[arvados] created: 2.1.0-2700-g4e8873ba0

git repository hosting git at public.arvados.org
Wed Jul 13 20:39:12 UTC 2022


        at  4e8873ba05e44e49284e05e6fdc0913c525269b3 (commit)


commit 4e8873ba05e44e49284e05e6fdc0913c525269b3
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Wed Jul 13 17:38:26 2022 -0300

    19206: Avoids disabling or setting system root user as non-admin.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 52d36ac57..d39695e27 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -24,6 +24,7 @@ class User < ArvadosModel
   validate :identity_url_nil_if_empty
   before_update :prevent_privilege_escalation
   before_update :prevent_inactive_admin
+  before_update :prevent_nonadmin_system_root
   before_update :verify_repositories_empty, :if => Proc.new {
     username.nil? and username_changed?
   }
@@ -301,6 +302,10 @@ SELECT target_uuid, perm_level
 
   # delete user signatures, login, repo, and vm perms, and mark as inactive
   def unsetup
+    if self.uuid == system_user_uuid
+      raise "System root user cannot be deactivated"
+    end
+
     # delete oid_login_perms for this user
     #
     # note: these permission links are obsolete, they have no effect
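Review bot: The comment above `unsetup` still lists only the cleanup steps, although the new guard at the top of the method now makes it raise for the system root user; it should say so, e.g. `# raises if called on the system root user, which must remain active`. The guard raises a bare string, so callers get a generic RuntimeError and can recognise this case only by its message. The `self.uuid == system_user_uuid` comparison is repeated in `prevent_nonadmin_system_root` in the third hunk, and a small private predicate would keep the two guards in step. The body of `unsetup` continues outside the hunk.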
@@ -702,6 +707,13 @@ SELECT target_uuid, perm_level
     true
   end
 
+  def prevent_nonadmin_system_root
+    if self.uuid == system_user_uuid and self.is_admin_changed? and !self.is_admin
+      raise "System root user cannot be non-admin"
+    end
+    true
+  end
+
   def search_permissions(start, graph, merged={}, upstream_mask=nil, upstream_path={})
     nextpaths = graph[start]
     return merged if !nextpaths
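Review bot: `prevent_nonadmin_system_root` checks only `is_admin`, so an update that sets `is_active: false` on the system root user is not rejected by anything this commit adds. It may already be stopped by `prevent_inactive_admin`, which appears as context in the first hunk but whose body is not shown; that is worth confirming, because otherwise the `unsetup` guard can be sidestepped with a plain update. If it is not covered, a parallel check belongs here: `raise "System root user cannot be deactivated" if self.uuid == system_user_uuid and self.is_active_changed? and !self.is_active`. The method also has no comment, and `# the system root user must always keep is_admin` above the `def` would state the invariant. The hunk ends inside `search_permissions`, which continues outside it.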

commit 41a378b99c8c4411a66c19e878b7535c67de2ba3
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Wed Jul 13 17:21:28 2022 -0300

    19206: Adds test exposing the bug.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/services/api/test/integration/users_test.rb b/services/api/test/integration/users_test.rb
index f3e787e3d..3660d35ba 100644
--- a/services/api/test/integration/users_test.rb
+++ b/services/api/test/integration/users_test.rb
@@ -480,4 +480,17 @@ class UsersTest < ActionDispatch::IntegrationTest
     assert_response 403
   end
 
+  test "disabling system root user not permitted" do
+    put("/arvados/v1/users/#{users(:system_user).uuid}",
+      params: {
+        user: {is_admin: false}
+      },
+      headers: auth(:admin))
+    assert_response 422
+
+    post("/arvados/v1/users/#{users(:system_user).uuid}/unsetup",
+      params: {},
+      headers: auth(:admin))
+    assert_response 422
+  end
 end
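Review bot: Both requests are checked only with `assert_response 422`, which presumably would also pass if the request failed for an unrelated reason, since the model raises a plain string rather than a dedicated error type. Asserting on the outcome would pin the actual invariant: after each request add `assert users(:system_user).reload.is_admin`, and the equivalent check on `is_active` after the `unsetup` call. A third case sending `user: {is_active: false}` through the same PUT would cover deactivation via a plain update, which neither request exercises.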

-----------------------------------------------------------------------


hooks/post-receive
-- 



