X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/a17b176ea55dc3820ef1bde4b99cf33c628ffbbe..20fe67d073424f5c277fbd13557ffe5ae2b15fd9:/services/api/app/models/collection.rb diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb index d25536ec43..f1e7b4f1e1 100644 --- a/services/api/app/models/collection.rb +++ b/services/api/app/models/collection.rb @@ -1,54 +1,80 @@ +require 'arvados/keep' + class Collection < ArvadosModel + extend DbCurrentTime include HasUuid include KindAndEtag include CommonApiTemplate + serialize :properties, Hash + + before_validation :default_empty_manifest + before_validation :check_encoding + before_validation :check_manifest_validity before_validation :check_signatures - before_validation :strip_manifest_text - before_validation :set_portable_data_hash - validate :ensure_hash_matches_manifest_text + before_validation :strip_signatures_and_update_replication_confirmed + validate :ensure_pdh_matches_manifest_text + before_save :set_file_names + + # Query only undeleted collections by default. + default_scope where("expires_at IS NULL or expires_at > CURRENT_TIMESTAMP") api_accessible :user, extend: :common do |t| - t.add :data_size - t.add :files t.add :name t.add :description t.add :properties t.add :portable_data_hash - t.add :manifest_text + t.add :signed_manifest_text, as: :manifest_text + t.add :replication_desired + t.add :replication_confirmed + t.add :replication_confirmed_at end def self.attributes_required_columns - super.merge({ "data_size" => ["manifest_text"], - "files" => ["manifest_text"], - }) + super.merge( + # If we don't list manifest_text explicitly, the + # params[:select] code gets confused by the way we + # expose signed_manifest_text as manifest_text in the + # API response, and never let clients select the + # manifest_text column. + 'manifest_text' => ['manifest_text'], + ) end + FILE_TOKEN = /^[[:digit:]]+:[[:digit:]]+:/ def check_signatures return false if self.manifest_text.nil? return true if current_user.andand.is_admin + # Provided the manifest_text hasn't changed materially since an + # earlier validation, it's safe to pass this validation on + # subsequent passes without checking any signatures. This is + # important because the signatures have probably been stripped off + # by the time we get to a second validation pass! + return true if @signatures_checked and @signatures_checked == computed_pdh + if self.manifest_text_changed? # Check permissions on the collection manifest. # If any signature cannot be verified, raise PermissionDeniedError # which will return 403 Permission denied to the client. api_token = current_api_client_authorization.andand.api_token signing_opts = { - key: Rails.configuration.blob_signing_key, api_token: api_token, - ttl: Rails.configuration.blob_signing_ttl, + now: db_current_time.to_i, } - self.manifest_text.lines.each do |entry| - entry.split[1..-1].each do |tok| - if /^[[:digit:]]+:[[:digit:]]+:/.match tok + self.manifest_text.each_line do |entry| + entry.split.each do |tok| + if tok == '.' or tok.starts_with? './' + # Stream name token. + elsif tok =~ FILE_TOKEN # This is a filename token, not a blob locator. Note that we # keep checking tokens after this, even though manifest # format dictates that all subsequent tokens will also be # filenames. Safety first! elsif Blob.verify_signature tok, signing_opts # OK. - elsif Locator.parse(tok).andand.signature + elsif Keep::Locator.parse(tok).andand.signature # Signature provided, but verify_signature did not like it. logger.warn "Invalid signature on locator #{tok}" raise ArvadosModel::PermissionDeniedError @@ -64,145 +90,177 @@ class Collection < ArvadosModel end end end - true + @signatures_checked = computed_pdh end - def strip_manifest_text + def strip_signatures_and_update_replication_confirmed if self.manifest_text_changed? - # Remove any permission signatures from the manifest. - Collection.munge_manifest_locators(self[:manifest_text]) do |loc| - loc.without_signature.to_s + in_old_manifest = {} + if not self.replication_confirmed.nil? + self.class.each_manifest_locator(manifest_text_was) do |match| + in_old_manifest[match[1]] = true + end end - end - true - end - def set_portable_data_hash - if (self.portable_data_hash.nil? or (self.portable_data_hash == "") or (manifest_text_changed? and !portable_data_hash_changed?)) - self.portable_data_hash = "#{Digest::MD5.hexdigest(manifest_text)}+#{manifest_text.length}" - elsif portable_data_hash_changed? - begin - loc = Locator.parse!