X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/df25254be20988a99061cdaced053a17b0dc9bf9..c64d7e1d5d1879187e1c4002445fab1d3c7951a0:/services/api/lib/create_superuser_token.rb diff --git a/services/api/lib/create_superuser_token.rb b/services/api/lib/create_superuser_token.rb index 54faa9a0af..da67a32c79 100755 --- a/services/api/lib/create_superuser_token.rb +++ b/services/api/lib/create_superuser_token.rb @@ -14,22 +14,30 @@ module CreateSuperUserToken api_client_auth = ApiClientAuthorization. where(api_token: supplied_token). first - if api_client_auth && !api_client_auth.user.uuid.match(/-000000000000000$/) - raise "Token already exists but is not a superuser token." + if !api_client_auth + # fall through to create a token + elsif !api_client_auth.user.uuid.match(/-000000000000000$/) + raise "Token exists but is not a superuser token." + elsif api_client_auth.scopes != ['all'] + raise "Token exists but has limited scope #{api_client_auth.scopes.inspect}." end end # need to create a token if !api_client_auth # Get (or create) trusted api client - apiClient = ApiClient.find_or_create_by_url_prefix_and_is_trusted("ssh://root@localhost/", true) + apiClient = ApiClient. + find_or_create_by(url_prefix: "ssh://root@localhost/", + is_trusted: true) # Check if there is an unexpired superuser token corresponding to this api client - api_client_auth = ApiClientAuthorization.where( - 'user_id = (?) AND - api_client_id = (?) AND - (expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)', - system_user.id, apiClient.id).first + api_client_auth = + ApiClientAuthorization. + where(user_id: system_user.id). + where(api_client_id: apiClient.id). + where_serialized(:scopes, ['all']). + where('(expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)'). + first # none exist; create one with the supplied token if !api_client_auth