1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
23 "git.arvados.org/arvados.git/lib/config"
24 "git.arvados.org/arvados.git/sdk/go/arvados"
25 "git.arvados.org/arvados.git/sdk/go/arvadosclient"
26 "git.arvados.org/arvados.git/sdk/go/arvadostest"
27 "git.arvados.org/arvados.git/sdk/go/auth"
28 "git.arvados.org/arvados.git/sdk/go/ctxlog"
29 "git.arvados.org/arvados.git/sdk/go/keepclient"
30 "github.com/prometheus/client_golang/prometheus"
31 "github.com/sirupsen/logrus"
32 check "gopkg.in/check.v1"
35 var _ = check.Suite(&UnitSuite{})
38 arvados.DebugLocksPanicMode = true
41 type UnitSuite struct {
42 cluster *arvados.Cluster
46 func (s *UnitSuite) SetUpTest(c *check.C) {
47 logger := ctxlog.TestLogger(c)
48 ldr := config.NewLoader(bytes.NewBufferString("Clusters: {zzzzz: {}}"), logger)
50 cfg, err := ldr.Load()
51 c.Assert(err, check.IsNil)
52 cc, err := cfg.GetCluster("")
53 c.Assert(err, check.IsNil)
60 registry: prometheus.NewRegistry(),
65 func (s *UnitSuite) TestCORSPreflight(c *check.C) {
67 u := mustParseURL("http://keep-web.example/c=" + arvadostest.FooCollection + "/foo")
72 RequestURI: u.RequestURI(),
74 "Origin": {"https://workbench.example"},
75 "Access-Control-Request-Method": {"POST"},
79 // Check preflight for an allowed request
80 resp := httptest.NewRecorder()
81 h.ServeHTTP(resp, req)
82 c.Check(resp.Code, check.Equals, http.StatusOK)
83 c.Check(resp.Body.String(), check.Equals, "")
84 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
85 c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "COPY, DELETE, GET, LOCK, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, RMCOL, UNLOCK")
86 c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type, Range, Depth, Destination, If, Lock-Token, Overwrite, Timeout, Cache-Control")
88 // Check preflight for a disallowed request
89 resp = httptest.NewRecorder()
90 req.Header.Set("Access-Control-Request-Method", "MAKE-COFFEE")
91 h.ServeHTTP(resp, req)
92 c.Check(resp.Body.String(), check.Equals, "")
93 c.Check(resp.Code, check.Equals, http.StatusMethodNotAllowed)
96 func (s *UnitSuite) TestEmptyResponse(c *check.C) {
97 for _, trial := range []struct {
103 // If we return no content due to a Keep read error,
104 // we should emit a log message.
105 {false, false, http.StatusOK, `(?ms).*only wrote 0 bytes.*`},
107 // If we return no content because the client sent an
108 // If-Modified-Since header, our response should be
109 // 304. We still expect a "File download" log since it
110 // counts as a file access for auditing.
111 {true, true, http.StatusNotModified, `(?ms).*msg="File download".*`},
113 c.Logf("trial: %+v", trial)
114 arvadostest.StartKeep(2, true)
115 if trial.dataExists {
116 arv, err := arvadosclient.MakeArvadosClient()
117 c.Assert(err, check.IsNil)
118 arv.ApiToken = arvadostest.ActiveToken
119 kc, err := keepclient.MakeKeepClient(arv)
120 c.Assert(err, check.IsNil)
121 _, _, err = kc.PutB([]byte("foo"))
122 c.Assert(err, check.IsNil)
125 u := mustParseURL("http://" + arvadostest.FooCollection + ".keep-web.example/foo")
126 req := &http.Request{
130 RequestURI: u.RequestURI(),
132 "Authorization": {"Bearer " + arvadostest.ActiveToken},
135 if trial.sendIMSHeader {
136 req.Header.Set("If-Modified-Since", strings.Replace(time.Now().UTC().Format(time.RFC1123), "UTC", "GMT", -1))
139 var logbuf bytes.Buffer
140 logger := logrus.New()
142 req = req.WithContext(ctxlog.Context(context.Background(), logger))
144 resp := httptest.NewRecorder()
145 s.handler.ServeHTTP(resp, req)
146 c.Check(resp.Code, check.Equals, trial.expectStatus)
147 c.Check(resp.Body.String(), check.Equals, "")
149 c.Log(logbuf.String())
150 c.Check(logbuf.String(), check.Matches, trial.logRegexp)
154 func (s *UnitSuite) TestInvalidUUID(c *check.C) {
155 bogusID := strings.Replace(arvadostest.FooCollectionPDH, "+", "-", 1) + "-"
156 token := arvadostest.ActiveToken
157 for _, trial := range []string{
158 "http://keep-web/c=" + bogusID + "/foo",
159 "http://keep-web/c=" + bogusID + "/t=" + token + "/foo",
160 "http://keep-web/collections/download/" + bogusID + "/" + token + "/foo",
161 "http://keep-web/collections/" + bogusID + "/foo",
162 "http://" + bogusID + ".keep-web/" + bogusID + "/foo",
163 "http://" + bogusID + ".keep-web/t=" + token + "/" + bogusID + "/foo",
166 u := mustParseURL(trial)
167 req := &http.Request{
171 RequestURI: u.RequestURI(),
173 resp := httptest.NewRecorder()
174 s.cluster.Users.AnonymousUserToken = arvadostest.AnonymousToken
175 s.handler.ServeHTTP(resp, req)
176 c.Check(resp.Code, check.Equals, http.StatusNotFound)
180 func mustParseURL(s string) *url.URL {
181 r, err := url.Parse(s)
183 panic("parse URL: " + s)
188 func (s *IntegrationSuite) TestVhost404(c *check.C) {
189 for _, testURL := range []string{
190 arvadostest.NonexistentCollection + ".example.com/theperthcountyconspiracy",
191 arvadostest.NonexistentCollection + ".example.com/t=" + arvadostest.ActiveToken + "/theperthcountyconspiracy",
193 resp := httptest.NewRecorder()
194 u := mustParseURL(testURL)
195 req := &http.Request{
198 RequestURI: u.RequestURI(),
200 s.handler.ServeHTTP(resp, req)
201 c.Check(resp.Code, check.Equals, http.StatusNotFound)
202 c.Check(resp.Body.String(), check.Equals, notFoundMessage+"\n")
206 // An authorizer modifies an HTTP request to make use of the given
207 // token -- by adding it to a header, cookie, query param, or whatever
208 // -- and returns the HTTP status code we should expect from keep-web if
209 // the token is invalid.
