- elsif uuid[0..4] != Rails.configuration.uuid_prefix
- # Token was issued by a different cluster. If it's expired or
- # missing in our database, ask the originating cluster to
- # [re]validate it.
- arv = Arvados.new(api_host: remote_host(uuid: uuid),
- api_token: token)
- remote_user = arv.user.current(remote: Rails.configuration.uuid_prefix)
- if remote_user && remote_user[:uuid][0..4] == uuid[0..4]
- act_as_system_user do
- # Add/update user and token in our database so we can
- # validate subsequent requests faster.
- user = User.find_or_create_by(uuid: remote_user[:uuid])
- user.update_attributes!(remote_user)
- auth = ApiClientAuthorization.
- includes(:user).
- find_or_create_by(uuid: uuid,
- api_token: token,
- user: user,
- api_client_id: 0)
- # Accept this token (and don't reload the user record) for
- # 5 minutes. TODO: Request the actual api_client_auth
- # record from the remote server in case it wants the token
- # to expire sooner.
- auth.update_attributes!(expires_at: Time.now + 5.minutes)
- end
- return auth
+ end
+
+ token_uuid_prefix = token_uuid[0..4]
+ if token_uuid_prefix == Rails.configuration.ClusterID
+ # Token is supposedly issued by local cluster, but if the
+ # token were valid, we would have been found in the database
+ # in the above query.
+ return nil
+ elsif token_uuid_prefix.length != 5
+ # malformed
+ return nil
+ end
+
+ # Invariant: token_uuid_prefix != Rails.configuration.ClusterID
+ #
+ # In other words the remaing code in this method below is the
+ # case that determines whether to accept a token that was issued
+ # by a remote cluster when the token absent or expired in our
+ # database. To begin, we need to ask the cluster that issued
+ # the token to [re]validate it.
+ clnt = ApiClientAuthorization.make_http_client
+
+ host = remote_host(uuid_prefix: token_uuid_prefix)
+ if !host
+ Rails.logger.warn "remote authentication rejected: no host for #{token_uuid_prefix.inspect}"
+ return nil
+ end
+
+ begin
+ remote_user = SafeJSON.load(
+ clnt.get_content('https://' + host + '/arvados/v1/users/current',
+ {'remote' => Rails.configuration.ClusterID},
+ {'Authorization' => 'Bearer ' + token}))
+ rescue => e
+ Rails.logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
+ return nil
+ end
+
+ # Check the response is well formed.
+ if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String)
+ Rails.logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
+ return nil
+ end
+
+ remote_user_prefix = remote_user['uuid'][0..4]
+
+ # Clusters can only authenticate for their own users.
+ if remote_user_prefix != token_uuid_prefix
+ Rails.logger.warn "remote authentication rejected: claimed remote user #{remote_user_prefix} but token was issued by #{token_uuid_prefix}"
+ return nil
+ end
+
+ # Invariant: remote_user_prefix == token_uuid_prefix
+ # therefore: remote_user_prefix != Rails.configuration.ClusterID
+
+ # Add or update user and token in local database so we can
+ # validate subsequent requests faster.
+
+ user = User.find_by_uuid(remote_user['uuid'])
+
+ if !user
+ # Create a new record for this user.
+ user = User.new(uuid: remote_user['uuid'],
+ is_active: false,
+ is_admin: false,
+ email: remote_user['email'],
+ owner_uuid: system_user_uuid)
+ user.set_initial_username(requested: remote_user['username'])
+ end
+
+ # Sync user record.
+ if remote_user_prefix == Rails.configuration.Login.LoginCluster
+ # Remote cluster controls our user database, copy both
+ # 'is_active' and 'is_admin'
+ user.is_active = remote_user['is_active']
+ user.is_admin = remote_user['is_admin']
+ else
+ if Rails.configuration.Users.NewUsersAreActive ||
+ Rails.configuration.RemoteClusters[remote_user_prefix].andand["ActivateUsers"]
+ # Default policy is to activate users, so match activate
+ # with the remote record.
+ user.is_active = remote_user['is_active']
+ elsif !remote_user['is_active']
+ # Deactivate user if the remote is inactive, otherwise don't
+ # change 'is_active'.
+ user.is_active = false
+ end
+ end
+
+ %w[first_name last_name email prefs].each do |attr|
+ user.send(attr+'=', remote_user[attr])
+ end
+
+ act_as_system_user do
+ user.save!
+
+ # We will accept this token (and avoid reloading the user
+ # record) for 'RemoteTokenRefresh' (default 5 minutes).
+ # Possible todo:
+ # Request the actual api_client_auth record from the remote
+ # server in case it wants the token to expire sooner.
+ auth = ApiClientAuthorization.find_or_create_by(uuid: token_uuid) do |auth|
+ auth.user = user
+ auth.api_client_id = 0