1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
6 require 'helpers/users_test_helper'
8 class UsersTest < ActionDispatch::IntegrationTest
9 include UsersTestHelper
11 test "setup user multiple times" do
12 repo_name = 'usertestrepo'
14 post "/arvados/v1/users/setup",
18 uuid: 'zzzzz-tpzed-abcdefghijklmno',
19 first_name: "in_create_test_first_name",
20 last_name: "test_last_name",
21 email: "foo@example.com"
26 assert_response :success
28 response_items = json_response['items']
30 created = find_obj_in_resp response_items, 'arvados#user', nil
32 assert_equal 'in_create_test_first_name', created['first_name']
33 assert_not_nil created['uuid'], 'expected non-null uuid for the new user'
34 assert_equal 'zzzzz-tpzed-abcdefghijklmno', created['uuid']
35 assert_not_nil created['email'], 'expected non-nil email'
36 assert_nil created['identity_url'], 'expected no identity_url'
38 # repo link and link add user to 'All users' group
40 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
41 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
43 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
44 'All users', created['uuid'], 'arvados#group', true, 'Group'
46 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
47 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
49 verify_system_group_permission_link_for created['uuid']
51 # invoke setup again with the same data
52 post "/arvados/v1/users/setup",
55 vm_uuid: virtual_machines(:testvm).uuid,
57 uuid: 'zzzzz-tpzed-abcdefghijklmno',
58 first_name: "in_create_test_first_name",
59 last_name: "test_last_name",
60 email: "foo@example.com"
64 assert_response 422 # cannot create another user with same UUID
66 # invoke setup on the same user
67 post "/arvados/v1/users/setup",
70 vm_uuid: virtual_machines(:testvm).uuid,
71 uuid: 'zzzzz-tpzed-abcdefghijklmno',
75 response_items = json_response['items']
77 created = find_obj_in_resp response_items, 'arvados#user', nil
78 assert_equal 'in_create_test_first_name', created['first_name']
79 assert_not_nil created['uuid'], 'expected non-null uuid for the new user'
80 assert_equal 'zzzzz-tpzed-abcdefghijklmno', created['uuid']
81 assert_not_nil created['email'], 'expected non-nil email'
82 assert_nil created['identity_url'], 'expected no identity_url'
84 # arvados#user, repo link and link add user to 'All users' group
85 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
86 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
88 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
89 'All users', created['uuid'], 'arvados#group', true, 'Group'
91 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
92 virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
94 verify_system_group_permission_link_for created['uuid']
97 test "setup user in multiple steps and verify response" do
98 post "/arvados/v1/users/setup",
101 email: "foo@example.com"
104 headers: auth(:admin)
106 assert_response :success
107 response_items = json_response['items']
108 created = find_obj_in_resp response_items, 'arvados#user', nil
110 assert_not_nil created['uuid'], 'expected uuid for new user'
111 assert_not_nil created['email'], 'expected non-nil email'
112 assert_equal created['email'], 'foo@example.com', 'expected input email'
114 # two new links: system_group, and 'All users' group.
