Merged master

[arvados.git] / services / api / app / models / user.rb
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb

index e87fb3159dd966536b627d6657c2fcf383ef46dd..41858e8b3adb3cb2394c0eb55d5a3cfc24a1d42e 100644 (file)
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -5,16 +5,22 @@ class User < ArvadosModel
    serialize :prefs, Hash
    has_many :api_client_authorizations
    before_update :prevent_privilege_escalation
+  before_update :prevent_inactive_admin
+  before_create :check_auto_admin
+  after_create :add_system_group_permission_link
+  after_create AdminNotifier
  
-  has_many :authorized_keys, :foreign_key => :authorized_user, :primary_key => :uuid
+  has_many :authorized_keys, :foreign_key => :authorized_user_uuid, :primary_key => :uuid
  
-  api_accessible :superuser, :extend => :common do |t|
+  api_accessible :user, extend: :common do |t|
      t.add :email
      t.add :full_name
      t.add :first_name
      t.add :last_name
      t.add :identity_url
+    t.add :is_active
      t.add :is_admin
+    t.add :is_invited
      t.add :prefs
    end
  
@@ -24,11 +30,18 @@ class User < ArvadosModel
      "#{first_name} #{last_name}"
    end
  
+  def is_invited
+    !!(self.is_active ||
+       Rails.configuration.new_users_are_active ||
+       self.groups_i_can(:read).select { |x| x.match /-f+$/ }.first)
+  end
+
    def groups_i_can(verb)
      self.group_permissions.select { |uuid, mask| mask[verb] }.keys
    end
  
    def can?(actions)
+    return true if is_admin
      actions.each do |action, target|
        target_uuid = target
        if target.respond_to? :uuid
@@ -37,10 +50,10 @@ class User < ArvadosModel
        next if target_uuid == self.uuid
        next if (group_permissions[target_uuid] and
                 group_permissions[target_uuid][action])
-      if target.respond_to? :owner
-        next if target.owner == self.uuid
-        next if (group_permissions[target.owner] and
-                 group_permissions[target.owner][action])
+      if target.respond_to? :owner_uuid
+        next if target.owner_uuid == self.uuid
+        next if (group_permissions[target.owner_uuid] and
+                 group_permissions[target.owner_uuid][action])
        end
        return false
      end
@@ -51,25 +64,9 @@ class User < ArvadosModel
      Rails.cache.delete_matched(/^groups_for_user_/)
    end
  
-  protected
-
-  def permission_to_create
-    Thread.current[:user] == self or
-      (Thread.current[:user] and Thread.current[:user].is_admin)
-  end
-
-  def prevent_privilege_escalation
-    if self.is_admin_changed? and !current_user.is_admin
-      if current_user.uuid == self.uuid
-        if self.is_admin != self.is_admin_was
-          logger.warn "User #{self.uuid} tried to change is_admin from #{self.is_admin_was} to #{self.is_admin}"
-          self.is_admin = self.is_admin_was
-        end
-      end
-    end
-    true
-  end
-
+  # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
+  # and perm_hash[:write] are true if this user can read and write
+  # objects owned by group_uuid.
    def group_permissions
      Rails.cache.fetch "groups_for_user_#{self.uuid}" do
        permissions_from = {}
@@ -79,15 +76,23 @@ class User < ArvadosModel
          lookup_uuids = todo.keys
          lookup_uuids.each do |uuid| done[uuid] = true end
          todo = {}
-        Link.where('tail_uuid in (?) and link_class = ? and head_kind = ?',
+        newgroups = []
+        Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
+          newgroups << [group.owner_uuid, group.uuid, 'can_manage']
+        end
+        Link.where('tail_uuid in (?) and link_class = ? and (head_uuid like ? or head_uuid like ?)',
                     lookup_uuids,
                     'permission',
-                   'arvados#group').each do |link|
-          unless done.has_key? link.head_uuid
-            todo[link.head_uuid] = true
+                   Group.uuid_like_pattern,
+                   User.uuid_like_pattern).each do |link|
+          newgroups << [link.tail_uuid, link.head_uuid, link.name]
+        end
+        newgroups.each do |tail_uuid, head_uuid, perm_name|
+          unless done.has_key? head_uuid
+            todo[head_uuid] = true
            end
            link_permissions = {}
-          case link.name
+          case perm_name
            when 'can_read'
              link_permissions = {read:true}
            when 'can_write'
@@ -95,10 +100,10 @@ class User < ArvadosModel
            when 'can_manage'
              link_permissions = ALL_PERMISSIONS
            end
-          permissions_from[link.tail_uuid] ||= {}
-          permissions_from[link.tail_uuid][link.head_uuid] ||= {}
+          permissions_from[tail_uuid] ||= {}
+          permissions_from[tail_uuid][head_uuid] ||= {}
            link_permissions.each do |k,v|
-            permissions_from[link.tail_uuid][link.head_uuid][k] ||= v
+            permissions_from[tail_uuid][head_uuid][k] ||= v
            end
          end
        end
@@ -106,6 +111,127 @@ class User < ArvadosModel
      end
    end
  
