X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2d4263c16812a906589cbc13be26535a85691bd8..035b113f60302f6d9c265e6e3a63dbb3c5873153:/services/api/lib/current_api_client.rb

diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 24d8b3ada9..49638677b1 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -1,3 +1,15 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+$system_user = nil
+$system_group = nil
+$all_users_group = nil
+$anonymous_user = nil
+$anonymous_group = nil
+$anonymous_group_read_permission = nil
+$empty_collection = nil
+
 module CurrentApiClient
   def current_user
     Thread.current[:user]
@@ -11,11 +23,15 @@ module CurrentApiClient
     Thread.current[:api_client_authorization]
   end
 
+  def current_api_base
+    Thread.current[:api_url_base]
+  end
+
   def current_default_owner
-    # owner uuid for newly created objects
+    # owner_uuid for newly created objects
     ((current_api_client_authorization &&
-      current_api_client_authorization.default_owner) ||
-     (current_user && current_user.default_owner) ||
+      current_api_client_authorization.default_owner_uuid) ||
+     (current_user && current_user.default_owner_uuid) ||
      (current_user && current_user.uuid) ||
      nil)
   end
@@ -25,9 +41,194 @@ module CurrentApiClient
     Thread.current[:api_client_ip_address]
   end
 
-  # Is the current client permitted to perform ALL actions on behalf
-  # of the authenticated user?
-  def current_api_client_trusted
-    Thread.current[:api_client_trusted]
+  def system_user_uuid
+    [Server::Application.config.uuid_prefix,
+     User.uuid_prefix,
+     '000000000000000'].join('-')
+  end
+
+  def system_group_uuid
+    [Server::Application.config.uuid_prefix,
+     Group.uuid_prefix,
+     '000000000000000'].join('-')
+  end
+
+  def anonymous_group_uuid
+    [Server::Application.config.uuid_prefix,
+     Group.uuid_prefix,
+     'anonymouspublic'].join('-')
+  end
+
+  def anonymous_user_uuid
+    [Server::Application.config.uuid_prefix,
+     User.uuid_prefix,
+     'anonymouspublic'].join('-')
+  end
+
+  def system_user
+    $system_user = check_cache $system_user do
+      real_current_user = Thread.current[:user]
+      begin
+        Thread.current[:user] = User.new(is_admin: true,
+                                         is_active: true,
+                                         uuid: system_user_uuid)
+        User.where(uuid: system_user_uuid).
+          first_or_create!(is_active: true,
+                           is_admin: true,
+                           email: 'root',
+                           first_name: 'root',
+                           last_name: '')
+      ensure
+        Thread.current[:user] = real_current_user
+      end
+    end
+  end
+
+  def system_group
+    $system_group = check_cache $system_group do
+      act_as_system_user do
+        ActiveRecord::Base.transaction do
+          Group.where(uuid: system_group_uuid).
+            first_or_create!(name: "System group",
+                             description: "System group") do |g|
+            g.save!
+            User.all.collect(&:uuid).each do |user_uuid|
+              Link.create!(link_class: 'permission',
+                           name: 'can_manage',
+                           tail_uuid: system_group_uuid,
+                           head_uuid: user_uuid)
+            end
+          end
+        end
+      end
+    end
+  end
+
+  def all_users_group_uuid
+    [Server::Application.config.uuid_prefix,
+     Group.uuid_prefix,
+     'fffffffffffffff'].join('-')
+  end
+
+  def all_users_group
+    $all_users_group = check_cache $all_users_group do
+      act_as_system_user do
+        ActiveRecord::Base.transaction do
+          Group.where(uuid: all_users_group_uuid).
+            first_or_create!(name: "All users",
+                             description: "All users",
+                             group_class: "role")
+        end
+      end
+    end
+  end
+
+  def act_as_system_user
+    if block_given?
+      act_as_user system_user do
+        yield
+      end
+    else
+      Thread.current[:user] = system_user
+    end
+  end
+
+  def act_as_user user
+    user_was = Thread.current[:user]
+    Thread.current[:user] = user
+    begin
+      yield
+    ensure
+      Thread.current[:user] = user_was
+    end
+  end
+
+  def anonymous_group
+    $anonymous_group = check_cache $anonymous_group do
+      act_as_system_user do
+        ActiveRecord::Base.transaction do
+          Group.where(uuid: anonymous_group_uuid).
+            first_or_create!(group_class: "role",
+                             name: "Anonymous users",
+                             description: "Anonymous users")
+        end
+      end
+    end
+  end
+
+  def anonymous_group_read_permission
+    $anonymous_group_read_permission =
+        check_cache $anonymous_group_read_permission do
+      act_as_system_user do
+        Link.where(tail_uuid: all_users_group.uuid,
+                   head_uuid: anonymous_group.uuid,
+                   link_class: "permission",
+                   name: "can_read").first_or_create!
+      end
+    end
+  end
+
+  def anonymous_user
+    $anonymous_user = check_cache $anonymous_user do
+      act_as_system_user do
+        User.where(uuid: anonymous_user_uuid).
+          first_or_create!(is_active: false,
+                           is_admin: false,
+                           email: 'anonymous',
+                           first_name: 'Anonymous',
+                           last_name: '') do |u|
+          u.save!
+          Link.where(tail_uuid: anonymous_user_uuid,
+                     head_uuid: anonymous_group.uuid,
+                     link_class: 'permission',
+                     name: 'can_read').
+            first_or_create!
+        end
+      end
+    end
+  end
+
+  def empty_collection_uuid
+    'd41d8cd98f00b204e9800998ecf8427e+0'
+  end
+
+  def empty_collection
+    $empty_collection = check_cache $empty_collection do
+      act_as_system_user do
+        ActiveRecord::Base.transaction do
+          Collection.
+            where(portable_data_hash: empty_collection_uuid).
+            first_or_create!(manifest_text: '', owner_uuid: anonymous_group.uuid)
+        end
+      end
+    end
+  end
+
+  private
+
+  # If the given value is nil, or the cache has been cleared since it
+  # was set, yield. Otherwise, return the given value.
+  def check_cache value
+    if not Rails.env.test? and
+        ActionController::Base.cache_store.is_a? ActiveSupport::Cache::FileStore and
+        not File.owned? ActionController::Base.cache_store.cache_path
+      # If we don't own the cache dir, we're probably
+      # crunch-dispatch. Whoever we are, using this cache is likely to
+      # either fail or screw up the cache for someone else. So we'll
+      # just assume the $globals are OK to live forever.
+      #
+      # The reason for making the globals expire with the cache in the
+      # first place is to avoid leaking state between test cases: in
+      # production, we don't expect the database seeds to ever go away
+      # even when the cache is cleared, so there's no particular
+      # reason to expire our global variables.
+    else
+      Rails.cache.fetch "CurrentApiClient.$globals" do
+        value = nil
+        true
+      end
+    end
+    return value unless value.nil?
+    yield
   end
 end