From: Ward Vandewege Date: Thu, 12 Aug 2021 20:22:51 +0000 (-0400) Subject: Merge branch '18013-token-rake-task-fix' X-Git-Tag: 2.3.0~110 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/b190f9b18bdbd38f167050058c70e014da0a9bdf?hp=e99f026d040c6020dfcc51c6d988cf18d325a530 Merge branch '18013-token-rake-task-fix' closes #18013 Arvados-DCO-1.1-Signed-off-by: Ward Vandewege
---
diff --git a/services/api/lib/tasks/manage_long_lived_tokens.rake b/services/api/lib/tasks/manage_long_lived_tokens.rake
index 7bcf315b04..d83c2b6030 100644
--- a/services/api/lib/tasks/manage_long_lived_tokens.rake
+++ b/services/api/lib/tasks/manage_long_lived_tokens.rake
@@ -11,30 +11,54 @@ require 'current_api_client'
 namespace :db do
 desc "Apply expiration policy on long lived tokens"
 task fix_long_lived_tokens: :environment do
- if Rails.configuration.Login.TokenLifetime == 0
- puts("No expiration policy set on Login.TokenLifetime.")
- else
- exp_date = Time.now + Rails.configuration.Login.TokenLifetime
- puts("Setting token expiration to: #{exp_date}")
- token_count = 0
- ll_tokens.each do |auth|
- if (auth.user.uuid =~ /-tpzed-000000000000000/).nil?
- CurrentApiClientHelper.act_as_system_user do
- auth.update_attributes!(expires_at: exp_date)
- end
- token_count += 1
+ lifetime = Rails.configuration.API.MaxTokenLifetime
+ if lifetime.nil? or lifetime == 0
+ lifetime = Rails.configuration.Login.TokenLifetime
+ end
+ if lifetime.nil? or lifetime == 0
+ puts("No expiration policy set (API.MaxTokenLifetime nor Login.TokenLifetime is set), nothing to do.")
+ # abort the rake task
+ next
+ end
+ exp_date = Time.now + lifetime
+ puts("Setting token expiration to: #{exp_date}")
+ token_count = 0
+ ll_tokens(lifetime).each do |auth|
+ if auth.user.nil?
+ printf("*** WARNING, found ApiClientAuthorization with invalid user: auth id: %d, user id: %d\n", auth.id, auth.user_id)
+ # skip this token
+ next
+ end
+ if (auth.user.uuid =~ /-tpzed-000000000000000/).nil?
+ CurrentApiClientHelper.act_as_system_user do
+ auth.update_attributes!(expires_at: exp_date)
 end
+ token_count += 1
 end
- end
- puts("#{token_count} tokens updated.")
 end
+ puts("#{token_count} tokens updated.")
 end
 desc "Show users with long lived tokens"
 task check_long_lived_tokens: :environment do
+ lifetime = Rails.configuration.API.MaxTokenLifetime
+ if lifetime.nil? or lifetime == 0
+ lifetime = Rails.configuration.Login.TokenLifetime
+ end
+ if lifetime.nil? or lifetime == 0
+ puts("No expiration policy set (API.MaxTokenLifetime nor Login.TokenLifetime is set), nothing to do.")
+ # abort the rake task
+ next
+ end
 user_ids = Set.new()
 token_count = 0
- ll_tokens.each do |auth|
- if (auth.user.uuid =~ /-tpzed-000000000000000/).nil?
+ ll_tokens(lifetime).each do |auth|
+ if auth.user.nil?
+ printf("*** WARNING, found ApiClientAuthorization with invalid user: auth id: %d, user id: %d\n", auth.id, auth.user_id)
+ # skip this token
+ next
+ end
+ if not auth.user.nil? and (auth.user.uuid =~ /-tpzed-000000000000000/).nil?
 user_ids.add(auth.user_id)
 token_count += 1
 end
@@ -51,11 +75,9 @@ namespace :db do
 end
 end
- def ll_tokens
+ def ll_tokens(lifetime)
 query = ApiClientAuthorization.where(expires_at: nil)
- if Rails.configuration.Login.TokenLifetime > 0
- query = query.or(ApiClientAuthorization.where("expires_at > ?", Time.now + Rails.configuration.Login.TokenLifetime))
- end
+ query = query.or(ApiClientAuthorization.where("expires_at > ?", Time.now + lifetime))
 query
 end
 end
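Review bot: The `printf` in the new `auth.user.nil?` branch (present in both tasks) formats `auth.user_id` with `%d`, and Ruby raises TypeError when that argument is nil, so a row whose user_id is NULL (if the schema allows one) would abort the task in the very branch meant to tolerate bad rows; `user id: %s` with `auth.user_id.inspect` avoids that. The skipped authorizations also keep their missing or far-future expiry and are not reflected in the final `tokens updated` count, so I would keep a `skipped_count` and print it in the summary so an operator knows non-expiring tokens remain. In check_long_lived_tokens the `not auth.user.nil? and` part of the following condition is redundant after the `next`. The check task's body continues past the end of the hunk.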
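Review bot: `ll_tokens(lifetime)` no longer protects itself against a nil or zero lifetime: the old body only added the `expires_at > ?` clause when the configured lifetime was positive, while the new one always evaluates `Time.now + lifetime`. Both callers visible in this patch return early on nil or 0, but with 0 the query would select every token that has not yet expired, and fix_long_lived_tokens would then set all of them to expire at the current time. A guard at the top of the method, for example `raise ArgumentError, "lifetime must be positive" if lifetime.nil? || lifetime <= 0`, keeps that invariant next to the query instead of relying on each caller.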