X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/fef69cced85fd6512d352791d9123f8d8449acdc..dd3172b922a00ffc1530188a7988356f376a067f:/services/api/app/models/api_client_authorization.rb diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb index 5f812191c1..53ae6af464 100644 --- a/services/api/app/models/api_client_authorization.rb +++ b/services/api/app/models/api_client_authorization.rb @@ -92,17 +92,37 @@ class ApiClientAuthorization < ArvadosModel uuid_prefix+".arvadosapi.com") end - def self.validate(token:, remote:) + def self.validate(token:, remote: nil) return nil if !token remote ||= Rails.configuration.uuid_prefix case token[0..2] when 'v2/' - _, uuid, secret = token.split('/') + _, uuid, secret, optional = token.split('/') unless uuid.andand.length == 27 && secret.andand.length.andand > 0 return nil end + if !optional.nil? + # if "optional" is a container uuid, check that it + # matches expections. + c = Container.where(uuid: optional).first + if !c.nil? + if !c.auth_uuid.nil? and c.auth_uuid != uuid + # token doesn't match the container's token + return nil + end + if !c.runtime_token.nil? and "v2/#{uuid}/#{secret}" != c.runtime_token + # token doesn't match the container's token + return nil + end + if ![Container::Locked, Container::Running].include?(c.state) + # container isn't locked or running, token shouldn't be used + return nil + end + end + end + auth = ApiClientAuthorization. includes(:user, :api_client). where('uuid=? and (expires_at is null or expires_at > CURRENT_TIMESTAMP)', uuid). @@ -153,23 +173,28 @@ class ApiClientAuthorization < ArvadosModel # validate subsequent requests faster. user = User.find_or_create_by(uuid: remote_user['uuid']) do |user| + # (this block runs for the "create" case, not for "find") user.is_admin = false + user.email = remote_user['email'] + if remote_user['username'].andand.length.andand > 0 + user.set_initial_username(requested: remote_user['username']) + end end - updates = {} - [:first_name, :last_name, :email, :prefs].each do |attr| - updates[attr] = remote_user[attr.to_s] - end - - if Rails.configuration.new_users_are_active + if Rails.configuration.new_users_are_active || + Rails.configuration.auto_activate_users_from.include?(remote_user['uuid'][0..4]) # Update is_active to whatever it is at the remote end - updates[:is_active] = remote_user['is_active'] - elsif !updates[:is_active] + user.is_active = remote_user['is_active'] + elsif !remote_user['is_active'] # Remote user is inactive; our mirror should be, too. - updates[:is_active] = false + user.is_active = false + end + + %w[first_name last_name email prefs].each do |attr| + user.send(attr+'=', remote_user[attr]) end - user.update_attributes!(updates) + user.save! auth = ApiClientAuthorization.find_or_create_by(uuid: uuid) do |auth| auth.user = user @@ -181,7 +206,10 @@ class ApiClientAuthorization < ArvadosModel # 5 minutes. TODO: Request the actual api_client_auth # record from the remote server in case it wants the token # to expire sooner. - auth.update_attributes!(expires_at: Time.now + 5.minutes) + auth.update_attributes!(user: user, + api_token: secret, + api_client_id: 0, + expires_at: Time.now + 5.minutes) end return auth else @@ -196,6 +224,18 @@ class ApiClientAuthorization < ArvadosModel return nil end + def token + v2token + end + + def v1token + api_token + end + + def v2token + 'v2/' + uuid + '/' + api_token + end + protected def permission_to_create @@ -203,10 +243,8 @@ class ApiClientAuthorization < ArvadosModel end def permission_to_update - (permission_to_create and - not uuid_changed? and - not user_id_changed? and - not owner_uuid_changed?) + permission_to_create && !uuid_changed? && + (current_user.andand.is_admin || !user_id_changed?) end def log_update