116 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
117 'All users', created['uuid'], 'arvados#group', true, 'Group'
119 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
120 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
122 # invoke setup with a repository
123 post "/arvados/v1/users/setup",
125 repo_name: 'newusertestrepo',
126 uuid: created['uuid']
128 headers: auth(:admin)
130 assert_response :success
132 response_items = json_response['items']
133 created = find_obj_in_resp response_items, 'arvados#user', nil
135 assert_equal 'foo@example.com', created['email'], 'expected input email'
138 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
139 'All users', created['uuid'], 'arvados#group', true, 'Group'
141 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
142 'foo/newusertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
144 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
145 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
147 # invoke setup with a vm_uuid
148 post "/arvados/v1/users/setup",
150 vm_uuid: virtual_machines(:testvm).uuid,
154 uuid: created['uuid']
156 headers: auth(:admin)
158 assert_response :success
160 response_items = json_response['items']
161 created = find_obj_in_resp response_items, 'arvados#user', nil
163 assert_equal created['email'], 'foo@example.com', 'expected original email'
166 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
167 'All users', created['uuid'], 'arvados#group', true, 'Group'
169 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
170 virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
173 test "setup and unsetup user" do
174 post "/arvados/v1/users/setup",
176 repo_name: 'newusertestrepo',
177 vm_uuid: virtual_machines(:testvm).uuid,
178 user: {email: 'foo@example.com'},
180 headers: auth(:admin)
182 assert_response :success
183 response_items = json_response['items']
184 created = find_obj_in_resp response_items, 'arvados#user', nil
185 assert_not_nil created['uuid'], 'expected uuid for the new user'
186 assert_equal created['email'], 'foo@example.com', 'expected given email'
188 # four extra links: system_group, login, group, repo and vm
190 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
191 'All users', created['uuid'], 'arvados#group', true, 'Group'
193 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
194 'foo/newusertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
196 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
197 virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
199 verify_link_existence created['uuid'], created['email'], true, true, true, true, false
202 token = act_as_system_user do
203 ApiClientAuthorization.create!(user: User.find_by_uuid(created['uuid']), api_client: ApiClient.all.first).api_token
206 assert_equal 1, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'expected token not found'
208 post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin)
210 assert_response :success
212 created2 = json_response
213 assert_not_nil created2['uuid'], 'expected uuid for the newly created user'
214 assert_equal created['uuid'], created2['uuid'], 'expected uuid not found'
215 assert_equal 0, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'token should have been deleted by user unsetup'
217 verify_link_existence created['uuid'], created['email'], false, false, false, false, false
220 def find_obj_in_resp (response_items, kind, head_kind=nil)
221 response_items.each do |x|
223 return x if (x['kind'] == kind && x['head_kind'] == head_kind)
229 test 'merge active into project_viewer account' do
230 post('/arvados/v1/groups',
233 group_class: 'project',
234 name: "active user's stuff",
237 headers: auth(:project_viewer))
238 assert_response(:success)
239 project_uuid = json_response['uuid']
241 post('/arvados/v1/users/merge',
243 new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
244 new_owner_uuid: project_uuid,
245 redirect_to_new_user: true,
247 headers: auth(:active_trustedclient))
248 assert_response(:success)
250 get('/arvados/v1/users/current', params: {}, headers: auth(:active))
251 assert_response(:success)
252 assert_equal(users(:project_viewer).uuid, json_response['uuid'])
254 get('/arvados/v1/authorized_keys/' + authorized_keys(:active).uuid,
256 headers: auth(:active))
257 assert_response(:success)
258 assert_equal(users(:project_viewer).uuid, json_response['owner_uuid'])
259 assert_equal(users(:project_viewer).uuid, json_response['authorized_user_uuid'])
261 get('/arvados/v1/repositories/' + repositories(:foo).uuid,
263 headers: auth(:active))
264 assert_response(:success)
265 assert_equal(users(:project_viewer).uuid, json_response['owner_uuid'])
266 assert_equal("#{users(:project_viewer).username}/foo", json_response['name'])
268 get('/arvados/v1/groups/' + groups(:aproject).uuid,
270 headers: auth(:active))
271 assert_response(:success)
272 assert_equal(project_uuid, json_response['owner_uuid'])
275 test 'pre-activate user' do
276 post '/arvados/v1/users',
279 "email" => 'foo@example.com',
281 "username" => "barney"
284 headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"}
285 assert_response :success
