[ARVADOS] updated: 2.1.0-1530-gbad2728b2
Git user
git at public.arvados.org
Wed Oct 27 19:57:09 UTC 2021
Summary of changes:
discards dedf333efd0dbd40ebb6d1bf41200cb9bb6cfa6b (commit)
discards 79a442f391a68925ae56c80bcb9bae4343cb9844 (commit)
via bad2728b2ed147badcd67ff0d21be20d17f0c9ea (commit)
via b7ec820ac297bc316ef9ffa36242e7928acbc0b4 (commit)
This update added new revisions after undoing existing revisions. That is
to say, the old revision is not a strict subset of the new revision. This
situation occurs when you --force push a change and generate a repository
containing something like this:
* -- * -- B -- O -- O -- O (dedf333efd0dbd40ebb6d1bf41200cb9bb6cfa6b)
\
N -- N -- N (bad2728b2ed147badcd67ff0d21be20d17f0c9ea)
When this happens we assume that you've already had alert emails for all
of the O revisions, and so we here report only the revisions in the N
branch from the common base, B.
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit bad2728b2ed147badcd67ff0d21be20d17f0c9ea
Author: Ward Vandewege <ward at curii.com>
Date: Wed Oct 27 15:48:54 2021 -0400
18183: add a database migration that deletes tokens and ssh keys that
belong to inactive users.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>
diff --git a/services/api/db/migrate/20211027154300_delete_disabled_user_tokens_and_keys.rb b/services/api/db/migrate/20211027154300_delete_disabled_user_tokens_and_keys.rb
new file mode 100644
index 000000000..df3db6f5f
--- /dev/null
+++ b/services/api/db/migrate/20211027154300_delete_disabled_user_tokens_and_keys.rb
@@ -0,0 +1,15 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+class DeleteDisabledUserTokensAndKeys < ActiveRecord::Migration[5.2]
+ def up
+ execute "delete from api_client_authorizations where user_id in (select id from users where is_active ='false' and uuid not like '%-tpzed-anonymouspublic' and uuid not like '%-tpzed-000000000000000')"
+ execute "delete from authorized_keys where owner_uuid in (select uuid from users where is_active ='false' and uuid not like '%-tpzed-anonymouspublic' and uuid not like '%-tpzed-000000000000000')"
+ execute "delete from authorized_keys where authorized_user_uuid in (select uuid from users where is_active ='false' and uuid not like '%-tpzed-anonymouspublic' and uuid not like '%-tpzed-000000000000000')"
+ end
+
+ def down
+ # This migration is not reversible.
+ end
+end
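Review bot: The `is_active ='false'` predicate in all three `execute` statements of `up` does not match rows where `is_active` is NULL, so if that column is nullable (the schema is not visible here) those accounts would keep their tokens and SSH keys after the migration. `is_active is not true` would cover both cases. The system-user and anonymous-user exclusions are also copied into each statement; a shared fragment such as `inactive = "from users where is_active is not true and uuid not like '%-tpzed-anonymouspublic' and uuid not like '%-tpzed-000000000000000'"`, interpolated after `select id` or `select uuid`, would keep the three deletes from drifting apart on a later edit.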
commit b7ec820ac297bc316ef9ffa36242e7928acbc0b4
Author: Ward Vandewege <ward at curii.com>
Date: Wed Oct 27 15:05:00 2021 -0400
18183: When the user unsetup api endpoint is hit, any tokens owned by
the user should be deleted.
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward at curii.com>
diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 2e862d3ae..366c03e30 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -300,6 +300,12 @@ SELECT target_uuid, perm_level
Link.where(link_class: 'signature',
tail_uuid: self.uuid).destroy_all
+ # delete tokens for this user
+ ApiClientAuthorization.where(user_id: self.id).destroy_all
+ # delete ssh keys for this user
+ AuthorizedKey.where(owner_uuid: self.uuid).destroy_all
+ AuthorizedKey.where(authorized_user_uuid: self.uuid).destroy_all
+
# delete user preferences (including profile)
self.prefs = {}
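Review bot: Tokens and SSH keys are revoked only on this code path, which the commit message ties to the unsetup endpoint; if an account can also be deactivated by a plain update of `is_active` (not visible in this hunk), its credentials would stay in place. Moving the three `destroy_all` calls into one private method and calling it from every deactivation path would close that gap. The two key lookups can be a single query, `AuthorizedKey.where(owner_uuid: uuid).or(AuthorizedKey.where(authorized_user_uuid: uuid)).destroy_all`. The enclosing method starts and ends outside the hunk, so whether these deletes share a transaction with the later `self.prefs = {}` update cannot be checked from here.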
diff --git a/services/api/test/integration/users_test.rb b/services/api/test/integration/users_test.rb
index b24ddc5a5..81168e15b 100644
--- a/services/api/test/integration/users_test.rb
+++ b/services/api/test/integration/users_test.rb
@@ -198,6 +198,13 @@ class UsersTest < ActionDispatch::IntegrationTest
verify_link_existence created['uuid'], created['email'], true, true, true, true, false
+ # create a token
+ token = act_as_system_user do
+ ApiClientAuthorization.create!(user: User.find_by_uuid(created['uuid']), api_client: ApiClient.all.first).api_token
+ end
+
+ assert_equal 1, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'expected token not found'
+
post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin)
assert_response :success
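Review bot: The test covers only the API token; no `AuthorizedKey` row is created before the `unsetup` call, so the two SSH-key deletions this commit adds to the user model are not exercised. Creating a key for the user next to the token and asserting after unsetup, e.g. `assert_equal 0, AuthorizedKey.where(owner_uuid: created['uuid']).size, 'ssh keys should have been deleted by user unsetup'`, would cover them. The `token` local is assigned but not used in the visible lines; a request made with it after unsetup that expects a 401 would check that the credential is actually rejected, which the row-count `assert_equal 0` in the following hunk does not show. The test method starts outside these hunks.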
@@ -205,6 +212,7 @@ class UsersTest < ActionDispatch::IntegrationTest
created2 = json_response
assert_not_nil created2['uuid'], 'expected uuid for the newly created user'
assert_equal created['uuid'], created2['uuid'], 'expected uuid not found'
+ assert_equal 0, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'token should have been deleted by user unsetup'
verify_link_existence created['uuid'], created['email'], false, false, false, false, false
end
-----------------------------------------------------------------------
hooks/post-receive
--