[ARVADOS] created: 0ed6856e2dd4c057e34ba5b2079cef0158ebc53f

git at public.curoverse.com git at public.curoverse.com
Fri May 2 12:19:57 EDT 2014


        at  0ed6856e2dd4c057e34ba5b2079cef0158ebc53f (commit)


commit 0ed6856e2dd4c057e34ba5b2079cef0158ebc53f
Author: Tom Clegg <tom at curoverse.com>
Date:   Fri May 2 12:19:42 2014 -0400

    Take into account owner_uuid and is_admin when exporting repository permissions.

diff --git a/services/api/app/controllers/arvados/v1/repositories_controller.rb b/services/api/app/controllers/arvados/v1/repositories_controller.rb
index 390aa73..8b45c56 100644
--- a/services/api/app/controllers/arvados/v1/repositories_controller.rb
+++ b/services/api/app/controllers/arvados/v1/repositories_controller.rb
@@ -28,6 +28,12 @@ class Arvados::V1::RepositoriesController < ApplicationController
           perms << {name: perm.name, user_uuid: perm.tail_uuid}
         end
       end
+      # Owner of the repository, and all admins, can RW
+      ([repo.owner_uuid] + @users.keys).each do |user_uuid|
+        %w(can_read can_write).each do |name|
+          perms << {name: name, user_uuid: user_uuid}
+        end
+      end
       perms.each do |perm|
         user_uuid = perm[:user_uuid]
         @user_aks[user_uuid] = @users[user_uuid].andand.authorized_keys.andand.
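Review bot: The added loop grants `can_read` and `can_write` to every key of `@users`, while its comment says only the repository owner and admins get RW. `@users` is populated outside this hunk, but the lookup `@users[user_uuid].andand.authorized_keys` just below is applied to arbitrary permission holders, which suggests the hash holds all users rather than admins only. If that is the case, every user is exported with write access to every repository. Restrict the list before adding, for example `admin_uuids = @users.select { |_, u| u.is_admin }.keys` and then iterate over `[repo.owner_uuid] + admin_uuids`. The enclosing method starts and ends outside the hunk, so confirm how `@users` is built before merging.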
diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 1dcd9e2..9dfca2d 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -22,6 +22,9 @@ class ArvadosModel < ActiveRecord::Base
   validate :normalize_collection_uuids
   validate :ensure_valid_uuids
 
+  # Note: This only returns permission links. It does not account for
+  # permissions obtained via user.is_admin or
+  # user.uuid==object.owner_uuid.
   has_many :permissions, :foreign_key => :head_uuid, :class_name => 'Link', :primary_key => :uuid, :conditions => "link_class = 'permission'"
 
   class PermissionDeniedError < StandardError
diff --git a/services/api/test/fixtures/authorized_keys.yml b/services/api/test/fixtures/authorized_keys.yml
new file mode 100644
index 0000000..1e9e158
--- /dev/null
+++ b/services/api/test/fixtures/authorized_keys.yml
@@ -0,0 +1,15 @@
+active:
+  uuid: zzzzz-fngyi-12nc9ov4osp8nae
+  owner_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+  authorized_user_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+  key_type: SSH
+  name: active
+  public_key: ssh-rsa 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 active-user at arvados.local
+
+admin:
+  uuid: zzzzz-fngyi-g290j3i3u701duh
+  owner_uuid: zzzzz-tpzed-d9tiejq69daie8f
+  authorized_user_uuid: zzzzz-tpzed-d9tiejq69daie8f
+  key_type: SSH
+  name: admin
+  public_key: ssh-dss AAAAB3NzaC1kc3MAAACBAKy1IDMGwa7/Yjas77vLSShBE3SzpPXqXu6nRMC9zdIoMdctjhfP+GOOyQQP12rMs16NYmfdOxX+sa2t9syI/8NhDxTmNbHVw2jHimC6SL02v8WHDIw2vaBCVN+CHdeYbZsBB/8/M+2PO3uUWbr0TjoXcxrKYScS/aTTjSAWRg4ZAAAAFQDR/xAdrewj1ORNIQs+kWWdjmiO0wAAAIBC+G92r2ZeGaHLCMI0foKnfuQzg9fKp5krEvE6tvRNju7iOqtB9xe1qsAqr6GPZQjfSrNPac6T1pxMoh+an4PfNs5xgBIpvy93oqALd4maQt6483vsIyVCw6nQD7s/8IpIHpwxFEFs5/5moYxzY64eY0ldSXJwvPsrBTruhuUdugAAAIBut96rWQYTnYUdngyUK9EoJzgKn3l7gg0IQoFC4hS96D8vUm0wIdSEQHt01pSc0KR1Nnb4JrnNz/qCH45wOy5oB9msQ/2Pq2brTDZJcIPcN1LbMCps9PetUruz1OjK1NzDuLmvsrP3GBLxJrtmrCoKHLzPZ6QSefW0OymFgaDFGg==
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index 5b89015..7d27f17 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
@@ -236,6 +236,20 @@ foo_repository_readable_by_spectator:
   head_uuid: zzzzz-2x53u-382brsig8rp3666
   properties: {}
 
+foo_repository_writable_by_active:
+  uuid: zzzzz-o0j2j-8tdfjd8g0s4rn1k
+  owner_uuid: zzzzz-tpzed-000000000000000
+  created_at: 2014-01-24 20:42:26 -0800
+  modified_by_client_uuid: zzzzz-ozdt8-brczlopd8u8d0jr
+  modified_by_user_uuid: zzzzz-tpzed-000000000000000
+  modified_at: 2014-01-24 20:42:26 -0800
+  updated_at: 2014-01-24 20:42:26 -0800
+  tail_uuid: zzzzz-tpzed-xurymjxw79nv3jz
+  link_class: permission
+  name: can_write
+  head_uuid: zzzzz-2x53u-382brsig8rp3666
+  properties: {}
+
 miniadmin_user_is_a_testusergroup_admin:
   uuid: zzzzz-o0j2j-38vvkciz7qc12j9
   owner_uuid: zzzzz-tpzed-000000000000000
diff --git a/services/api/test/functional/arvados/v1/repositories_controller_test.rb b/services/api/test/functional/arvados/v1/repositories_controller_test.rb
index f6280ec..4b1381e 100644
--- a/services/api/test/functional/arvados/v1/repositories_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/repositories_controller_test.rb
@@ -12,4 +12,46 @@ class Arvados::V1::RepositoriesControllerTest < ActionController::TestCase
     get :get_all_permissions
     assert_response 403
   end
+
+  test "get_all_permissions gives RW to repository owner" do
+    authorize_with :admin
+    get :get_all_permissions
+    assert_response :success
+    ok = false
+    json_response['repositories'].each do |repo|
+      if repo['uuid'] == repositories(:repository2).uuid
+        if repo['user_permissions'][users(:active).uuid]['can_write']
+          ok = true
+        end
+      end
+    end
+    assert_equal(true, ok,
+                 "No permission on own repo '@{repositories(:repository2).uuid}'")
+  end
+
+  test "get_all_permissions takes into account is_admin flag" do
+    authorize_with :admin
+    get :get_all_permissions
+    assert_response :success
+    json_response['repositories'].each do |repo|
+      assert_not_nil(repo['user_permissions'][users(:admin).uuid],
+                     "Admin user is not listed in perms for #{repo['uuid']}")
+      assert_equal(true,
+                   repo['user_permissions'][users(:admin).uuid]['can_write'],
+                   "Admin has no perms for #{repo['uuid']}")
+    end
+  end
+
+  test "get_all_permissions provides admin and active user keys" do
+    authorize_with :admin
+    get :get_all_permissions
+    assert_response :success
+    [:active, :admin].each do |u|
+      assert_equal(1, json_response['user_keys'][users(u).uuid].andand.count,
+                   "expected 1 key for #{u} (#{users(u).uuid})")
+      assert_equal(json_response['user_keys'][users(u).uuid][0]['public_key'],
+                   authorized_keys(u).public_key,
+                   "response public_key does not match fixture #{u}.")
+    end
+  end
 end
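Review bot: None of the three added tests asserts a denial, so they would still pass if get_all_permissions exported `can_write` for every user on every repository. Add a test that a user holding only a `can_read` link on a repository they do not own (the links fixtures include `foo_repository_readable_by_spectator`) has no `can_write` entry in that repository's `user_permissions`. Separately, the failure message in the owner test uses `@{` where `#{` is meant, so the uuid is never interpolated; it should read `"No permission on own repo '#{repositories(:repository2).uuid}'"`. The owner test also depends on `users(:active)` owning `repositories(:repository2)`, which is not visible in this diff.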

-----------------------------------------------------------------------


hooks/post-receive
-- 