210 type authorizer func(*http.Request, string) int
212 func (s *IntegrationSuite) TestVhostViaAuthzHeaderOAuth2(c *check.C) {
213 s.doVhostRequests(c, authzViaAuthzHeaderOAuth2)
215 func authzViaAuthzHeaderOAuth2(r *http.Request, tok string) int {
216 r.Header.Add("Authorization", "Bearer "+tok)
217 return http.StatusUnauthorized
219 func (s *IntegrationSuite) TestVhostViaAuthzHeaderBearer(c *check.C) {
220 s.doVhostRequests(c, authzViaAuthzHeaderBearer)
222 func authzViaAuthzHeaderBearer(r *http.Request, tok string) int {
223 r.Header.Add("Authorization", "Bearer "+tok)
224 return http.StatusUnauthorized
227 func (s *IntegrationSuite) TestVhostViaCookieValue(c *check.C) {
228 s.doVhostRequests(c, authzViaCookieValue)
230 func authzViaCookieValue(r *http.Request, tok string) int {
231 r.AddCookie(&http.Cookie{
232 Name: "arvados_api_token",
233 Value: auth.EncodeTokenCookie([]byte(tok)),
235 return http.StatusUnauthorized
238 func (s *IntegrationSuite) TestVhostViaPath(c *check.C) {
239 s.doVhostRequests(c, authzViaPath)
241 func authzViaPath(r *http.Request, tok string) int {
242 r.URL.Path = "/t=" + tok + r.URL.Path
243 return http.StatusNotFound
246 func (s *IntegrationSuite) TestVhostViaQueryString(c *check.C) {
247 s.doVhostRequests(c, authzViaQueryString)
249 func authzViaQueryString(r *http.Request, tok string) int {
250 r.URL.RawQuery = "api_token=" + tok
251 return http.StatusUnauthorized
254 func (s *IntegrationSuite) TestVhostViaPOST(c *check.C) {
255 s.doVhostRequests(c, authzViaPOST)
257 func authzViaPOST(r *http.Request, tok string) int {
259 r.Header.Add("Content-Type", "application/x-www-form-urlencoded")
260 r.Body = ioutil.NopCloser(strings.NewReader(
261 url.Values{"api_token": {tok}}.Encode()))
262 return http.StatusUnauthorized
265 func (s *IntegrationSuite) TestVhostViaXHRPOST(c *check.C) {
266 s.doVhostRequests(c, authzViaPOST)
268 func authzViaXHRPOST(r *http.Request, tok string) int {
270 r.Header.Add("Content-Type", "application/x-www-form-urlencoded")
271 r.Header.Add("Origin", "https://origin.example")
272 r.Body = ioutil.NopCloser(strings.NewReader(
275 "disposition": {"attachment"},
277 return http.StatusUnauthorized
280 // Try some combinations of {url, token} using the given authorization
281 // mechanism, and verify the result is correct.
282 func (s *IntegrationSuite) doVhostRequests(c *check.C, authz authorizer) {
283 for _, hostPath := range []string{
284 arvadostest.FooCollection + ".example.com/foo",
285 arvadostest.FooCollection + "--collections.example.com/foo",
286 arvadostest.FooCollection + "--collections.example.com/_/foo",
287 arvadostest.FooCollectionPDH + ".example.com/foo",
288 strings.Replace(arvadostest.FooCollectionPDH, "+", "-", -1) + "--collections.example.com/foo",
289 arvadostest.FooBarDirCollection + ".example.com/dir1/foo",
291 c.Log("doRequests: ", hostPath)
292 s.doVhostRequestsWithHostPath(c, authz, hostPath)
296 func (s *IntegrationSuite) doVhostRequestsWithHostPath(c *check.C, authz authorizer, hostPath string) {
297 for _, tok := range []string{
298 arvadostest.ActiveToken,
299 arvadostest.ActiveToken[:15],
300 arvadostest.SpectatorToken,
304 u := mustParseURL("http://" + hostPath)
305 req := &http.Request{
309 RequestURI: u.RequestURI(),
310 Header: http.Header{},
312 failCode := authz(req, tok)
313 req, resp := s.doReq(req)
314 code, body := resp.Code, resp.Body.String()
316 // If the initial request had a (non-empty) token
317 // showing in the query string, we should have been
318 // redirected in order to hide it in a cookie.
319 c.Check(req.URL.String(), check.Not(check.Matches), `.*api_token=.+`)
321 if tok == arvadostest.ActiveToken {
322 c.Check(code, check.Equals, http.StatusOK)
323 c.Check(body, check.Equals, "foo")
325 c.Check(code >= 400, check.Equals, true)
326 c.Check(code < 500, check.Equals, true)
327 if tok == arvadostest.SpectatorToken {
328 // Valid token never offers to retry
329 // with different credentials.
330 c.Check(code, check.Equals, http.StatusNotFound)
332 // Invalid token can ask to retry
333 // depending on the authz method.