287 assert_not_nil rp["uuid"]
288 assert_not_nil rp["is_active"]
289 assert_nil rp["is_admin"]
291 get "/arvados/v1/users/#{rp['uuid']}",
292 params: {format: 'json'},
293 headers: auth(:admin)
294 assert_response :success
295 assert_equal rp["uuid"], json_response['uuid']
296 assert_nil json_response['is_admin']
297 assert_equal true, json_response['is_active']
298 assert_equal 'foo@example.com', json_response['email']
299 assert_equal 'barney', json_response['username']
302 test 'merge with repository name conflict' do
303 post('/arvados/v1/groups',
306 group_class: 'project',
307 name: "active user's stuff",
310 headers: auth(:project_viewer))
311 assert_response(:success)
312 project_uuid = json_response['uuid']
314 post('/arvados/v1/repositories/',
315 params: { :repository => { :name => "#{users(:project_viewer).username}/foo", :owner_uuid => users(:project_viewer).uuid } },
316 headers: auth(:project_viewer))
317 assert_response(:success)
319 post('/arvados/v1/users/merge',
321 new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
322 new_owner_uuid: project_uuid,
323 redirect_to_new_user: true,
325 headers: auth(:active_trustedclient))
326 assert_response(:success)
328 get('/arvados/v1/repositories/' + repositories(:foo).uuid,
330 headers: auth(:active))
331 assert_response(:success)
332 assert_equal(users(:project_viewer).uuid, json_response['owner_uuid'])
333 assert_equal("#{users(:project_viewer).username}/migratedfoo", json_response['name'])
337 test "cannot set is_active to false directly" do
338 post('/arvados/v1/users',
341 email: "bob@example.com",
345 headers: auth(:admin))
346 assert_response(:success)
348 assert_equal false, user['is_active']
350 token = act_as_system_user do
351 ApiClientAuthorization.create!(user: User.find_by_uuid(user['uuid']), api_client: ApiClient.all.first).api_token
353 post("/arvados/v1/user_agreements/sign",
354 params: {uuid: 'zzzzz-4zz18-t68oksiu9m80s4y'},
355 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
356 assert_response :success
358 post("/arvados/v1/users/#{user['uuid']}/activate",
360 headers: auth(:admin))
361 assert_response(:success)
363 assert_equal true, user['is_active']
365 put("/arvados/v1/users/#{user['uuid']}",
367 user: {is_active: false}
369 headers: auth(:admin))
373 test "cannot self activate when AutoSetupNewUsers is false" do
374 Rails.configuration.Users.NewUsersAreActive = false
375 Rails.configuration.Users.AutoSetupNewUsers = false
379 act_as_system_user do
380 user = User.create!(email: "bob@example.com", username: "bobby")
381 ap = ApiClientAuthorization.create!(user: user, api_client: ApiClient.all.first)
385 get("/arvados/v1/users/#{user['uuid']}",
387 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
388 assert_response(:success)
390 assert_equal false, user['is_active']
392 post("/arvados/v1/users/#{user['uuid']}/activate",
394 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
396 assert_match(/Cannot activate without being invited/, json_response['errors'][0])
400 test "cannot self activate after unsetup" do
401 Rails.configuration.Users.NewUsersAreActive = false
402 Rails.configuration.Users.AutoSetupNewUsers = false
406 act_as_system_user do
407 user = User.create!(email: "bob@example.com", username: "bobby")
408 ap = ApiClientAuthorization.create!(user: user, api_client_id: 0)
412 post("/arvados/v1/users/setup",
413 params: {uuid: user['uuid']},
414 headers: auth(:admin))
415 assert_response :success
417 post("/arvados/v1/users/#{user['uuid']}/activate",
419 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
421 assert_match(/Cannot activate without user agreements/, json_response['errors'][0])
423 post("/arvados/v1/user_agreements/sign",
424 params: {uuid: 'zzzzz-4zz18-t68oksiu9m80s4y'},
425 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
426 assert_response :success
428 post("/arvados/v1/users/#{user['uuid']}/activate",
430 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
431 assert_response :success
433 get("/arvados/v1/users/#{user['uuid']}",
435 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
436 assert_response(:success)
437 userJSON = json_response
438 assert_equal true, userJSON['is_active']
440 post("/arvados/v1/users/#{user['uuid']}/unsetup",
442 headers: auth(:admin))
443 assert_response :success
445 # Need to get a new token, the old one was invalidated by the unsetup call
446 act_as_system_user do
447 ap = ApiClientAuthorization.create!(user: user, api_client_id: 0)
451 get("/arvados/v1/users/#{user['uuid']}",
453 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
454 assert_response(:success)
455 userJSON = json_response
456 assert_equal false, userJSON['is_active']
458 post("/arvados/v1/users/#{user['uuid']}/activate",
460 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
462 assert_match(/Cannot activate without being invited/, json_response['errors'][0])
465 test "bypass_federation only accepted for admins" do
466 get "/arvados/v1/users",
468 bypass_federation: true
470 headers: auth(:admin)
472 assert_response :success
474 get "/arvados/v1/users",
476 bypass_federation: true
478 headers: auth(:active)