X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d80be38b5be2c607d3aa0855c69b9f4e0c3fbed0..9048749c1419cf5e130a4b5d992a2b9c5bafd9cf:/services/api/app/models/collection.rb diff --git a/services/api/app/models/collection.rb b/services/api/app/models/collection.rb index 4fab364ae4..4f774d6f9c 100644 --- a/services/api/app/models/collection.rb +++ b/services/api/app/models/collection.rb @@ -1,4 +1,5 @@ require 'arvados/keep' +require 'sweep_trashed_collections' class Collection < ArvadosModel extend DbCurrentTime @@ -8,15 +9,21 @@ class Collection < ArvadosModel serialize :properties, Hash + before_validation :set_validation_timestamp + before_validation :default_empty_manifest before_validation :check_encoding + before_validation :check_manifest_validity before_validation :check_signatures before_validation :strip_signatures_and_update_replication_confirmed - before_validation :set_portable_data_hash + before_validation :ensure_trash_at_not_in_past + before_validation :sync_trash_state + before_validation :default_trash_interval validate :ensure_pdh_matches_manifest_text + validate :validate_trash_and_delete_timing before_save :set_file_names - # Query only undeleted collections by default. - default_scope where("expires_at IS NULL or expires_at > CURRENT_TIMESTAMP") + # Query only untrashed collections by default. + default_scope where("is_trashed = false") api_accessible :user, extend: :common do |t| t.add :name @@ -27,9 +34,15 @@ class Collection < ArvadosModel t.add :replication_desired t.add :replication_confirmed t.add :replication_confirmed_at + t.add :delete_at + t.add :trash_at + t.add :is_trashed end - LOCATOR_REGEXP = /^([[:xdigit:]]{32})(\+([[:digit:]]+))?(\+([[:upper:]][[:alnum:]+@_-]*))?$/ + after_initialize do + @signatures_checked = false + @computed_pdh_for_manifest_text = false + end def self.attributes_required_columns super.merge( @@ -38,10 +51,17 @@ class Collection < ArvadosModel # expose signed_manifest_text as manifest_text in the # API response, and never let clients select the # manifest_text column. - 'manifest_text' => ['manifest_text'], + # + # We need trash_at and is_trashed to determine the + # correct timestamp in signed_manifest_text. + 'manifest_text' => ['manifest_text', 'trash_at', 'is_trashed'], ) end + def self.ignored_select_attributes + super + ["updated_at", "file_names"] + end + FILE_TOKEN = /^[[:digit:]]+:[[:digit:]]+:/ def check_signatures return false if self.manifest_text.nil? @@ -53,7 +73,9 @@ class Collection < ArvadosModel # subsequent passes without checking any signatures. This is # important because the signatures have probably been stripped off # by the time we get to a second validation pass! - return true if @signatures_checked and @signatures_checked == computed_pdh + if @signatures_checked && @signatures_checked == computed_pdh + return true + end if self.manifest_text_changed? # Check permissions on the collection manifest. @@ -62,11 +84,13 @@ class Collection < ArvadosModel api_token = current_api_client_authorization.andand.api_token signing_opts = { api_token: api_token, - now: db_current_time.to_i, + now: @validation_timestamp.to_i, } - self.manifest_text.lines.each do |entry| - entry.split[1..-1].each do |tok| - if tok =~ FILE_TOKEN + self.manifest_text.each_line do |entry| + entry.split.each do |tok| + if tok == '.' or tok.starts_with? './' + # Stream name token. + elsif tok =~ FILE_TOKEN # This is a filename token, not a blob locator. Note that we # keep checking tokens after this, even though manifest # format dictates that all subsequent tokens will also be @@ -95,56 +119,53 @@ class Collection < ArvadosModel def strip_signatures_and_update_replication_confirmed if self.manifest_text_changed? in_old_manifest = {} - self.class.munge_manifest_locators(manifest_text_was) do |match| - in_old_manifest[match[1]] = true + if not self.replication_confirmed.nil? + self.class.each_manifest_locator(manifest_text_was) do |match| + in_old_manifest[match[1]] = true + end end - cleared_replication_confirmed = false - - # Remove any permission signatures from the manifest. - self[:manifest_text] = self.class.munge_manifest_locators(self[:manifest_text]) do |match| - if not cleared_replication_confirmed and not in_old_manifest[match[1]] + stripped_manifest = self.class.munge_manifest_locators(manifest_text) do |match| + if not self.replication_confirmed.nil? and not in_old_manifest[match[1]] + # If the new manifest_text contains locators whose hashes + # weren't in the old manifest_text, storage replication is no + # longer confirmed. self.replication_confirmed_at = nil self.replication_confirmed = nil - cleared_replication_confirmed = true end + + # Return the locator with all permission signatures removed, + # but otherwise intact. match[0].gsub(/\+A[^+]*/, '') end - end - @computed_pdh_for_manifest_text = self[:manifest_text] if @computed_pdh_for_manifest_text - true - end - def set_portable_data_hash - if (portable_data_hash.nil? or - portable_data_hash == "" or - (manifest_text_changed? and !portable_data_hash_changed?)) - self.portable_data_hash = computed_pdh - elsif portable_data_hash_changed? - begin - loc = Keep::Locator.parse!(self.portable_data_hash) - loc.strip_hints! - if loc.size - self.portable_data_hash = loc.to_s - else - self.portable_data_hash = "#{loc.hash}+#{portable_manifest_text.bytesize}" - end - rescue ArgumentError => e - errors.add(:portable_data_hash, "#{e}") - return false + if @computed_pdh_for_manifest_text == manifest_text + # If the cached PDH was valid before stripping, it is still + # valid after stripping. + @computed_pdh_for_manifest_text = stripped_manifest.dup end + + self[:manifest_text] = stripped_manifest end true end def ensure_pdh_matches_manifest_text - return true unless manifest_text_changed? or portable_data_hash_changed? - # No need verify it if :set_portable_data_hash just computed it! - expect_pdh = computed_pdh - if expect_pdh != portable_data_hash + if not manifest_text_changed? and not portable_data_hash_changed? + true + elsif portable_data_hash.nil? or not portable_data_hash_changed? + self.portable_data_hash = computed_pdh + elsif portable_data_hash !~ Keep::Locator::LOCATOR_REGEXP + errors.add(:portable_data_hash, "is not a valid locator") + false + elsif portable_data_hash[0..31] != computed_pdh[0..31] errors.add(:portable_data_hash, - "does not match computed hash #{expect_pdh}") - return false + "does not match computed hash #{computed_pdh}") + false + else + # Ignore the client-provided size part: always store + # computed_pdh in the database. + self.portable_data_hash = computed_pdh end end @@ -174,6 +195,10 @@ class Collection < ArvadosModel names[0,2**12] end + def default_empty_manifest + self.manifest_text ||= '' + end + def check_encoding if manifest_text.encoding.name == 'UTF-8' and manifest_text.valid_encoding? true @@ -186,7 +211,7 @@ class Collection < ArvadosModel utf8 = manifest_text utf8.force_encoding Encoding::UTF_8 if utf8.valid_encoding? and utf8 == manifest_text.encode(Encoding::UTF_8) - manifest_text = utf8 + self.manifest_text = utf8 return true end rescue @@ -196,17 +221,36 @@ class Collection < ArvadosModel end end + def check_manifest_validity + begin + Keep::Manifest.validate! manifest_text + true + rescue ArgumentError => e + errors.add :manifest_text, e.message + false + end + end + def signed_manifest_text - if has_attribute? :manifest_text + if !has_attribute? :manifest_text + return nil + elsif is_trashed + return manifest_text + else token = current_api_client_authorization.andand.api_token - @signed_manifest_text = self.class.sign_manifest manifest_text, token + exp = [db_current_time.to_i + Rails.configuration.blob_signature_ttl, + trash_at].compact.map(&:to_i).min + self.class.sign_manifest manifest_text, token, exp end end - def self.sign_manifest manifest, token + def self.sign_manifest manifest, token, exp=nil + if exp.nil? + exp = db_current_time.to_i + Rails.configuration.blob_signature_ttl + end signing_opts = { api_token: token, - expire: db_current_time.to_i + Rails.configuration.blob_signature_ttl, + expire: exp, } m = munge_manifest_locators(manifest) do |match| Blob.sign_locator(match[0], signing_opts) @@ -215,18 +259,20 @@ class Collection < ArvadosModel end def self.munge_manifest_locators manifest - # Given a manifest text and a block, yield each locator, - # and replace it with whatever the block returns. + # Given a manifest text and a block, yield the regexp MatchData + # for each locator. Return a new manifest in