1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class PermissionsTest < ActionDispatch::IntegrationTest
9 include CurrentApiClient # for empty_collection
# Fixtures referenced throughout: users/groups as principals, collections as
# the protected resources, api_client_authorizations for auth(:who) tokens.
10 fixtures :users, :groups, :api_client_authorizations, :collections
# Invalidate the cached permission graph (timestamp-based) so permission
# links created and deleted by the tests below are observed immediately.
# NOTE(review): the enclosing hook (presumably a setup block) is not
# visible in this excerpt — confirm this runs before every test.
13 User.invalidate_permissions_cache db_current_time.to_i
# Direct user -> collection permission link.
# Security property exercised: a user with no grant cannot read the
# collection, cannot grant itself access, and cannot remove a grant;
# only an admin may add or delete the link, and access disappears as soon
# as the link is deleted.
# NOTE(review): the status assertions for the denied requests fall on lines
# not shown in this excerpt; verify they reject (not merely succeed).
16 test "adding and removing direct can_read links" do
17 # try to read collection as spectator (no grant exists yet -> must be denied)
18 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
21 # try to add permission as spectator (self-grant attempt -> must be denied)
22 post "/arvados/v1/links", {
25 tail_uuid: users(:spectator).uuid,
26 link_class: 'permission',
28 head_uuid: collections(:foo_file).uuid,
34 # add permission as admin
35 post "/arvados/v1/links", {
38 tail_uuid: users(:spectator).uuid,
39 link_class: 'permission',
41 head_uuid: collections(:foo_file).uuid,
45 u = json_response['uuid'] # link uuid, needed to delete the grant below
46 assert_response :success
48 # read collection as spectator (grant now in place)
49 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
50 assert_response :success
52 # try to delete permission as spectator (grantee must not manage its own grant)
53 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:spectator)
56 # delete permission as admin
57 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
58 assert_response :success
60 # try to read collection as spectator (grant revoked -> must be denied again)
61 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Indirect permission through one group hop, links created user-first.
# Security property exercised: a user -> group link alone grants nothing on
# the collection; access appears only once the group -> collection link
# exists, and is revoked when that link is deleted.
# NOTE(review): the status assertions for the denied reads are on lines not
# shown in this excerpt.
66 test "adding can_read links from user to group, group to collection" do
67 # try to read collection as spectator (no path yet -> must be denied)
68 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
71 # add permission for spectator to read group
72 post "/arvados/v1/links", {
75 tail_uuid: users(:spectator).uuid,
76 link_class: 'permission',
78 head_uuid: groups(:private).uuid,
82 assert_response :success
84 # try to read collection as spectator (half the chain -> still denied)
85 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
88 # add permission for group to read collection
89 post "/arvados/v1/links", {
92 tail_uuid: groups(:private).uuid,
93 link_class: 'permission',
95 head_uuid: collections(:foo_file).uuid,
99 u = json_response['uuid'] # the group -> collection link, deleted below
100 assert_response :success
102 # try to read collection as spectator (full chain -> allowed)
103 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
104 assert_response :success
106 # delete permission for group to read collection
107 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
108 assert_response :success
110 # try to read collection as spectator (chain broken -> denied again)
111 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Same one-hop chain as the previous test, but links created in the
