X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6f6f108d9d5bcb2e2a033bb16ac5dd78e108291f..30d63b582ed093d235ae4a9efdeda5de1d4e2f24:/services/api/app/controllers/arvados/v1/collections_controller.rb diff --git a/services/api/app/controllers/arvados/v1/collections_controller.rb b/services/api/app/controllers/arvados/v1/collections_controller.rb index 65d5276a3e..6c9d41e3f1 100644 --- a/services/api/app/controllers/arvados/v1/collections_controller.rb +++ b/services/api/app/controllers/arvados/v1/collections_controller.rb @@ -6,14 +6,53 @@ class Arvados::V1::CollectionsController < ApplicationController # exist) giving the current user (or specified owner_uuid) # permission to read it. owner_uuid = resource_attrs.delete(:owner_uuid) || current_user.uuid - owner_kind = if owner_uuid.match(/-(\w+)-/)[1] == User.uuid_prefix - 'arvados#user' - else - 'arvados#group' - end unless current_user.can? write: owner_uuid + logger.warn "User #{current_user.andand.uuid} tried to set collection owner_uuid to #{owner_uuid}" raise ArvadosModel::PermissionDeniedError end + + # Check permissions on the collection manifest. + # If any signature cannot be verified, return 403 Permission denied. + perms_ok = true + api_token = current_api_client_authorization.andand.api_token + signing_opts = { + key: Rails.configuration.blob_signing_key, + api_token: api_token, + ttl: Rails.configuration.blob_signing_ttl, + } + resource_attrs[:manifest_text].lines.each do |entry| + entry.split[1..-1].each do |tok| + # TODO(twp): in Phase 4, fail the request if the locator + # lacks a permission signature. (see #2755) + loc = Locator.parse(tok) + if loc and loc.signature + if !api_token + logger.warn "No API token present; cannot verify signature on #{loc}" + perms_ok = false + elsif !Blob.verify_signature tok, signing_opts + logger.warn "Invalid signature on locator #{loc}" + perms_ok = false + end + end + end + end + unless perms_ok + raise ArvadosModel::PermissionDeniedError + end + + # Remove any permission signatures from the manifest. + resource_attrs[:manifest_text] + .gsub!(/ [[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) { |word| + word.strip! + loc = Locator.parse(word) + if loc + " " + loc.without_signature.to_s + else + " " + word + end + } + + # Save the collection with the stripped manifest. act_as_system_user do @object = model_class.new resource_attrs.reject { |k,v| k == :owner_uuid } begin @@ -29,15 +68,12 @@ class Arvados::V1::CollectionsController < ApplicationController @object = @existing_object || @object end end - if @object link_attrs = { owner_uuid: owner_uuid, link_class: 'permission', name: 'can_read', - head_kind: 'arvados#collection', head_uuid: @object.uuid, - tail_kind: owner_kind, tail_uuid: owner_uuid } ActiveRecord::Base.transaction do @@ -50,6 +86,27 @@ class Arvados::V1::CollectionsController < ApplicationController show end + def show + if current_api_client_authorization + signing_opts = { + key: Rails.configuration.blob_signing_key, + api_token: current_api_client_authorization.api_token, + ttl: Rails.configuration.blob_signing_ttl, + } + @object[:manifest_text] + .gsub!(/ [[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) { |word| + word.strip! + loc = Locator.parse(word) + if loc + " " + Blob.sign_locator(word, signing_opts) + else + " " + word + end + } + end + render json: @object.as_api_response(:with_data) + end + def collection_uuid(uuid) m = /([a-f0-9]{32}(\+[0-9]+)?)(\+.*)?/.match(uuid) if m @@ -60,21 +117,20 @@ class Arvados::V1::CollectionsController < ApplicationController end def script_param_edges(visited, sp) - if sp and not sp.empty? - case sp - when Hash - sp.each do |k, v| - script_param_edges(visited, v) - end - when Array - sp.each do |v| - script_param_edges(visited, v) - end - else - m = collection_uuid(sp) - if m - generate_provenance_edges(visited, m) - end + case sp + when Hash + sp.each do |k, v| + script_param_edges(visited, v) + end + when Array + sp.each do |v| + script_param_edges(visited, v) + end + when String + return if sp.empty? + m = collection_uuid(sp) + if m + generate_provenance_edges(visited, m) end end end @@ -138,6 +194,65 @@ class Arvados::V1::CollectionsController < ApplicationController render json: visited end + def generate_used_by_edges(visited, uuid) + m = collection_uuid(uuid) + uuid = m if m + + if not uuid or uuid.empty? or visited[uuid] + return "" + end + + logger.debug "visiting #{uuid}" + + if m + # uuid is a collection + Collection.readable_by(current_user).where(uuid: uuid).each do |c| + visited[uuid] = c.as_api_response + visited[uuid][:files] = [] + c.files.each do |f| + visited[uuid][:files] << f + end + end + + if uuid == "d41d8cd98f00b204e9800998ecf8427e+0" + # special case for empty collection + return + end + + Job.readable_by(current_user).where(["jobs.script_parameters like ?", "%#{uuid}%"]).each do |job| + generate_used_by_edges(visited, job.uuid) + end + + else + # uuid is something else + rsc = ArvadosModel::resource_class_for_uuid uuid + if rsc == Job + Job.readable_by(current_user).where(uuid: uuid).each do |job| + visited[uuid] = job.as_api_response + generate_used_by_edges(visited, job.output) + end + elsif rsc != nil + rsc.where(uuid: uuid).each do |r| + visited[uuid] = r.as_api_response + end + end + end + + Link.readable_by(current_user). + where(tail_uuid: uuid, link_class: "provenance"). + each do |link| + visited[link.uuid] = link.as_api_response + generate_used_by_edges(visited, link.head_uuid) + end + + #puts "finished #{uuid}" + end + + def used_by + visited = {} + generate_used_by_edges(visited, @object[:uuid]) + render json: visited + end protected def find_object_by_uuid @@ -158,5 +273,4 @@ class Arvados::V1::CollectionsController < ApplicationController end end end - end