From c17b10ff1d3d84feb71900bab2b48979c067b115 Mon Sep 17 00:00:00 2001
From: allegroai <>
Date: Mon, 1 Jun 2020 11:41:43 +0300
Subject: [PATCH] Revoke built-in webserver system-role credentials (used by the WebApp) in case we're running in fixed-mode
---
 server/mongo/initialize/__init__.py | 8 ++++++--
 server/mongo/initialize/user.py | 11 ++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/server/mongo/initialize/__init__.py b/server/mongo/initialize/__init__.py
index 7ad7a2a..7f4069b 100644
--- a/server/mongo/initialize/__init__.py
+++ b/server/mongo/initialize/__init__.py
@@ -48,17 +48,21 @@ def init_mongo_data():
 "name": "webserver",
 "role": Role.system,
 "email": "webserver@example.com",
+ "revoke_in_fixed_mode": True,
 },
 {"name": "tests", "role": Role.user, "email": "tests@example.com"},
 ]
+ fixed_mode = FixedUser.enabled()
+
 for user in users:
+ revoke = fixed_mode and user.pop("revoke_in_fixed_mode", False)
 credentials = config.get(f"secure.credentials.{user['name']}")
 user["key"] = credentials.user_key
 user["secret"] = credentials.user_secret
- _ensure_auth_user(user, company_id, log=log)
+ _ensure_auth_user(user, company_id, log=log, revoke=revoke)
- if FixedUser.enabled():
+ if fixed_mode:
 log.info("Fixed users mode is enabled")
 FixedUser.validate()
 for user in FixedUser.from_config():
diff --git a/server/mongo/initialize/user.py b/server/mongo/initialize/user.py
index 3b68ae9..0b5e491 100644
--- a/server/mongo/initialize/user.py
+++ b/server/mongo/initialize/user.py
@@ -9,7 +9,7 @@ from database.model.user import User
 from service_repo.auth.fixed_user import FixedUser
-def _ensure_auth_user(user_data: dict, company_id: str, log: Logger):
+def _ensure_auth_user(user_data: dict, company_id: str, log: Logger, revoke: bool = False):
 ensure_credentials = {"key", "secret"}.issubset(user_data)
 if ensure_credentials:
 user = AuthUser.objects(
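Review bot: In the `for user in users:` loop of `init_mongo_data` (server/mongo/initialize/__init__.py), `fixed_mode and user.pop("revoke_in_fixed_mode", False)` short-circuits, so when fixed mode is off the `pop` never runs and the `revoke_in_fixed_mode` key stays in the dict passed to `_ensure_auth_user`. The visible part of that helper only reads named keys, but anything downstream that spreads or persists `user_data` would see the stray flag, and whether it does then depends on the deployment mode. Popping unconditionally keeps the dict shape the same in both modes: `revoke = user.pop("revoke_in_fixed_mode", False) and fixed_mode`. A short comment on the `"revoke_in_fixed_mode": True` entry stating why the webserver system-role key must not stay valid in fixed-users mode would also help the next reader; the function body extends beyond this hunk on both sides.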
@@ -18,17 +18,22 @@ def _ensure_auth_user(user_data: dict, company_id: str, log: Logger):
 )
 ).first()
 if user:
+ if revoke:
+ user.credentials = []
+ user.save()
 return user.id
+ user_id = user_data.get("id", f"__{user_data['name']}__")
+
 log.info(f"Creating user: {user_data['name']}")
 user = AuthUser(
- id=user_data.get("id", f"__{user_data['name']}__"),
+ id=user_id,
 name=user_data["name"],
 company=company_id,
 role=user_data["role"],
 email=user_data["email"],
 created=datetime.utcnow(),
- credentials=[Credentials(key=user_data["key"], secret=user_data["secret"])]
+ credentials=[Credentials(key=user_data["key"], secret=user_data["secret"])] if not revoke else []
 if ensure_credentials
 else None,
 )
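Review bot: The new `credentials=` argument in the `AuthUser(...)` call groups to the right, i.e. as `[Credentials(...)] if not revoke else ([] if ensure_credentials else None)`, so the `ensure_credentials` guard no longer protects the `user_data["key"]` / `user_data["secret"]` lookups. With the default `revoke=False`, a `user_data` that lacks either field now raises `KeyError` where the old code passed `credentials=None`. Nesting it the other way restores that: `credentials=([] if revoke else [Credentials(key=user_data["key"], secret=user_data["secret"])]) if ensure_credentials else None,`. Separately, the `if revoke:` branch wipes every stored credential of an existing user without a log line; adding `log.info(f"Revoking credentials for user: {user_data['name']}")` before `user.save()` would leave an audit trail for what is a security-relevant state change. The function starts above this hunk and continues past it.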