# opposite order (group -> collection first). Exercises that permission
# resolution does not depend on link creation order, and that removing the
# user -> group link revokes access.
# NOTE(review): the status assertions for the denied reads are on lines not
# shown in this excerpt.
117 test "adding can_read links from group to collection, user to group" do
118 # try to read collection as spectator (no path yet -> must be denied)
119 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
122 # add permission for group to read collection
123 post "/arvados/v1/links", {
126 tail_uuid: groups(:private).uuid,
127 link_class: 'permission',
129 head_uuid: collections(:foo_file).uuid,
133 assert_response :success
135 # try to read collection as spectator (spectator not in group -> still denied)
136 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
139 # add permission for spectator to read group
140 post "/arvados/v1/links", {
143 tail_uuid: users(:spectator).uuid,
144 link_class: 'permission',
146 head_uuid: groups(:private).uuid,
150 u = json_response['uuid'] # the user -> group link, deleted below
151 assert_response :success
153 # try to read collection as spectator (full chain -> allowed)
154 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
155 assert_response :success
157 # delete permission for spectator to read group
158 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
159 assert_response :success
161 # try to read collection as spectator (chain broken -> denied again)
162 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# Two-hop chain: user -> group -> group -> collection. Exercises transitive
# permission resolution across nested groups, and that deleting the final
# group -> collection link revokes access end to end.
# NOTE(review): the status assertions for the denied reads are on lines not
# shown in this excerpt.
167 test "adding can_read links from user to group, group to group, group to collection" do
168 # try to read collection as spectator (no path yet -> must be denied)
169 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
172 # add permission for user to read group
173 post "/arvados/v1/links", {
176 tail_uuid: users(:spectator).uuid,
177 link_class: 'permission',
179 head_uuid: groups(:private).uuid,
183 assert_response :success
185 # add permission for group to read group
186 post "/arvados/v1/links", {
189 tail_uuid: groups(:private).uuid,
190 link_class: 'permission',
192 head_uuid: groups(:empty_lonely_group).uuid,
196 assert_response :success
198 # add permission for group to read collection
199 post "/arvados/v1/links", {
202 tail_uuid: groups(:empty_lonely_group).uuid,
203 link_class: 'permission',
205 head_uuid: collections(:foo_file).uuid,
209 u = json_response['uuid'] # last link of the chain, deleted below
210 assert_response :success
212 # try to read collection as spectator (full chain -> allowed)
213 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
214 assert_response :success
216 # delete permission for group to read collection
217 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
218 assert_response :success
220 # try to read collection as spectator (chain broken -> denied again)
221 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# A read-only group admin (:rominiadmin) may see the users it administers
# but must not be able to update them; a write to first_name is attempted.
# NOTE(review): the rejecting status assertion is on a line not shown in
# this excerpt.
225 test "read-only group-admin cannot modify administered user" do
226 put "/arvados/v1/users/#{users(:active).uuid}", {
228 first_name: 'KilroyWasHere'
231 }, auth(:rominiadmin)
# A read-only group admin has no visibility into users outside its group:
# both the read and the update of :spectator must be rejected.
# NOTE(review): the rejecting status assertions are on lines not shown in
# this excerpt; the read should fail as well, not just the write.
235 test "read-only group-admin cannot read or update non-administered user" do
236 get "/arvados/v1/users/#{users(:spectator).uuid}", {
238 }, auth(:rominiadmin)
241 put "/arvados/v1/users/#{users(:spectator).uuid}", {
243 first_name: 'KilroyWasHere'
246 }, auth(:rominiadmin)
# Listing vs. updating specimens through group-admin privileges.
# Both a read-only (:rominiadmin) and a read-write (:miniadmin) group admin
# see specimens owned by the administered user and by the private group,
# but not those owned by :spectator. Only the read-write admin's update
# should succeed (update_should_succeed).
# NOTE(review): the `if` branch paired with the `elsif` below, and the
# closing of the loops, are on lines not shown in this excerpt.
250 test "RO group-admin finds user's specimens, RW group-admin can update" do
251 [[:rominiadmin, false],
252 [:miniadmin, true]].each do |which_user, update_should_succeed|
253 get "/arvados/v1/specimens", {:format => :json}, auth(which_user)
