X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/58b0ff2409f362e6ed5ac3666627ef390ae34004..9b0de8314d6297df506734844bb2b833ba7d022c:/services/api/app/models/arvados_model.rb diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb index ffae867c15..1ff46c3616 100644 --- a/services/api/app/models/arvados_model.rb +++ b/services/api/app/models/arvados_model.rb @@ -220,7 +220,7 @@ class ArvadosModel < ApplicationRecord end def self.default_orders - ["#{table_name}.modified_at desc", "#{table_name}.uuid"] + ["#{table_name}.modified_at desc", "#{table_name}.uuid desc"] end def self.unique_columns @@ -249,9 +249,9 @@ class ArvadosModel < ApplicationRecord # Return [] if this is a frozen project and the current user can't # unfreeze return [] if respond_to?(:frozen_by_uuid) && frozen_by_uuid && - !(Rails.configuration.API.UnfreezeProjectRequiresAdmin ? - current_user.andand.is_admin : - current_user.can?(manage: uuid)) + (Rails.configuration.API.UnfreezeProjectRequiresAdmin ? + !current_user.andand.is_admin : + !current_user.can?(manage: uuid)) # Return [] if nobody can write because this object is inside a # frozen project return [] if FrozenGroup.where(uuid: owner_uuid).any? @@ -273,6 +273,26 @@ class ArvadosModel < ApplicationRecord end.compact.uniq end + def can_write + if respond_to?(:frozen_by_uuid) && frozen_by_uuid + # This special case is needed to return the correct value from a + # "freeze project" API, during which writable status changes + # from true to false. + # + # current_user.can?(write: self) returns true (which is correct + # in the context of permission-checking hooks) but the can_write + # value we're returning to the caller here represents the state + # _after_ the update, i.e., false. + return false + else + return current_user.can?(write: self) + end + end + + def can_manage + return current_user.can?(manage: self) + end + # Return a query with read permissions restricted to the union of the # permissions of the members of users_list, i.e. if something is readable by # any user in users_list, it will be readable in the query returned by this @@ -302,6 +322,15 @@ class ArvadosModel < ApplicationRecord # For details on how the trashed_groups table is constructed, see # see db/migrate/20200501150153_permission_table.rb + # excluded_trash is a SQL expression that determines whether a row + # should be excluded from the results due to being trashed. + # Trashed items inside frozen projects are invisible to regular + # (non-admin) users even when using include_trash, so we have: + # + # (item_trashed || item_inside_trashed_project) + # && + # (!caller_requests_include_trash || + # (item_inside_frozen_project && caller_is_not_admin)) if (admin && include_trash) || sql_table == "api_client_authorizations" excluded_trash = "false" else @@ -322,7 +351,7 @@ class ArvadosModel < ApplicationRecord # on trashed items. if !include_trash && sql_table != "api_client_authorizations" # Only include records where the owner is not trashed - sql_conds = "NOT #{excluded_trash}" + sql_conds = "NOT (#{excluded_trash})" end else # The core of the permission check is a join against the @@ -422,7 +451,7 @@ class ArvadosModel < ApplicationRecord " WHERE user_uuid IN (#{user_uuids_subquery}) AND perm_level >= 3))) " end - sql_conds = "(#{owner_check} #{direct_check} #{links_cond}) AND NOT #{excluded_trash}" + sql_conds = "(#{owner_check} #{direct_check} #{links_cond}) AND NOT (#{excluded_trash})" end @@ -449,12 +478,11 @@ class ArvadosModel < ApplicationRecord conn.exec_query 'SAVEPOINT save_with_unique_name' begin save! + conn.exec_query 'RELEASE SAVEPOINT save_with_unique_name' rescue ActiveRecord::RecordNotUnique => rn raise if max_retries == 0 max_retries -= 1 - conn.exec_query 'ROLLBACK TO SAVEPOINT save_with_unique_name' - # Dig into the error to determine if it is specifically calling out a # (owner_uuid, name) uniqueness violation. In this specific case, and # the client requested a unique name with ensure_unique_name==true, @@ -472,6 +500,8 @@ class ArvadosModel < ApplicationRecord detail = err.result.error_field(PG::Result::PG_DIAG_MESSAGE_DETAIL) raise unless /^Key \(owner_uuid, name\)=\([a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{15}, .