1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 require 'can_be_an_owner'
8 class Group < ArvadosModel
11 include CommonApiTemplate
15 # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
16 # already know how to properly treat them.
17 attribute :properties, :jsonbHash, default: {}
19 validate :ensure_filesystem_compatible_name
20 validate :check_group_class
21 validate :check_filter_group_filters
22 validate :check_frozen_state_change_allowed
23 before_create :assign_name
24 after_create :after_ownership_change
25 after_create :update_trash
26 after_create :update_frozen
28 before_update :before_ownership_change
29 after_update :after_ownership_change
31 after_create :add_role_manage_link
33 after_update :update_trash
34 after_update :update_frozen
35 before_destroy :clear_permissions_trash_frozen
37 api_accessible :user, extend: :common do |t|
53 def self.attributes_required_columns
55 'can_write' => ['owner_uuid', 'uuid'],
56 'can_manage' => ['owner_uuid', 'uuid'],
57 'writable_by' => ['owner_uuid', 'uuid'],
61 def ensure_filesystem_compatible_name
62 # project and filter groups need filesystem-compatible names, but others
64 super if group_class == 'project' || group_class == 'filter'
68 if group_class != 'project' && group_class != 'role' && group_class != 'filter'
69 errors.add :group_class, "value must be one of 'project', 'role' or 'filter', was '#{group_class}'"
71 if group_class_changed? && !group_class_was.nil?
72 errors.add :group_class, "cannot be modified after record is created"
76 def check_filter_group_filters
77 if group_class == 'filter'
78 if !self.properties.key?("filters")
79 errors.add :properties, "filters property missing, it must be an array of arrays, each with 3 elements"
82 if !self.properties["filters"].is_a?(Array)
83 errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
86 self.properties["filters"].each do |filter|
87 if !filter.is_a?(Array)
88 errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
91 if filter.length() != 3
92 errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
95 if !filter[0].include?(".") and filter[0].downcase != "uuid"
96 errors.add :properties, "filter attribute must be 'uuid' or contain a dot (e.g. groups.name)"
99 if (filter[0].downcase != "uuid" and filter[1].downcase == "is_a")
100 errors.add :properties, "when filter operator is 'is_a', attribute must be 'uuid'"
103 if ! ["=","<","<=",">",">=","!=","like","ilike","in","not in","is_a","exists","contains"].include?(filter[1].downcase)
104 errors.add :properties, "filter operator is not valid (must be =,<,<=,>,>=,!=,like,ilike,in,not in,is_a,exists,contains)"
111 def check_frozen_state_change_allowed
112 if frozen_by_uuid == ""
113 self.frozen_by_uuid = nil
115 if frozen_by_uuid_changed? || (new_record? && frozen_by_uuid)
116 if group_class != "project"
117 errors.add(:frozen_by_uuid, "cannot be modified on a non-project group")
120 if frozen_by_uuid_was && Rails.configuration.API.UnfreezeProjectRequiresAdmin && !current_user.is_admin
121 errors.add(:frozen_by_uuid, "can only be changed by an admin user, once set")
124 if frozen_by_uuid && frozen_by_uuid != current_user.uuid
125 errors.add(:frozen_by_uuid, "can only be set to the current user's UUID")
128 if !new_record? && !current_user.can?(manage: uuid)
129 raise PermissionDeniedError
131 if trash_at || delete_at || (!new_record? && TrashedGroup.where(group_uuid: uuid).any?)
132 errors.add(:frozen_by_uuid, "cannot be set on a trashed project")
134 if frozen_by_uuid_was.nil?
135 if Rails.configuration.API.FreezeProjectRequiresDescription && !attribute_present?(:description)
136 errors.add(:frozen_by_uuid, "can only be set if description is non-empty")
138 Rails.configuration.API.FreezeProjectRequiresProperties.andand.each do |key, _|
140 if !properties[key] || properties[key] == ""
141 errors.add(:frozen_by_uuid, "can only be set if properties[#{key}] value is non-empty")
149 return unless saved_change_to_trash_at? || saved_change_to_owner_uuid?
151 # The group was added or removed from the trash.
