services/api/app/controllers/arvados/v1/collections_controller.rb

   1 require 'locator'
   2
   3 class Arvados::V1::CollectionsController < ApplicationController
   4   def create
   5     # Collections are owned by system_user. Creating a collection has
   6     # two effects: The collection is added if it doesn't already
   7     # exist, and a "permission" Link is added (if one doesn't already
   8     # exist) giving the current user (or specified owner_uuid)
   9     # permission to read it.
  10     owner_uuid = resource_attrs.delete(:owner_uuid) || current_user.uuid
  11     unless current_user.can? write: owner_uuid
  12       logger.warn "User #{current_user.andand.uuid} tried to set collection owner_uuid to #{owner_uuid}"
  13       raise ArvadosModel::PermissionDeniedError
  14     end
  15
  16     # Check permissions on the collection manifest.
  17     # If any signature cannot be verified, return 403 Permission denied.
  18     perms_ok = true
  19     api_token = current_api_client_authorization.andand.api_token
  20     signing_opts = {
  21       key: Rails.configuration.blob_signing_key,
  22       api_token: api_token,
  23       ttl: Rails.configuration.blob_signing_ttl,
  24     }
  25     resource_attrs[:manifest_text].lines.each do |entry|
  26       entry.split[1..-1].each do |tok|
  27         # TODO(twp): fail the request if this match fails.
  28         # Add in Phase 4 (see #2755)
  29         loc = Locator.parse(tok)
  30         if loc and loc.signature
  31           if !api_token
  32             logger.warn "No API token present; cannot verify signature on #{loc}"
  33             perms_ok = false
  34           elsif !Blob.verify_signature tok, signing_opts
  35             logger.warn "Invalid signature on locator #{loc}"
  36             perms_ok = false
  37           end
  38         end
  39       end
  40     end
  41     unless perms_ok
  42       raise ArvadosModel::PermissionDeniedError
  43     end
  44
  45     # Remove any permission signatures from the manifest.
  46     resource_attrs[:manifest_text]
  47       .gsub!(/[[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) { |word|
  48       loc = Locator.parse(word)
  49       if loc
  50         loc.without_signature.to_s
  51       else
  52         word
  53       end
  54     }
  55
  56     # Save the collection with the stripped manifest.
  57     act_as_system_user do
  58       @object = model_class.new resource_attrs.reject { |k,v| k == :owner_uuid }
  59       begin
  60         @object.save!
  61       rescue ActiveRecord::RecordNotUnique
  62         logger.debug resource_attrs.inspect
  63         if resource_attrs[:manifest_text] and resource_attrs[:uuid]
  64           @existing_object = model_class.
  65             where('uuid=? and manifest_text=?',
  66                   resource_attrs[:uuid],
  67                   resource_attrs[:manifest_text]).
  68             first
  69           @object = @existing_object || @object
  70         end
  71       end
  72       if @object
  73         link_attrs = {
  74           owner_uuid: owner_uuid,
  75           link_class: 'permission',
  76           name: 'can_read',
  77           head_uuid: @object.uuid,
  78           tail_uuid: owner_uuid
  79         }
  80         ActiveRecord::Base.transaction do
  81           if Link.where(link_attrs).empty?
  82             Link.create! link_attrs
  83           end
  84         end
  85       end
  86     end
  87     show
  88   end
  89
  90   def show
  91     if current_api_client_authorization
  92       signing_opts = {
  93         key: Rails.configuration.blob_signing_key,
  94         api_token: current_api_client_authorization.api_token,
  95         ttl: Rails.configuration.blob_signing_ttl,
  96       }
  97       @object[:manifest_text]
  98         .gsub!(/[[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) { |word|
  99         loc = Locator.parse(word)
 100         if loc
 101           Blob.sign_locator(word, signing_opts)
 102         else
 103           word
 104         end
 105       }
 106     end
 107     render json: @object.as_api_response(:with_data)
 108   end
 109
 110   def collection_uuid(uuid)
 111     m = /([a-f0-9]{32}(\+[0-9]+)?)(\+.*)?/.match(uuid)
 112     if m
 113       m[1]
 114     else
 115       nil
 116     end
 117   end
 118
 119   def script_param_edges(visited, sp)
 120     case sp
 121     when Hash
 122       sp.each do |k, v|
 123         script_param_edges(visited, v)
 124       end
 125     when Array
 126       sp.each do |v|
 127         script_param_edges(visited, v)
 128       end
 129     when String
 130       return if sp.empty?
