X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/18c923f2e52c1bd69313c54189862c9b96a54a7b..73e1bfac301b9285f734374abe84d8146897c585:/services/api/app/controllers/application_controller.rb

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index b3a8a7e8d5..434b09572b 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -2,11 +2,10 @@ class ApplicationController < ActionController::Base
   include CurrentApiClient
 
   protect_from_forgery
-  before_filter :uncamelcase_params_hash_keys
   around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found]
 
   before_filter :remote_ip
-  before_filter :login_required, :except => :render_not_found
+  before_filter :require_auth_scope_all, :except => :render_not_found
   before_filter :catch_redirect_hint
 
   before_filter :load_where_param, :only => :index
@@ -25,7 +24,7 @@ class ApplicationController < ActionController::Base
 
   def show
     if @object
-      render json: @object.as_api_response(:superuser)
+      render json: @object.as_api_response
     else
       render_not_found("object not found")
     end
@@ -38,7 +37,9 @@ class ApplicationController < ActionController::Base
   end
 
   def update
-    attrs_to_update = resource_attrs.reject { |k,v| [:kind,:etag].index k }
+    attrs_to_update = resource_attrs.reject { |k,v|
+      [:kind, :etag, :href].index k
+    }
     if @object.update_attributes attrs_to_update
       show
     else
@@ -59,7 +60,7 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  unless Rails.application.config.consider_all_requests_local
+  begin
     rescue_from Exception,
     :with => :render_error
     rescue_from ActiveRecord::RecordNotFound,
@@ -68,8 +69,10 @@ class ApplicationController < ActionController::Base
     :with => :render_not_found
     rescue_from ActionController::UnknownController,
     :with => :render_not_found
-    rescue_from ActionController::UnknownAction,
+    rescue_from AbstractController::ActionNotFound,
     :with => :render_not_found
+    rescue_from ArvadosModel::PermissionDeniedError,
+    :with => :render_error
   end
 
   def render_error(e)
@@ -80,7 +83,8 @@ class ApplicationController < ActionController::Base
     else
       errors = [e.inspect]
     end
-    render json: { errors: errors }, status: 422
+    status = e.respond_to?(:http_status) ? e.http_status : 422
+    render json: { errors: errors }, status: status
   end
 
   def render_not_found(e=ActionController::RoutingError.new("Path not found"))
@@ -91,8 +95,17 @@ class ApplicationController < ActionController::Base
   protected
 
   def load_where_param
-    @where = params[:where] || {}
-    @where = Oj.load(@where) if @where.is_a?(String)
+    if params[:where].nil? or params[:where] == ""
+      @where = {}
+    elsif params[:where].is_a? Hash
+      @where = params[:where]
+    elsif params[:where].is_a? String
+      begin
+        @where = Oj.load(params[:where])
+      rescue
+        raise ArgumentError.new("Could not parse \"where\" param as an object")
+      end
+    end
   end
 
   def find_objects_for_index
@@ -101,11 +114,11 @@ class ApplicationController < ActionController::Base
       collect { |uuid| model_class.sanitize(uuid) }.join(', ')
     or_references_me = ''
     if model_class == Link and current_user
-      or_references_me = "OR #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid)"
+      or_references_me = "OR (#{table_name}.link_class in (#{model_class.sanitize 'permission'}, #{model_class.sanitize 'resources'}) AND #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid))"
     end
     @objects ||= model_class.
-      joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
-      where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
+      joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner_uuid, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+      where("?=? OR #{table_name}.owner_uuid in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
             true, current_user.is_admin,
             uuid_list,
             current_user.uuid)
@@ -178,7 +191,7 @@ class ApplicationController < ActionController::Base
     return @attrs if @attrs
     @attrs = params[resource_name]
     if @attrs.is_a? String
-      @attrs = uncamelcase_hash_keys(Oj.load @attrs)
+      @attrs = Oj.load @attrs
     end
     unless @attrs.is_a? Hash
       message = "No #{resource_name}"
@@ -188,27 +201,47 @@ class ApplicationController < ActionController::Base
       message << " hash provided with request"
       raise ArgumentError.new(message)
     end
-    %w(created_at modified_by_client modified_by_user modified_at).each do |x|
+    %w(created_at modified_by_client_uuid modified_by_user_uuid modified_at).each do |x|
       @attrs.delete x
     end
     @attrs
   end
 