154 # Compute project subtree, propagating trash_at to subprojects
155 # Ensure none of the newly trashed descendants were frozen (if so, bail out)
156 # Remove groups that don't belong from trash
157 # Add/update groups that do belong in the trash
159 temptable = "group_subtree_#{rand(2**64).to_s(10)}"
160 ActiveRecord::Base.connection.exec_query(
161 "create temporary table #{temptable} on commit drop " +
162 "as select * from project_subtree_with_trash_at($1, LEAST($2, $3)::timestamp)",
163 "Group.update_trash.select",
165 [nil, TrashedGroup.find_by_group_uuid(self.owner_uuid).andand.trash_at],
166 [nil, self.trash_at]])
167 frozen_descendants = ActiveRecord::Base.connection.exec_query(
168 "select uuid from frozen_groups, #{temptable} where uuid = target_uuid",
169 "Group.update_trash.check_frozen")
170 if frozen_descendants.any?
171 raise ArgumentError.new("cannot trash project containing frozen project #{frozen_descendants[0]["uuid"]}")
173 ActiveRecord::Base.connection.exec_delete(
174 "delete from trashed_groups where group_uuid in (select target_uuid from #{temptable} where trash_at is NULL)",
175 "Group.update_trash.delete")
176 ActiveRecord::Base.connection.exec_query(
177 "insert into trashed_groups (group_uuid, trash_at) "+
178 "select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL " +
179 "on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at",
180 "Group.update_trash.insert")
184 return unless saved_change_to_frozen_by_uuid? || saved_change_to_owner_uuid?
185 temptable = "group_subtree_#{rand(2**64).to_s(10)}"
186 ActiveRecord::Base.connection.exec_query(
187 "create temporary table #{temptable} on commit drop as select * from project_subtree_with_is_frozen($1,$2)",
188 "Group.update_frozen.select",
190 [nil, !self.frozen_by_uuid.nil?]])
192 rows = ActiveRecord::Base.connection.exec_query(
193 "select cr.uuid, cr.state from container_requests cr, #{temptable} frozen " +
194 "where cr.owner_uuid = frozen.uuid and frozen.is_frozen " +
195 "and cr.state not in ($1, $2) limit 1",
196 "Group.update_frozen.check_container_requests",
197 [[nil, ContainerRequest::Uncommitted],
198 [nil, ContainerRequest::Final]])
200 raise ArgumentError.new("cannot freeze project containing container request #{rows.first['uuid']} with state = #{rows.first['state']}")
203 ActiveRecord::Base.connection.exec_delete(
204 "delete from frozen_groups where uuid in (select uuid from #{temptable} where not is_frozen)",
205 "Group.update_frozen.delete")
206 ActiveRecord::Base.connection.exec_query(
207 "insert into frozen_groups (uuid) select uuid from #{temptable} where is_frozen on conflict do nothing",
208 "Group.update_frozen.insert")
211 def before_ownership_change
212 if owner_uuid_changed? and !self.owner_uuid_was.nil?
213 MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
214 update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
218 def after_ownership_change
219 if saved_change_to_owner_uuid?
220 update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
224 def clear_permissions_trash_frozen
225 MaterializedPermission.where(target_uuid: uuid).delete_all
226 ActiveRecord::Base.connection.exec_delete(
227 "delete from trashed_groups where group_uuid=$1",
228 "Group.clear_permissions_trash_frozen",
230 ActiveRecord::Base.connection.exec_delete(
231 "delete from frozen_groups where uuid=$1",
232 "Group.clear_permissions_trash_frozen",
237 if self.new_record? and (self.name.nil? or self.name.empty?)
238 self.name = self.uuid
243 def ensure_owner_uuid_is_permitted
244 if group_class == "role"
245 @requested_manager_uuid = nil
247 @requested_manager_uuid = owner_uuid
248 self.owner_uuid = system_user_uuid
251 if self.owner_uuid != system_user_uuid
252 raise "Owner uuid for role must be system user"
254 raise PermissionDeniedError.new("role group cannot be modified without can_manage permission") unless current_user.can?(manage: uuid)
261 def add_role_manage_link
262 if group_class == "role" && @requested_manager_uuid
263 act_as_system_user do
264 Link.create!(tail_uuid: @requested_manager_uuid,
265 head_uuid: self.uuid,
266 link_class: "permission",
272 def permission_to_create
275 elsif group_class == "role" &&
276 !Rails.configuration.Users.CanCreateRoleGroups &&
277 !current_user.andand.is_admin
278 raise PermissionDeniedError.new("this cluster does not allow users to create role groups")
284 def permission_to_update
287 elsif frozen_by_uuid && frozen_by_uuid_was
288 errors.add :uuid, "#{uuid} is frozen and cannot be modified"
295 def self.full_text_searchable_columns
296 super - ["frozen_by_uuid"]