X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/aad9cd74e61cff985944c400c40fe3f85907a1e7..b86543493dffefb1ec245f48550cfa9e0119f4d1:/services/api/app/controllers/arvados/v1/collections_controller.rb diff --git a/services/api/app/controllers/arvados/v1/collections_controller.rb b/services/api/app/controllers/arvados/v1/collections_controller.rb index 2844cb4c7a..922cf7dac1 100644 --- a/services/api/app/controllers/arvados/v1/collections_controller.rb +++ b/services/api/app/controllers/arvados/v1/collections_controller.rb @@ -1,235 +1,143 @@ -require 'locator' +require "arvados/keep" class Arvados::V1::CollectionsController < ApplicationController - def create - # Collections are owned by system_user. Creating a collection has - # two effects: The collection is added if it doesn't already - # exist, and a "permission" Link is added (if one doesn't already - # exist) giving the current user (or specified owner_uuid) - # permission to read it. - owner_uuid = resource_attrs.delete(:owner_uuid) || current_user.uuid - unless current_user.can? write: owner_uuid - logger.warn "User #{current_user.andand.uuid} tried to set collection owner_uuid to #{owner_uuid}" - raise ArvadosModel::PermissionDeniedError - end + def self.limit_index_columns_read + ["manifest_text"] + end - # Check permissions on the collection manifest. - # If any signature cannot be verified, return 403 Permission denied. - perms_ok = true - api_token = current_api_client_authorization.andand.api_token - signing_opts = { - key: Rails.configuration.blob_signing_key, - api_token: api_token, - ttl: Rails.configuration.blob_signing_ttl, - } - resource_attrs[:manifest_text].lines.each do |entry| - entry.split[1..-1].each do |tok| - # TODO(twp): fail the request if this match fails. - # Add in Phase 4 (see #2755) - loc = Locator.parse(tok) - if loc and loc.signature - if !api_token - logger.warn "No API token present; cannot verify signature on #{loc}" - perms_ok = false - elsif !Blob.verify_signature tok, signing_opts - logger.warn "Invalid signature on locator #{loc}" - perms_ok = false - end - end - end - end - unless perms_ok - raise ArvadosModel::PermissionDeniedError + def create + if resource_attrs[:uuid] and (loc = Keep::Locator.parse(resource_attrs[:uuid])) + resource_attrs[:portable_data_hash] = loc.to_s + resource_attrs.delete :uuid end + super + end - # Remove any permission signatures from the manifest. - resource_attrs[:manifest_text] - .gsub!(/[[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) { |word| - loc = Locator.parse(word) - if loc - loc.without_signature.to_s - else - word - end - } - - # Save the collection with the stripped manifest. - act_as_system_user do - @object = model_class.new resource_attrs.reject { |k,v| k == :owner_uuid } - begin - @object.save! - rescue ActiveRecord::RecordNotUnique - logger.debug resource_attrs.inspect - if resource_attrs[:manifest_text] and resource_attrs[:uuid] - @existing_object = model_class. - where('uuid=? and manifest_text=?', - resource_attrs[:uuid], - resource_attrs[:manifest_text]). - first - @object = @existing_object || @object - end - end - if @object - link_attrs = { - owner_uuid: owner_uuid, - link_class: 'permission', - name: 'can_read', - head_uuid: @object.uuid, - tail_uuid: owner_uuid + def find_object_by_uuid + if loc = Keep::Locator.parse(params[:id]) + loc.strip_hints! + if c = Collection.readable_by(*@read_users).where({ portable_data_hash: loc.to_s }).limit(1).first + @object = { + uuid: c.portable_data_hash, + portable_data_hash: c.portable_data_hash, + manifest_text: c.signed_manifest_text, } - ActiveRecord::Base.transaction do - if Link.where(link_attrs).empty? - Link.create! link_attrs - end - end end + else + super end - show + true end def show - if current_api_client_authorization - signing_opts = { - key: Rails.configuration.blob_signing_key, - api_token: current_api_client_authorization.api_token, - ttl: Rails.configuration.blob_signing_ttl, - } - @object[:manifest_text] - .gsub!