+  def self.setup(user, openid_prefix, repo_name=nil, vm_uuid=nil)
+    return user.setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
+  end
+
+  # create links
+  def setup_repo_vm_links(repo_name, vm_uuid, openid_prefix)
+    oid_login_perm = create_oid_login_perm openid_prefix
+    repo_perm = create_user_repo_link repo_name
+    vm_login_perm = create_vm_login_permission_link vm_uuid, repo_name
+    group_perm = create_user_group_link
+
+    return [oid_login_perm, repo_perm, vm_login_perm, group_perm, self].compact
+  end
+
+  # delete user signatures, login, repo, and vm perms, and mark as inactive
+  def unsetup
+    # delete oid_login_perms for this user
+    oid_login_perms = Link.where(tail_uuid: self.email,
+                                 head_kind: 'arvados#user',
+                                 link_class: 'permission',
+                                 name: 'can_login')
+    oid_login_perms.each do |perm|
+      Link.delete perm
+    end
+
+    # delete repo_perms for this user
+    repo_perms = Link.where(tail_uuid: self.uuid,
+                            head_kind: 'arvados#repository',
+                            link_class: 'permission',
+                            name: 'can_write')
+    repo_perms.each do |perm|
+      Link.delete perm
+    end
+
+    # delete vm_login_perms for this user
+    vm_login_perms = Link.where(tail_uuid: self.uuid,
+                                head_kind: 'arvados#virtualMachine',
+                                link_class: 'permission',
+                                name: 'can_login')
+    vm_login_perms.each do |perm|
+      Link.delete perm
+    end
+
+    # delete "All users' group read permissions for this user
+    group = Group.where(name: 'All users').select do |g|
+      g[:uuid].match /-f+$/
+    end.first
+    group_perms = Link.where(tail_uuid: self.uuid,
+                             head_uuid: group[:uuid],
+                             head_kind: 'arvados#group',
+                             link_class: 'permission',
+                             name: 'can_read')
+    group_perms.each do |perm|
+      Link.delete perm
+    end
+
+    # delete any signatures by this user
+    signed_uuids = Link.where(link_class: 'signature',
+                              tail_kind: 'arvados#user',
+                              tail_uuid: self.uuid)
+    signed_uuids.each do |sign|
+      Link.delete sign
+    end
+
+    # mark the user as inactive
+    self.is_active = false
+    self.save!
+  end
+
+  protected
+
+  def permission_to_update
+    # users must be able to update themselves (even if they are
+    # inactive) in order to create sessions
+    self == current_user or super
+  end
+
+  def permission_to_create
+    current_user.andand.is_admin or
+      (self == current_user and
+       self.is_active == Rails.configuration.new_users_are_active)
+  end
+
+  def check_auto_admin
+    if User.where("uuid not like '%-000000000000000'").where(:is_admin => true).count == 0 and Rails.configuration.auto_admin_user
+      if current_user.email == Rails.configuration.auto_admin_user
+        self.is_admin = true
+        self.is_active = true
+      end
+    end
+  end
+
+  def prevent_privilege_escalation
+    if current_user.andand.is_admin
+      return true
+    end
+    if self.is_active_changed?
+      if self.is_active != self.is_active_was
+        logger.warn "User #{current_user.uuid} tried to change is_active from #{self.is_admin_was} to #{self.is_admin} for #{self.uuid}"
+        self.is_active = self.is_active_was
+      end
+    end
+    if self.is_admin_changed?
+      if self.is_admin != self.is_admin_was
+        logger.warn "User #{current_user.uuid} tried to change is_admin from #{self.is_admin_was} to #{self.is_admin} for #{self.uuid}"
+        self.is_admin = self.is_admin_was
+      end
+    end
+    true
+  end
+
+  def prevent_inactive_admin
+    if self.is_admin and not self.is_active
+      # There is no known use case for the strange set of permissions
+      # that would result from this change. It's safest to assume it's
+      # a mistake and disallow it outright.
+      raise "Admin users cannot be inactive"
+    end
+    true
+  end
+
    def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
      nextpaths = graph[start]
      return merged if !nextpaths
@@ -122,4 +248,169 @@ class User < ArvadosModel
      upstream_path.delete start
      merged
    end
+
+  def create_oid_login_perm (openid_prefix)
+    login_perm_props = {identity_url_prefix: openid_prefix}
+
+    # Check oid_login_perm
+    oid_login_perms = Link.where(tail_uuid: self.email,
+                                   head_kind: 'arvados#user',
+                                   link_class: 'permission',
+                                   name: 'can_login')
+
+    if !oid_login_perms.any?
+      # create openid login permission
+      oid_login_perm = Link.create(link_class: 'permission',
+                                   name: 'can_login',
+                                   tail_kind: 'email',
+                                   tail_uuid: self.email,
+                                   head_kind: 'arvados#user',
