Revoke built-in webserver system-role credentials (used by the WebApp) in case we're running in fixed-mode

2025-04-16 21:41:37 +00:00 · 2020-06-01 11:41:43 +03:00 · 2020-06-01 11:41:43 +03:00 · c17b10ff1d
commit c17b10ff1d
parent b125a56f86
2 changed files with 14 additions and 5 deletions
--- a/server/mongo/initialize/init.py
+++ b/server/mongo/initialize/init.py
@ -48,17 +48,21 @@ def init_mongo_data():
                "name": "webserver",
                "role": Role.system,
                "email": "webserver@example.com",
+                "revoke_in_fixed_mode": True,
            },
            {"name": "tests", "role": Role.user, "email": "tests@example.com"},
        ]

+        fixed_mode = FixedUser.enabled()
+
        for user in users:
+            revoke = fixed_mode and user.pop("revoke_in_fixed_mode", False)
            credentials = config.get(f"secure.credentials.{user['name']}")
            user["key"] = credentials.user_key
            user["secret"] = credentials.user_secret
-            _ensure_auth_user(user, company_id, log=log)
+            _ensure_auth_user(user, company_id, log=log, revoke=revoke)

-        if FixedUser.enabled():
+        if fixed_mode:
            log.info("Fixed users mode is enabled")
            FixedUser.validate()
            for user in FixedUser.from_config():
--- a/server/mongo/initialize/user.py
+++ b/server/mongo/initialize/user.py
@ -9,7 +9,7 @@ from database.model.user import User
 from service_repo.auth.fixed_user import FixedUser


-def _ensure_auth_user(user_data: dict, company_id: str, log: Logger):
+def _ensure_auth_user(user_data: dict, company_id: str, log: Logger, revoke: bool = False):
    ensure_credentials = {"key", "secret"}.issubset(user_data)
    if ensure_credentials:
        user = AuthUser.objects(
@ -18,17 +18,22 @@ def _ensure_auth_user(user_data: dict, company_id: str, log: Logger):
            )
        ).first()
        if user:
+            if revoke:
+                user.credentials = []
+                user.save()
            return user.id

+    user_id = user_data.get("id", f"__{user_data['name']}__")
+
    log.info(f"Creating user: {user_data['name']}")
    user = AuthUser(
-        id=user_data.get("id", f"__{user_data['name']}__"),
+        id=user_id,
        name=user_data["name"],
        company=company_id,
        role=user_data["role"],
        email=user_data["email"],
        created=datetime.utcnow(),
-        credentials=[Credentials(key=user_data["key"], secret=user_data["secret"])]
+        credentials=[Credentials(key=user_data["key"], secret=user_data["secret"])] if not revoke else []
        if ensure_credentials
        else None,
    )