X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/69f592e029493afb8a0709811b5be1fefabafb4b..4b4bb33aca0e12ae06bce395f02031890d6ef8bc:/services/api/app/controllers/application_controller.rb diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb index e6a02b1e12..ba7c07d272 100644 --- a/services/api/app/controllers/application_controller.rb +++ b/services/api/app/controllers/application_controller.rb @@ -1,3 +1,10 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + +require 'safe_json' +require 'request_error' + module ApiTemplateOverride def allowed_to_render?(fieldset, field, model, options) return false if !super @@ -14,19 +21,20 @@ class ActsAsApi::ApiTemplate end require 'load_param' -require 'record_filters' class ApplicationController < ActionController::Base - include CurrentApiClient include ThemesForRails::ActionController + include CurrentApiClient include LoadParam - include RecordFilters + include DbCurrentTime respond_to :json protect_from_forgery ERROR_ACTIONS = [:render_error, :render_not_found] + around_filter :set_current_request_id + before_filter :disable_api_methods before_filter :set_cors_headers before_filter :respond_with_json_by_default before_filter :remote_ip @@ -45,9 +53,9 @@ class ApplicationController < ActionController::Base before_filter(:render_404_if_no_object, except: [:index, :create] + ERROR_ACTIONS) - theme :select_theme + theme Rails.configuration.arvados_theme - attr_accessor :resource_attrs + attr_writer :resource_attrs begin rescue_from(Exception, @@ -60,6 +68,18 @@ class ApplicationController < ActionController::Base :with => :render_not_found) end + def initialize *args + super + @object = nil + @objects = nil + @offset = nil + @limit = nil + @select = nil + @distinct = nil + @response_resource_name = nil + @attrs = nil + end + def default_url_options if Rails.configuration.host {:host => Rails.configuration.host} @@ -69,7 +89,6 @@ class ApplicationController < ActionController::Base end def index - @objects.uniq!(&:id) if @select.nil? or @select.include? "id" if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != '' @objects.each(&:eager_load_associations) end @@ -83,41 +102,12 @@ class ApplicationController < ActionController::Base def create @object = model_class.new resource_attrs - if @object.respond_to? :name and params[:ensure_unique_name] - # Record the original name. See below. - name_stem = @object.name - counter = 1 + if @object.respond_to?(:name) && params[:ensure_unique_name] + @object.save_with_unique_name! + else + @object.save! end - begin - @object.save! - rescue ActiveRecord::RecordNotUnique => rn - raise unless params[:ensure_unique_name] - - # Dig into the error to determine if it is specifically calling out a - # (owner_uuid, name) uniqueness violation. In this specific case, and - # the client requested a unique name with ensure_unique_name==true, - # update the name field and try to save again. Loop as necessary to - # discover a unique name. It is necessary to handle name choosing at - # this level (as opposed to the client) to ensure that record creation - # never fails due to a race condition. - raise unless rn.original_exception.is_a? PG::UniqueViolation - - # Unfortunately ActiveRecord doesn't abstract out any of the - # necessary information to figure out if this the error is actually - # the specific case where we want to apply the ensure_unique_name - # behavior, so the following code is specialized to Postgres. - err = rn.original_exception - detail = err.result.error_field(PG::Result::PG_DIAG_MESSAGE_DETAIL) - raise unless /^Key \(owner_uuid, name\)=\([a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{15}, .*?\) already exists\./.match detail - - # OK, this exception really is just a unique name constraint - # violation, and we've been asked to ensure_unique_name. - counter += 1 - @object.uuid = nil - @object.name = "#{name_stem} (#{counter})" - redo - end while false show end @@ -148,7 +138,7 @@ class ApplicationController < ActionController::Base def render_error(e) logger.error e.inspect - if e.respond_to? :backtrace and e.backtrace + if !e.is_a? RequestError and (e.respond_to? :backtrace and e.backtrace) logger.error e.backtrace.collect { |x| x + "\n" }.join('') end if (@object.respond_to? :errors and @@ -186,32 +176,19 @@ class ApplicationController < ActionController::Base # The obvious render(json: ...) forces a slow JSON encoder. See # #3021 and commit logs. Might be fixed in Rails 4.1. render({ - text: Oj.dump(response, mode: :compat).html_safe, + text: SafeJSON.dump(response).html_safe, content_type: 'application/json' }.merge opts) end - def self.limit_index_columns_read - # This method returns a list of column names. - # If an index request reads that column from the database, - # find_objects_for_index will only fetch objects until it reads - # max_index_database_read bytes of data from those columns. - [] - end - def find_objects_for_index - @objects ||= model_class.readable_by(*@read_users) + @objects ||= model_class.readable_by(*@read_users, {:include_trash => (params[:include_trash] || 'untrash' == action_name)}) apply_where_limit_order_params - limit_database_read if (action_name == "index") end def apply_filters model_class=nil model_class ||= self.model_class - ft = record_filters @filters, model_class - if ft[:cond_out].any? - @objects = @objects.where('(' + ft[:cond_out].join(') AND (') + ')', - *ft[:param_out]) - end + @objects = model_class.apply_filters(@objects, @filters) end def apply_where_limit_order_params model_class=nil @@ -295,23 +272,34 @@ class ApplicationController < ActionController::Base @objects = @objects.uniq(@distinct) if not @distinct.nil? end - def limit_database_read - limit_columns = self.class.limit_index_columns_read + # limit_database_read ensures @objects (which must be an + # ActiveRelation) does not return too many results to fit in memory, + # by previewing the results and calling @objects.limit() if + # necessary. + def limit_database_read(model_class:) + return if @limit == 0 || @limit == 1 + model_class ||= self.model_class + limit_columns = model_class.limit_index_columns_read limit_columns &= model_class.columns_for_attributes(@select) if @select return if limit_columns.empty? model_class.transaction do limit_query = @objects. + except(:select, :distinct). select("(%s) as read_length" % - limit_columns.map { |s| "octet_length(#{s})" }.join(" + ")) + limit_columns.map { |s| "octet_length(#{model_class.table_name}.