+                                   head_uuid: self.uuid,
+                                   properties: login_perm_props
+                                  )
+      logger.info { "openid login permission: " + oid_login_perm[:uuid] }
+    else
+      oid_login_perm = oid_login_perms.first
+    end
+
+    return oid_login_perm
+  end
+
+  def create_user_repo_link(repo_name)
+    # repo_name is optional
+    if not repo_name
+      logger.warn ("Repository name not given for #{self.uuid}.")
+      return
+    end
+
+    # Check for an existing repository with the same name we're about to use.
+    repo = Repository.where(name: repo_name).first
+
+    if repo
+      logger.warn "Repository exists for #{repo_name}: #{repo[:uuid]}."
+
+      # Look for existing repository access for this repo
+      repo_perms = Link.where(tail_uuid: self.uuid,
+                              head_kind: 'arvados#repository',
+                              head_uuid: repo[:uuid],
+                              link_class: 'permission',
+                              name: 'can_write')
+      if repo_perms.any?
+        logger.warn "User already has repository access " +
+            repo_perms.collect { |p| p[:uuid] }.inspect
+        return repo_perms.first
+      end
+    end
+
+    # create repo, if does not already exist
+    repo ||= Repository.create(name: repo_name)
+    logger.info { "repo uuid: " + repo[:uuid] }
+
+    repo_perm = Link.create(tail_kind: 'arvados#user',
+                            tail_uuid: self.uuid,
+                            head_kind: 'arvados#repository',
+                            head_uuid: repo[:uuid],
+                            link_class: 'permission',
+                            name: 'can_write')
+    logger.info { "repo permission: " + repo_perm[:uuid] }
+    return repo_perm
+  end
+
+  # create login permission for the given vm_uuid, if it does not already exist
+  def create_vm_login_permission_link(vm_uuid, repo_name)
+    begin
+
+      # vm uuid is optional
+      if vm_uuid
+        vm = VirtualMachine.where(uuid: vm_uuid).first
+
+        if not vm
+          logger.warn "Could not find virtual machine for #{vm_uuid.inspect}"
+          raise "No vm found for #{vm_uuid}"
+        end
+      else
+        return
+      end
+
+      logger.info { "vm uuid: " + vm[:uuid] }
+
+      login_perms = Link.where(tail_uuid: self.uuid,
+                              head_uuid: vm[:uuid],
+                              head_kind: 'arvados#virtualMachine',
+                              link_class: 'permission',
+                              name: 'can_login')
+
+      perm_exists = false
+      login_perms.each do |perm|
+        if perm.properties[:username] == repo_name
+          perm_exists = true
+          break
+        end
+      end
+
+      if !perm_exists
+        login_perm = Link.create(tail_kind: 'arvados#user',
+                                 tail_uuid: self.uuid,
+                                 head_kind: 'arvados#virtualMachine',
+                                 head_uuid: vm[:uuid],
+                                 link_class: 'permission',
+                                 name: 'can_login',
+                                 properties: {username: repo_name})
+        logger.info { "login permission: " + login_perm[:uuid] }
+      else
+        login_perm = login_perms.first
+      end
+
+      return login_perm
+    end
+  end
+
+  # add the user to the 'All users' group
+  def create_user_group_link
+    # Look up the "All users" group (we expect uuid *-*-fffffffffffffff).
+    group = Group.where(name: 'All users').select do |g|
+      g[:uuid].match /-f+$/
+    end.first
+
+    if not group
+      logger.warn "No 'All users' group with uuid '*-*-fffffffffffffff'."
+      raise "No 'All users' group with uuid '*-*-fffffffffffffff' is found"
+    else
+      logger.info { "\"All users\" group uuid: " + group[:uuid] }
+
+      group_perms = Link.where(tail_uuid: self.uuid,
+                              head_uuid: group[:uuid],
+                              head_kind: 'arvados#group',
+                              link_class: 'permission',
+                              name: 'can_read')
+
+      if !group_perms.any?
+        group_perm = Link.create(tail_kind: 'arvados#user',
+                                 tail_uuid: self.uuid,
+                                 head_kind: 'arvados#group',
+                                 head_uuid: group[:uuid],
+                                 link_class: 'permission',
+                                 name: 'can_read')
+        logger.info { "group permission: " + group_perm[:uuid] }
+      else
+        group_perm = group_perms.first
+      end
+
+      return group_perm
+    end
+  end
+
+  # Give the special "System group" permission to manage this user and
+  # all of this user's stuff.
+  #
+  def add_system_group_permission_link
+    act_as_system_user do
+      Link.create(link_class: 'permission',
+                  name: 'can_manage',
+                  tail_kind: 'arvados#group',
+                  tail_uuid: system_group_uuid,
+                  head_kind: 'arvados#user',
+                  head_uuid: self.uuid)
+    end
+  end
  end