(/[[:xdigit:]]{32}(\+[[:digit:]]+)?(\+\S+)/) { |word| - loc = Locator.parse(word) - if loc - Blob.sign_locator(word, signing_opts) - else - word - end - } - end - render json: @object.as_api_response(:with_data) - end - - def collection_uuid(uuid) - m = /([a-f0-9]{32}(\+[0-9]+)?)(\+.*)?/.match(uuid) - if m - m[1] + if @object.is_a? Collection + super else - nil + send_json @object end end - def script_param_edges(visited, sp) + def find_collections(visited, sp, &b) case sp + when ArvadosModel + sp.class.columns.each do |c| + find_collections(visited, sp[c.name.to_sym], &b) if c.name != "log" + end when Hash sp.each do |k, v| - script_param_edges(visited, v) + find_collections(visited, v, &b) end when Array sp.each do |v| - script_param_edges(visited, v) + find_collections(visited, v, &b) end when String - return if sp.empty? - m = collection_uuid(sp) - if m - generate_provenance_edges(visited, m) + if m = /[a-f0-9]{32}\+\d+/.match(sp) + yield m[0], nil + elsif m = Collection.uuid_regex.match(sp) + yield nil, m[0] end end end - def generate_provenance_edges(visited, uuid) - m = collection_uuid(uuid) - uuid = m if m + def search_edges(visited, uuid, direction) + if uuid.nil? or uuid.empty? or visited[uuid] + return + end - if not uuid or uuid.empty? or visited[uuid] - return "" + if loc = Keep::Locator.parse(uuid) + loc.strip_hints! + return if visited[loc.to_s] end logger.debug "visiting #{uuid}" - if m - # uuid is a collection - Collection.readable_by(current_user).where(uuid: uuid).each do |c| - visited[uuid] = c.as_api_response - visited[uuid][:files] = [] - c.files.each do |f| - visited[uuid][:files] << f + if loc + # uuid is a portable_data_hash + collections = Collection.readable_by(*@read_users).where(portable_data_hash: loc.to_s) + c = collections.limit(2).all + if c.size == 1 + visited[loc.to_s] = c[0] + elsif c.size > 1 + name = collections.limit(1).where("name <> ''").first + if name + visited[loc.to_s] = { + portable_data_hash: c[0].portable_data_hash, + name: "#{name.name} + #{collections.count-1} more" + } + else + visited[loc.to_s] = { + portable_data_hash: c[0].portable_data_hash, + name: loc.to_s + } end end - Job.readable_by(current_user).where(output: uuid).each do |job| - generate_provenance_edges(visited, job.uuid) - end + if direction == :search_up + # Search upstream for jobs where this locator is the output of some job + Job.readable_by(*@read_users).where(output: loc.to_s).each do |job| + search_edges(visited, job.uuid, :search_up) + end - Job.readable_by(current_user).where(log: uuid).each do |job| - generate_provenance_edges(visited, job.uuid) - end - - else - # uuid is something else - rsc = ArvadosModel::resource_class_for_uuid uuid - if rsc == Job - Job.readable_by(current_user).where(uuid: uuid).each do |job| - visited[uuid] = job.as_api_response - script_param_edges(visited, job.script_parameters) + Job.readable_by(*@read_users).where(log: loc.to_s).each do |job| + search_edges(visited, job.uuid, :search_up) end - elsif rsc != nil - rsc.where(uuid: uuid).each do |r| - visited[uuid] = r.as_api_response + elsif direction == :search_down + if loc.to_s == "d41d8cd98f00b204e9800998ecf8427e+0" + # Special case, don't follow the empty collection. + return end - end - end - - Link.readable_by(current_user). - where(head_uuid: uuid, link_class: "provenance"). - each do |link| - visited[link.uuid] = link.as_api_response - generate_provenance_edges(visited, link.tail_uuid) - end - - #puts "finished #{uuid}" - end - - def provenance - visited = {} - generate_provenance_edges(visited, @object[:uuid]) - render json: visited - end - - def generate_used_by_edges(visited, uuid) - m = collection_uuid(uuid) - uuid = m if m - - if not uuid or uuid.empty? or visited[uuid] - return "" - end - - logger.debug "visiting #{uuid}" - if m - # uuid is a collection - Collection.readable_by(current_user).where(uuid: uuid).each