X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/fd507a52e72e992a3fd19309de65905341630396..e5164c27fbc150deba2e47d6e5143cf3cd65ee92:/services/api/app/models/api_client_authorization.rb diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb index c149ffc329..af553997e5 100644 --- a/services/api/app/models/api_client_authorization.rb +++ b/services/api/app/models/api_client_authorization.rb @@ -10,8 +10,8 @@ class ApiClientAuthorization < ArvadosModel extend CurrentApiClient extend DbCurrentTime - belongs_to :api_client - belongs_to :user + belongs_to :api_client, optional: true + belongs_to :user, optional: true after_initialize :assign_random_api_token serialize :scopes, Array 
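Review bot: `belongs_to :user, optional: true` states that a token row may exist with no owner, but nothing in the hunk says which tokens are expected to be ownerless or who is responsible for rejecting them. If the option only preserves the behaviour from before `belongs_to` became required by default (an assumption, since the reason is not visible here), a comment should say so, for example `# optional: true preserves legacy behaviour; code that authorizes a token must still reject one whose user is nil`. The same applies to `:api_client`: a later hunk in this file writes `api_client_id: 0`, so that association cannot be required as the code stands, and a short comment would make that explicit.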
@@ -363,69 +363,17 @@ class ApiClientAuthorization < ArvadosModel if user.nil? and remote_user.nil? Rails.logger.warn "remote token #{token.inspect} rejected: cannot get owner #{remote_user_uuid} from database or remote cluster" return nil + end + # Invariant: remote_user_prefix == upstream_cluster_id # therefore: remote_user_prefix != Rails.configuration.ClusterID # Add or update user and token in local database so we can # validate subsequent requests faster. - elsif user.nil? - # Create a new record for this user. - user = User.new(uuid: remote_user['uuid'], - is_active: false, - is_admin: false, - email: remote_user['email'], - owner_uuid: system_user_uuid) - user.set_initial_username(requested: remote_user['username']) - end - # Sync user record if we loaded a remote user. act_as_system_user do - if remote_user - %w[first_name last_name email prefs].each do |attr| - user.send(attr+'=', remote_user[attr]) - end - - begin - user.save! - rescue ActiveRecord::RecordInvalid, ActiveRecord::RecordNotUnique - Rails.logger.debug("remote user #{remote_user['uuid']} already exists, retrying...") - # Some other request won the race: retry fetching the user record. - user = User.find_by_uuid(remote_user['uuid']) - if !user - Rails.logger.warn("cannot find or create remote user #{remote_user['uuid']}") - return nil - end - end - - if user.is_invited && !remote_user['is_invited'] - # Remote user is not "invited" state, they should be unsetup, which - # also makes them inactive. 
- user.unsetup - else - if !user.is_invited && remote_user['is_invited'] and - (remote_user_prefix == Rails.configuration.Login.LoginCluster or - Rails.configuration.Users.AutoSetupNewUsers or - Rails.configuration.Users.NewUsersAreActive or - Rails.configuration.RemoteClusters[remote_user_prefix].andand["ActivateUsers"]) - user.setup - end - - if !user.is_active && remote_user['is_active'] && user.is_invited and - (remote_user_prefix == Rails.configuration.Login.LoginCluster or - Rails.configuration.Users.NewUsersAreActive or - Rails.configuration.RemoteClusters[remote_user_prefix].andand["ActivateUsers"]) - user.update_attributes!(is_active: true) - elsif user.is_active && !remote_user['is_active'] - user.update_attributes!(is_active: false) - end - - if remote_user_prefix == Rails.configuration.Login.LoginCluster and - user.is_active and - user.is_admin != remote_user['is_admin'] - # Remote cluster controls our user database, including the - # admin flag. - user.update_attributes!(is_admin: remote_user['is_admin']) - end - end + if remote_user && remote_user_uuid != anonymous_user_uuid + # Sync user record if we loaded a remote user. + user = User.update_remote_user remote_user end # If stored_secret is set, we save stored_secret in the database @@ -459,7 +407,7 @@ class ApiClientAuthorization < ArvadosModel return nil end end - auth.update_attributes!(user: user, + auth.update!(user: user, api_token: stored_secret, api_client_id: 0, scopes: scopes,
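Review bot: The value of `User.update_remote_user remote_user` is assigned to `user` without a nil check, whereas the removed code logged "cannot find or create remote user" and returned nil when the record could not be saved or re-fetched. Whether the new helper raises or returns nil on that path is not visible in this hunk. If it can return nil, the token is later written with `user: nil`, and with `belongs_to :user, optional: true` from the first hunk validation would not reject it. A guard placed right after the inner `if ... end` keeps the previous fail-closed behaviour: `return nil if user.nil?`. It also covers the new `remote_user_uuid != anonymous_user_uuid` branch, which skips the sync and no longer creates a missing local record; the `act_as_system_user` block continues outside the hunk.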