[ARVADOS] updated: 1.1.4-501-g6df0096f2

Git user git at public.curoverse.com
Fri Jun 22 16:16:27 EDT 2018


Summary of changes:
 doc/admin/activation.html.textile.liquid          | 38 ++++++++++++++++++-----
 services/api/app/models/user.rb                   |  4 +--
 services/api/test/integration/remote_user_test.rb | 22 ++++++++++++-
 services/api/test/unit/user_test.rb               |  4 +--
 4 files changed, 56 insertions(+), 12 deletions(-)

       via  6df0096f2b246959bb9449a0940e9c539bcc9100 (commit)
      from  0bcbbb13f9e278347e500fa344ee600891a9bcb8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 6df0096f2b246959bb9449a0940e9c539bcc9100
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date:   Fri Jun 22 16:16:03 2018 -0400

    13255: Add documentation & test that remote users can be pre-activated.
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>

diff --git a/doc/admin/activation.html.textile.liquid b/doc/admin/activation.html.textile.liquid
index 732af81c4..4a08e509c 100644
--- a/doc/admin/activation.html.textile.liquid
+++ b/doc/admin/activation.html.textile.liquid
@@ -99,12 +99,21 @@ h3. User profile
 
 The user profile is checked by workbench after checking if user agreements need to be signed.  The requirement to fill out the user profile is not enforced by the API server.
 
-h3(#pre-activated). Pre-activated user accounts
+h3(#pre-activated). Pre-activate user by email address
 
-It is possible to create a user account for a user that has not yet logged in.
+You may create a user account for a user that has not yet logged in, and identify the user by email address.
 
-1. As an admin, create a user object.
-2. Create a link object, where 'xxxxx' is the @uuid_prefix@ of the SSO server.
+1. As an admin, create a user object:
+
+<pre>
+{
+  "email": "foo at example.com",
+  "username": "barney",
+  "is_active": true
+}
+</pre>
+
+2. Create a link object, where @tail_uuid@ is the user's email address, @head_uuid@ is the user object created in the previous step, and @xxxxx@ is the value of @uuid_prefix@ of the SSO server.
 
 <pre>
 {
@@ -118,11 +127,26 @@ It is possible to create a user account for a user that has not yet logged in.
 }
 </pre>
 
-3. When the user logs in the first time, the email address will be recognized and the user will be associated with the existing user uuid.
+3. When the user logs in the first time, the email address will be recognized and the user will be associated with the linked user object.
+
+h3. Pre-activate federated user
+
+1. As admin, create a user object with the @uuid@ of the federated user (this is the user's uuid on their home cluster):
+
+<pre>
+{
+  "uuid": "home1-tpzed-000000000000000",
+  "email": "foo at example.com",
+  "username": "barney",
+  "is_active": true
+}
+</pre>
+
+2. When the user logs in, they will be associated with the existing user object.
 
-h3. Federated users
+h3. Auto-activate federated users from trusted clusters
 
-In the API server config, set @auto_activate_users_from@ with a list of cluster ids.  A federated users from one of the listed clusters which @is_active@ on the home cluster will be automatically set up and activated on this cluster.
+In the API server config, configure @auto_activate_users_from@ with a list of one or more five-character cluster ids.  A federated user from one of the listed clusters which @is_active@ on the home cluster will be automatically set up and activated on this cluster.
 
 h3(#deactivating_users). Deactivating users
 
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index a69dc7e92..cc3a22cbf 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -26,11 +26,11 @@ class User < ArvadosModel
     user.username.nil? and user.username_changed?
   }
   before_update :setup_on_activate
-  before_create :setup_on_activate
   before_create :check_auto_admin
   before_create :set_initial_username, :if => Proc.new { |user|
     user.username.nil? and user.email
   }
+  after_create :setup_on_activate
   after_create :add_system_group_permission_link
   after_create :invalidate_permissions_cache
   after_create :auto_setup_new_user, :if => Proc.new { |user|
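Review bot: The reordering at `after_create :setup_on_activate` has no comment explaining why activation setup must wait until the row exists, so a later tidy-up could move it back to `before_create`. Suggest a line above it such as `# Runs after create: setup_on_activate creates links that reference this user's uuid.` That is presumably the reason, judging from the `head_uuid: self.uuid` link in the second hunk, but confirm it. Because after_create callbacks run in declaration order, it now also fires ahead of `auto_setup_new_user`, so a pre-activated user on a cluster with auto-setup enabled may go through setup twice. Only the can_login link is visibly guarded against duplicates (`if !oid_login_perms.any?`), and the bodies of both methods are outside this hunk.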
@@ -464,7 +464,7 @@ class User < ArvadosModel
 
     if !oid_login_perms.any?
       # create openid login permission
-      oid_login_perm = Link.create(link_class: 'permission',
+      oid_login_perm = Link.create!(link_class: 'permission',
                                    name: 'can_login',
                                    tail_uuid: self.email,
                                    head_uuid: self.uuid,
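Review bot: With `Link.create!`, a can_login link that fails validation now raises instead of returning an unsaved record. If this code is reached from the `after_create` hook added in the first hunk (not visible here), the exception would also abort the user creation. Failing loudly is reasonable for a permission link, but `tail_uuid: self.email` can be nil if a user has no email, which the `user.email` guard on `set_initial_username` suggests is possible. Confirm how link validation treats a nil tail and add a test for creating an active user without an email. The continuation lines are also now one column short of the opening parenthesis, so re-align `name:`, `tail_uuid:` and `head_uuid:`. The call and its enclosing method continue past the end of the hunk.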
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 7749951a8..c38c230b2 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -220,7 +220,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
     refute_includes(group_uuids, groups(:testusergroup_admins).uuid)
   end
 
-  test 'auto-activate with remote token' do
+  test 'auto-activate user from trusted cluster' do
     Rails.configuration.auto_activate_users_from = ['zbbbb']
     get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
     assert_response :success
@@ -231,4 +231,24 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
     assert_equal 'barney', json_response['username']
   end
 
+  test 'pre-activate remote user' do
+    post '/arvados/v1/users', {
+           "user" => {
+             "uuid" => "zbbbb-tpzed-000000000000000",
+             "email" => 'foo at example.com',
+             "username" => 'barney',
+             "is_active" => true
+           }
+    }, {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"}
+    assert_response :success
+
+    get '/arvados/v1/users/current', {format: 'json'}, auth(remote: 'zbbbb')
+    assert_response :success
+    assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid']
+    assert_equal nil, json_response['is_admin']
+    assert_equal true, json_response['is_active']
+    assert_equal 'foo at example.com', json_response['email']
+    assert_equal 'barney', json_response['username']
+  end
+
 end
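Review bot: The new `pre-activate remote user` test covers only the admin happy path. For a feature that grants `is_active` ahead of first login, a companion case should assert that the same POST with a non-admin token is rejected. Another should assert that a remote token for a different cluster is not associated with the pre-created `zbbbb-tpzed-000000000000000` record. Separately, `assert_equal nil, json_response['is_admin']` should be `assert_nil json_response['is_admin']`, since Minitest deprecates `assert_equal` with a nil expectation.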
diff --git a/services/api/test/unit/user_test.rb b/services/api/test/unit/user_test.rb
index 72beca6c7..67c410047 100644
--- a/services/api/test/unit/user_test.rb
+++ b/services/api/test/unit/user_test.rb
@@ -643,11 +643,11 @@ class UserTest < ActiveSupport::TestCase
     assert_equal(expect_username, user.username)
 
     # check user setup
-    verify_link_exists(Rails.configuration.auto_setup_new_users,
+    verify_link_exists(Rails.configuration.auto_setup_new_users || active,
                        groups(:all_users).uuid, user.uuid,
                        "permission", "can_read")
     # Check for OID login link.
-    verify_link_exists(Rails.configuration.auto_setup_new_users,
+    verify_link_exists(Rails.configuration.auto_setup_new_users || active,
                        user.uuid, user.email, "permission", "can_login")
     # Check for repository.
     if named_repo = (prior_repo or
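Review bot: `Rails.configuration.auto_setup_new_users || active` is now repeated in both `verify_link_exists` calls. A local ahead of the first call, such as `expect_links = Rails.configuration.auto_setup_new_users || active`, would keep the two expectations from drifting apart. `active` is defined outside the hunk. The repository check that begins on the hunk's last line is cut off, so it cannot be told from here whether it needs the same condition.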

-----------------------------------------------------------------------


hooks/post-receive
-- 