(self.portable_data_hash) - loc.strip_hints! - if loc.size - self.portable_data_hash = loc.to_s - else - self.portable_data_hash = "#{loc.hash}+#{self.manifest_text.length}" + stripped_manifest = self.class.munge_manifest_locators(manifest_text) do |match| + if not self.replication_confirmed.nil? and not in_old_manifest[match[1]] + # If the new manifest_text contains locators whose hashes + # weren't in the old manifest_text, storage replication is no + # longer confirmed. + self.replication_confirmed_at = nil + self.replication_confirmed = nil end - rescue ArgumentError => e - errors.add(:portable_data_hash, "#{e}") - return false + + # Return the locator with all permission signatures removed, + # but otherwise intact. + match[0].gsub(/\+A[^+]*/, '') end + + if @computed_pdh_for_manifest_text == manifest_text + # If the cached PDH was valid before stripping, it is still + # valid after stripping. + @computed_pdh_for_manifest_text = stripped_manifest.dup + end + + self[:manifest_text] = stripped_manifest end true end - def ensure_hash_matches_manifest_text - if manifest_text_changed? or portable_data_hash_changed? - computed_hash = "#{Digest::MD5.hexdigest(manifest_text)}+#{manifest_text.length}" - unless computed_hash == portable_data_hash - logger.debug "(computed) '#{computed_hash}' != '#{portable_data_hash}' (provided)" - errors.add(:portable_data_hash, "does not match hash of manifest_text") - return false - end + def ensure_pdh_matches_manifest_text + if not manifest_text_changed? and not portable_data_hash_changed? + true + elsif portable_data_hash.nil? or not portable_data_hash_changed? + self.portable_data_hash = computed_pdh + elsif portable_data_hash !~ Keep::Locator::LOCATOR_REGEXP + errors.add(:portable_data_hash, "is not a valid locator") + false + elsif portable_data_hash[0..31] != computed_pdh[0..31] + errors.add(:portable_data_hash, + "does not match computed hash #{computed_pdh}") + false + else + # Ignore the client-provided size part: always store + # computed_pdh in the database. + self.portable_data_hash = computed_pdh + end + end + + def set_file_names + if self.manifest_text_changed? + self.file_names = manifest_files end true end - def redundancy_status - if redundancy_confirmed_as.nil? - 'unconfirmed' - elsif redundancy_confirmed_as < redundancy - 'degraded' - else - if redundancy_confirmed_at.nil? - 'unconfirmed' - elsif Time.now - redundancy_confirmed_at < 7.days - 'OK' - else - 'stale' + def manifest_files + names = '' + if self.manifest_text + self.manifest_text.scan(/ \d+:\d+:(\S+)/) do |name| + names << name.first.gsub('\040',' ') + "\n" + break if names.length > 2**12 + end + end + + if self.manifest_text and names.length < 2**12 + self.manifest_text.scan(/^\.\/(\S+)/m) do |stream_name| + names << stream_name.first.gsub('\040',' ') + "\n" + break if names.length > 2**12 end end + + names[0,2**12] end - def data_size - inspect_manifest_text if @data_size.nil? or manifest_text_changed? - @data_size + def default_empty_manifest + self.manifest_text ||= '' end - def files - inspect_manifest_text if @files.nil? or manifest_text_changed? - @files + def check_encoding + if manifest_text.encoding.name == 'UTF-8' and manifest_text.valid_encoding? + true + else + begin + # If Ruby thinks the encoding is something else, like 7-bit + # ASCII, but its stored bytes are equal to the (valid) UTF-8 + # encoding of the same string, we declare it to be a UTF-8 + # string. + utf8 = manifest_text + utf8.force_encoding Encoding::UTF_8 + if utf8.valid_encoding? and utf8 == manifest_text.encode(Encoding::UTF_8) + manifest_text = utf8 + return true + end + rescue + end + errors.add :manifest_text, "must use UTF-8 encoding" + false + end end - def inspect_manifest_text - if !manifest_text - @data_size = false - @files = [] - return + def check_manifest_validity + begin + Keep::Manifest.validate! manifest_text + true + rescue ArgumentError => e + errors.add :manifest_text, e.message + false end + end - @data_size = 0 - tmp = {} + def signed_manifest_text + if has_attribute? :manifest_text + token = current_api_client_authorization.andand.api_token + @signed_manifest_text = self.class.sign_manifest manifest_text, token + end + end - manifest_text.split("\n").each do |stream| - toks = stream.split(" ") + def self.sign_manifest manifest, token + signing_opts = { + api_token: token, + expire: db_current_time.to_i + Rails.configuration.blob_signature_ttl, + } + m = munge_manifest_locators(manifest) do |match| + Blob.sign_locator(match[0], signing_opts) + end + return m + end - stream = toks[0].gsub /\\(\\|[0-7]{3})/ do |escape_sequence| - case $1 - when '\\' '\\' - else $1.to_i(8).chr - end - end + def self.munge_manifest_locators manifest + # Given a manifest text and a block, yield the regexp MatchData + # for each locator. Return a new manifest in which each locator + # has been replaced by the block's return value. + return nil if !manifest + return '' if manifest == '' - toks[1..