X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1e3f8ceebd90058e902494fae84b1fd57ac6693b..644f5de63e2b8b02e054fcbb3e9af39560cffae3:/services/api/app/models/api_client_authorization.rb

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index 6ab8abd3bb..542ab8e88d 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -83,10 +83,10 @@ class ApiClientAuthorization < ArvadosModel
     ["#{table_name}.id desc"]
   end
 
-  def self.remote_host(uuid:)
-    Rails.configuration.remote_hosts[uuid[0..4]] ||
+  def self.remote_host(uuid_prefix:)
+    Rails.configuration.remote_hosts[uuid_prefix] ||
       (Rails.configuration.remote_hosts_via_dns &&
-       uuid[0..4]+".arvadosapi.com")
+       uuid_prefix+".arvadosapi.com")
   end
 
   def self.validate(token:, remote:)
@@ -104,41 +104,76 @@ class ApiClientAuthorization < ArvadosModel
          (secret == auth.api_token ||
           secret == OpenSSL::HMAC.hexdigest('sha1', auth.api_token, remote))
         return auth
-      elsif uuid[0..4] != Rails.configuration.uuid_prefix
-        # Token was issued by a different cluster. If it's expired or
-        # missing in our database, ask the originating cluster to
-        # [re]validate it.
-        arv = Arvados.new(api_host: remote_host(uuid: uuid),
-                          api_token: token)
-        begin
-          remote_user = arv.user.current(remote: Rails.configuration.uuid_prefix)
-        rescue => e
-          logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
-          return nil
+      end
+
+      uuid_prefix = uuid[0..4]
+      if uuid_prefix == Rails.configuration.uuid_prefix
+        # If the token were valid, we would have validated it above
+        return nil
+      elsif uuid_prefix.length != 5
+        # malformed
+        return nil
+      end
+
+      host = remote_host(uuid_prefix: uuid_prefix)
+      if !host
+        Rails.logger.warn "remote authentication rejected: no host for #{uuid_prefix.inspect}"
+        return nil
+      end
+
+      # Token was issued by a different cluster. If it's expired or
+      # missing in our database, ask the originating cluster to
+      # [re]validate it.
+      begin
+        clnt = HTTPClient.new
+        remote_user = SafeJSON.load(
+          clnt.get_content('https://' + host + '/arvados/v1/users/current',
+                           {'remote' => Rails.configuration.uuid_prefix},
+                           {'Authorization' => 'Bearer ' + token}))
+      rescue => e
+        Rails.logger.warn "remote authentication with token #{token.inspect} failed: #{e}"
+        return nil
+      end
+      if !remote_user.is_a?(Hash) || !remote_user['uuid'].is_a?(String) || remote_user['uuid'][0..4] != uuid[0..4]
+        Rails.logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
+        return nil
+      end
+      act_as_system_user do
+        # Add/update user and token in our database so we can
+        # validate subsequent requests faster.
+
+        user = User.find_or_create_by(uuid: remote_user['uuid']) do |user|
+          user.is_admin = false
         end
-        if !remote_user.is_a?(Hash) || !remote_user[:uuid].is_a?(String) || remote_user[:uuid][0..4] != uuid[0..4]
-          logger.warn "remote authentication rejected: remote_user=#{remote_user.inspect}"
-          return nil
+
+        updates = {}
+        [:first_name, :last_name, :email, :prefs].each do |attr|
+          updates[attr] = remote_user[attr.to_s]
         end
-        act_as_system_user do
-          # Add/update user and token in our database so we can
-          # validate subsequent requests faster.
-          user = User.find_or_create_by(uuid: remote_user[:uuid])
-          user.update_attributes!(remote_user.merge(is_admin: false))
-          auth = ApiClientAuthorization.
-                 includes(:user).
-                 find_or_create_by(uuid: uuid,
-                                   api_token: token,
-                                   user: user,
-                                   api_client_id: 0)
-          # Accept this token (and don't reload the user record) for
-          # 5 minutes. TODO: Request the actual api_client_auth
-          # record from the remote server in case it wants the token
-          # to expire sooner.
-          auth.update_attributes!(expires_at: Time.now + 5.minutes)
+
+        if Rails.configuration.new_users_are_active
+          # Update is_active to whatever it is at the remote end
+          updates[:is_active] = remote_user['is_active']
+        elsif !updates[:is_active]
+          # Remote user is inactive; our mirror should be, too.
+          updates[:is_active] = false
         end
-        return auth
+
+        user.update_attributes!(updates)
+
+        auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth|
+          auth.user = user
+          auth.api_token = token
+          auth.api_client_id = 0
+        end
+
+        # Accept this token (and don't reload the user record) for
+        # 5 minutes. TODO: Request the actual api_client_auth
+        # record from the remote server in case it wants the token
+        # to expire sooner.
+        auth.update_attributes!(expires_at: Time.now + 5.minutes)
       end
+      return auth
     else
       auth = ApiClientAuthorization.
              includes(:user, :api_client).