X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f4ca9ad94a6bb006d1f3c7ba207837f1736d1247..ed1acd6fd780467ba69998e76e28fda61beedc0f:/services/api/app/models/user.rb

diff --git a/services/api/app/models/user.rb b/services/api/app/models/user.rb
index 2200d05099..78ec7bea1e 100644
--- a/services/api/app/models/user.rb
+++ b/services/api/app/models/user.rb
@@ -57,6 +57,14 @@ class User < ArvadosModel
 
   ALL_PERMISSIONS = {read: true, write: true, manage: true}
 
+  # Map numeric permission levels (see lib/create_permission_view.sql)
+  # back to read/write/manage flags.
+  PERMS_FOR_VAL =
+    [{},
+     {read: true},
+     {read: true, write: true},
+     {read: true, write: true, manage: true}]
+
   def full_name
     "#{first_name} #{last_name}".strip
   end
@@ -64,7 +72,7 @@ class User < ArvadosModel
   def is_invited
     !!(self.is_active ||
        Rails.configuration.new_users_are_active ||
-       self.groups_i_can(:read).select { |x| x.match /-f+$/ }.first)
+       self.groups_i_can(:read).select { |x| x.match(/-f+$/) }.first)
   end
 
   def groups_i_can(verb)
@@ -123,67 +131,68 @@ class User < ArvadosModel
     true
   end
 
-  def self.invalidate_permissions_cache
-    Rails.cache.delete_matched(/^groups_for_user_/)
+  def self.invalidate_permissions_cache(timestamp=nil)
+    if Rails.configuration.async_permissions_update
+      timestamp = DbCurrentTime::db_current_time.to_i if timestamp.nil?
+      connection.execute "NOTIFY invalidate_permissions_cache, '#{timestamp}'"
+    else
+      Rails.cache.delete_matched(/^groups_for_user_/)
+    end
+  end
+
+  # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
+  # and perm_hash[:write] are true if this user can read and write
+  # objects owned by group_uuid.
+  def calculate_group_permissions
+    conn = ActiveRecord::Base.connection
+    self.class.transaction do
+      # Check whether the temporary view has already been created
+      # during this connection. If not, create it.
+      conn.exec_query 'SAVEPOINT check_permission_view'
+      begin
+        conn.exec_query('SELECT 1 FROM permission_view LIMIT 0')
+      rescue
+        conn.exec_query 'ROLLBACK TO SAVEPOINT check_permission_view'
+        sql = File.read(Rails.root.join('lib', 'create_permission_view.sql'))
+        conn.exec_query(sql)
+      ensure
+        conn.exec_query 'RELEASE SAVEPOINT check_permission_view'
+      end
+    end
+
+    group_perms = {}
+    conn.exec_query('SELECT target_owner_uuid, max(perm_level)
+                    FROM permission_view
+                    WHERE user_uuid = $1
+                    AND target_owner_uuid IS NOT NULL
+                    GROUP BY target_owner_uuid',
+                    # "name" arg is a query label that appears in logs:
+                    "group_permissions for #{uuid}",
+                    # "binds" arg is an array of [col_id, value] for '$1' vars:
+                    [[nil, uuid]],
+                    ).rows.each do |group_uuid, max_p_val|
+      group_perms[group_uuid] = PERMS_FOR_VAL[max_p_val.to_i]
+    end
+    Rails.cache.write "groups_for_user_#{self.uuid}", group_perms
+    group_perms
   end
 