do |c| - visited[uuid] = c.as_api_response - visited[uuid][:files] = [] - c.files.each do |f| - visited[uuid][:files] << f + # Search downstream for jobs where this locator is in script_parameters + Job.readable_by(*@read_users).where(["jobs.script_parameters like ?", "%#{loc.to_s}%"]).each do |job| + search_edges(visited, job.uuid, :search_down) end - end - if uuid == "d41d8cd98f00b204e9800998ecf8427e+0" - # special case for empty collection - return - end - - Job.readable_by(current_user).where(["jobs.script_parameters like ?", "%#{uuid}%"]).each do |job| - generate_used_by_edges(visited, job.uuid) + Job.readable_by(*@read_users).where(["jobs.docker_image_locator = ?", "#{loc.to_s}"]).each do |job| + search_edges(visited, job.uuid, :search_down) + end end - else - # uuid is something else + # uuid is a regular Arvados UUID rsc = ArvadosModel::resource_class_for_uuid uuid if rsc == Job - Job.readable_by(current_user).where(uuid: uuid).each do |job| + Job.readable_by(*@read_users).where(uuid: uuid).each do |job| visited[uuid] = job.as_api_response - generate_used_by_edges(visited, job.output) + if direction == :search_up + # Follow upstream collections referenced in the script parameters + find_collections(visited, job) do |hash, uuid| + search_edges(visited, hash, :search_up) if hash + search_edges(visited, uuid, :search_up) if uuid + end + elsif direction == :search_down + # Follow downstream job output + search_edges(visited, job.output, direction) + end + end + elsif rsc == Collection + if c = Collection.readable_by(*@read_users).where(uuid: uuid).limit(1).first + search_edges(visited, c.portable_data_hash, direction) + visited[c.portable_data_hash] = c.as_api_response end elsif rsc != nil rsc.where(uuid: uuid).each do |r| @@ -238,39 +146,46 @@ class Arvados::V1::CollectionsController < ApplicationController end end - Link.readable_by(current_user). - where(tail_uuid: uuid, link_class: "provenance"). - each do |link| - visited[link.uuid] = link.as_api_response - generate_used_by_edges(visited, link.head_uuid) + if direction == :search_up + # Search for provenance links pointing to the current uuid + Link.readable_by(*@read_users). + where(head_uuid: uuid, link_class: "provenance"). + each do |link| + visited[link.uuid] = link.as_api_response + search_edges(visited, link.tail_uuid, direction) + end + elsif direction == :search_down + # Search for provenance links emanating from the current uuid + Link.readable_by(current_user). + where(tail_uuid: uuid, link_class: "provenance"). + each do |link| + visited[link.uuid] = link.as_api_response + search_edges(visited, link.head_uuid, direction) + end end + end - #puts "finished #{uuid}" + def provenance + visited = {} + search_edges(visited, @object[:portable_data_hash], :search_up) + search_edges(visited, @object[:uuid], :search_up) + send_json visited end def used_by visited = {} - generate_used_by_edges(visited, @object[:uuid]) - render json: visited + search_edges(visited, @object[:uuid], :search_down) + search_edges(visited, @object[:portable_data_hash], :search_down) + send_json visited end protected - def find_object_by_uuid + + def load_limit_offset_order_params *args super - if !@object and !params[:uuid].match(/^[0-9a-f]+\+\d+$/) - # Normalize the given uuid and search again. - hash_part = params[:uuid].match(/^([0-9a-f]*)/)[1] - collection = Collection.where('uuid like ?', hash_part + '+%').first - if collection - # We know the collection exists, and what its real uuid is in - # the database. Now, throw out @objects and repeat the usual - # lookup procedure. (Returning the collection at this point - # would bypass permission checks.) - @objects = nil - @where = { uuid: collection.uuid } - find_objects_for_index - @object = @objects.first - end + if action_name == 'index' + # Omit manifest_text from index results unless expressly selected. + @select ||= model_class.selectable_attributes - ["manifest_text"] end end end