1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
5 # The v1 API uses token scopes to control access to the REST API at the path
6 # level. This is enforced in the base ApplicationController, making it a
7 # functional test that we can run against many different controllers.
11 class ApiTokensScopeTest < ActionDispatch::IntegrationTest
15 (['', 'arvados', 'v1'] + parts).join('/')
18 test "user list token can only list users" do
19 get_args = [{}, auth(:active_userlist)]
20 get(v1_url('users'), *get_args)
21 assert_response :success
22 get(v1_url('users', ''), *get_args) # Add trailing slash.
23 assert_response :success
24 get(v1_url('users', 'current'), *get_args)
26 get(v1_url('virtual_machines'), *get_args)
30 test "specimens token can see exactly owned specimens" do
31 get_args = [{}, auth(:active_specimens)]
32 get(v1_url('specimens'), *get_args)
34 get(v1_url('specimens', specimens(:owned_by_active_user).uuid), *get_args)
35 assert_response :success
36 head(v1_url('specimens', specimens(:owned_by_active_user).uuid), *get_args)
37 assert_response :success
38 get(v1_url('specimens', specimens(:owned_by_spectator).uuid), *get_args)
39 assert_includes(403..404, @response.status)
42 test "token with multiple scopes can use them all" do
44 get(v1_url('api_client_authorizations'), {}, auth(:active_apitokens))
45 assert_response :success
46 token_count = JSON.parse(@response.body)['items_available']
47 assert_not_nil(token_count, "could not find token count")
51 token_count = get_token_count
52 # Test the POST scope.
53 post(v1_url('api_client_authorizations'),
54 {api_client_authorization: {user_id: users(:active).id}},
55 auth(:active_apitokens))
56 assert_response :success
57 assert_equal(token_count + 1, get_token_count,
58 "token count suggests POST was not accepted")
59 # Test other requests are denied.
60 get(v1_url('api_client_authorizations',
61 api_client_authorizations(:active_apitokens).uuid),
62 {}, auth(:active_apitokens))
66 test "token without scope has no access" do
67 # Logs are good for this test, because logs have relatively
68 # few access controls enforced at the model level.
69 req_args = [{}, auth(:admin_noscope)]
70 get(v1_url('logs'), *req_args)
72 get(v1_url('logs', logs(:noop).uuid), *req_args)
74 post(v1_url('logs'), *req_args)
78 test "VM login scopes work" do
79 # A system administration script makes an API token with limited scope
80 # for virtual machines to let it see logins.
81 def vm_logins_url(name)
82 v1_url('virtual_machines', virtual_machines(name).uuid, 'logins')
84 get_args = [{}, auth(:admin_vm)]
85 get(vm_logins_url(:testvm), *get_args)
86 assert_response :success
87 get(vm_logins_url(:testvm2), *get_args)
88 assert_includes(400..419, @response.status,
89 "getting testvm2 logins should have failed")