1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
6 require 'helpers/users_test_helper'
8 class Arvados::V1::UsersControllerTest < ActionController::TestCase
9 include CurrentApiClient
10 include UsersTestHelper
13 @initial_link_count = Link.count
14 @vm_uuid = virtual_machines(:testvm).uuid
15 ActionMailer::Base.deliveries = []
18 test "activate a user after signing UA" do
19 authorize_with :inactive_but_signed_user_agreement
20 post :activate, params: {id: users(:inactive_but_signed_user_agreement).uuid}
21 assert_response :success
22 assert_not_nil assigns(:object)
23 me = JSON.parse(@response.body)
24 assert_equal true, me['is_active']
27 test "refuse to activate a user before signing UA" do
29 required_uuids = Link.where("owner_uuid = ? and link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?",
34 Collection.uuid_like_pattern).
37 assert required_uuids.length > 0
39 signed_uuids = Link.where(owner_uuid: system_user_uuid,
40 link_class: 'signature',
42 tail_uuid: users(:inactive).uuid,
43 head_uuid: required_uuids).
46 assert_equal 0, signed_uuids.length
49 authorize_with :inactive
50 assert_equal false, users(:inactive).is_active
52 post :activate, params: {id: users(:inactive).uuid}
56 assert resp['errors'].first.include? 'Cannot activate without user agreements'
57 assert_nil resp['is_active']
60 test "activate an already-active user" do
61 authorize_with :active
62 post :activate, params: {id: users(:active).uuid}
63 assert_response :success
64 me = JSON.parse(@response.body)
65 assert_equal true, me['is_active']
68 test "respond 401 if given token exists but user record is missing" do
69 authorize_with :valid_token_deleted_user
70 get :current, {format: :json}
74 test "create new user with user as input" do
76 post :create, params: {
78 first_name: "test_first_name",
79 last_name: "test_last_name",
80 email: "foo@example.com"
83 assert_response :success
84 created = JSON.parse(@response.body)
85 assert_equal 'test_first_name', created['first_name']
86 assert_not_nil created['uuid'], 'expected uuid for the newly created user'
87 assert_not_nil created['email'], 'expected non-nil email'
88 assert_nil created['identity_url'], 'expected no identity_url'
91 test "create user with user, vm and repo as input" do
93 repo_name = 'usertestrepo'
95 post :setup, params: {
97 openid_prefix: 'https://www.google.com/accounts/o8/id',
99 uuid: 'zzzzz-tpzed-abcdefghijklmno',
100 first_name: "in_create_test_first_name",
101 last_name: "test_last_name",
102 email: "foo@example.com"
105 assert_response :success
106 response_items = JSON.parse(@response.body)['items']
108 created = find_obj_in_resp response_items, 'User', nil
110 assert_equal 'in_create_test_first_name', created['first_name']
111 assert_not_nil created['uuid'], 'expected non-null uuid for the new user'
112 assert_equal 'zzzzz-tpzed-abcdefghijklmno', created['uuid']
113 assert_not_nil created['email'], 'expected non-nil email'
114 assert_nil created['identity_url'], 'expected no identity_url'
116 # arvados#user, repo link and link add user to 'All users' group
119 verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
120 created['uuid'], created['email'], 'arvados#user', false, 'User'
122 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
123 "foo/#{repo_name}", created['uuid'], 'arvados#repository', true, 'Repository'
125 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
126 'All users', created['uuid'], 'arvados#group', true, 'Group'
128 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
129 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
131 verify_system_group_permission_link_for created['uuid']
134 test "setup user with bogus uuid and expect error" do
135 authorize_with :admin
137 post :setup, params: {
139 repo_name: 'usertestrepo',
142 response_body = JSON.parse(@response.body)
143 response_errors = response_body['errors']
144 assert_not_nil response_errors, 'Expected error in response'
145 assert (response_errors.first.include? 'Path not found'), 'Expected 404'
148 test "setup user with bogus uuid in user and expect error" do