which each locator + # has been replaced by the block's return value. return nil if !manifest - return '' if !manifest.present? + return '' if manifest == '' new_lines = [] - lines = manifest.split("\n") - lines.each do |line| - words = line.split(' ') + manifest.each_line do |line| + line.rstrip! new_words = [] - words.each do |word| - if match = LOCATOR_REGEXP.match(word) + line.split(' ').each do |word| + if new_words.empty? + new_words << word + elsif match = Keep::Locator::LOCATOR_REGEXP.match(word) new_words << yield(match) else new_words << word @@ -234,18 +280,31 @@ class Collection < ArvadosModel end new_lines << new_words.join(' ') end + new_lines.join("\n") + "\n" + end - manifest = new_lines.join("\n") + "\n" + def self.each_manifest_locator manifest + # Given a manifest text and a block, yield the regexp match object + # for each locator. + manifest.each_line do |line| + # line will have a trailing newline, but the last token is never + # a locator, so it's harmless here. + line.split(' ').each do |word| + if match = Keep::Locator::LOCATOR_REGEXP.match(word) + yield(match) + end + end + end end def self.normalize_uuid uuid hash_part = nil size_part = nil uuid.split('+').each do |token| - if token.match /^[0-9a-f]{32,}$/ + if token.match(/^[0-9a-f]{32,}$/) raise "uuid #{uuid} has multiple hash parts" if hash_part hash_part = token - elsif token.match /^\d+$/ + elsif token.match(/^\d+$/) raise "uuid #{uuid} has multiple size parts" if size_part size_part = token end @@ -273,7 +332,7 @@ class Collection < ArvadosModel # looks like a saved Docker image. manifest = Keep::Manifest.new(coll_match.manifest_text) if manifest.exact_file_count?(1) and - (manifest.files[0][1] =~ /^[0-9A-Fa-f]{64}\.tar$/) + (manifest.files[0][1] =~ /^(sha256:)?[0-9A-Fa-f]{64}\.tar$/) return [coll_match] end end @@ -319,16 +378,20 @@ class Collection < ArvadosModel super - ["manifest_text"] end + def self.where *args + SweepTrashedCollections.sweep_if_stale + super + end + protected def portable_manifest_text - portable_manifest = self.class.munge_manifest_locators(manifest_text) do |match| + self.class.munge_manifest_locators(manifest_text) do |match| if match[2] # size match[1] + match[2] else match[1] end end - portable_manifest end def compute_pdh @@ -355,4 +418,66 @@ class Collection < ArvadosModel end super end + + # Use a single timestamp for all validations, even though each + # validation runs at a different time. + def set_validation_timestamp + @validation_timestamp = db_current_time + end + + # If trash_at is being changed to a time in the past, change it to + # now. This allows clients to say "expires {client-current-time}" + # without failing due to clock skew, while avoiding odd log entries + # like "expiry date changed to {1 year ago}". + def ensure_trash_at_not_in_past + if trash_at_changed? && trash_at + self.trash_at = [@validation_timestamp, trash_at].max + end + end + + # Caller can move into/out of trash by setting/clearing is_trashed + # -- however, if the caller also changes trash_at, then any changes + # to is_trashed are ignored. + def sync_trash_state + if is_trashed_changed? && !trash_at_changed? + if is_trashed + self.trash_at = @validation_timestamp + else + self.trash_at = nil + self.delete_at = nil + end + end + self.is_trashed = trash_at && trash_at <= @validation_timestamp || false + true + end + + # If trash_at is updated without touching delete_at, automatically + # update delete_at to a sensible value. + def default_trash_interval + if trash_at_changed? && !delete_at_changed? + if trash_at.nil? + self.delete_at = nil + else + self.delete_at = trash_at + Rails.configuration.default_trash_lifetime.seconds + end + end + end + + def validate_trash_and_delete_timing + if trash_at.nil? != delete_at.nil? + errors.add :delete_at, "must be set if trash_at is set, and must be nil otherwise" + end + + earliest_delete = ([@validation_timestamp, trash_at_was].compact.min + + Rails.configuration.blob_signature_ttl.seconds) + if delete_at && delete_at < earliest_delete + errors.add :delete_at, "#{delete_at} is too soon: earliest allowed is #{earliest_delete}" + end + + if delete_at && delete_at < trash_at + errors.add :delete_at, "must not be earlier than trash_at" + end + + true + end end