X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/fb3c02b38a24cda422de95f2f8b49002b841cc72..203958b587d05ba1be437a70609a80b35f79368d:/services/api/lib/current_api_client.rb
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 24d8b3ada9..0ea871e3da 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -11,11 +11,15 @@ module CurrentApiClient
     Thread.current[:api_client_authorization]
   end
 
+  def current_api_base
+    Thread.current[:api_url_base]
+  end
+
   def current_default_owner
-    # owner uuid for newly created objects
+    # owner_uuid for newly created objects
     ((current_api_client_authorization &&
-      current_api_client_authorization.default_owner) ||
-     (current_user && current_user.default_owner) ||
+      current_api_client_authorization.default_owner_uuid) ||
+     (current_user && current_user.default_owner_uuid) ||
      (current_user && current_user.uuid) ||
      nil)
   end
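Review bot: `current_api_base` is added without any comment, and since it only reads a thread-local that something outside this module must populate, a one-line note on who sets it would help the next reader, e.g. `# Base URL of the API server for the current request; presumably set by the same request filter that populates :user and :api_client_authorization — confirm.` Separately, the trailing `|| nil` in `current_default_owner` is redundant: the `||` chain already evaluates to `nil` when every branch is falsy. The enclosing `module CurrentApiClient` starts before this hunk.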
@@ -25,9 +29,51 @@ module CurrentApiClient
     Thread.current[:api_client_ip_address]
   end
 
-  # Is the current client permitted to perform ALL actions on behalf
-  # of the authenticated user?
-  def current_api_client_trusted
-    Thread.current[:api_client_trusted]
+  # Does the current API client authorization include any of ok_scopes?
+  def current_api_client_auth_has_scope(ok_scopes)
+    auth_scopes = current_api_client_authorization.andand.scopes || []
+    unless auth_scopes.index('all') or (auth_scopes & ok_scopes).any?
+      logger.warn "Insufficient auth scope: need #{ok_scopes}, #{current_api_client_authorization.inspect} has #{auth_scopes}"
+      return false
+    end
+    true
+  end
+
+  def system_user_uuid
+    [Server::Application.config.uuid_prefix,
+     User.uuid_prefix,
+     '000000000000000'].join('-')
+  end
+
+  def system_user
+    if not $system_user
+      real_current_user = Thread.current[:user]
+      Thread.current[:user] = User.new(is_admin: true, is_active: true)
+      $system_user = User.where('uuid=?', system_user_uuid).first
+      if !$system_user
+        $system_user = User.new(uuid: system_user_uuid,
+                                is_active: true,
+                                is_admin: true,
+                                email: 'root',
+                                first_name: 'root',
+                                last_name: '')
+        $system_user.save!
+        $system_user.reload
+      end
+      Thread.current[:user] = real_current_user
+    end
+    $system_user
+  end
+
+  def act_as_system_user
+    if block_given?
+      user_was = Thread.current[:user]
+      Thread.current[:user] = system_user
+      ret = yield
+      Thread.current[:user] = user_was
+      ret
+    else
+      Thread.current[:user] = system_user
+    end
   end
 end
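Review bot: Neither `system_user` nor `act_as_system_user` restores `Thread.current[:user]` when something raises in between: in `act_as_system_user` an exception from the block skips `Thread.current[:user] = user_was`, and in `system_user` an error from `User.where`/`save!` leaves the thread holding the unsaved admin `User.new`, so any rescue handler or later work on that thread runs with admin privileges. Both restores belong in an `ensure` clause; the `system_user` one can wrap the lookup the same way and restore `real_current_user`. The block-less form of `act_as_system_user` switches the thread to the system user with no way to undo it and deserves a warning comment for callers, and the `logger.warn` in `current_api_client_auth_has_scope` interpolates `current_api_client_authorization.inspect`, which will write the token to the log if the record's attributes include it — logging its uuid would be safer. The enclosing `module CurrentApiClient` starts before this hunk.
```ruby
  def act_as_system_user
    if block_given?
      user_was = Thread.current[:user]
      Thread.current[:user] = system_user
      begin
        yield
      ensure
        Thread.current[:user] = user_was
      end
    else
      Thread.current[:user] = system_user
    end
  end
```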