149 authorize_with :admin
151 post :setup, params: {
152 user: {uuid: 'bogus_uuid'},
153 repo_name: 'usertestrepo',
155 openid_prefix: 'https://www.google.com/accounts/o8/id'
157 response_body = JSON.parse(@response.body)
158 response_errors = response_body['errors']
159 assert_not_nil response_errors, 'Expected error in response'
160 assert (response_errors.first.include? 'ArgumentError: Require user email'),
161 'Expected RuntimeError'
164 test "setup user with no uuid and user, expect error" do
165 authorize_with :admin
167 post :setup, params: {
168 repo_name: 'usertestrepo',
170 openid_prefix: 'https://www.google.com/accounts/o8/id'
172 response_body = JSON.parse(@response.body)
173 response_errors = response_body['errors']
174 assert_not_nil response_errors, 'Expected error in response'
175 assert (response_errors.first.include? 'Required uuid or user'),
176 'Expected ArgumentError'
179 test "setup user with no uuid and email, expect error" do
180 authorize_with :admin
182 post :setup, params: {
184 repo_name: 'usertestrepo',
186 openid_prefix: 'https://www.google.com/accounts/o8/id'
188 response_body = JSON.parse(@response.body)
189 response_errors = response_body['errors']
190 assert_not_nil response_errors, 'Expected error in response'
191 assert (response_errors.first.include? '<ArgumentError: Require user email'),
192 'Expected ArgumentError'
195 test "invoke setup with existing uuid, vm and repo and verify links" do
196 authorize_with :admin
197 inactive_user = users(:inactive)
199 post :setup, params: {
200 uuid: users(:inactive).uuid,
201 repo_name: 'usertestrepo',
205 assert_response :success
207 response_items = JSON.parse(@response.body)['items']
208 resp_obj = find_obj_in_resp response_items, 'User', nil
210 assert_not_nil resp_obj['uuid'], 'expected uuid for the new user'
211 assert_equal inactive_user['uuid'], resp_obj['uuid']
212 assert_equal inactive_user['email'], resp_obj['email'],
213 'expecting inactive user email'
215 # expect repo and vm links
216 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
217 'inactiveuser/usertestrepo', resp_obj['uuid'], 'arvados#repository', true, 'Repository'
219 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
220 @vm_uuid, resp_obj['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
223 test "invoke setup with existing uuid but different email, expect original email" do
224 authorize_with :admin
225 inactive_user = users(:inactive)
227 post :setup, params: {
228 uuid: inactive_user['uuid'],
229 user: {email: 'junk_email'}
232 assert_response :success
234 response_items = JSON.parse(@response.body)['items']
235 resp_obj = find_obj_in_resp response_items, 'User', nil
237 assert_not_nil resp_obj['uuid'], 'expected uuid for the new user'
238 assert_equal inactive_user['uuid'], resp_obj['uuid']
239 assert_equal inactive_user['email'], resp_obj['email'],
240 'expecting inactive user email'
243 test "setup user with valid email and repo as input" do
244 authorize_with :admin
246 post :setup, params: {
247 repo_name: 'usertestrepo',
248 user: {email: 'foo@example.com'},
249 openid_prefix: 'https://www.google.com/accounts/o8/id'
252 assert_response :success
253 response_items = JSON.parse(@response.body)['items']
254 response_object = find_obj_in_resp response_items, 'User', nil
255 assert_not_nil response_object['uuid'], 'expected uuid for the new user'
256 assert_equal response_object['email'], 'foo@example.com', 'expected given email'
258 # four extra links; system_group, login, group and repo perms
262 test "setup user with fake vm and expect error" do
263 authorize_with :admin
265 post :setup, params: {
266 repo_name: 'usertestrepo',
267 vm_uuid: 'no_such_vm',
268 user: {email: 'foo@example.com'},
269 openid_prefix: 'https://www.google.com/accounts/o8/id'
272 response_body = JSON.parse(@response.body)
273 response_errors = response_body['errors']
274 assert_not_nil response_errors, 'Expected error in response'
275 assert (response_errors.first.include? "No vm found for no_such_vm"),
276 'Expected RuntimeError: No vm found for no_such_vm'
