18264: Merge branch 'main' into 18264-cwl-test-running-improvements
[arvados.git] / services / api / app / models / group.rb
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: AGPL-3.0
4
5 require 'can_be_an_owner'
6 require 'trashable'
7
8 class Group < ArvadosModel
9   include HasUuid
10   include KindAndEtag
11   include CommonApiTemplate
12   include CanBeAnOwner
13   include Trashable
14
15   # Posgresql JSONB columns should NOT be declared as serialized, Rails 5
16   # already know how to properly treat them.
17   attribute :properties, :jsonbHash, default: {}
18
19   validate :ensure_filesystem_compatible_name
20   validate :check_group_class
21   validate :check_filter_group_filters
22   before_create :assign_name
23   after_create :after_ownership_change
24   after_create :update_trash
25
26   before_update :before_ownership_change
27   after_update :after_ownership_change
28
29   after_create :add_role_manage_link
30
31   after_update :update_trash
32   before_destroy :clear_permissions_and_trash
33
34   api_accessible :user, extend: :common do |t|
35     t.add :name
36     t.add :group_class
37     t.add :description
38     t.add :writable_by
39     t.add :delete_at
40     t.add :trash_at
41     t.add :is_trashed
42     t.add :properties
43   end
44
45   def ensure_filesystem_compatible_name
46     # project and filter groups need filesystem-compatible names, but others
47     # don't.
48     super if group_class == 'project' || group_class == 'filter'
49   end
50
51   def check_group_class
52     if group_class != 'project' && group_class != 'role' && group_class != 'filter'
53       errors.add :group_class, "value must be one of 'project', 'role' or 'filter', was '#{group_class}'"
54     end
55     if group_class_changed? && !group_class_was.nil?
56       errors.add :group_class, "cannot be modified after record is created"
57     end
58   end
59
60   def check_filter_group_filters
61     if group_class == 'filter'
62       if !self.properties.key?("filters")
63         errors.add :properties, "filters property missing, it must be an array of arrays, each with 3 elements"
64         return
65       end
66       if !self.properties["filters"].is_a?(Array)
67         errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
68         return
69       end
70       self.properties["filters"].each do |filter|
71         if !filter.is_a?(Array)
72           errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
73           return
74         end
75         if filter.length() != 3
76           errors.add :properties, "filters property must be an array of arrays, each with 3 elements"
77           return
78         end
79         if !filter[0].include?(".") and filter[0].downcase != "uuid"
80           errors.add :properties, "filter attribute must be 'uuid' or contain a dot (e.g. groups.name)"
81           return
82         end
83         if (filter[0].downcase != "uuid" and filter[1].downcase == "is_a")
84           errors.add :properties, "when filter operator is 'is_a', attribute must be 'uuid'"
85           return
86         end
87         if ! ["=","<","<=",">",">=","!=","like","ilike","in","not in","is_a","exists","contains"].include?(filter[1].downcase)
88           errors.add :properties, "filter operator is not valid (must be =,<,<=,>,>=,!=,like,ilike,in,not in,is_a,exists,contains)"
89           return
90         end
91       end
92     end
93   end
94
95   def update_trash
96     if saved_change_to_trash_at? or saved_change_to_owner_uuid?
97       # The group was added or removed from the trash.
98       #
99       # Strategy:
100       #   Compute project subtree, propagating trash_at to subprojects
101       #   Remove groups that don't belong from trash
102       #   Add/update groups that do belong in the trash
103
104       temptable = "group_subtree_#{rand(2**64).to_s(10)}"
105       ActiveRecord::Base.connection.exec_query %{
106 create temporary table #{temptable} on commit drop
107 as select * from project_subtree_with_trash_at($1, LEAST($2, $3)::timestamp)
108 },
109                                                'Group.update_trash.select',
110                                                [[nil, self.uuid],
111                                                 [nil, TrashedGroup.find_by_group_uuid(self.owner_uuid).andand.trash_at],
112                                                 [nil, self.trash_at]]
113
114       ActiveRecord::Base.connection.exec_delete %{
115 delete from trashed_groups where group_uuid in (select target_uuid from #{temptable} where trash_at is NULL);
116 },
117                                             "Group.update_trash.delete"
118
119       ActiveRecord::Base.connection.exec_query %{
120 insert into trashed_groups (group_uuid, trash_at)
121   select target_uuid as group_uuid, trash_at from #{temptable} where trash_at is not NULL
122 on conflict (group_uuid) do update set trash_at=EXCLUDED.trash_at;
123 },
124                                             "Group.update_trash.insert"
125     end
126   end
127
128   def before_ownership_change
129     if owner_uuid_changed? and !self.owner_uuid_was.nil?
130       MaterializedPermission.where(user_uuid: owner_uuid_was, target_uuid: uuid).delete_all
131       update_permissions self.owner_uuid_was, self.uuid, REVOKE_PERM
132     end
133   end
134
135   def after_ownership_change
136     if saved_change_to_owner_uuid?
137       update_permissions self.owner_uuid, self.uuid, CAN_MANAGE_PERM
138     end
139   end
140
141   def clear_permissions_and_trash
142     MaterializedPermission.where(target_uuid: uuid).delete_all
143     ActiveRecord::Base.connection.exec_delete %{
144 delete from trashed_groups where group_uuid=$1
145 }, "Group.clear_permissions_and_trash", [[nil, self.uuid]]
146
147   end
148
149   def assign_name
150     if self.new_record? and (self.name.nil? or self.name.empty?)
151       self.name = self.uuid
152     end
153     true
154   end
155
156   def ensure_owner_uuid_is_permitted
157     if group_class == "role"
158       @requested_manager_uuid = nil
159       if new_record?
160         @requested_manager_uuid = owner_uuid
161         self.owner_uuid = system_user_uuid
162         return true
163       end
164       if self.owner_uuid != system_user_uuid
165         raise "Owner uuid for role must be system user"
166       end
167       raise PermissionDeniedError unless current_user.can?(manage: uuid)
168       true
169     else
170       super
171     end
172   end
173
174   def add_role_manage_link
175     if group_class == "role" && @requested_manager_uuid
176       act_as_system_user do
177        Link.create!(tail_uuid: @requested_manager_uuid,
178                     head_uuid: self.uuid,
179                     link_class: "permission",
180                     name: "can_manage")
181       end
182     end
183   end
184 end