X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9e3bb9b984ff700fc3455f87437a8f1ac5841f0e..b12f667daa270a4e3c656d16f30620ca763f9578:/services/api/app/controllers/arvados/v1/collections_controller.rb diff --git a/services/api/app/controllers/arvados/v1/collections_controller.rb b/services/api/app/controllers/arvados/v1/collections_controller.rb index 294e092f6c..4d0d004508 100644 --- a/services/api/app/controllers/arvados/v1/collections_controller.rb +++ b/services/api/app/controllers/arvados/v1/collections_controller.rb @@ -6,15 +6,39 @@ class Arvados::V1::CollectionsController < ApplicationController # exist) giving the current user (or specified owner_uuid) # permission to read it. owner_uuid = resource_attrs.delete(:owner_uuid) || current_user.uuid - owner_kind = if owner_uuid.match(/-(\w+)-/)[1] == User.uuid_prefix - 'arvados#user' - else - 'arvados#group' - end unless current_user.can? write: owner_uuid logger.warn "User #{current_user.andand.uuid} tried to set collection owner_uuid to #{owner_uuid}" raise ArvadosModel::PermissionDeniedError end + + # Check permissions on the collection manifest. + # If any signature cannot be verified, return 403 Permission denied. + perms_ok = true + api_token = current_api_client_authorization.andand.api_token + signing_opts = { key: Rails.configuration.permission_key, api_token: api_token } + resource_attrs[:manifest_text].lines.each do |entry| + # TODO(twp): fail the request if this match fails. + # Add in Phase 4 (see #2755) + m = /([[:xdigit:]]{32}(\+[[:digit:]]+)?)(\+A\S*)?/.match(entry) + if m and m[3] + if !api_token + logger.warn "No API token present; cannot verify signature #{m[0]}" + perms_ok = false + elsif !Blob.verify_signature m[0], signing_opts + logger.warn "Invalid signature on locator #{m[0]}" + perms_ok = false + end + end + end + unless perms_ok + raise ArvadosModel::PermissionDeniedError + end + + # Remove any permission signatures from the manifest. + resource_attrs[:manifest_text] + .gsub!(/^(\S+\s+)([[:xdigit:]]{32}(\+[[:digit:]]+)?)(\+A\S*)/, '\1\2') + + # Save the collection with the stripped manifest. act_as_system_user do @object = model_class.new resource_attrs.reject { |k,v| k == :owner_uuid } begin @@ -36,9 +60,7 @@ class Arvados::V1::CollectionsController < ApplicationController owner_uuid: owner_uuid, link_class: 'permission', name: 'can_read', - head_kind: 'arvados#collection', head_uuid: @object.uuid, - tail_kind: owner_kind, tail_uuid: owner_uuid } ActiveRecord::Base.transaction do @@ -51,6 +73,20 @@ class Arvados::V1::CollectionsController < ApplicationController show end + def show + if current_api_client_authorization + signing_opts = { + key: Rails.configuration.permission_key, + api_token: current_api_client_authorization.api_token, + } + @object[:manifest_text] + .gsub!(/^(\S+\s+)([[:xdigit:]]{32}(\+[[:digit:]]+)?)/) { |m| + $1 + Blob.sign_locator($2, signing_opts) + } + end + render json: @object.as_api_response(:with_data) + end + def collection_uuid(uuid) m = /([a-f0-9]{32}(\+[0-9]+)?)(\+.*)?/.match(uuid) if m @@ -61,21 +97,20 @@ class Arvados::V1::CollectionsController < ApplicationController end def script_param_edges(visited, sp) - if sp and not sp.empty? - case sp - when Hash - sp.each do |k, v| - script_param_edges(visited, v) - end - when Array - sp.each do |v| - script_param_edges(visited, v) - end - else - m = collection_uuid(sp) - if m - generate_provenance_edges(visited, m) - end + case sp + when Hash + sp.each do |k, v| + script_param_edges(visited, v) + end + when Array + sp.each do |v| + script_param_edges(visited, v) + end + when String + return if sp.empty? + m = collection_uuid(sp) + if m + generate_provenance_edges(visited, m) end end end @@ -139,6 +174,65 @@ class Arvados::V1::CollectionsController < ApplicationController render json: visited end + def generate_used_by_edges(visited, uuid) + m = collection_uuid(uuid) + uuid = m if m + + if not uuid or uuid.empty? or visited[uuid] + return "" + end + + logger.debug "visiting #{uuid}" + + if m + # uuid is a collection + Collection.readable_by(current_user).where(uuid: uuid).each do |c| + visited[uuid] = c.as_api_response + visited[uuid][:files] = [] + c.files.each do |f| + visited[uuid][:files] << f + end + end + + if uuid == "d41d8cd98f00b204e9800998ecf8427e+0" + # special case for empty collection + return + end + + Job.readable_by(current_user).where(["jobs.script_parameters like ?", "%#{uuid}%"]).each do |job| + generate_used_by_edges(visited, job.uuid) + end + + else + # uuid is something else + rsc = ArvadosModel::resource_class_for_uuid uuid + if rsc == Job + Job.readable_by(current_user).where(uuid: uuid).each do |job| + visited[uuid] = job.as_api_response + generate_used_by_edges(visited, job.output) + end + elsif rsc != nil + rsc.where(uuid: uuid).each do |r| + visited[uuid] = r.as_api_response + end + end + end + + Link.readable_by(current_user). + where(tail_uuid: uuid, link_class: "provenance"). + each do |link| + visited[link.uuid] = link.as_api_response + generate_used_by_edges(visited, link.head_uuid) + end + + #puts "finished #{uuid}" + end + + def used_by + visited = {} + generate_used_by_edges(visited, @object[:uuid]) + render json: visited + end protected def find_object_by_uuid