279 test "setup user with valid email, repo and real vm as input" do
280 authorize_with :admin
282 post :setup, params: {
283 repo_name: 'usertestrepo',
284 openid_prefix: 'https://www.google.com/accounts/o8/id',
286 user: {email: 'foo@example.com'}
289 assert_response :success
290 response_items = JSON.parse(@response.body)['items']
291 response_object = find_obj_in_resp response_items, 'User', nil
292 assert_not_nil response_object['uuid'], 'expected uuid for the new user'
293 assert_equal response_object['email'], 'foo@example.com', 'expected given email'
295 # five extra links; system_group, login, group, vm, repo
299 test "setup user with valid email, no vm and no repo as input" do
300 authorize_with :admin
302 post :setup, params: {
303 user: {email: 'foo@example.com'},
304 openid_prefix: 'https://www.google.com/accounts/o8/id'
307 assert_response :success
308 response_items = JSON.parse(@response.body)['items']
309 response_object = find_obj_in_resp response_items, 'User', nil
310 assert_not_nil response_object['uuid'], 'expected uuid for new user'
311 assert_equal response_object['email'], 'foo@example.com', 'expected given email'
313 # three extra links; system_group, login, and group
316 verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
317 response_object['uuid'], response_object['email'], 'arvados#user', false, 'User'
319 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
320 'All users', response_object['uuid'], 'arvados#group', true, 'Group'
322 verify_link response_items, 'arvados#repository', false, 'permission', 'can_manage',
323 'foo/usertestrepo', response_object['uuid'], 'arvados#repository', true, 'Repository'
325 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
326 nil, response_object['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
329 test "setup user with email, first name, repo name and vm uuid" do
330 authorize_with :admin
332 post :setup, params: {
333 openid_prefix: 'https://www.google.com/accounts/o8/id',
334 repo_name: 'usertestrepo',
337 first_name: 'test_first_name',
338 email: 'foo@example.com'
342 assert_response :success
343 response_items = JSON.parse(@response.body)['items']
344 response_object = find_obj_in_resp response_items, 'User', nil
345 assert_not_nil response_object['uuid'], 'expected uuid for new user'
346 assert_equal response_object['email'], 'foo@example.com', 'expected given email'
347 assert_equal 'test_first_name', response_object['first_name'],
348 'expecting first name'
350 # five extra links; system_group, login, group, repo and vm
354 test "setup user with an existing user email and check different object is created" do
355 authorize_with :admin
356 inactive_user = users(:inactive)
358 post :setup, params: {
359 openid_prefix: 'https://www.google.com/accounts/o8/id',
360 repo_name: 'usertestrepo',
362 email: inactive_user['email']
366 assert_response :success
367 response_items = JSON.parse(@response.body)['items']
368 response_object = find_obj_in_resp response_items, 'User', nil
369 assert_not_nil response_object['uuid'], 'expected uuid for new user'
370 assert_not_equal response_object['uuid'], inactive_user['uuid'],
371 'expected different uuid after create operation'
372 assert_equal inactive_user['email'], response_object['email'], 'expected given email'
373 # system_group, openid, group, and repo. No vm link.
377 test "setup user with openid prefix" do
378 authorize_with :admin
380 post :setup, params: {
381 repo_name: 'usertestrepo',
382 openid_prefix: 'http://www.example.com/account',
384 first_name: "in_create_test_first_name",
385 last_name: "test_last_name",
386 email: "foo@example.com"
390 assert_response :success
392 response_items = JSON.parse(@response.body)['items']
393 created = find_obj_in_resp response_items, 'User', nil
395 assert_equal 'in_create_test_first_name', created['first_name']
396 assert_not_nil created['uuid'], 'expected uuid for new user'
397 assert_not_nil created['email'], 'expected non-nil email'
398 assert_nil created['identity_url'], 'expected no identity_url'
401 # four new links: system_group, arvados#user, repo, and 'All users' group.