334 c.Check(code, check.Equals, failCode)
337 c.Check(body, check.Equals, notFoundMessage+"\n")
339 c.Check(body, check.Equals, unauthorizedMessage+"\n")
345 func (s *IntegrationSuite) TestVhostPortMatch(c *check.C) {
346 for _, host := range []string{"download.example.com", "DOWNLOAD.EXAMPLE.COM"} {
347 for _, port := range []string{"80", "443", "8000"} {
348 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = fmt.Sprintf("download.example.com:%v", port)
349 u := mustParseURL(fmt.Sprintf("http://%v/by_id/%v/foo", host, arvadostest.FooCollection))
350 req := &http.Request{
354 RequestURI: u.RequestURI(),
355 Header: http.Header{"Authorization": []string{"Bearer " + arvadostest.ActiveToken}},
357 req, resp := s.doReq(req)
358 code, _ := resp.Code, resp.Body.String()
361 c.Check(code, check.Equals, 401)
363 c.Check(code, check.Equals, 200)
369 func (s *IntegrationSuite) do(method string, urlstring string, token string, hdr http.Header) (*http.Request, *httptest.ResponseRecorder) {
370 u := mustParseURL(urlstring)
371 if hdr == nil && token != "" {
372 hdr = http.Header{"Authorization": {"Bearer " + token}}
373 } else if hdr == nil {
375 } else if token != "" {
376 panic("must not pass both token and hdr")
378 return s.doReq(&http.Request{
382 RequestURI: u.RequestURI(),
387 func (s *IntegrationSuite) doReq(req *http.Request) (*http.Request, *httptest.ResponseRecorder) {
388 resp := httptest.NewRecorder()
389 s.handler.ServeHTTP(resp, req)
390 if resp.Code != http.StatusSeeOther {
393 cookies := (&http.Response{Header: resp.Header()}).Cookies()
394 u, _ := req.URL.Parse(resp.Header().Get("Location"))
399 RequestURI: u.RequestURI(),
400 Header: http.Header{},
402 for _, c := range cookies {
408 func (s *IntegrationSuite) TestVhostRedirectQueryTokenToCookie(c *check.C) {
409 s.testVhostRedirectTokenToCookie(c, "GET",
410 arvadostest.FooCollection+".example.com/foo",
411 "?api_token="+arvadostest.ActiveToken,
419 func (s *IntegrationSuite) TestSingleOriginSecretLink(c *check.C) {
420 s.testVhostRedirectTokenToCookie(c, "GET",
421 "example.com/c="+arvadostest.FooCollection+"/t="+arvadostest.ActiveToken+"/foo",
430 func (s *IntegrationSuite) TestCollectionSharingToken(c *check.C) {
431 s.testVhostRedirectTokenToCookie(c, "GET",
432 "example.com/c="+arvadostest.FooFileCollectionUUID+"/t="+arvadostest.FooFileCollectionSharingToken+"/foo",
439 // Same valid sharing token, but requesting a different collection
440 s.testVhostRedirectTokenToCookie(c, "GET",
441 "example.com/c="+arvadostest.FooCollection+"/t="+arvadostest.FooFileCollectionSharingToken+"/foo",
446 regexp.QuoteMeta(notFoundMessage+"\n"),
450 // Bad token in URL is 404 Not Found because it doesn't make sense to
451 // retry the same URL with different authorization.
452 func (s *IntegrationSuite) TestSingleOriginSecretLinkBadToken(c *check.C) {
453 s.testVhostRedirectTokenToCookie(c, "GET",
454 "example.com/c="+arvadostest.FooCollection+"/t=bogus/foo",
459 regexp.QuoteMeta(notFoundMessage+"\n"),
463 // Bad token in a cookie (even if it got there via our own
464 // query-string-to-cookie redirect) is, in principle, retryable via
465 // wb2-login-and-redirect flow.
466 func (s *IntegrationSuite) TestVhostRedirectQueryTokenToBogusCookie(c *check.C) {
468 resp := s.testVhostRedirectTokenToCookie(c, "GET",
469 arvadostest.FooCollection+".example.com/foo",
470 "?api_token=thisisabogustoken",
471 http.Header{"Sec-Fetch-Mode": {"navigate"}},
476 u, err := url.Parse(resp.Header().Get("Location"))
477 c.Assert(err, check.IsNil)
478 c.Logf("redirected to %s", u)
479 c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
480 c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
481 c.Check(u.Query().Get("redirectToDownload"), check.Equals, "")
483 // Download/attachment indicated by ?disposition=attachment
484 resp = s.testVhostRedirectTokenToCookie(c, "GET",
485 arvadostest.FooCollection+".example.com/foo",
486 "?api_token=thisisabogustoken&disposition=attachment",
487 http.Header{"Sec-Fetch-Mode": {"navigate"}},
492 u, err = url.Parse(resp.Header().Get("Location"))
493 c.Assert(err, check.IsNil)
494 c.Logf("redirected to %s", u)
495 c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
496 c.Check(u.Query().Get("redirectToPreview"), check.Equals, "")
497 c.Check(u.Query().Get("redirectToDownload"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
499 // Download/attachment indicated by vhost
500 resp = s.testVhostRedirectTokenToCookie(c, "GET",
501 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
502 "?api_token=thisisabogustoken",
503 http.Header{"Sec-Fetch-Mode": {"navigate"}},
508 u, err = url.Parse(resp.Header().Get("Location"))
509 c.Assert(err, check.IsNil)
510 c.Logf("redirected to %s", u)
511 c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
512 c.Check(u.Query().Get("redirectToPreview"), check.Equals, "")
513 c.Check(u.Query().Get("redirectToDownload"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
515 // Without "Sec-Fetch-Mode: navigate" header, just 401.