   # Authentication
-  def login_required
-    if !current_user
+  def require_login
+    if current_user
+      true
+    else
       respond_to do |format|
+        format.json {
+          render :json => { errors: ['Not logged in'] }.to_json, status: 401
+        }
         format.html  {
           redirect_to '/auth/joshid'
         }
-        format.json {
-          render :json => { errors: ['Not logged in'] }.to_json
-        }
       end
+      false
+    end
+  end
+
+  def admin_required
+    unless current_user and current_user.is_admin
+      render :json => { errors: ['Forbidden'] }.to_json, status: 403
+    end
+  end
+
+  def require_auth_scope_all
+    require_login and require_auth_scope(['all'])
+  end
+
+  def require_auth_scope(ok_scopes)
+    unless current_api_client_auth_has_scope(ok_scopes)
+      render :json => { errors: ['Forbidden'] }.to_json, status: 403
     end
   end
 
   def thread_with_auth_info
+    Thread.current[:api_url_base] = root_url.sub(/\/$/,'') + '/arvados/v1'
     begin
       user = nil
       api_client = nil
@@ -220,11 +253,11 @@ class ApplicationController < ActionController::Base
       if supplied_token
         api_client_auth = ApiClientAuthorization.
           includes(:api_client, :user).
-          where('api_token=?', supplied_token).
+          where('api_token=? and (expires_at is null or expires_at > now())', supplied_token).
           first
-        if api_client_auth
+        if api_client_auth.andand.user
           session[:user_id] = api_client_auth.user.id
-          session[:api_client_uuid] = api_client_auth.api_client.uuid
+          session[:api_client_uuid] = api_client_auth.api_client.andand.uuid
           session[:api_client_authorization_id] = api_client_auth.id
           user = api_client_auth.user
           api_client = api_client_auth.api_client
@@ -239,15 +272,18 @@ class ApplicationController < ActionController::Base
             find session[:api_client_authorization_id]
         end
       end
-      Thread.current[:api_client_trusted] = session[:api_client_trusted]
       Thread.current[:api_client_ip_address] = remote_ip
       Thread.current[:api_client_authorization] = api_client_auth
-      Thread.current[:api_client_uuid] = api_client && api_client.uuid
+      Thread.current[:api_client_uuid] = api_client.andand.uuid
       Thread.current[:api_client] = api_client
       Thread.current[:user] = user
+      if api_client_auth
+        api_client_auth.last_used_at = Time.now
+        api_client_auth.last_used_by_ip_address = remote_ip
+        api_client_auth.save validate: false
+      end
       yield
     ensure
-      Thread.current[:api_client_trusted] = nil
       Thread.current[:api_client_ip_address] = nil
       Thread.current[:api_client_authorization] = nil
       Thread.current[:api_client_uuid] = nil
@@ -290,27 +326,6 @@ class ApplicationController < ActionController::Base
     end
   end
 
-  def uncamelcase_params_hash_keys
-    self.params = uncamelcase_hash_keys(params)
-  end
-  def uncamelcase_hash_keys(h, max_depth=-1)
-    if h.is_a? Hash and max_depth != 0
-      nh = Hash.new
-      h.each do |k,v|
-        if k.class == String
-          nk = k.underscore
-        elsif k.class == Symbol
-          nk = k.to_s.underscore.to_sym
-        else
-          nk = k
-        end
-        nh[nk] = uncamelcase_hash_keys(v, max_depth-1)
-      end
-      h.replace(nh)
-    end
-    h
-  end
-
   def render_list
     @object_list = {
       :kind  => "arvados##{resource_name}List",
@@ -318,7 +333,7 @@ class ApplicationController < ActionController::Base
       :self_link => "",
       :next_page_token => "",
       :next_link => "",
-      :items => @objects.as_api_response(:superuser)
+      :items => @objects.as_api_response(nil)
     }
     render json: @object_list
   end
@@ -340,4 +355,9 @@ class ApplicationController < ActionController::Base
       order: { type: 'string', required: false }
     }
   end
+  
+  def client_accepts_plain_text_stream
+    (request.headers['Accept'].split(' ') &
+     ['text/plain', '*/*']).count > 0
+  end
 end