404 verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
405 created['uuid'], created['email'], 'arvados#user', false, 'User'
407 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
408 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
410 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
411 'All users', created['uuid'], 'arvados#group', true, 'Group'
413 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
414 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
417 test "invoke setup with no openid prefix, expect error" do
418 authorize_with :admin
420 post :setup, params: {
421 repo_name: 'usertestrepo',
423 first_name: "in_create_test_first_name",
424 last_name: "test_last_name",
425 email: "foo@example.com"
429 response_body = JSON.parse(@response.body)
430 response_errors = response_body['errors']
431 assert_not_nil response_errors, 'Expected error in response'
432 assert (response_errors.first.include? 'openid_prefix parameter is missing'),
433 'Expected ArgumentError'
436 test "setup user with user, vm and repo and verify links" do
437 authorize_with :admin
439 post :setup, params: {
441 first_name: "in_create_test_first_name",
442 last_name: "test_last_name",
443 email: "foo@example.com"
446 repo_name: 'usertestrepo',
447 openid_prefix: 'https://www.google.com/accounts/o8/id'
450 assert_response :success
452 response_items = JSON.parse(@response.body)['items']
453 created = find_obj_in_resp response_items, 'User', nil
455 assert_equal 'in_create_test_first_name', created['first_name']
456 assert_not_nil created['uuid'], 'expected uuid for new user'
457 assert_not_nil created['email'], 'expected non-nil email'
458 assert_nil created['identity_url'], 'expected no identity_url'
460 # five new links: system_group, arvados#user, repo, vm and 'All
464 verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
465 created['uuid'], created['email'], 'arvados#user', false, 'User'
467 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
468 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
470 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
471 'All users', created['uuid'], 'arvados#group', true, 'Group'
473 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
474 @vm_uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
477 test "create user as non admin user and expect error" do
478 authorize_with :active
480 post :create, params: {
481 user: {email: 'foo@example.com'}
484 response_body = JSON.parse(@response.body)
485 response_errors = response_body['errors']
486 assert_not_nil response_errors, 'Expected error in response'
487 assert (response_errors.first.include? 'PermissionDenied'),
488 'Expected PermissionDeniedError'
491 test "setup user as non admin user and expect error" do
492 authorize_with :active
494 post :setup, params: {
495 openid_prefix: 'https://www.google.com/accounts/o8/id',
496 user: {email: 'foo@example.com'}
499 response_body = JSON.parse(@response.body)
500 response_errors = response_body['errors']
501 assert_not_nil response_errors, 'Expected error in response'
502 assert (response_errors.first.include? 'Forbidden'),
503 'Expected Forbidden error'
506 test "setup active user with repo and no vm" do
507 authorize_with :admin
508 active_user = users(:active)
510 # invoke setup with a repository
511 post :setup, params: {
512 repo_name: 'usertestrepo',
513 uuid: active_user['uuid']
516 assert_response :success
518 response_items = JSON.parse(@response.body)['items']
519 created = find_obj_in_resp response_items, 'User', nil
521 assert_equal active_user[:email], created['email'], 'expected input email'
524 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
525 'All users', created['uuid'], 'arvados#group', true, 'Group'
527 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
528 'active/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
530 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
531 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
534 test "setup active user with vm and no repo" do
535 authorize_with :admin
536 active_user = users(:active)
537 repos_query = Repository.where(owner_uuid: active_user.uuid)
538 repo_link_query = Link.where(tail_uuid: active_user.uuid,
539 link_class: "permission", name: "can_manage")
540 repos_count = repos_query.count
541 repo_link_count = repo_link_query.count
543 # invoke setup with a repository
544 post :setup, params: {
546 uuid: active_user['uuid'],
550 assert_response :success
552 response_items = JSON.parse(@response.body)['items']