 131       m = collection_uuid(sp)
 132       if m
 133         generate_provenance_edges(visited, m)
 134       end
 135     end
 136   end
 137
 138   def generate_provenance_edges(visited, uuid)
 139     m = collection_uuid(uuid)
 140     uuid = m if m
 141
 142     if not uuid or uuid.empty? or visited[uuid]
 143       return ""
 144     end
 145
 146     logger.debug "visiting #{uuid}"
 147
 148     if m
 149       # uuid is a collection
 150       Collection.readable_by(current_user).where(uuid: uuid).each do |c|
 151         visited[uuid] = c.as_api_response
 152         visited[uuid][:files] = []
 153         c.files.each do |f|
 154           visited[uuid][:files] << f
 155         end
 156       end
 157
 158       Job.readable_by(current_user).where(output: uuid).each do |job|
 159         generate_provenance_edges(visited, job.uuid)
 160       end
 161
 162       Job.readable_by(current_user).where(log: uuid).each do |job|
 163         generate_provenance_edges(visited, job.uuid)
 164       end
 165
 166     else
 167       # uuid is something else
 168       rsc = ArvadosModel::resource_class_for_uuid uuid
 169       if rsc == Job
 170         Job.readable_by(current_user).where(uuid: uuid).each do |job|
 171           visited[uuid] = job.as_api_response
 172           script_param_edges(visited, job.script_parameters)
 173         end
 174       elsif rsc != nil
 175         rsc.where(uuid: uuid).each do |r|
 176           visited[uuid] = r.as_api_response
 177         end
 178       end
 179     end
 180
 181     Link.readable_by(current_user).
 182       where(head_uuid: uuid, link_class: "provenance").
 183       each do |link|
 184       visited[link.uuid] = link.as_api_response
 185       generate_provenance_edges(visited, link.tail_uuid)
 186     end
 187
 188     #puts "finished #{uuid}"
 189   end
 190
 191   def provenance
 192     visited = {}
 193     generate_provenance_edges(visited, @object[:uuid])
 194     render json: visited
 195   end
 196
 197   def generate_used_by_edges(visited, uuid)
 198     m = collection_uuid(uuid)
 199     uuid = m if m
 200
 201     if not uuid or uuid.empty? or visited[uuid]
 202       return ""
 203     end
 204
 205     logger.debug "visiting #{uuid}"
 206
 207     if m
 208       # uuid is a collection
 209       Collection.readable_by(current_user).where(uuid: uuid).each do |c|
 210         visited[uuid] = c.as_api_response
 211         visited[uuid][:files] = []
 212         c.files.each do |f|
 213           visited[uuid][:files] << f
 214         end
 215       end
 216
 217       if uuid == "d41d8cd98f00b204e9800998ecf8427e+0"
 218         # special case for empty collection
 219         return
 220       end
 221
 222       Job.readable_by(current_user).where(["jobs.script_parameters like ?", "%#{uuid}%"]).each do |job|
 223         generate_used_by_edges(visited, job.uuid)
 224       end
 225
 226     else
 227       # uuid is something else
 228       rsc = ArvadosModel::resource_class_for_uuid uuid
 229       if rsc == Job
 230         Job.readable_by(current_user).where(uuid: uuid).each do |job|
 231           visited[uuid] = job.as_api_response
 232           generate_used_by_edges(visited, job.output)
 233         end
 234       elsif rsc != nil
 235         rsc.where(uuid: uuid).each do |r|
 236           visited[uuid] = r.as_api_response
 237         end
 238       end
 239     end
 240
 241     Link.readable_by(current_user).
 242       where(tail_uuid: uuid, link_class: "provenance").
 243       each do |link|
 244       visited[link.uuid] = link.as_api_response
 245       generate_used_by_edges(visited, link.head_uuid)
 246     end
 247
 248     #puts "finished #{uuid}"
 249   end
 250
 251   def used_by
 252     visited = {}
 253     generate_used_by_edges(visited, @object[:uuid])
 254     render json: visited
 255   end
 256
 257   protected
 258   def find_object_by_uuid
 259     super
 260     if !@object and !params[:uuid].match(/^[0-9a-f]+\+\d+$/)
 261       # Normalize the given uuid and search again.
 262       hash_part = params[:uuid].match(/^([0-9a-f]*)/)[1]
 263       collection = Collection.where('uuid like ?', hash_part + '+%').first
 264       if collection
 265         # We know the collection exists, and what its real uuid is in
 266         # the database. Now, throw out @objects and repeat the usual
 267         # lookup procedure. (Returning the collection at this point
 268         # would bypass permission checks.)
 269         @objects = nil
 270         @where = { uuid: collection.uuid }
 271         find_objects_for_index
 272         @object = @objects.first
 273       end
 274     end
 275   end
 276 end