X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c8b119d10b41cd507a6677d4feab7974362a153e..4a1735427d84743f6c2f3576263fdcae397cf9e9:/services/api/app/models/link.rb diff --git a/services/api/app/models/link.rb b/services/api/app/models/link.rb index 21d89767c7..4d4c2832bb 100644 --- a/services/api/app/models/link.rb +++ b/services/api/app/models/link.rb @@ -12,11 +12,15 @@ class Link < ArvadosModel attribute :properties, :jsonbHash, default: {} validate :name_links_are_obsolete - before_create :permission_to_attach_to_objects - before_update :permission_to_attach_to_objects + validate :permission_to_attach_to_objects + before_update :restrict_alter_permissions + before_update :apply_max_overlapping_permissions + before_create :apply_max_overlapping_permissions + after_update :delete_overlapping_permissions after_update :call_update_permissions after_create :call_update_permissions before_destroy :clear_permissions + after_destroy :delete_overlapping_permissions after_destroy :check_permissions api_accessible :user, extend: :common do |t| @@ -29,6 +33,58 @@ class Link < ArvadosModel t.add :properties end + PermLevel = { + 'can_read' => 0, + 'can_write' => 1, + 'can_manage' => 2, + } + + def apply_max_overlapping_permissions + return if self.link_class != 'permission' || !PermLevel[self.name] + Link. + lock. # select ... for update + where(link_class: 'permission', + tail_uuid: self.tail_uuid, + head_uuid: self.head_uuid, + name: PermLevel.keys). + where('uuid <> ?', self.uuid).each do |other| + if PermLevel[other.name] > PermLevel[self.name] + self.name = other.name + end + end + end + + def delete_overlapping_permissions + return if self.link_class != 'permission' + redundant = nil + if PermLevel[self.name] + redundant = Link. + lock. # select ... for update + where(link_class: 'permission', + tail_uuid: self.tail_uuid, + head_uuid: self.head_uuid, + name: PermLevel.keys). + where('uuid <> ?', self.uuid) + elsif self.name == 'can_login' && + self.properties.respond_to?(:has_key?) && + self.properties.has_key?('username') + redundant = Link. + lock. # select ... for update + where(link_class: 'permission', + tail_uuid: self.tail_uuid, + head_uuid: self.head_uuid, + name: 'can_login'). + where('properties @> ?', SafeJSON.dump({'username' => self.properties['username']})). + where('uuid <> ?', self.uuid) + end + if redundant + redundant.each do |link| + link.clear_permissions + end + redundant.delete_all + end + end + def head_kind if k = ArvadosModel::resource_class_for_uuid(head_uuid) k.kind @@ -43,6 +99,28 @@ class Link < ArvadosModel protected + def check_readable_uuid attr, attr_value + if attr == 'tail_uuid' && + !attr_value.nil? && + self.link_class == 'permission' && + attr_value[0..4] != Rails.configuration.ClusterID && + ApiClientAuthorization.remote_host(uuid_prefix: attr_value[0..4]) && + ArvadosModel::resource_class_for_uuid(attr_value) == User + # Permission link tail is a remote user (the user permissions + # are being granted to), so bypass the standard check that a + # referenced object uuid is readable by current user. + # + # We could do a call to the remote cluster to check if the user + # in tail_uuid exists. This would detect copy-and-paste errors, + # but add another way for the request to fail, and I don't think + # it would improve security. It doesn't seem to be worth the + # complexity tradeoff. + true + else + super + end + end + def permission_to_attach_to_objects # Anonymous users cannot write links return false if !current_user @@ -50,13 +128,42 @@ class Link < ArvadosModel # All users can write links that don't affect permissions return true if self.link_class != 'permission' + if PERM_LEVEL[self.name].nil? + errors.add(:name, "is invalid permission, must be one of 'can_read', 'can_write', 'can_manage', 'can_login'") + return false + end + + rsc_class = ArvadosModel::resource_class_for_uuid tail_uuid + if rsc_class == Group + tail_obj = Group.find_by_uuid(tail_uuid) + if tail_obj.nil? + errors.add(:tail_uuid, "does not exist") + return false + end + if tail_obj.group_class != "role" + errors.add(:tail_uuid, "must be a user or role, was group with group_class #{tail_obj.group_class}") + return false + end + elsif rsc_class != User + errors.add(:tail_uuid, "must be a user or role") + return false + end + # Administrators can grant permissions return true if current_user.is_admin head_obj = ArvadosModel.find_by_uuid(head_uuid) + if head_obj.nil? + errors.add(:head_uuid, "does not exist") + return false + end + # No permission links can be pointed to past collection versions - return false if head_obj.is_a?(Collection) && head_obj.current_version_uuid != head_uuid + if head_obj.is_a?(Collection) && head_obj.current_version_uuid != head_uuid + errors.add(:head_uuid, "cannot point to a past version of a collection") + return false + end # All users can grant permissions on objects they own or can manage return true if current_user.can?(manage: head_obj) @@ -65,6 +172,16 @@ class Link < ArvadosModel false end + def restrict_alter_permissions + return true if self.link_class != 'permission' && self.link_class_was != 'permission' + + return true if current_user.andand.uuid == system_user.uuid + + if link_class_changed? || tail_uuid_changed? || head_uuid_changed? + raise "Can only alter permission link level" + end + end + PERM_LEVEL = { 'can_read' => 1, 'can_login' => 1, @@ -75,12 +192,14 @@ class Link < ArvadosModel def call_update_permissions if self.link_class == 'permission' update_permissions tail_uuid, head_uuid, PERM_LEVEL[name], self.uuid + current_user.forget_cached_group_perms end end def clear_permissions if self.link_class == 'permission' update_permissions tail_uuid, head_uuid, REVOKE_PERM, self.uuid + current_user.forget_cached_group_perms end end