553 created = find_obj_in_resp response_items, 'User', nil
555 assert_equal active_user['email'], created['email'], 'expected original email'
558 verify_link response_items, 'arvados#group', true, 'permission', 'can_read',
559 'All users', created['uuid'], 'arvados#group', true, 'Group'
561 assert_equal(repos_count, repos_query.count)
562 assert_equal(repo_link_count, repo_link_query.count)
564 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
565 @vm_uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
568 test "unsetup active user" do
569 active_user = users(:active)
570 assert_not_nil active_user['uuid'], 'expected uuid for the active user'
571 assert active_user['is_active'], 'expected is_active for active user'
573 verify_link_existence active_user['uuid'], active_user['email'],
574 false, true, true, true, true
576 authorize_with :admin
578 # now unsetup this user
579 post :unsetup, params: {id: active_user['uuid']}
580 assert_response :success
582 response_user = JSON.parse(@response.body)
583 assert_not_nil response_user['uuid'], 'expected uuid for the upsetup user'
584 assert_equal active_user['uuid'], response_user['uuid'], 'expected uuid not found'
585 assert !response_user['is_active'], 'expected user to be inactive'
586 assert !response_user['is_invited'], 'expected user to be uninvited'
588 verify_link_existence response_user['uuid'], response_user['email'],
589 false, false, false, false, false
591 active_user = User.find_by_uuid(users(:active).uuid)
592 readable_groups = active_user.groups_i_can(:read)
593 all_users_group = Group.all.collect(&:uuid).select { |g| g.match(/-f+$/) }
594 refute_includes(readable_groups, all_users_group,
595 "active user can read All Users group after being deactivated")
596 assert_equal(false, active_user.is_invited,
597 "active user is_invited after being deactivated & reloaded")
600 test "setup user with send notification param false and verify no email" do
601 authorize_with :admin
603 post :setup, params: {
604 openid_prefix: 'http://www.example.com/account',
605 send_notification_email: 'false',
607 email: "foo@example.com"
611 assert_response :success
612 response_items = JSON.parse(@response.body)['items']
613 created = find_obj_in_resp response_items, 'User', nil
614 assert_not_nil created['uuid'], 'expected uuid for the new user'
615 assert_equal created['email'], 'foo@example.com', 'expected given email'
617 setup_email = ActionMailer::Base.deliveries.last
618 assert_nil setup_email, 'expected no setup email'
621 test "setup user with send notification param true and verify email" do
622 authorize_with :admin
624 post :setup, params: {
625 openid_prefix: 'http://www.example.com/account',
626 send_notification_email: 'true',
628 email: "foo@example.com"
632 assert_response :success
633 response_items = JSON.parse(@response.body)['items']
634 created = find_obj_in_resp response_items, 'User', nil
635 assert_not_nil created['uuid'], 'expected uuid for the new user'
636 assert_equal created['email'], 'foo@example.com', 'expected given email'
638 setup_email = ActionMailer::Base.deliveries.last
639 assert_not_nil setup_email, 'Expected email after setup'
641 assert_equal Rails.configuration.user_notifier_email_from, setup_email.from[0]
642 assert_equal 'foo@example.com', setup_email.to[0]
643 assert_equal 'Welcome to Arvados - shell account enabled', setup_email.subject
644 assert (setup_email.body.to_s.include? 'Your Arvados shell account has been set up'),
645 'Expected Your Arvados shell account has been set up in email body'
646 assert (setup_email.body.to_s.include? "#{Rails.configuration.workbench_address}users/#{created['uuid']}/virtual_machines"), 'Expected virtual machines url in email body'
649 test "setup inactive user by changing is_active to true" do
650 authorize_with :admin
651 active_user = users(:active)
653 # invoke setup with a repository
654 put :update, params: {
655 id: active_user['uuid'],
660 assert_response :success
661 assert_equal active_user['uuid'], json_response['uuid']
662 updated = User.where(uuid: active_user['uuid']).first
663 assert_equal(true, updated.is_active)
664 assert_equal({read: true}, updated.group_permissions[all_users_group_uuid])
667 test "non-admin user can get basic information about readable users" do
668 authorize_with :spectator
670 check_non_admin_index
671 check_readable_users_index [:spectator], [:inactive, :active]
674 test "non-admin user gets only safe attributes from users#show" do
675 g = act_as_system_user do
678 users = create_list :active_user, 2, join_groups: [g]