254 assert_response :success
255 resp_uuids = json_response['items'].collect { |i| i['uuid'] }
256 [[true, specimens(:owned_by_active_user).uuid],
257 [true, specimens(:owned_by_private_group).uuid],
258 [false, specimens(:owned_by_spectator).uuid],
259 ].each do |should_find, uuid|
# Visibility check: presence in the list must match should_find exactly
# (a false positive here would be an information leak across groups).
260 assert_equal(should_find, !resp_uuids.index(uuid).nil?,
261 "%s should%s see %s in specimen list" %
263 should_find ? '' : 'not ',
# Attempt an update as the same admin; outcome depends on RO vs RW.
265 put "/arvados/v1/specimens/#{uuid}", {
268 miniadmin_was_here: true
275 elsif !update_should_succeed
278 assert_response :success
# Permission listing endpoint (/permissions/:uuid).
# Exercises that a user without manage rights cannot enumerate a group's
# permissions, and that once :active holds a manage link, the listing
# contains every link granted on the group (read, write and manage).
# NOTE(review): the `name:` field of each link and the auth used for the
# POSTs are on lines not shown in this excerpt; the link types are
# inferred from the variable names below.
284 test "get_permissions returns list" do
285 # First confirm that user :active cannot get permissions on group :public
286 get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
289 # add some permissions, including can_manage
290 # permission for user :active
291 post "/arvados/v1/links", {
294 tail_uuid: users(:spectator).uuid,
295 link_class: 'permission',
297 head_uuid: groups(:public).uuid,
301 assert_response :success
302 can_read_uuid = json_response['uuid']
304 post "/arvados/v1/links", {
307 tail_uuid: users(:inactive).uuid,
308 link_class: 'permission',
310 head_uuid: groups(:public).uuid,
314 assert_response :success
315 can_write_uuid = json_response['uuid']
317 post "/arvados/v1/links", {
320 tail_uuid: users(:active).uuid,
321 link_class: 'permission',
323 head_uuid: groups(:public).uuid,
327 assert_response :success
328 can_manage_uuid = json_response['uuid']
330 # Now user :active should be able to retrieve permissions
332 get("/arvados/v1/permissions/#{groups(:public).uuid}",
333 { :format => :json },
335 assert_response :success
# The listing must include links granted to other users, not only the
# caller's own — that is what distinguishes manage from read.
337 perm_uuids = json_response['items'].map { |item| item['uuid'] }
338 assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found"
339 assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found"
340 assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found"
# A freshly generated, never-persisted uuid must yield 404 from the
# permissions endpoint (per the test name) rather than an empty list or an
# error that would reveal anything about the object's existence.
# NOTE(review): the status assertions are on lines not shown in this excerpt.
343 test "get_permissions returns 404 for nonexistent uuid" do
344 nonexistent = Group.generate_uuid
345 # make sure it really doesn't exist (admin lookup should fail too)
346 get "/arvados/v1/groups/#{nonexistent}", nil, auth(:admin)
349 get "/arvados/v1/permissions/#{nonexistent}", nil, auth(:active)
# Read access to a group is not enough to enumerate its permission links;
# the endpoint should answer 403 (per the test name) for a caller holding
# only a read-level link.
# NOTE(review): the link `name:`, the auth for the POST and the 403
# assertion are on lines not shown in this excerpt.
353 test "get_permissions returns 403 if user can read but not manage" do
354 post "/arvados/v1/links", {
356 tail_uuid: users(:active).uuid,
357 link_class: 'permission',
359 head_uuid: groups(:public).uuid,
363 assert_response :success
365 get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
# The well-known empty collection (uuid from CurrentApiClient's
# empty_collection_uuid) must be readable by an ordinary active user, and
# its manifest_text must be empty.
# NOTE(review): the auth argument of this get() is on a line not shown in
# this excerpt; the test name indicates auth(:active).
369 test "active user can read the empty collection" do
370 # The active user should be able to read the empty collection.
372 get("/arvados/v1/collections/#{empty_collection_uuid}",
373 { :format => :json },
375 assert_response :success
376 assert_empty json_response['manifest_text'], "empty collection manifest_text is not empty"