X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c9a361f7fd3b1cf7f4959e9b0292d0f495d82771..b20e9017fae4dc9876f4ffee56add1c58f3e3f21:/services/api/app/controllers/application_controller.rb

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 71fb365fc6..c4f64f6039 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'safe_json'
 
 module ApiTemplateOverride
@@ -18,8 +22,8 @@ end
 require 'load_param'
 
 class ApplicationController < ActionController::Base
-  include CurrentApiClient
   include ThemesForRails::ActionController
+  include CurrentApiClient
   include LoadParam
   include DbCurrentTime
 
@@ -28,6 +32,7 @@ class ApplicationController < ActionController::Base
 
   ERROR_ACTIONS = [:render_error, :render_not_found]
 
+  around_filter :set_current_request_id
   before_filter :disable_api_methods
   before_filter :set_cors_headers
   before_filter :respond_with_json_by_default
@@ -47,7 +52,7 @@ class ApplicationController < ActionController::Base
   before_filter(:render_404_if_no_object,
                 except: [:index, :create] + ERROR_ACTIONS)
 
-  theme :select_theme
+  theme Rails.configuration.arvados_theme
 
   attr_writer :resource_attrs
 
@@ -83,7 +88,6 @@ class ApplicationController < ActionController::Base
   end
 
   def index
-    @objects.uniq!(&:id) if @select.nil? or @select.include? "id"
     if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != ''
       @objects.each(&:eager_load_associations)
     end
@@ -176,18 +180,9 @@ class ApplicationController < ActionController::Base
            }.merge opts)
   end
 
-  def self.limit_index_columns_read
-    # This method returns a list of column names.
-    # If an index request reads that column from the database,
-    # find_objects_for_index will only fetch objects until it reads
-    # max_index_database_read bytes of data from those columns.
-    []
-  end
-
   def find_objects_for_index
-    @objects ||= model_class.readable_by(*@read_users)
+    @objects ||= model_class.readable_by(*@read_users, {:include_trash => (params[:include_trash] || 'untrash' == action_name)})
     apply_where_limit_order_params
-    limit_database_read if (action_name == "index")
   end
 
   def apply_filters model_class=nil
@@ -276,15 +271,21 @@ class ApplicationController < ActionController::Base
     @objects = @objects.uniq(@distinct) if not @distinct.nil?
   end
 
-  def limit_database_read
-    limit_columns = self.class.limit_index_columns_read
+  # limit_database_read ensures @objects (which must be an
+  # ActiveRelation) does not return too many results to fit in memory,
+  # by previewing the results and calling @objects.limit() if
+  # necessary.
+  def limit_database_read(model_class:)
+    return if @limit == 0 || @limit == 1
+    model_class ||= self.model_class
+    limit_columns = model_class.limit_index_columns_read
     limit_columns &= model_class.columns_for_attributes(@select) if @select
     return if limit_columns.empty?
     model_class.transaction do
       limit_query = @objects.
-        except(:select).
+        except(:select, :distinct).
         select("(%s) as read_length" %
-               limit_columns.map { |s| "octet_length(#{s})" }.join(" + "))
+               limit_columns.map { |s| "octet_length(#{model_class.table_name}.#{s})" }.join(" + "))
       new_limit = 0
       read_total = 0
       limit_query.each do |record|
@@ -292,12 +293,12 @@ class ApplicationController < ActionController::Base
         read_total += record.read_length.to_i
         if read_total >= Rails.configuration.max_index_database_read
           new_limit -= 1 if new_limit > 1
+          @limit = new_limit
           break
         elsif new_limit >= @limit
           break
         end
       end
-      @limit = new_limit
       @objects = @objects.limit(@limit)
       # Force @objects to run its query inside this transaction.
       @objects.each { |_| break }
@@ -344,7 +345,7 @@ class ApplicationController < ActionController::Base
         .all
     end
     @read_auths.select! { |auth| auth.scopes_allow_request? request }
-    @read_users = @read_auths.map { |auth| auth.user }.uniq
+    @read_users = @read_auths.map(&:user).uniq
   end
 
   def require_login
@@ -364,7 +365,7 @@ class ApplicationController < ActionController::Base
   end
 
   def require_auth_scope
-    if @read_auths.empty?
+    unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid }
       if require_login != false
         send_error("Forbidden", status: 403)
       end
@@ -372,6 +373,25 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def set_current_request_id
+    req_id = request.headers['X-Request-Id']
+    if !req_id || req_id.length < 1 || req_id.length > 1024
+      # Client-supplied ID is either missing or too long to be
+      # considered friendly.
+      req_id = "req-" + Random::DEFAULT.rand(2**128).to_s(36)[0..19]
+    end
+    response.headers['X-Request-Id'] = Thread.current[:request_id] = req_id
+    yield
+    Thread.current[:request_id] = nil
+  end
+
+  def append_info_to_payload(payload)
+    super
+    payload[:request_id] = response.headers['X-Request-Id']
+    payload[:client_ipaddr] = @remote_ip
+    payload[:client_auth] = current_api_client_authorization.andand.uuid || nil
+  end
+
   def disable_api_methods
     if Rails.configuration.disable_api_methods.
         include?(controller_name + "." + action_name)
@@ -382,7 +402,7 @@ class ApplicationController < ActionController::Base
   def set_cors_headers
     response.headers['Access-Control-Allow-Origin'] = '*'
     response.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, PUT, POST, DELETE'
-    response.headers['Access-Control-Allow-Headers'] = 'Authorization'
+    response.headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type'
     response.headers['Access-Control-Max-Age'] = '86486400'
   end
 
@@ -459,7 +479,10 @@ class ApplicationController < ActionController::Base
   end
   accept_param_as_json :reader_tokens, Array
 
-  def object_list
+  def object_list(model_class:)
+    if @objects.respond_to?(:except)
+      limit_database_read(model_class: model_class)
+    end
     list = {
       :kind  => "arvados##{(@response_resource_name || resource_name).camelize(:lower)}List",
       :etag => "",
@@ -483,12 +506,12 @@ class ApplicationController < ActionController::Base
   end
 
   def render_list
-    send_json object_list
+    send_json object_list(model_class: self.model_class)
   end
 
   def remote_ip
     # Caveat: this is highly dependent on the proxy setup. YMMV.
-    if request.headers.has_key?('HTTP_X_REAL_IP') then
+    if request.headers.key?('HTTP_X_REAL_IP') then
       # We're behind a reverse proxy
       @remote_ip = request.headers['HTTP_X_REAL_IP']
     else
@@ -531,6 +554,10 @@ class ApplicationController < ActionController::Base
     }
   end
 
+  def self._update_requires_parameters
+    {}
+  end
+
   def self._index_requires_parameters
     {
       filters: { type: 'array', required: false },
@@ -562,8 +589,4 @@ class ApplicationController < ActionController::Base
     end
     super(*opts)
   end
-
-  def select_theme
-    return Rails.configuration.arvados_theme
-  end
 end