679 token = create :token, user: users[0]
680 authorize_with_token token
681 get :show, params: {id: users[1].uuid}
685 [2, 4].each do |limit|
686 test "non-admin user can limit index to #{limit}" do
687 g = act_as_system_user do
690 users = create_list :active_user, 4, join_groups: [g]
691 token = create :token, user: users[0]
693 authorize_with_token token
694 get(:index, params: {limit: limit})
695 check_non_admin_index
696 assert_equal(limit, json_response["items"].size,
697 "non-admin index limit was ineffective")
701 test "admin has full index powers" do
702 authorize_with :admin
703 check_inactive_user_findable
706 test "reader token can grant admin index powers" do
707 authorize_with :spectator
708 check_inactive_user_findable(reader_tokens: [api_token(:admin)])
711 test "admin can filter on user.is_active" do
712 authorize_with :admin
713 get(:index, params: {filters: [["is_active", "=", "true"]]})
714 assert_response :success
715 check_readable_users_index [:active, :spectator], [:inactive]
718 test "admin can search where user.is_active" do
719 authorize_with :admin
720 get(:index, params: {where: {is_active: true}})
721 assert_response :success
722 check_readable_users_index [:active, :spectator], [:inactive]
725 test "update active_no_prefs user profile and expect notification email" do
726 authorize_with :admin
728 put :update, params: {
729 id: users(:active_no_prefs).uuid,
731 prefs: {:profile => {'organization' => 'example.com'}}
734 assert_response :success
737 ActionMailer::Base.deliveries.andand.each do |email|
738 if email.subject == "Profile created by #{users(:active_no_prefs).email}"
743 assert_equal true, found_email, 'Expected email after creating profile'
746 test "update active_no_prefs_profile user profile and expect notification email" do
747 authorize_with :admin
750 user[:prefs] = users(:active_no_prefs_profile_no_getting_started_shown).prefs
751 user[:prefs][:profile] = {:profile => {'organization' => 'example.com'}}
752 put :update, params: {
753 id: users(:active_no_prefs_profile_no_getting_started_shown).uuid,
756 assert_response :success
759 ActionMailer::Base.deliveries.andand.each do |email|
760 if email.subject == "Profile created by #{users(:active_no_prefs_profile_no_getting_started_shown).email}"
765 assert_equal true, found_email, 'Expected email after creating profile'
768 test "update active user profile and expect no notification email" do
769 authorize_with :admin
771 put :update, params: {
772 id: users(:active).uuid,
774 prefs: {:profile => {'organization' => 'anotherexample.com'}}
777 assert_response :success
780 ActionMailer::Base.deliveries.andand.each do |email|
781 if email.subject == "Profile created by #{users(:active).email}"
786 assert_equal false, found_email, 'Expected no email after updating profile'
789 test "user API response includes writable_by" do
790 authorize_with :active
792 assert_response :success
793 assert_includes(json_response["writable_by"], users(:active).uuid,
794 "user's writable_by should include self")
795 assert_includes(json_response["writable_by"], users(:active).owner_uuid,
796 "user's writable_by should include its owner_uuid")
802 ].each do |auth_user, expect_success|
803 test "update_uuid as #{auth_user}" do
804 authorize_with auth_user
805 orig_uuid = users(:active).uuid
806 post :update_uuid, params: {
808 new_uuid: 'zbbbb-tpzed-abcde12345abcde',
811 assert_response :success
812 assert_empty User.where(uuid: orig_uuid)
815 assert_not_empty User.where(uuid: orig_uuid)
820 test "refuse to merge with redirect_to_user_uuid=false (not yet supported)" do
821 authorize_with :project_viewer_trustedclient
822 post :merge, params: {
823 new_user_token: api_client_authorizations(:active_trustedclient).api_token,
824 new_owner_uuid: users(:active).uuid,
825 redirect_to_new_user: false,
830 test "refuse to merge user into self" do
831 authorize_with(:active_trustedclient)
832 post(:merge, params: {
833 new_user_token: api_client_authorizations(:active_trustedclient).api_token,
834 new_owner_uuid: users(:active).uuid,
835 redirect_to_new_user: true,
840 [[:active, :project_viewer_trustedclient],
841 [:active_trustedclient, :project_viewer]].each do |src, dst|
842 test "refuse to merge with untrusted token (#{src} -> #{dst})" do
844 post(:merge, params: {
845 new_user_token: api_client_authorizations(dst).api_token,
846 new_owner_uuid: api_client_authorizations(dst).user.uuid,
847 redirect_to_new_user: true,
853 [[:expired_trustedclient, :project_viewer_trustedclient],
