[ARVADOS] created: 1.3.0-3239-gb096358df
Git user
git at public.arvados.org
Tue Sep 29 14:55:45 UTC 2020
at b096358dfbd438e89d77b6d4899817b82aca3ca3 (commit)
commit b096358dfbd438e89d77b6d4899817b82aca3ca3
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Tue Sep 29 10:55:16 2020 -0400
16914: Make sure remote uninvited user is not invited here
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index 60cdfbfd4..43fe1cc01 100644
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -517,32 +517,7 @@ func (conn *Conn) UserGet(ctx context.Context, options arvados.GetOptions) (arva
}
func (conn *Conn) UserGetCurrent(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
- c, ok := auth.FromContext(ctx)
- if !ok || len(c.Tokens) == 0 {
- return arvados.User{}, httpErrorf(http.StatusUnauthorized, "Must supply a token")
- }
-
- tok := c.Tokens[0]
- if !strings.HasPrefix(tok, "v2/") || len(tok) < 30 {
- return conn.localOrLoginCluster().UserGetCurrent(ctx, options)
- }
-
- // Contact the cluster that issued the token to find out what
- // user it belongs to.
- remote := tok[3:8]
- resp, err := conn.chooseBackend(remote).UserGetCurrent(ctx, options)
- if err != nil {
- return resp, err
- }
-
- // If it is a remote cluster that owns the user, update the local user record.
- if remote != conn.cluster.ClusterID && remote == resp.UUID[:5] {
- err = conn.batchUpdateUsers(ctx, arvados.ListOptions{}, []arvados.User{resp})
- if err != nil {
- return arvados.User{}, err
- }
- }
- return resp, nil
+ return conn.local.UserGetCurrent(ctx, options)
}
func (conn *Conn) UserGetSystem(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index ab6fd8000..76b722694 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -268,12 +268,16 @@ class ApiClientAuthorization < ArvadosModel
end
act_as_system_user do
- if user.is_active && !remote_user['is_active']
+ user.save!
+
+ if (user.is_active && !remote_user['is_active']) or (user.is_invited && !remote_user['is_invited'])
+ # If the user is newly created and AutoSetupNewUsers is
+ # true, they will auto-setup in an after_create hook.
+ # Synchronize the user's "active/invited" state state after the record
+ # has been saved.
user.unsetup
end
- user.save!
-
# We will accept this token (and avoid reloading the user
# record) for 'RemoteTokenRefresh' (default 5 minutes).
# Possible todo:
diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb
index 8ad09894a..71f90d493 100644
--- a/services/api/test/integration/remote_user_test.rb
+++ b/services/api/test/integration/remote_user_test.rb
@@ -84,6 +84,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
username: 'barney',
is_admin: true,
is_active: true,
+ is_invited: true,
}
end
@@ -153,6 +154,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
# revoke original token
@stub_content[:is_active] = false
+ @stub_content[:is_invited] = false
# simulate cache expiry
ApiClientAuthorization.where(
@@ -323,6 +325,29 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
assert_equal 'barney', json_response['username']
end
+ test 'get inactive user from Login cluster when AutoSetupNewUsers is set' do
+ Rails.configuration.Login.LoginCluster = 'zbbbb'
+ Rails.configuration.Users.AutoSetupNewUsers = true
+ @stub_content = {
+ uuid: 'zbbbb-tpzed-000000000000001',
+ email: 'foo at example.com',
+ username: 'barney',
+ is_admin: false,
+ is_active: false,
+ is_invited: false,
+ }
+ get '/arvados/v1/users/current',
+ params: {format: 'json'},
+ headers: auth(remote: 'zbbbb')
+ assert_response :success
+ assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid']
+ assert_equal false, json_response['is_admin']
+ assert_equal false, json_response['is_active']
+ assert_equal false, json_response['is_invited']
+ assert_equal 'foo at example.com', json_response['email']
+ assert_equal 'barney', json_response['username']
+ end
+
test 'pre-activate remote user' do
@stub_content = {
uuid: 'zbbbb-tpzed-000000000001234',
@@ -330,6 +355,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
username: 'barney',
is_admin: true,
is_active: true,
+ is_invited: true,
}
post '/arvados/v1/users',
@@ -364,6 +390,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest
username: 'barney',
is_admin: true,
is_active: true,
+ is_invited: true,
}
get '/arvados/v1/users/current',
commit a1305701c34508c80f638e2c7666b255019ba9a4
Author: Peter Amstutz <peter.amstutz at curii.com>
Date: Mon Sep 28 17:00:33 2020 -0400
16914: "Get current user" is forwarded to LoginCluster
Results from "get user" and "current user" are now cached, same as
"user list".
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>
diff --git a/lib/controller/federation/conn.go b/lib/controller/federation/conn.go
index 61cac9bba..60cdfbfd4 100644
--- a/lib/controller/federation/conn.go
+++ b/lib/controller/federation/conn.go
@@ -500,11 +500,49 @@ func (conn *Conn) UserUnsetup(ctx context.Context, options arvados.GetOptions) (
}
func (conn *Conn) UserGet(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
- return conn.chooseBackend(options.UUID).UserGet(ctx, options)
+ resp, err := conn.chooseBackend(options.UUID).UserGet(ctx, options)
+ if err != nil {
+ return resp, err
+ }
+ if options.UUID != resp.UUID {
+ return arvados.User{}, httpErrorf(http.StatusBadGateway, "Had requested %v but response was for %v", options.UUID, resp.UUID)
+ }
+ if options.UUID[:5] != conn.cluster.ClusterID {
+ err = conn.batchUpdateUsers(ctx, arvados.ListOptions{}, []arvados.User{resp})
+ if err != nil {
+ return arvados.User{}, err
+ }
+ }
+ return resp, nil
}
func (conn *Conn) UserGetCurrent(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
- return conn.chooseBackend(options.UUID).UserGetCurrent(ctx, options)
+ c, ok := auth.FromContext(ctx)
+ if !ok || len(c.Tokens) == 0 {
+ return arvados.User{}, httpErrorf(http.StatusUnauthorized, "Must supply a token")
+ }
+
+ tok := c.Tokens[0]
+ if !strings.HasPrefix(tok, "v2/") || len(tok) < 30 {
+ return conn.localOrLoginCluster().UserGetCurrent(ctx, options)
+ }
+
+ // Contact the cluster that issued the token to find out what
+ // user it belongs to.
+ remote := tok[3:8]
+ resp, err := conn.chooseBackend(remote).UserGetCurrent(ctx, options)
+ if err != nil {
+ return resp, err
+ }
+
+ // If it is a remote cluster that owns the user, update the local user record.
+ if remote != conn.cluster.ClusterID && remote == resp.UUID[:5] {
+ err = conn.batchUpdateUsers(ctx, arvados.ListOptions{}, []arvados.User{resp})
+ if err != nil {
+ return arvados.User{}, err
+ }
+ }
+ return resp, nil
}
func (conn *Conn) UserGetSystem(ctx context.Context, options arvados.GetOptions) (arvados.User, error) {
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list