#{s})" }.join(" + ")) new_limit = 0 read_total = 0 - limit_query.find_each do |record| + limit_query.each do |record| new_limit += 1 read_total += record.read_length.to_i - break if ((read_total >= Rails.configuration.max_index_database_read) or - (new_limit >= @limit)) + if read_total >= Rails.configuration.max_index_database_read + new_limit -= 1 if new_limit > 1 + @limit = new_limit + break + elsif new_limit >= @limit + break + end end - @limit = new_limit @objects = @objects.limit(@limit) # Force @objects to run its query inside this transaction. @objects.each { |_| break } @@ -322,7 +310,7 @@ class ApplicationController < ActionController::Base return @attrs if @attrs @attrs = params[resource_name] if @attrs.is_a? String - @attrs = Oj.load @attrs, symbol_keys: true + @attrs = Oj.strict_load @attrs, symbol_keys: true end unless @attrs.is_a? Hash message = "No #{resource_name}" @@ -358,7 +346,7 @@ class ApplicationController < ActionController::Base .all end @read_auths.select! { |auth| auth.scopes_allow_request? request } - @read_users = @read_auths.map { |auth| auth.user }.uniq + @read_users = @read_auths.map(&:user).uniq end def require_login @@ -378,7 +366,7 @@ class ApplicationController < ActionController::Base end def require_auth_scope - if @read_auths.empty? + unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid } if require_login != false send_error("Forbidden", status: 403) end @@ -386,10 +374,36 @@ class ApplicationController < ActionController::Base end end + def set_current_request_id + req_id = request.headers['X-Request-Id'] + if !req_id || req_id.length < 1 || req_id.length > 1024 + # Client-supplied ID is either missing or too long to be + # considered friendly. + req_id = "req-" + Random::DEFAULT.rand(2**128).to_s(36)[0..19] + end + response.headers['X-Request-Id'] = Thread.current[:request_id] = req_id + yield + Thread.current[:request_id] = nil + end + + def append_info_to_payload(payload) + super + payload[:request_id] = response.headers['X-Request-Id'] + payload[:client_ipaddr] = @remote_ip + payload[:client_auth] = current_api_client_authorization.andand.uuid || nil + end + + def disable_api_methods + if Rails.configuration.disable_api_methods. + include?(controller_name + "." + action_name) + send_error("Disabled", status: 404) + end + end + def set_cors_headers response.headers['Access-Control-Allow-Origin'] = '*' response.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, PUT, POST, DELETE' - response.headers['Access-Control-Allow-Headers'] = 'Authorization' + response.headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type' response.headers['Access-Control-Max-Age'] = '86486400' end @@ -413,7 +427,7 @@ class ApplicationController < ActionController::Base end def find_object_by_uuid - if params[:id] and params[:id].match /\D/ + if params[:id] and params[:id].match(/\D/) params[:uuid] = params.delete :id end @where = { uuid: params[:uuid] } @@ -436,7 +450,7 @@ class ApplicationController < ActionController::Base def load_json_value(hash, key, must_be_class=nil) if hash[key].is_a? String - hash[key] = Oj.load(hash[key], symbol_keys: false) + hash[key] = SafeJSON.load(hash[key]) if must_be_class and !hash[key].is_a? must_be_class raise TypeError.new("parameter #{key.to_s} must be a #{must_be_class.to_s}") end @@ -466,7 +480,10 @@ class ApplicationController < ActionController::Base end accept_param_as_json :reader_tokens, Array - def object_list + def object_list(model_class:) + if @objects.respond_to?(:except) + limit_database_read(model_class: model_class) + end list = { :kind => "arvados##{(@response_resource_name || resource_name).camelize(:lower)}List", :etag => "", @@ -475,21 +492,27 @@ class ApplicationController < ActionController::Base :limit => @limit, :items => @objects.as_api_response(nil, {select: @select}) } - if @objects.respond_to? :except - list[:items_available] = @objects. - except(:limit).except(:offset). - count(:id, distinct: true) + case params[:count] + when nil, '', 'exact' + if @objects.respond_to? :except + list[:items_available] = @objects. + except(:limit).except(:offset). + count(:id, distinct: true) + end + when 'none' + else + raise ArgumentError.new("count parameter must be 'exact' or 'none'") end list end def render_list - send_json object_list + send_json object_list(model_class: self.model_class) end def remote_ip # Caveat: this is highly dependent on the proxy setup. YMMV. - if request.headers.has_key?('HTTP_X_REAL_IP') then + if request.headers.key?('HTTP_X_REAL_IP') then # We're behind a reverse proxy @remote_ip = request.headers['HTTP_X_REAL_IP'] else @@ -532,6 +555,10 @@ class ApplicationController < ActionController::Base } end + def self._update_requires_parameters + {} + end + def self._index_requires_parameters { filters: { type: 'array', required: false }, @@ -541,6 +568,7 @@ class ApplicationController < ActionController::Base distinct: { type: 'boolean', required: false }, limit: { type: 'integer', required: false, default: DEFAULT_LIMIT }, offset: { type: 'integer', required: false, default: 0 }, + count: { type: 'string', required: false, default: 'exact' }, } end @@ -560,10 +588,6 @@ class ApplicationController < ActionController::Base } end end - super *opts - end - - def select_theme - return Rails.configuration.arvados_theme + super(*opts) end end