516 s.testVhostRedirectTokenToCookie(c, "GET",
517 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
518 "?api_token=thisisabogustoken",
519 http.Header{"Sec-Fetch-Mode": {"cors"}},
521 http.StatusUnauthorized,
522 regexp.QuoteMeta(unauthorizedMessage+"\n"),
524 s.testVhostRedirectTokenToCookie(c, "GET",
525 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host+"/c="+arvadostest.FooCollection+"/foo",
526 "?api_token=thisisabogustoken",
529 http.StatusUnauthorized,
530 regexp.QuoteMeta(unauthorizedMessage+"\n"),
534 func (s *IntegrationSuite) TestVhostRedirectWithNoCache(c *check.C) {
535 resp := s.testVhostRedirectTokenToCookie(c, "GET",
536 arvadostest.FooCollection+".example.com/foo",
537 "?api_token=thisisabogustoken",
539 "Sec-Fetch-Mode": {"navigate"},
540 "Cache-Control": {"no-cache"},
546 u, err := url.Parse(resp.Header().Get("Location"))
547 c.Assert(err, check.IsNil)
548 c.Logf("redirected to %s", u)
549 c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
550 c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
551 c.Check(u.Query().Get("redirectToDownload"), check.Equals, "")
554 func (s *IntegrationSuite) TestNoTokenWorkbench2LoginFlow(c *check.C) {
555 for _, trial := range []struct {
560 {cacheControl: "no-cache"},
562 {anonToken: true, cacheControl: "no-cache"},
564 c.Logf("trial: %+v", trial)
567 s.handler.Cluster.Users.AnonymousUserToken = arvadostest.AnonymousToken
569 s.handler.Cluster.Users.AnonymousUserToken = ""
571 req, err := http.NewRequest("GET", "http://"+arvadostest.FooCollection+".example.com/foo", nil)
572 c.Assert(err, check.IsNil)
573 req.Header.Set("Sec-Fetch-Mode", "navigate")
574 if trial.cacheControl != "" {
575 req.Header.Set("Cache-Control", trial.cacheControl)
577 resp := httptest.NewRecorder()
578 s.handler.ServeHTTP(resp, req)
579 c.Check(resp.Code, check.Equals, http.StatusSeeOther)
580 u, err := url.Parse(resp.Header().Get("Location"))
581 c.Assert(err, check.IsNil)
582 c.Logf("redirected to %q", u)
583 c.Check(u.Host, check.Equals, s.handler.Cluster.Services.Workbench2.ExternalURL.Host)
584 c.Check(u.Query().Get("redirectToPreview"), check.Equals, "/c="+arvadostest.FooCollection+"/foo")
585 c.Check(u.Query().Get("redirectToDownload"), check.Equals, "")
589 func (s *IntegrationSuite) TestVhostRedirectQueryTokenSingleOriginError(c *check.C) {
590 s.testVhostRedirectTokenToCookie(c, "GET",
591 "example.com/c="+arvadostest.FooCollection+"/foo",
592 "?api_token="+arvadostest.ActiveToken,
595 http.StatusBadRequest,
596 regexp.QuoteMeta("cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n"),
600 // If client requests an attachment by putting ?disposition=attachment
601 // in the query string, and gets redirected, the redirect target
602 // should respond with an attachment.
603 func (s *IntegrationSuite) TestVhostRedirectQueryTokenRequestAttachment(c *check.C) {
604 resp := s.testVhostRedirectTokenToCookie(c, "GET",
605 arvadostest.FooCollection+".example.com/foo",
606 "?disposition=attachment&api_token="+arvadostest.ActiveToken,
612 c.Check(resp.Header().Get("Content-Disposition"), check.Matches, "attachment(;.*)?")
615 func (s *IntegrationSuite) TestVhostRedirectQueryTokenSiteFS(c *check.C) {
616 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "download.example.com"
617 resp := s.testVhostRedirectTokenToCookie(c, "GET",
618 "download.example.com/by_id/"+arvadostest.FooCollection+"/foo",
619 "?api_token="+arvadostest.ActiveToken,
625 c.Check(resp.Header().Get("Content-Disposition"), check.Matches, "attachment(;.*)?")
628 func (s *IntegrationSuite) TestPastCollectionVersionFileAccess(c *check.C) {
629 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "download.example.com"
630 resp := s.testVhostRedirectTokenToCookie(c, "GET",
631 "download.example.com/c="+arvadostest.WazVersion1Collection+"/waz",
632 "?api_token="+arvadostest.ActiveToken,
638 c.Check(resp.Header().Get("Content-Disposition"), check.Matches, "attachment(;.*)?")
639 resp = s.testVhostRedirectTokenToCookie(c, "GET",
640 "download.example.com/by_id/"+arvadostest.WazVersion1Collection+"/waz",
641 "?api_token="+arvadostest.ActiveToken,
647 c.Check(resp.Header().Get("Content-Disposition"), check.Matches, "attachment(;.*)?")
650 func (s *IntegrationSuite) TestVhostRedirectQueryTokenTrustAllContent(c *check.C) {
651 s.handler.Cluster.Collections.TrustAllContent = true
652 s.testVhostRedirectTokenToCookie(c, "GET",
653 "example.com/c="+arvadostest.FooCollection+"/foo",
654 "?api_token="+arvadostest.ActiveToken,
662 func (s *IntegrationSuite) TestVhostRedirectQueryTokenAttachmentOnlyHost(c *check.C) {
663 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "example.com:1234"
665 s.testVhostRedirectTokenToCookie(c, "GET",
666 "example.com/c="+arvadostest.FooCollection+"/foo",
667 "?api_token="+arvadostest.ActiveToken,
670 http.StatusBadRequest,
671 regexp.QuoteMeta("cannot serve inline content at this URL (possible configuration error; see https://doc.arvados.org/install/install-keep-web.html#dns)\n"),
674 resp := s.testVhostRedirectTokenToCookie(c, "GET",
675 "example.com:1234/c="+arvadostest.FooCollection+"/foo",
676 "?api_token="+arvadostest.ActiveToken,
682 c.Check(resp.Header().Get("Content-Disposition"), check.Equals, "attachment")
685 func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie(c *check.C) {
686 s.testVhostRedirectTokenToCookie(c, "POST",
687 arvadostest.FooCollection+".example.com/foo",
689 http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
690 url.Values{"api_token": {arvadostest.ActiveToken}}.Encode(),
696 func (s *IntegrationSuite) TestVhostRedirectPOSTFormTokenToCookie404(c *check.C) {
697 s.testVhostRedirectTokenToCookie(c, "POST",
698 arvadostest.FooCollection+".example.com/foo",
700 http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
701 url.Values{"api_token": {arvadostest.SpectatorToken}}.Encode(),
703 regexp.QuoteMeta(notFoundMessage+"\n"),
707 func (s *IntegrationSuite) TestAnonymousTokenOK(c *check.C) {
708 s.handler.Cluster.Users.AnonymousUserToken = arvadostest.AnonymousToken
709 s.testVhostRedirectTokenToCookie(c, "GET",
710 "example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
719 func (s *IntegrationSuite) TestAnonymousTokenError(c *check.C) {
720 s.handler.Cluster.Users.AnonymousUserToken = "anonymousTokenConfiguredButInvalid"
721 s.testVhostRedirectTokenToCookie(c, "GET",
722 "example.com/c="+arvadostest.HelloWorldCollection+"/Hello%20world.txt",
726 http.StatusUnauthorized,
727 "Authorization tokens are not accepted here: .*\n",
731 func (s *IntegrationSuite) TestSpecialCharsInPath(c *check.C) {
732 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "download.example.com"
734 client := arvados.NewClientFromEnv()
735 client.AuthToken = arvadostest.ActiveToken
736 fs, err := (&arvados.Collection{}).FileSystem(client, nil)
737 c.Assert(err, check.IsNil)
738 f, err := fs.OpenFile("https:\\\"odd' path chars", os.O_CREATE, 0777)
739 c.Assert(err, check.IsNil)
741 mtxt, err := fs.MarshalManifest(".")