   # Return a hash of {group_uuid: perm_hash} where perm_hash[:read]
   # and perm_hash[:write] are true if this user can read and write
   # objects owned by group_uuid.
-  #
-  # The permission graph is built by repeatedly enumerating all
-  # permission links reachable from self.uuid, and then calling
-  # search_permissions
   def group_permissions
-    Rails.cache.fetch "groups_for_user_#{self.uuid}" do
-      permissions_from = {}
-      todo = {self.uuid => true}
-      done = {}
-      # Build the equivalence class of permissions starting with
-      # self.uuid. On each iteration of this loop, todo contains
-      # the next set of uuids in the permission equivalence class
-      # to evaluate.
-      while !todo.empty?
-        lookup_uuids = todo.keys
-        lookup_uuids.each do |uuid| done[uuid] = true end
-        todo = {}
-        newgroups = []
-        # include all groups owned by the current set of uuids.
-        Group.where('owner_uuid in (?)', lookup_uuids).each do |group|
-          newgroups << [group.owner_uuid, group.uuid, 'can_manage']
-        end
-        # add any permission links from the current lookup_uuids to a Group.
-        Link.where('link_class = ? and tail_uuid in (?) and ' \
-                   '(head_uuid like ? or (name = ? and head_uuid like ?))',
-                   'permission',
-                   lookup_uuids,
-                   Group.uuid_like_pattern,
-                   'can_manage',
-                   User.uuid_like_pattern).each do |link|
-          newgroups << [link.tail_uuid, link.head_uuid, link.name]
-        end
-        newgroups.each do |tail_uuid, head_uuid, perm_name|
-          unless done.has_key? head_uuid
-            todo[head_uuid] = true
-          end
-          link_permissions = {}
-          case perm_name
-          when 'can_read'
-            link_permissions = {read:true}
-          when 'can_write'
-            link_permissions = {read:true,write:true}
-          when 'can_manage'
-            link_permissions = ALL_PERMISSIONS
-          end
-          permissions_from[tail_uuid] ||= {}
-          permissions_from[tail_uuid][head_uuid] ||= {}
-          link_permissions.each do |k,v|
-            permissions_from[tail_uuid][head_uuid][k] ||= v
-          end
+    r = Rails.cache.read "groups_for_user_#{self.uuid}"
+    if r.nil?
+      if Rails.configuration.async_permissions_update
+        while r.nil?
+          sleep(0.1)
+          r = Rails.cache.read "groups_for_user_#{self.uuid}"
         end
+      else
+        r = calculate_group_permissions
       end
-      search_permissions(self.uuid, permissions_from)
     end
+    r
   end
 
   def self.setup(user, openid_prefix, repo_name=nil, vm_uuid=nil)
@@ -219,7 +228,7 @@ class User < ArvadosModel
 
     # delete "All users" group read permissions for this user
     group = Group.where(name: 'All users').select do |g|
-      g[:uuid].match /-f+$/
+      g[:uuid].match(/-f+$/)
     end.first
     Link.destroy_all(tail_uuid: self.uuid,
                      head_uuid: group[:uuid],
@@ -238,6 +247,25 @@ class User < ArvadosModel
     self.save!
   end
 
+  def set_initial_username(requested: false)
+    if !requested.is_a?(String) || requested.empty?
+      email_parts = email.partition("@")
+      local_parts = email_parts.first.partition("+")
+      if email_parts.any?(&:empty?)
+        return
+      elsif not local_parts.first.empty?
+        requested = local_parts.first
+      else
+        requested = email_parts.first
+      end
+    end
+    requested.sub!(/^[^A-Za-z]+/, "")
+    requested.gsub!(/[^A-Za-z0-9]/, "")
+    unless requested.empty?
+      self.username = find_usable_username_from(requested)
+    end
+  end
+
   protected
 
   def ensure_ownership_path_leads_to_user
@@ -289,8 +317,8 @@ class User < ArvadosModel
       self.class.
           where("username like '#{pattern}'").
           select(:username).
-          order(username: :asc).
-          find_each do |other_user|
+          order('username asc').
+          each do |other_user|
         if other_user.username > next_username
           break
         elsif other_user.username == next_username
@@ -303,23 +331,6 @@ class User < ArvadosModel
     nil
   end
 
-  def set_initial_username
-    email_parts = email.partition("@")
-    local_parts = email_parts.first.partition("+")
-    if email_parts.any?(&:empty?)
-      return
-    elsif not local_parts.first.empty?
-      base_username = local_parts.first
-    else
-      base_username = email_parts.first
-    end
-    base_username.sub!(/^[^A-Za-z]+/, "")
-    base_username.gsub!(/[^A-Za-z0-9]/, "")
-    unless base_username.empty?
-      self.username = find_usable_username_from(base_username)
-    end
-  end
-
   def prevent_privilege_escalation
     if current_user.andand.is_admin
       return true