*?\) already exists\./.match detail + conn.exec_query 'ROLLBACK TO SAVEPOINT save_with_unique_name' + new_name = "#{name_was} (#{db_current_time.utc.iso8601(3)})" if new_name == name # If the database is fast enough to do two attempts in the @@ -489,10 +519,8 @@ class ArvadosModel < ApplicationRecord self[:current_version_uuid] = nil end end - conn.exec_query 'SAVEPOINT save_with_unique_name' + retry - ensure - conn.exec_query 'RELEASE SAVEPOINT save_with_unique_name' end end end @@ -629,8 +657,12 @@ class ArvadosModel < ApplicationRecord if check_uuid.nil? # old_owner_uuid is nil? New record, no need to check. elsif !current_user.can?(write: check_uuid) - logger.warn "User #{current_user.uuid} tried to set ownership of #{self.class.to_s} #{self.uuid} but does not have permission to write #{which} owner_uuid #{check_uuid}" - errors.add :owner_uuid, "cannot be set or changed without write permission on #{which} owner" + if FrozenGroup.where(uuid: check_uuid).any? + errors.add :owner_uuid, "cannot be set or changed because #{which} owner is frozen" + else + logger.warn "User #{current_user.uuid} tried to set ownership of #{self.class.to_s} #{self.uuid} but does not have permission to write #{which} owner_uuid #{check_uuid}" + errors.add :owner_uuid, "cannot be set or changed without write permission on #{which} owner" + end raise PermissionDeniedError elsif rsc_class == Group && Group.find_by_uuid(owner_uuid).group_class != "project" errors.add :owner_uuid, "must be a project" @@ -640,8 +672,12 @@ class ArvadosModel < ApplicationRecord else # If the object already existed and we're not changing # owner_uuid, we only need write permission on the object - # itself. - if !current_user.can?(write: self.uuid) + # itself. (If we're in the act of unfreezing, we only need + # :unfreeze permission, which means "what write permission would + # be if target weren't frozen") + unless ((respond_to?(:frozen_by_uuid) && frozen_by_uuid_was && !frozen_by_uuid) ? + current_user.can?(unfreeze: uuid) : + current_user.can?(write: uuid)) logger.warn "User #{current_user.uuid} tried to modify #{self.class.to_s} #{self.uuid} without write permission" errors.add :uuid, " #{uuid} is not writable by #{current_user.uuid}" raise PermissionDeniedError @@ -658,14 +694,7 @@ class ArvadosModel < ApplicationRecord end def permission_to_create - if !current_user.andand.is_active - return false - end - if self.respond_to?(:owner_uuid) && FrozenGroup.where(uuid: owner_uuid).any? - errors.add :owner_uuid, "#{owner_uuid} is frozen" - return false - end - return true + return current_user.andand.is_active end def permission_to_update @@ -682,13 +711,6 @@ class ArvadosModel < ApplicationRecord logger.warn "User #{current_user.uuid} tried to change uuid of #{self.class.to_s} #{self.uuid_was} to #{self.uuid}" return false end - if self.respond_to?(:owner_uuid) - frozen = FrozenGroup.where(uuid: [owner_uuid, owner_uuid_in_database]).to_a - if frozen.any? - errors.add :uuid, "#{uuid} cannot be modified in frozen project #{frozen[0]}" - return false - end - end return true end @@ -928,6 +950,10 @@ class ArvadosModel < ApplicationRecord # value in the database to an implicit zero/false value in an update # request. def fill_container_defaults + # Make sure this is correctly sorted by key, because we merge in + # whatever is in the database on top of it, this will be the order + # that gets used downstream rather than the order the keys appear + # in the database. self.runtime_constraints = { 'API' => false, 'cuda' => { @@ -935,6 +961,7 @@ class ArvadosModel < ApplicationRecord 'driver_version' => '', 'hardware_capability' => '', }, + 'keep_cache_disk' => 0, 'keep_cache_ram' => 0, 'ram' => 0, 'vcpus' => 0,