742 c.Assert(err, check.IsNil)
743 var coll arvados.Collection
744 err = client.RequestAndDecode(&coll, "POST", "arvados/v1/collections", nil, map[string]interface{}{
745 "collection": map[string]string{
746 "manifest_text": mtxt,
749 c.Assert(err, check.IsNil)
751 u, _ := url.Parse("http://download.example.com/c=" + coll.UUID + "/")
752 req := &http.Request{
756 RequestURI: u.RequestURI(),
758 "Authorization": {"Bearer " + client.AuthToken},
761 resp := httptest.NewRecorder()
762 s.handler.ServeHTTP(resp, req)
763 c.Check(resp.Code, check.Equals, http.StatusOK)
764 c.Check(resp.Body.String(), check.Matches, `(?ms).*href="./https:%5c%22odd%27%20path%20chars"\S+https:\\"odd' path chars.*`)
767 func (s *IntegrationSuite) TestForwardSlashSubstitution(c *check.C) {
768 arv := arvados.NewClientFromEnv()
769 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "download.example.com"
770 s.handler.Cluster.Collections.ForwardSlashNameSubstitution = "{SOLIDUS}"
771 name := "foo/bar/baz"
772 nameShown := strings.Replace(name, "/", "{SOLIDUS}", -1)
773 nameShownEscaped := strings.Replace(name, "/", "%7bSOLIDUS%7d", -1)
775 client := arvados.NewClientFromEnv()
776 client.AuthToken = arvadostest.ActiveToken
777 fs, err := (&arvados.Collection{}).FileSystem(client, nil)
778 c.Assert(err, check.IsNil)
779 f, err := fs.OpenFile("filename", os.O_CREATE, 0777)
780 c.Assert(err, check.IsNil)
782 mtxt, err := fs.MarshalManifest(".")
783 c.Assert(err, check.IsNil)
784 var coll arvados.Collection
785 err = client.RequestAndDecode(&coll, "POST", "arvados/v1/collections", nil, map[string]interface{}{
786 "collection": map[string]string{
787 "manifest_text": mtxt,
789 "owner_uuid": arvadostest.AProjectUUID,
792 c.Assert(err, check.IsNil)
793 defer arv.RequestAndDecode(&coll, "DELETE", "arvados/v1/collections/"+coll.UUID, nil, nil)
795 base := "http://download.example.com/by_id/" + coll.OwnerUUID + "/"
796 for tryURL, expectRegexp := range map[string]string{
797 base: `(?ms).*href="./` + nameShownEscaped + `/"\S+` + nameShown + `.*`,
798 base + nameShownEscaped + "/": `(?ms).*href="./filename"\S+filename.*`,
800 u, _ := url.Parse(tryURL)
801 req := &http.Request{
805 RequestURI: u.RequestURI(),
807 "Authorization": {"Bearer " + client.AuthToken},
810 resp := httptest.NewRecorder()
811 s.handler.ServeHTTP(resp, req)
812 c.Check(resp.Code, check.Equals, http.StatusOK)
813 c.Check(resp.Body.String(), check.Matches, expectRegexp)
817 // XHRs can't follow redirect-with-cookie so they rely on method=POST
818 // and disposition=attachment (telling us it's acceptable to respond
819 // with content instead of a redirect) and an Origin header that gets
820 // added automatically by the browser (telling us it's desirable to do
822 func (s *IntegrationSuite) TestXHRNoRedirect(c *check.C) {
823 u, _ := url.Parse("http://example.com/c=" + arvadostest.FooCollection + "/foo")
824 req := &http.Request{
828 RequestURI: u.RequestURI(),
830 "Origin": {"https://origin.example"},
831 "Content-Type": {"application/x-www-form-urlencoded"},
833 Body: ioutil.NopCloser(strings.NewReader(url.Values{
834 "api_token": {arvadostest.ActiveToken},
835 "disposition": {"attachment"},
838 resp := httptest.NewRecorder()
839 s.handler.ServeHTTP(resp, req)
840 c.Check(resp.Code, check.Equals, http.StatusOK)
841 c.Check(resp.Body.String(), check.Equals, "foo")
842 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
844 // GET + Origin header is representative of both AJAX GET
845 // requests and inline images via <IMG crossorigin="anonymous"
847 u.RawQuery = "api_token=" + url.QueryEscape(arvadostest.ActiveTokenV2)
852 RequestURI: u.RequestURI(),
854 "Origin": {"https://origin.example"},
857 resp = httptest.NewRecorder()
858 s.handler.ServeHTTP(resp, req)
859 c.Check(resp.Code, check.Equals, http.StatusOK)
860 c.Check(resp.Body.String(), check.Equals, "foo")
861 c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
864 func (s *IntegrationSuite) testVhostRedirectTokenToCookie(c *check.C, method, hostPath, queryString string, reqHeader http.Header, reqBody string, expectStatus int, matchRespBody string) *httptest.ResponseRecorder {
865 if reqHeader == nil {
866 reqHeader = http.Header{}
868 u, _ := url.Parse(`http://` + hostPath + queryString)
869 c.Logf("requesting %s", u)
870 req := &http.Request{
874 RequestURI: u.RequestURI(),
876 Body: ioutil.NopCloser(strings.NewReader(reqBody)),
879 resp := httptest.NewRecorder()
881 c.Check(resp.Code, check.Equals, expectStatus)
