fix(config): ensure AnonymousUserToken is set

* added tests to verify it's set either in the `tokens` or the `Users` dicts

diff --git a/arvados/config/file.sls b/arvados/config/file.sls
index 5a9c1f0f8ecd4b6a5573d924e407f5f509ef848f..fb9ab6733548ca251c241700431226d35ab7c731 100644 (file)
--- a/arvados/config/file.sls
+++ b/arvados/config/file.sls
@@ -6,6 +6,8 @@
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
 {%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
 
+{%- do arvados.cluster.Users.update({'AnonymousUserToken': arvados.cluster.tokens.anonymous_user }) if arvados.cluster.Users.AnonymousUserToken is not defined %}
+
 include:
   - .package
 

diff --git a/kitchen.yml b/kitchen.yml
index e47ea24f13819a476b739e43402fe619231e6d12..cb3531930e8153f2ad7bfd575c497f2f6279a52e 100644 (file)
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -325,6 +325,7 @@ suites:
         # yamllint enable rule:line-length
     verifier:
       inspec_tests:
+        - path: test/integration/repo
         - path: test/integration/workbench
         - path: test/integration/workbench2
   #### shell
@@ -360,15 +361,13 @@ suites:
             - arvados._mapdata
             - arvados.repo
             - arvados.keepstore
-            # - arvados.clean
       pillars:
         top.sls:
           base:
             '*':
               - arvados
       pillars_from_files:
-        arvados.sls: test/salt/pillar/arvados.sls
+        arvados.sls: test/salt/pillar/arvados_dev.sls
     verifier:
       inspec_tests:
-        - path: test/integration/repo
         - path: test/integration/keepstore

diff --git a/pillar.example b/pillar.example
index 233b492cb0b52ee20d112d1ab184ef55913ab556..b8acf4514745c336e45e6dfb0fd8ef516e05bcbd 100644 (file)
--- a/pillar.example
+++ b/pillar.example
@@ -86,6 +86,8 @@ arvados:
       # See https://dev.arvados.org/issues/17150
       system_root: changemesystemroottoken
       management: changememanagementtoken
+      # The AnonymousUserToken can be set here or in the
+      # USers dictionary below. The latter will be used if set.
       anonymous_user: changemeanonymoususertoken
 
     ### KEYS

diff --git a/test/integration/api/controls/config_spec.rb b/test/integration/api/controls/config_spec.rb
index 0f64cb2db41911054254551a694875bea9d053e0..7131096fae3d065250ff982bedb3935105c0888f 100644 (file)
--- a/test/integration/api/controls/config_spec.rb
+++ b/test/integration/api/controls/config_spec.rb
@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+users_stanza = <<-USERS_STANZA
+    Users:
+      AnonymousUserToken: anonymoususertokensetinthetokensdict
+USERS_STANZA
+
 api_stanza = <<-API_STANZA
     API:
 API_STANZA
@@ -47,5 +52,6 @@ control 'arvados configuration' do
     its('content') { should include(api_stanza) }
     its('content') { should include(rails_stanza) }
     its('content') { should include(database_stanza) }
+    its('content') { should include(users_stanza) }
   end
 end

diff --git a/test/integration/keepstore/controls/config_spec.rb b/test/integration/keepstore/controls/config_spec.rb
index d44e6737b1be25537b67cc8de3712502d09b74fc..7113e2b21e6de5ad953fd94b279fea7543302f20 100644 (file)
--- a/test/integration/keepstore/controls/config_spec.rb
+++ b/test/integration/keepstore/controls/config_spec.rb
@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+users_stanza = <<-USERS_STANZA
+    Users:
+      AnonymousUserToken: anonymoususertokensetintheusersdict
+USERS_STANZA
+
 keepstore_stanza = <<-KEEPSTORE_STANZA
       Keepstore:
         InternalURLs:
@@ -33,5 +38,6 @@ control 'arvados configuration' do
     end
     its('content') { should include(keepstore_stanza) }
     its('content') { should include(volumes_stanza) }
+    its('content') { should include(users_stanza) }
   end
 end

diff --git a/test/integration/shell/controls/config_spec.rb b/test/integration/shell/controls/config_spec.rb
index 603e337fe1fe60236bcf8ec1ea975623fdecd80a..f0e8a7ef14b3765f71680af5fc59bc0d8dd2f8f4 100644 (file)
--- a/test/integration/shell/controls/config_spec.rb
+++ b/test/integration/shell/controls/config_spec.rb
@@ -1,5 +1,13 @@
 # frozen_string_literal: true
 
+control 'arvados configuration file' do
+  title 'should not exist'
+
+  describe file('/etc/arvados/config.yml') do
+    it { should_not exist}
+  end
+end
+
 control 'shellinabox configuration' do
   title 'should match desired lines'
 

diff --git a/test/salt/pillar/arvados.sls b/test/salt/pillar/arvados.sls
index a063823956a4c139978e7057b7aa451706e33c4f..635b894e759ca0b87a361e8d5e61570e328b88d6 100644 (file)
--- a/test/salt/pillar/arvados.sls
+++ b/test/salt/pillar/arvados.sls
@@ -59,7 +59,7 @@ arvados:
     tokens:
       system_root: changemesystemroottoken
       management: changememanagementtoken
-      anonymous_user: changemeanonymoususertoken
+      anonymous_user: anonymoususertokensetinthetokensdict
 
     ### KEYS
     secrets:

diff --git a/test/salt/pillar/arvados_dev.sls b/test/salt/pillar/arvados_dev.sls
index 35a5bffc154b169f586e67778007b38fbf03ffaa..1dcc78b8844db43c9b547f8de49806599fb47f5e 100644 (file)
--- a/test/salt/pillar/arvados_dev.sls
+++ b/test/salt/pillar/arvados_dev.sls
@@ -67,6 +67,13 @@ arvados:
       user: arvados
       extra_conn_params:
         client_encoding: UTF8
+      # Centos7 does not enable SSL by default, so we disable
+      # it here just for testing of the formula purposes only.
+      # You should not do this in production, and should
+      # configure Postgres certificates correctly
+      {%- if grains.os_family in ('RedHat',) %}
+        sslmode: disable
+      {%- endif %}
 
     tls:
       # certificate: ''
@@ -78,7 +85,6 @@ arvados:
     tokens:
       system_root: changemesystemroottoken
       management: changememanagementtoken
-      anonymous_user: changemeanonymoususertoken
 
     ### KEYS
     secrets:
@@ -108,6 +114,7 @@ arvados:
           Root: /tmp
 
     Users:
+      AnonymousUserToken: anonymoususertokensetintheusersdict
       NewUsersAreActive: true
       AutoAdminFirstUser: true
       AutoSetupNewUsers: true