X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/cc988c81ad543eb4e8ad88416e4c2fcb937abd11..09a2e88c51e5432e607f2a38466e55b4ba15e887:/services/api/app/models/collection.rb diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb index f7a715af58..901084c763 100644 --- a/services/api/app/models/collection.rb +++ b/services/api/app/models/collection.rb @@ -8,16 +8,17 @@ class Collection < ArvadosModel serialize :properties, Hash + before_validation :default_empty_manifest before_validation :check_encoding + before_validation :check_manifest_validity before_validation :check_signatures - before_validation :strip_manifest_text - before_validation :set_portable_data_hash - before_validation :maybe_clear_replication_confirmed - validate :ensure_hash_matches_manifest_text + before_validation :strip_signatures_and_update_replication_confirmed + validate :ensure_pdh_matches_manifest_text before_save :set_file_names + before_save :expires_at_not_in_past # Query only undeleted collections by default. - default_scope where("expires_at IS NULL or expires_at > CURRENT_TIMESTAMP") + default_scope where("expires_at IS NULL or expires_at > statement_timestamp()") api_accessible :user, extend: :common do |t| t.add :name @@ -28,6 +29,12 @@ class Collection < ArvadosModel t.add :replication_desired t.add :replication_confirmed t.add :replication_confirmed_at + t.add :expires_at + end + + after_initialize do + @signatures_checked = false + @computed_pdh_for_manifest_text = false end def self.attributes_required_columns @@ -37,10 +44,18 @@ class Collection < ArvadosModel # expose signed_manifest_text as manifest_text in the # API response, and never let clients select the # manifest_text column. - 'manifest_text' => ['manifest_text'], + # + # We need expires_at to determine the correct + # timestamp in signed_manifest_text. + 'manifest_text' => ['manifest_text', 'expires_at'], ) end + def self.ignored_select_attributes + super + ["updated_at", "file_names"] + end + + FILE_TOKEN = /^[[:digit:]]+:[[:digit:]]+:/ def check_signatures return false if self.manifest_text.nil? @@ -51,8 +66,9 @@ class Collection < ArvadosModel # subsequent passes without checking any signatures. This is # important because the signatures have probably been stripped off # by the time we get to a second validation pass! - computed_pdh = compute_pdh - return true if @signatures_checked and @signatures_checked == computed_pdh + if @signatures_checked && @signatures_checked == computed_pdh + return true + end if self.manifest_text_changed? # Check permissions on the collection manifest. @@ -63,9 +79,11 @@ class Collection < ArvadosModel api_token: api_token, now: db_current_time.to_i, } - self.manifest_text.lines.each do |entry| - entry.split[1..-1].each do |tok| - if /^[[:digit:]]+:[[:digit:]]+:/.match tok + self.manifest_text.each_line do |entry| + entry.split.each do |tok| + if tok == '.' or tok.starts_with? './' + # Stream name token. + elsif tok =~ FILE_TOKEN # This is a filename token, not a blob locator. Note that we # keep checking tokens after this, even though manifest # format dictates that all subsequent tokens will also be @@ -91,49 +109,56 @@ class Collection < ArvadosModel @signatures_checked = computed_pdh end - def strip_manifest_text + def strip_signatures_and_update_replication_confirmed if self.manifest_text_changed? - # Remove any permission signatures from the manifest. - self.class.munge_manifest_locators!(self[:manifest_text]) do |loc| - loc.without_signature.to_s + in_old_manifest = {} + if not self.replication_confirmed.nil? + self.class.each_manifest_locator(manifest_text_was) do |match| + in_old_manifest[match[1]] = true + end end - end - true - end - def set_portable_data_hash - if (portable_data_hash.nil? or - portable_data_hash == "" or - (manifest_text_changed? and !portable_data_hash_changed?)) - @need_pdh_validation = false - self.portable_data_hash = compute_pdh - elsif portable_data_hash_changed? - @need_pdh_validation = true - begin - loc = Keep::Locator.parse!