882 c.Check(resp.Body.String(), check.Matches, matchRespBody)
885 s.handler.ServeHTTP(resp, req)
886 if resp.Code != http.StatusSeeOther {
889 c.Check(resp.Body.String(), check.Matches, `.*href="http://`+regexp.QuoteMeta(html.EscapeString(hostPath))+`(\?[^"]*)?".*`)
890 c.Check(strings.Split(resp.Header().Get("Location"), "?")[0], check.Equals, "http://"+hostPath)
891 cookies := (&http.Response{Header: resp.Header()}).Cookies()
893 u, err := u.Parse(resp.Header().Get("Location"))
894 c.Assert(err, check.IsNil)
895 c.Logf("following redirect to %s", u)
900 RequestURI: u.RequestURI(),
903 for _, c := range cookies {
907 resp = httptest.NewRecorder()
908 s.handler.ServeHTTP(resp, req)
910 if resp.Code != http.StatusSeeOther {
911 c.Check(resp.Header().Get("Location"), check.Equals, "")
916 func (s *IntegrationSuite) TestDirectoryListingWithAnonymousToken(c *check.C) {
917 s.handler.Cluster.Users.AnonymousUserToken = arvadostest.AnonymousToken
918 s.testDirectoryListing(c)
921 func (s *IntegrationSuite) TestDirectoryListingWithNoAnonymousToken(c *check.C) {
922 s.handler.Cluster.Users.AnonymousUserToken = ""
923 s.testDirectoryListing(c)
926 func (s *IntegrationSuite) testDirectoryListing(c *check.C) {
927 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "download.example.com"
928 authHeader := http.Header{
929 "Authorization": {"OAuth2 " + arvadostest.ActiveToken},
931 for _, trial := range []struct {
939 uri: strings.Replace(arvadostest.FooAndBarFilesInDirPDH, "+", "-", -1) + ".example.com/",
941 expect: []string{"dir1/foo", "dir1/bar"},
945 uri: strings.Replace(arvadostest.FooAndBarFilesInDirPDH, "+", "-", -1) + ".example.com/dir1/",
947 expect: []string{"foo", "bar"},
951 // URLs of this form ignore authHeader, and
952 // FooAndBarFilesInDirUUID isn't public, so
954 uri: "download.example.com/collections/" + arvadostest.FooAndBarFilesInDirUUID + "/",
959 uri: "download.example.com/users/active/foo_file_in_dir/",
961 expect: []string{"dir1/"},
965 uri: "download.example.com/users/active/foo_file_in_dir/dir1/",
967 expect: []string{"bar"},
971 uri: "download.example.com/",
973 expect: []string{"users/"},
977 uri: "download.example.com/users",
980 expect: []string{"active/"},
984 uri: "download.example.com/users/",
986 expect: []string{"active/"},
990 uri: "download.example.com/users/active",
992 redirect: "/users/active/",
993 expect: []string{"foo_file_in_dir/"},
997 uri: "download.example.com/users/active/",
999 expect: []string{"foo_file_in_dir/"},
1003 uri: "collections.example.com/collections/download/" + arvadostest.FooAndBarFilesInDirUUID + "/" + arvadostest.ActiveToken + "/",
1005 expect: []string{"dir1/foo", "dir1/bar"},
1009 uri: "collections.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/t=" + arvadostest.ActiveToken + "/",
1011 expect: []string{"dir1/foo", "dir1/bar"},
1015 uri: "collections.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/t=" + arvadostest.ActiveToken,
1017 expect: []string{"dir1/foo", "dir1/bar"},
1021 uri: "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID,
1023 expect: []string{"dir1/foo", "dir1/bar"},
1027 uri: "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/dir1",
1029 redirect: "/c=" + arvadostest.FooAndBarFilesInDirUUID + "/dir1/",
1030 expect: []string{"foo", "bar"},
1034 uri: "download.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/_/dir1/",
1036 expect: []string{"foo", "bar"},
1040 uri: arvadostest.FooAndBarFilesInDirUUID + ".example.com/dir1?api_token=" + arvadostest.ActiveToken,
1043 expect: []string{"foo", "bar"},
1047 uri: "collections.example.com/c=" + arvadostest.FooAndBarFilesInDirUUID + "/theperthcountyconspiracydoesnotexist/",
1052 uri: "download.example.com/c=" + arvadostest.WazVersion1Collection,
1054 expect: []string{"waz"},
1058 uri: "download.example.com/by_id/" + arvadostest.WazVersion1Collection,
1060 expect: []string{"waz"},
1064 comment := check.Commentf("HTML: %q => %q", trial.uri, trial.expect)
1065 resp := httptest.NewRecorder()
1066 u := mustParseURL("//" + trial.uri)
1067 req := &http.Request{
1071 RequestURI: u.RequestURI(),
1072 Header: copyHeader(trial.header),
1074 s.handler.ServeHTTP(resp, req)
1075 var cookies []*http.Cookie
1076 for resp.Code == http.StatusSeeOther {
1077 u, _ := req.URL.Parse(resp.Header().Get("Location"))
1078 req = &http.Request{
1082 RequestURI: u.RequestURI(),
1083 Header: copyHeader(trial.header),
1085 cookies = append(cookies, (&http.Response{Header: resp.Header()}).Cookies()...)