-1].each do |tok| - if (re = tok.match /^[0-9a-f]{32}/) - blocksize = nil - tok.split('+')[1..-1].each do |hint| - if !blocksize and hint.match /^\d+$/ - blocksize = hint.to_i - end - if (re = hint.match /^GS(\d+)$/) - blocksize = re[1].to_i - end - end - @data_size = false if !blocksize - @data_size += blocksize if @data_size + new_lines = [] + manifest.each_line do |line| + line.rstrip! + new_words = [] + line.split(' ').each do |word| + if new_words.empty? + new_words << word + elsif match = Keep::Locator::LOCATOR_REGEXP.match(word) + new_words << yield(match) else - if (re = tok.match /^(\d+):(\d+):(\S+)$/) - filename = re[3].gsub /\\(\\|[0-7]{3})/ do |escape_sequence| - case $1 - when '\\' '\\' - else $1.to_i(8).chr - end - end - fn = stream + '/' + filename - i = re[2].to_i - if tmp[fn] - tmp[fn] += i - else - tmp[fn] = i - end - end + new_words << word end end + new_lines << new_words.join(' ') end - - @files = [] - tmp.each do |k, v| - re = k.match(/^(.+)\/(.+)/) - @files << [re[1], re[2], v] - end + new_lines.join("\n") + "\n" end - def self.munge_manifest_locators(manifest) - # Given a manifest text and a block, yield each locator, - # and replace it with whatever the block returns. - manifest.andand.gsub!(/ [[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) do |word| - if loc = Locator.parse(word.strip) - " " + yield(loc) - else - " " + word + def self.each_manifest_locator manifest + # Given a manifest text and a block, yield the regexp match object + # for each locator. + manifest.each_line do |line| + # line will have a trailing newline, but the last token is never + # a locator, so it's harmless here. + line.split(' ').each do |word| + if match = Keep::Locator::LOCATOR_REGEXP.match(word) + yield(match) + end end end end @@ -234,12 +292,17 @@ class Collection < ArvadosModel # If the search term is a Collection locator that contains one file # that looks like a Docker image, return it. - if loc = Locator.parse(search_term) + if loc = Keep::Locator.parse(search_term) loc.strip_hints! coll_match = readable_by(*readers).where(portable_data_hash: loc.to_s).limit(1).first - if coll_match and (coll_match.files.size == 1) and - (coll_match.files[0][1] =~ /^[0-9A-Fa-f]{64}\.tar$/) - return [coll_match] + if coll_match + # Check if the Collection contains exactly one file whose name + # looks like a saved Docker image. + manifest = Keep::Manifest.new(coll_match.manifest_text) + if manifest.exact_file_count?(1) and + (manifest.files[0][1] =~ /^[0-9A-Fa-f]{64}\.tar$/) + return [coll_match] + end end end @@ -274,4 +337,48 @@ class Collection < ArvadosModel def self.for_latest_docker_image(search_term, search_tag=nil, readers=nil) find_all_for_docker_image(search_term, search_tag, readers).first end + + def self.searchable_columns operator + super - ["manifest_text"] + end + + def self.full_text_searchable_columns + super - ["manifest_text"] + end + + protected + def portable_manifest_text + self.class.munge_manifest_locators(manifest_text) do |match| + if match[2] # size + match[1] + match[2] + else + match[1] + end + end + end + + def compute_pdh + portable_manifest = portable_manifest_text + (Digest::MD5.hexdigest(portable_manifest) + + '+' + + portable_manifest.bytesize.to_s) + end + + def computed_pdh + if @computed_pdh_for_manifest_text == manifest_text + return @computed_pdh + end + @computed_pdh = compute_pdh + @computed_pdh_for_manifest_text = manifest_text.dup + @computed_pdh + end + + def ensure_permission_to_save + if (not current_user.andand.is_admin and + (replication_confirmed_at_changed? or replication_confirmed_changed?) and + not (replication_confirmed_at.nil? and replication_confirmed.nil?)) + raise ArvadosModel::PermissionDeniedError.new("replication_confirmed and replication_confirmed_at attributes cannot be changed, except by setting both to nil") + end + super + end end