(self.portable_data_hash) - loc.strip_hints! - if loc.size - self.portable_data_hash = loc.to_s - else - self.portable_data_hash = "#{loc.hash}+#{portable_manifest_text.bytesize}" + stripped_manifest = self.class.munge_manifest_locators(manifest_text) do |match| + if not self.replication_confirmed.nil? and not in_old_manifest[match[1]] + # If the new manifest_text contains locators whose hashes + # weren't in the old manifest_text, storage replication is no + # longer confirmed. + self.replication_confirmed_at = nil + self.replication_confirmed = nil end - rescue ArgumentError => e - errors.add(:portable_data_hash, "#{e}") - return false + + # Return the locator with all permission signatures removed, + # but otherwise intact. + match[0].gsub(/\+A[^+]*/, '') + end + + if @computed_pdh_for_manifest_text == manifest_text + # If the cached PDH was valid before stripping, it is still + # valid after stripping. + @computed_pdh_for_manifest_text = stripped_manifest.dup end + + self[:manifest_text] = stripped_manifest end true end - def ensure_hash_matches_manifest_text - return true unless manifest_text_changed? or portable_data_hash_changed? - # No need verify it if :set_portable_data_hash just computed it! - return true if not @need_pdh_validation - expect_pdh = compute_pdh - if expect_pdh != portable_data_hash + def ensure_pdh_matches_manifest_text + if not manifest_text_changed? and not portable_data_hash_changed? + true + elsif portable_data_hash.nil? or not portable_data_hash_changed? + self.portable_data_hash = computed_pdh + elsif portable_data_hash !~ Keep::Locator::LOCATOR_REGEXP + errors.add(:portable_data_hash, "is not a valid locator") + false + elsif portable_data_hash[0..31] != computed_pdh[0..31] errors.add(:portable_data_hash, - "does not match computed hash #{expect_pdh}") - return false + "does not match computed hash #{computed_pdh}") + false + else + # Ignore the client-provided size part: always store + # computed_pdh in the database. + self.portable_data_hash = computed_pdh end end @@ -163,6 +188,10 @@ class Collection < ArvadosModel names[0,2**12] end + def default_empty_manifest + self.manifest_text ||= '' + end + def check_encoding if manifest_text.encoding.name == 'UTF-8' and manifest_text.valid_encoding? true @@ -175,7 +204,7 @@ class Collection < ArvadosModel utf8 = manifest_text utf8.force_encoding Encoding::UTF_8 if utf8.valid_encoding? and utf8 == manifest_text.encode(Encoding::UTF_8) - manifest_text = utf8 + self.manifest_text = utf8 return true end rescue @@ -185,42 +214,74 @@ class Collection < ArvadosModel end end + def check_manifest_validity + begin + Keep::Manifest.validate! manifest_text + true + rescue ArgumentError => e + errors.add :manifest_text, e.message + false + end + end + def signed_manifest_text if has_attribute? :manifest_text token = current_api_client_authorization.andand.api_token - @signed_manifest_text = self.class.sign_manifest manifest_text, token + exp = [db_current_time.to_i + Rails.configuration.blob_signature_ttl, + expires_at].compact.map(&:to_i).min + @signed_manifest_text = self.class.sign_manifest manifest_text, token, exp end end - def self.sign_manifest manifest, token + def self.sign_manifest manifest, token, exp=nil + if exp.nil? + exp = db_current_time.to_i + Rails.configuration.blob_signature_ttl + end signing_opts = { api_token: token, - expire: db_current_time.to_i + Rails.configuration.blob_signature_ttl, + expire: exp, } - m = manifest.dup - munge_manifest_locators!(m) do |loc| - Blob.sign_locator(loc.to_s, signing_opts) + m = munge_manifest_locators(manifest) do |match| + Blob.sign_locator(match[0], signing_opts) end return m end - def self.munge_manifest_locators! manifest - # Given a manifest text and a block, yield each locator, - # and replace it with whatever the block returns. - manifest.andand.gsub!