1086 for _, c := range cookies {
1089 resp = httptest.NewRecorder()
1090 s.handler.ServeHTTP(resp, req)
1092 if trial.redirect != "" {
1093 c.Check(req.URL.Path, check.Equals, trial.redirect, comment)
1095 if trial.expect == nil {
1096 c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment)
1098 c.Check(resp.Code, check.Equals, http.StatusOK, comment)
1099 for _, e := range trial.expect {
1100 c.Check(resp.Body.String(), check.Matches, `(?ms).*href="./`+e+`".*`, comment)
1102 c.Check(resp.Body.String(), check.Matches, `(?ms).*--cut-dirs=`+fmt.Sprintf("%d", trial.cutDirs)+` .*`, comment)
1105 comment = check.Commentf("WebDAV: %q => %q", trial.uri, trial.expect)
1106 req = &http.Request{
1110 RequestURI: u.RequestURI(),
1111 Header: copyHeader(trial.header),
1112 Body: ioutil.NopCloser(&bytes.Buffer{}),
1114 resp = httptest.NewRecorder()
1115 s.handler.ServeHTTP(resp, req)
1116 if trial.expect == nil {
1117 c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment)
1119 c.Check(resp.Code, check.Equals, http.StatusOK, comment)
1122 req = &http.Request{
1126 RequestURI: u.RequestURI(),
1127 Header: copyHeader(trial.header),
1128 Body: ioutil.NopCloser(&bytes.Buffer{}),
1130 resp = httptest.NewRecorder()
1131 s.handler.ServeHTTP(resp, req)
1132 if trial.expect == nil {
1133 c.Check(resp.Code, check.Equals, http.StatusUnauthorized, comment)
1135 c.Check(resp.Code, check.Equals, http.StatusMultiStatus, comment)
1136 for _, e := range trial.expect {
1137 if strings.HasSuffix(e, "/") {
1138 e = filepath.Join(u.Path, e) + "/"
1140 e = filepath.Join(u.Path, e)
1142 c.Check(resp.Body.String(), check.Matches, `(?ms).*<D:href>`+e+`</D:href>.*`, comment)
1148 func (s *IntegrationSuite) TestDeleteLastFile(c *check.C) {
1149 arv := arvados.NewClientFromEnv()
1150 var newCollection arvados.Collection
1151 err := arv.RequestAndDecode(&newCollection, "POST", "arvados/v1/collections", nil, map[string]interface{}{
1152 "collection": map[string]string{
1153 "owner_uuid": arvadostest.ActiveUserUUID,
1154 "manifest_text": ". acbd18db4cc2f85cedef654fccc4a4d8+3 0:3:foo.txt 0:3:bar.txt\n",
1155 "name": "keep-web test collection",
1157 "ensure_unique_name": true,
1159 c.Assert(err, check.IsNil)
1160 defer arv.RequestAndDecode(&newCollection, "DELETE", "arvados/v1/collections/"+newCollection.UUID, nil, nil)
1162 var updated arvados.Collection
1163 for _, fnm := range []string{"foo.txt", "bar.txt"} {
1164 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "example.com"
1165 u, _ := url.Parse("http://example.com/c=" + newCollection.UUID + "/" + fnm)
1166 req := &http.Request{
1170 RequestURI: u.RequestURI(),
1171 Header: http.Header{
1172 "Authorization": {"Bearer " + arvadostest.ActiveToken},
1175 resp := httptest.NewRecorder()
1176 s.handler.ServeHTTP(resp, req)
1177 c.Check(resp.Code, check.Equals, http.StatusNoContent)
1179 updated = arvados.Collection{}
1180 err = arv.RequestAndDecode(&updated, "GET", "arvados/v1/collections/"+newCollection.UUID, nil, nil)
1181 c.Check(err, check.IsNil)
1182 c.Check(updated.ManifestText, check.Not(check.Matches), `(?ms).*\Q`+fnm+`\E.*`)
1183 c.Logf("updated manifest_text %q", updated.ManifestText)
1185 c.Check(updated.ManifestText, check.Equals, "")
1188 func (s *IntegrationSuite) TestFileContentType(c *check.C) {
1189 s.handler.Cluster.Services.WebDAVDownload.ExternalURL.Host = "download.example.com"
1191 client := arvados.NewClientFromEnv()
1192 client.AuthToken = arvadostest.ActiveToken
1193 arv, err := arvadosclient.New(client)
1194 c.Assert(err, check.Equals, nil)
1195 kc, err := keepclient.MakeKeepClient(arv)
1196 c.Assert(err, check.Equals, nil)
1198 fs, err := (&arvados.Collection{}).FileSystem(client, kc)
1199 c.Assert(err, check.IsNil)
1201 trials := []struct {
1206 {"picture.txt", "BMX bikes are small this year\n", "text/plain; charset=utf-8"},
1207 {"picture.bmp", "BMX bikes are small this year\n", "image/(x-ms-)?bmp"},
1208 {"picture.jpg", "BMX bikes are small this year\n", "image/jpeg"},
1209 {"picture1", "BMX bikes are small this year\n", "image/bmp"}, // content sniff; "BM" is the magic signature for .bmp
1210 {"picture2", "Cars are small this year\n", "text/plain; charset=utf-8"}, // content sniff
1212 for _, trial := range trials {
1213 f, err := fs.OpenFile(trial.filename, os.O_CREATE|os.O_WRONLY, 0777)
1214 c.Assert(err, check.IsNil)
1215 _, err = f.Write([]byte(trial.content))
1216 c.Assert(err, check.IsNil)
1217 c.Assert(f.Close(), check.IsNil)
1219 mtxt, err := fs.MarshalManifest(".")
1220 c.Assert(err, check.IsNil)
1221 var coll arvados.Collection
1222 err = client.RequestAndDecode(&coll, "POST", "arvados/v1/collections", nil, map[string]interface{}{
1223 "collection": map[string]string{
1224 "manifest_text": mtxt,
1227 c.Assert(err, check.IsNil)
1229 for _, trial := range trials {
1230 u, _ := url.Parse("http://download.example.com/by_id/" + coll.UUID + "/" + trial.filename)
1231 req := &http.Request{
1235 RequestURI: u.RequestURI(),
1236 Header: http.Header{
1237 "Authorization": {"Bearer " + client.AuthToken},
1240 resp := httptest.NewRecorder()
1241 s.handler.ServeHTTP(resp, req)
1242 c.Check(resp.Code, check.Equals, http.StatusOK)
1243 c.Check(resp.Header().Get("Content-Type"), check.Matches, trial.contentType)
1244 c.Check(resp.Body.String(), check.Equals, trial.content)
1248 func (s *IntegrationSuite) TestKeepClientBlockCache(c *check.C) {
1249 s.handler.Cluster.Collections.WebDAVCache.MaxBlockEntries = 42
1250 c.Check(keepclient.DefaultBlockCache.MaxBlocks, check.Not(check.Equals), 42)
1251 u := mustParseURL("http://keep-web.example/c=" + arvadostest.FooCollection + "/t=" + arvadostest.ActiveToken + "/foo")
1252 req := &http.Request{
1256 RequestURI: u.RequestURI(),
1258 resp := httptest.NewRecorder()
1259 s.handler.ServeHTTP(resp, req)
1260 c.Check(resp.Code, check.Equals, http.StatusOK)
1261 c.Check(keepclient.DefaultBlockCache.MaxBlocks, check.Equals, 42)
1264 // Writing to a collection shouldn't affect its entry in the
1265 // PDH-to-manifest cache.
