X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1dcd10a37c3dd8166ddf06053d895d546f8ad3d4..b3e4886cbbe195347179d0664621da9bc34e6170:/services/api/app/models/api_client_authorization.rb diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb index 6b308a231c..ee63c4d934 100644 --- a/services/api/app/models/api_client_authorization.rb +++ b/services/api/app/models/api_client_authorization.rb @@ -7,12 +7,15 @@ class ApiClientAuthorization < ArvadosModel include KindAndEtag include CommonApiTemplate extend CurrentApiClient + extend DbCurrentTime belongs_to :api_client belongs_to :user after_initialize :assign_random_api_token serialize :scopes, Array + before_validation :clamp_token_expiration + api_accessible :user, extend: :common do |t| t.add :owner_uuid t.add :user_id @@ -354,7 +357,7 @@ class ApiClientAuthorization < ArvadosModel auth.update_attributes!(user: user, api_token: stored_secret, api_client_id: 0, - expires_at: Time.now + Rails.configuration.Login.RemoteTokenRefresh) + expires_at: db_current_time + Rails.configuration.Login.RemoteTokenRefresh) Rails.logger.debug "cached remote token #{token_uuid} with secret #{stored_secret} in local db" auth.api_token = secret return auth @@ -384,6 +387,15 @@ class ApiClientAuthorization < ArvadosModel protected + def clamp_token_expiration + if !current_user.andand.is_admin && Rails.configuration.API.MaxTokenLifetime > 0 + max_token_expiration = db_current_time + Rails.configuration.API.MaxTokenLifetime + if (self.new_record? || self.expires_at_changed?) && (self.expires_at.nil? || self.expires_at > max_token_expiration) + self.expires_at = max_token_expiration + end + end + end + def permission_to_create current_user.andand.is_admin or (current_user.andand.id == self.user_id) end @@ -394,7 +406,6 @@ class ApiClientAuthorization < ArvadosModel end def log_update - super unless (saved_changes.keys - UNLOGGED_CHANGES).empty? end end
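Review bot: `extend DbCurrentTime` in the first hunk makes `db_current_time` callable from class methods only, while the new `before_validation :clamp_token_expiration` callback runs on an instance and calls `db_current_time` there. That works only if a superclass already mixes the module into instances, presumably `ArvadosModel`, which is not visible on this page. Please confirm, and if it does not, add `include DbCurrentTime` next to the `extend` line. Otherwise the first non-admin token save would raise `NameError`. The class body continues outside the hunk.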
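Review bot: The unchanged `Rails.logger.debug` line directly after the edited `expires_at:` argument in the second hunk writes `stored_secret` to the log, and that is the value just stored as `api_token`. How `stored_secret` is derived is outside the hunk, but if it is accepted as the token secret for the cached row, anyone with read access to debug logs gets a usable credential. Log the identifier only: `Rails.logger.debug "cached remote token #{token_uuid} in local db"`. The enclosing method starts and ends outside the hunk.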
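Review bot: `clamp_token_expiration` in the third hunk has no comment, although its rule has consequences a maintainer should not have to rediscover. The exemption depends on the acting `current_user` being an admin rather than on the token's owner, a `MaxTokenLifetime` of 0 turns the limit off, and a token saved without a change to `expires_at` keeps its existing expiry, so tokens issued before the limit was configured are not shortened. I would add above the method `# Cap expires_at at now + API.MaxTokenLifetime unless the caller is an admin (0 = no cap).` and `# Only new tokens and changed expires_at values are capped; existing tokens are left as is.` The cap is also applied silently, so consider logging the token uuid at info level whenever a requested expiry is reduced. The method is complete within the hunk.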