1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class ReaderTokensTest < ActionDispatch::IntegrationTest
10 def spectator_specimen
11 specimens(:owned_by_spectator).uuid
14 def get_specimens(main_auth, read_auth, formatter=:to_a)
16 params[:reader_tokens] = [api_token(read_auth)].send(formatter) if read_auth
18 headers.merge!(auth(main_auth)) if main_auth
19 get('/arvados/v1/specimens', params, headers)
22 def get_specimen_uuids(main_auth, read_auth, formatter=:to_a)
23 get_specimens(main_auth, read_auth, formatter)
24 assert_response :success
25 json_response['items'].map { |spec| spec['uuid'] }
28 def assert_post_denied(main_auth, read_auth, formatter=:to_a)
30 headers = auth(main_auth)
36 post('/arvados/v1/specimens.json',
37 {specimen: {}, reader_tokens: [api_token(read_auth)].send(formatter)},
39 assert_response expected
42 test "active user can't see spectator specimen" do
43 # Other tests in this suite assume that the active user doesn't
44 # have read permission to the owned_by_spectator specimen.
45 # This test checks that this assumption still holds.
46 refute_includes(get_specimen_uuids(:active, nil), spectator_specimen,
47 ["active user can read the owned_by_spectator specimen",
48 "other tests will return false positives"].join(" - "))
51 [nil, :active_noscope].each do |main_auth|
52 [:spectator, :spectator_specimens].each do |read_auth|
53 test "#{main_auth} auth with reader token #{read_auth} can read" do
54 assert_includes(get_specimen_uuids(main_auth, read_auth),
55 spectator_specimen, "did not find spectator specimen")
58 test "#{main_auth} auth with JSON read token #{read_auth} can read" do
59 assert_includes(get_specimen_uuids(main_auth, read_auth, :to_json),
60 spectator_specimen, "did not find spectator specimen")
63 test "#{main_auth} auth with reader token #{read_auth} can't write" do
64 assert_post_denied(main_auth, read_auth)
67 test "#{main_auth} auth with JSON read token #{read_auth} can't write" do
68 assert_post_denied(main_auth, read_auth, :to_json)
73 test "scopes are still limited with reader tokens" do
74 get('/arvados/v1/collections',
75 {reader_tokens: [api_token(:spectator_specimens)]},
76 auth(:active_noscope))
80 test "reader tokens grant no permissions when expired" do
81 get_specimens(:active_noscope, :expired)
85 test "reader tokens grant no permissions outside their scope" do
86 refute_includes(get_specimen_uuids(:active, :admin_vm), spectator_specimen,
87 "scoped reader token granted permissions out of scope")