: 'can_login')
perm_exists = false
login_perms.each do |perm|
- if perm.properties[:username] == repo_name
- perm_exists = true
+ if perm.properties['username'] == repo_name
+ perm_exists = perm
break
end
end
- if !perm_exists
- login_perm = Link.create(tail_kind: 'arvados#user',
- tail_uuid: self.uuid,
- head_kind: 'arvados#virtualMachine',
+ if perm_exists
+ login_perm = perm_exists
+ else
+ login_perm = Link.create(tail_uuid: self.uuid,
head_uuid: vm[:uuid],
link_class: 'permission',
name: 'can_login',
- properties: {username: repo_name})
+ properties: {'username' => repo_name})
logger.info { "login permission: " + login_perm[:uuid] }
- else
- login_perm = login_perms.first
end
return login_perm
group_perms = Link.where(tail_uuid: self.uuid,
head_uuid: group[:uuid],
- head_kind: 'arvados#group',
link_class: 'permission',
name: 'can_read')
if !group_perms.any?
- group_perm = Link.create(tail_kind: 'arvados#user',
- tail_uuid: self.uuid,
- head_kind: 'arvados#group',
+ group_perm = Link.create(tail_uuid: self.uuid,
head_uuid: group[:uuid],
link_class: 'permission',
name: 'can_read')
act_as_system_user do
Link.create(link_class: 'permission',
name: 'can_manage',
- tail_kind: 'arvados#group',
tail_uuid: system_group_uuid,
- head_kind: 'arvados#user',
head_uuid: self.uuid)
end
end
+
+ # Send admin notifications
+ def send_admin_notifications
+ AdminNotifier.new_user(self).deliver
+ if not self.is_active then
+ AdminNotifier.new_inactive_user(self).deliver
+ end
+ end
end