X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5cff00f1efc7515fd0b8543f618214ecec384eb5..6951a378515a726fa178e0d1554c72044a7f5f88:/services/api/app/models/collection.rb diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb index 99a09bd8e5..f212e3358a 100644 --- a/services/api/app/models/collection.rb +++ b/services/api/app/models/collection.rb @@ -1,4 +1,5 @@ require 'arvados/keep' +require 'sweep_trashed_collections' class Collection < ArvadosModel extend DbCurrentTime @@ -8,15 +9,21 @@ class Collection < ArvadosModel serialize :properties, Hash + before_validation :set_validation_timestamp + before_validation :default_empty_manifest before_validation :check_encoding before_validation :check_manifest_validity before_validation :check_signatures before_validation :strip_signatures_and_update_replication_confirmed + before_validation :ensure_trash_at_not_in_past + before_validation :sync_trash_state + before_validation :default_trash_interval validate :ensure_pdh_matches_manifest_text + validate :validate_trash_and_delete_timing before_save :set_file_names - # Query only undeleted collections by default. - default_scope where("expires_at IS NULL or expires_at > CURRENT_TIMESTAMP") + # Query only untrashed collections by default. + default_scope where("is_trashed = false") api_accessible :user, extend: :common do |t| t.add :name @@ -24,9 +31,18 @@ class Collection < ArvadosModel t.add :properties t.add :portable_data_hash t.add :signed_manifest_text, as: :manifest_text + t.add :manifest_text, as: :unsigned_manifest_text t.add :replication_desired t.add :replication_confirmed t.add :replication_confirmed_at + t.add :delete_at + t.add :trash_at + t.add :is_trashed + end + + after_initialize do + @signatures_checked = false + @computed_pdh_for_manifest_text = false end def self.attributes_required_columns @@ -36,10 +52,18 @@ class Collection < ArvadosModel # expose signed_manifest_text as manifest_text in the # API response, and never let clients select the # manifest_text column. - 'manifest_text' => ['manifest_text'], + # + # We need trash_at and is_trashed to determine the + # correct timestamp in signed_manifest_text. + 'manifest_text' => ['manifest_text', 'trash_at', 'is_trashed'], + 'unsigned_manifest_text' => ['manifest_text'], ) end + def self.ignored_select_attributes + super + ["updated_at", "file_names"] + end + FILE_TOKEN = /^[[:digit:]]+:[[:digit:]]+:/ def check_signatures return false if self.manifest_text.nil? @@ -51,7 +75,9 @@ class Collection < ArvadosModel # subsequent passes without checking any signatures. This is # important because the signatures have probably been stripped off # by the time we get to a second validation pass! - return true if @signatures_checked and @signatures_checked == computed_pdh + if @signatures_checked && @signatures_checked == computed_pdh + return true + end if self.manifest_text_changed? # Check permissions on the collection manifest. @@ -60,7 +86,7 @@ class Collection < ArvadosModel api_token = current_api_client_authorization.andand.api_token signing_opts = { api_token: api_token, - now: db_current_time.to_i, + now: @validation_timestamp.to_i, } self.manifest_text.each_line do |entry| entry.split.each do |tok| @@ -171,6 +197,10 @@ class Collection < ArvadosModel names[0,2**12] end + def default_empty_manifest + self.manifest_text ||= '' + end + def check_encoding if manifest_text.encoding.name == 'UTF-8' and manifest_text.valid_encoding? true @@ -183,7 +213,7 @@ class Collection < ArvadosModel utf8 = manifest_text utf8.force_encoding Encoding::UTF_8 if utf8.valid_encoding? and utf8 == manifest_text.encode(Encoding::UTF_8) - manifest_text = utf8 + self.manifest_text = utf8 return true end rescue @@ -197,23 +227,32 @@ class Collection < ArvadosModel begin Keep::Manifest.validate! manifest_text true - rescue => e - logger.warn e + rescue ArgumentError => e + errors.add :manifest_text, e.message false end end def signed_manifest_text - if has_attribute? :manifest_text + if !has_attribute? :manifest_text + return nil + elsif is_trashed + return manifest_text + else token = current_api_client_authorization.andand.api_token - @signed_manifest_text = self.class.sign_manifest manifest_text, token + exp = [db_current_time.to_i + Rails.configuration.blob_signature_ttl, + trash_at].compact.map(&:to_i).min + self.class.sign_manifest manifest_text, token, exp end end - def self.sign_manifest manifest, token + def self.sign_manifest manifest, token, exp=nil + if exp.nil? + exp = db_current_time.to_i + Rails.configuration.blob_signature_ttl + end signing_opts = { api_token: token, - expire: db_current_time.to_i + Rails.configuration.blob_signature_ttl, + expire: exp, } m = munge_manifest_locators(manifest) do |match| Blob.sign_locator(match[0], signing_opts) @@ -264,10 +303,10 @@ class Collection < ArvadosModel hash_part = nil size_part = nil uuid.split('+').each do |token| - if token.match /^[0-9a-f]{32,}$/ + if token.match(/^[0-9a-f]{32,}$/) raise "uuid #{uuid} has multiple hash parts" if hash_part hash_part = token - elsif token.match /^\d+$/ + elsif token.match(/^\d+$/) raise "uuid #{uuid} has multiple size parts" if size_part size_part = token end @@ -295,7 +334,7 @@ class Collection < ArvadosModel # looks like a saved Docker image. manifest = Keep::Manifest.new(coll_match.manifest_text) if manifest.exact_file_count?(1) and - (manifest.files[0][1] =~ /^[0-9A-Fa-f]{64}\.tar$/) + (manifest.files[0][1] =~ /^(sha256:)?[0-9A-Fa-f]{64}\.tar$/) return [coll_match] end end @@ -341,6 +380,11 @@ class Collection < ArvadosModel super - ["manifest_text"] end + def self.where *args + SweepTrashedCollections.sweep_if_stale + super + end + protected def portable_manifest_text self.class.munge_manifest_locators(manifest_text) do |match| @@ -376,4 +420,66 @@ class Collection < ArvadosModel end super end + + # Use a single timestamp for all validations, even though each + # validation runs at a different time. + def set_validation_timestamp + @validation_timestamp = db_current_time + end + + # If trash_at is being changed to a time in the past, change it to + # now. This allows clients to say "expires {client-current-time}" + # without failing due to clock skew, while avoiding odd log entries + # like "expiry date changed to {1 year ago}". + def ensure_trash_at_not_in_past + if trash_at_changed? && trash_at + self.trash_at = [@validation_timestamp, trash_at].max + end + end + + # Caller can move into/out of trash by setting/clearing is_trashed + # -- however, if the caller also changes trash_at, then any changes + # to is_trashed are ignored. + def sync_trash_state + if is_trashed_changed? && !trash_at_changed? + if is_trashed + self.trash_at = @validation_timestamp + else + self.trash_at = nil + self.delete_at = nil + end + end + self.is_trashed = trash_at && trash_at <= @validation_timestamp || false + true + end + + # If trash_at is updated without touching delete_at, automatically + # update delete_at to a sensible value. + def default_trash_interval + if trash_at_changed? && !delete_at_changed? + if trash_at.nil? + self.delete_at = nil + else + self.delete_at = trash_at + Rails.configuration.default_trash_lifetime.seconds + end + end + end + + def validate_trash_and_delete_timing + if trash_at.nil? != delete_at.nil? + errors.add :delete_at, "must be set if trash_at is set, and must be nil otherwise" + end + + earliest_delete = ([@validation_timestamp, trash_at_was].compact.min + + Rails.configuration.blob_signature_ttl.seconds) + if delete_at && delete_at < earliest_delete + errors.add :delete_at, "#{delete_at} is too soon: earliest allowed is #{earliest_delete}" + end + + if delete_at && delete_at < trash_at + errors.add :delete_at, "must not be earlier than trash_at" + end + + true + end end