(/ [[:xdigit:]]{32}(\+\S+)?/) do |word| - if loc = Keep::Locator.parse(word.strip) - " " + yield(loc) - else - " " + word + def self.munge_manifest_locators manifest + # Given a manifest text and a block, yield the regexp MatchData + # for each locator. Return a new manifest in which each locator + # has been replaced by the block's return value. + return nil if !manifest + return '' if manifest == '' + + new_lines = [] + manifest.each_line do |line| + line.rstrip! + new_words = [] + line.split(' ').each do |word| + if new_words.empty? + new_words << word + elsif match = Keep::Locator::LOCATOR_REGEXP.match(word) + new_words << yield(match) + else + new_words << word + end end + new_lines << new_words.join(' ') end + new_lines.join("\n") + "\n" end def self.each_manifest_locator manifest - # Given a manifest text and a block, yield each locator. - manifest.andand.scan(/ ([[:xdigit:]]{32}(\+\S+)?)/) do |word, _| - if loc = Keep::Locator.parse(word) - yield loc + # Given a manifest text and a block, yield the regexp match object + # for each locator. + manifest.each_line do |line| + # line will have a trailing newline, but the last token is never + # a locator, so it's harmless here. + line.split(' ').each do |word| + if match = Keep::Locator::LOCATOR_REGEXP.match(word) + yield(match) + end end end end @@ -229,10 +290,10 @@ class Collection < ArvadosModel hash_part = nil size_part = nil uuid.split('+').each do |token| - if token.match /^[0-9a-f]{32,}$/ + if token.match(/^[0-9a-f]{32,}$/) raise "uuid #{uuid} has multiple hash parts" if hash_part hash_part = token - elsif token.match /^\d+$/ + elsif token.match(/^\d+$/) raise "uuid #{uuid} has multiple size parts" if size_part size_part = token end @@ -260,7 +321,7 @@ class Collection < ArvadosModel # looks like a saved Docker image. manifest = Keep::Manifest.new(coll_match.manifest_text) if manifest.exact_file_count?(1) and - (manifest.files[0][1] =~ /^[0-9A-Fa-f]{64}\.tar$/) + (manifest.files[0][1] =~ /^(sha256:)?[0-9A-Fa-f]{64}\.tar$/) return [coll_match] end end @@ -308,15 +369,13 @@ class Collection < ArvadosModel protected def portable_manifest_text - portable_manifest = self[:manifest_text].dup - self.class.munge_manifest_locators!(portable_manifest) do |loc| - if loc.size - loc.hash + '+' + loc.size.to_s + self.class.munge_manifest_locators(manifest_text) do |match| + if match[2] # size + match[1] + match[2] else - loc.hash + match[1] end end - portable_manifest end def compute_pdh @@ -326,23 +385,13 @@ class Collection < ArvadosModel portable_manifest.bytesize.to_s) end - def maybe_clear_replication_confirmed - if manifest_text_changed? - # If the new manifest_text contains locators whose hashes - # weren't in the old manifest_text, storage replication is no - # longer confirmed. - in_old_manifest = {} - self.class.each_manifest_locator(manifest_text_was) do |loc| - in_old_manifest[loc.hash] = true - end - self.class.each_manifest_locator(manifest_text) do |loc| - if not in_old_manifest[loc.hash] - self.replication_confirmed_at = nil - self.replication_confirmed = nil - break - end - end + def computed_pdh + if @computed_pdh_for_manifest_text == manifest_text + return @computed_pdh end + @computed_pdh = compute_pdh + @computed_pdh_for_manifest_text = manifest_text.dup + @computed_pdh end def ensure_permission_to_save @@ -353,4 +402,14 @@ class Collection < ArvadosModel end super end + + # If expires_at is being changed to a time in the past, change it to + # now. This allows clients to say "expires {client-current-time}" + # without failing due to clock skew, while avoiding odd log entries + # like "expiry date changed to {1 year ago}". + def expires_at_not_in_past + if expires_at_changed? and expires_at + self.expires_at = [db_current_time, expires_at].max + end + end end