854 [:project_viewer_trustedclient, :expired_trustedclient]].each do |src, dst|
855 test "refuse to merge with expired token (#{src} -> #{dst})" do
857 post(:merge, params: {
858 new_user_token: api_client_authorizations(dst).api_token,
859 new_owner_uuid: api_client_authorizations(dst).user.uuid,
860 redirect_to_new_user: true,
866 [['src', :active_trustedclient],
867 ['dst', :project_viewer_trustedclient]].each do |which_scoped, auth|
868 test "refuse to merge with scoped #{which_scoped} token" do
869 act_as_system_user do
870 api_client_authorizations(auth).update_attributes(scopes: ["GET /", "POST /", "PUT /"])
872 authorize_with(:active_trustedclient)
873 post(:merge, params: {
874 new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
875 new_owner_uuid: users(:project_viewer).uuid,
876 redirect_to_new_user: true,
882 test "refuse to merge if new_owner_uuid is not writable" do
883 authorize_with(:project_viewer_trustedclient)
884 post(:merge, params: {
885 new_user_token: api_client_authorizations(:active_trustedclient).api_token,
886 new_owner_uuid: groups(:anonymously_accessible_project).uuid,
887 redirect_to_new_user: true,
892 test "refuse to merge if new_owner_uuid is empty" do
893 authorize_with(:project_viewer_trustedclient)
894 post(:merge, params: {
895 new_user_token: api_client_authorizations(:active_trustedclient).api_token,
897 redirect_to_new_user: true,
902 test "refuse to merge if new_owner_uuid is not provided" do
903 authorize_with(:project_viewer_trustedclient)
904 post(:merge, params: {
905 new_user_token: api_client_authorizations(:active_trustedclient).api_token,
906 redirect_to_new_user: true,
911 test "refuse to update redirect_to_user_uuid directly" do
912 authorize_with(:active_trustedclient)
913 patch(:update, params: {
914 id: users(:active).uuid,
916 redirect_to_user_uuid: users(:active).uuid,
922 test "merge 'project_viewer' account into 'active' account" do
923 authorize_with(:project_viewer_trustedclient)
924 post(:merge, params: {
925 new_user_token: api_client_authorizations(:active_trustedclient).api_token,
926 new_owner_uuid: users(:active).uuid,
927 redirect_to_new_user: true,
929 assert_response(:success)
930 assert_equal(users(:project_viewer).redirect_to_user_uuid, users(:active).uuid)
932 auth = ApiClientAuthorization.validate(token: api_client_authorizations(:project_viewer).api_token)
934 assert_not_nil(auth.user)
935 assert_equal(users(:active).uuid, auth.user.uuid)
938 NON_ADMIN_USER_DATA = ["uuid", "kind", "is_active", "email", "first_name",
939 "last_name", "username"].sort
941 def check_non_admin_index
942 assert_response :success
943 response_items = json_response["items"]
944 assert_not_nil response_items
945 response_items.each do |user_data|
946 check_non_admin_item user_data
947 assert(user_data["is_active"], "non-admin index returned inactive user")
951 def check_non_admin_show
952 assert_response :success
953 check_non_admin_item json_response
956 def check_non_admin_item user_data
957 assert_equal(NON_ADMIN_USER_DATA, user_data.keys.sort,
958 "data in response had missing or extra attributes")
959 assert_equal("arvados#user", user_data["kind"])
963 def check_readable_users_index expect_present, expect_missing
964 response_uuids = json_response["items"].map { |u| u["uuid"] }
965 expect_present.each do |user_key|
966 assert_includes(response_uuids, users(user_key).uuid,
967 "#{user_key} missing from index")
969 expect_missing.each do |user_key|
970 refute_includes(response_uuids, users(user_key).uuid,
971 "#{user_key} included in index")
975 def check_inactive_user_findable(params={})
976 inactive_user = users(:inactive)
977 get(:index, params: params.merge(filters: [["email", "=", inactive_user.email]]))
978 assert_response :success
979 user_list = json_response["items"]
980 assert_equal(1, user_list.andand.count)
981 # This test needs to check a column non-admins have no access to,
982 # to ensure that admins see all user information.
983 assert_equal(inactive_user.identity_url, user_list.first["identity_url"],
984 "admin's filtered index did not return inactive user")
987 def verify_links_added more
988 assert_equal @initial_link_count+more, Link.count,
989 "Started with #{@initial_link_count} links, expected #{more} more"
992 def find_obj_in_resp (response_items, object_type, head_kind=nil)
994 response_items.each { |x|
999 if object_type == 'User'
1000 if ArvadosModel::resource_class_for_uuid(x['uuid']) == User
1004 else # looking for a link
1005 if x['head_uuid'] and ArvadosModel::resource_class_for_uuid(x['head_uuid']).kind == head_kind