1266 func (s *IntegrationSuite) TestCacheWriteCollectionSamePDH(c *check.C) {
1267 arv, err := arvadosclient.MakeArvadosClient()
1268 c.Assert(err, check.Equals, nil)
1269 arv.ApiToken = arvadostest.ActiveToken
1271 u := mustParseURL("http://x.example/testfile")
1272 req := &http.Request{
1276 RequestURI: u.RequestURI(),
1277 Header: http.Header{"Authorization": {"Bearer " + arv.ApiToken}},
1280 checkWithID := func(id string, status int) {
1281 req.URL.Host = strings.Replace(id, "+", "-", -1) + ".example"
1282 req.Host = req.URL.Host
1283 resp := httptest.NewRecorder()
1284 s.handler.ServeHTTP(resp, req)
1285 c.Check(resp.Code, check.Equals, status)
1288 var colls [2]arvados.Collection
1289 for i := range colls {
1290 err := arv.Create("collections",
1291 map[string]interface{}{
1292 "ensure_unique_name": true,
1293 "collection": map[string]interface{}{
1294 "name": "test collection",
1297 c.Assert(err, check.Equals, nil)
1300 // Populate cache with empty collection
1301 checkWithID(colls[0].PortableDataHash, http.StatusNotFound)
1303 // write a file to colls[0]
1305 reqPut.Method = "PUT"
1306 reqPut.URL.Host = colls[0].UUID + ".example"
1307 reqPut.Host = req.URL.Host
1308 reqPut.Body = ioutil.NopCloser(bytes.NewBufferString("testdata"))
1309 resp := httptest.NewRecorder()
1310 s.handler.ServeHTTP(resp, &reqPut)
1311 c.Check(resp.Code, check.Equals, http.StatusCreated)
1313 // new file should not appear in colls[1]
1314 checkWithID(colls[1].PortableDataHash, http.StatusNotFound)
1315 checkWithID(colls[1].UUID, http.StatusNotFound)
1317 checkWithID(colls[0].UUID, http.StatusOK)
1320 func copyHeader(h http.Header) http.Header {
1322 for k, v := range h {
1323 hc[k] = append([]string(nil), v...)
1328 func (s *IntegrationSuite) checkUploadDownloadRequest(c *check.C, req *http.Request,
1329 successCode int, direction string, perm bool, userUuid, collectionUuid, collectionPDH, filepath string) {
1331 client := arvados.NewClientFromEnv()
1332 client.AuthToken = arvadostest.AdminToken
1333 var logentries arvados.LogList
1335 err := client.RequestAndDecode(&logentries, "GET", "arvados/v1/logs", nil,
1336 arvados.ResourceListParams{
1338 Order: "created_at desc"})
1339 c.Check(err, check.IsNil)
1340 c.Check(logentries.Items, check.HasLen, 1)
1341 lastLogId := logentries.Items[0].ID
1342 c.Logf("lastLogId: %d", lastLogId)
1344 var logbuf bytes.Buffer
1345 logger := logrus.New()
1346 logger.Out = &logbuf
1347 resp := httptest.NewRecorder()
1348 req = req.WithContext(ctxlog.Context(context.Background(), logger))
1349 s.handler.ServeHTTP(resp, req)
1352 c.Check(resp.Result().StatusCode, check.Equals, successCode)
1353 c.Check(logbuf.String(), check.Matches, `(?ms).*msg="File `+direction+`".*`)
1354 c.Check(logbuf.String(), check.Not(check.Matches), `(?ms).*level=error.*`)
1356 deadline := time.Now().Add(time.Second)
1358 c.Assert(time.Now().After(deadline), check.Equals, false, check.Commentf("timed out waiting for log entry"))
1359 logentries = arvados.LogList{}
1360 err = client.RequestAndDecode(&logentries, "GET", "arvados/v1/logs", nil,
1361 arvados.ResourceListParams{
1362 Filters: []arvados.Filter{
1363 {Attr: "event_type", Operator: "=", Operand: "file_" + direction},
1364 {Attr: "object_uuid", Operator: "=", Operand: userUuid},
1367 Order: "created_at desc",
1369 c.Assert(err, check.IsNil)
1370 if len(logentries.Items) > 0 &&
1371 logentries.Items[0].ID > lastLogId &&
1372 logentries.Items[0].ObjectUUID == userUuid &&
1373 logentries.Items[0].Properties["collection_uuid"] == collectionUuid &&
1374 (collectionPDH == "" || logentries.Items[0].Properties["portable_data_hash"] == collectionPDH) &&
1375 logentries.Items[0].Properties["collection_file_path"] == filepath {
1378 c.Logf("logentries.Items: %+v", logentries.Items)
1379 time.Sleep(50 * time.Millisecond)
1382 c.Check(resp.Result().StatusCode, check.Equals, http.StatusForbidden)
1383 c.Check(logbuf.String(), check.Equals, "")
1387 func (s *IntegrationSuite) TestDownloadLoggingPermission(c *check.C) {
1388 u := mustParseURL("http://" + arvadostest.FooCollection + ".keep-web.example/foo")
1390 s.handler.Cluster.Collections.TrustAllContent = true
1392 for _, adminperm := range []bool{true, false} {
1393 for _, userperm := range []bool{true, false} {
1394 s.handler.Cluster.Collections.WebDAVPermission.Admin.Download = adminperm
1395 s.handler.Cluster.Collections.WebDAVPermission.User.Download = userperm
1397 // Test admin permission
1398 req := &http.Request{
1402 RequestURI: u.RequestURI(),
1403 Header: http.Header{
1404 "Authorization": {"Bearer " + arvadostest.AdminToken},
1407 s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", adminperm,
1408 arvadostest.AdminUserUUID, arvadostest.FooCollection, arvadostest.FooCollectionPDH, "foo")
1410 // Test user permission
1411 req = &http.Request{
1415 RequestURI: u.RequestURI(),
1416 Header: http.Header{
1417 "Authorization": {"Bearer " + arvadostest.ActiveToken},
1420 s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", userperm,
1421 arvadostest.ActiveUserUUID, arvadostest.FooCollection, arvadostest.FooCollectionPDH, "foo")
1425 s.handler.Cluster.Collections.WebDAVPermission.User.Download = true
1427 for _, tryurl := range []string{"http://" + arvadostest.MultilevelCollection1 + ".keep-web.example/dir1/subdir/file1",
1428 "http://keep-web/users/active/multilevel_collection_1/dir1/subdir/file1"} {
1430 u = mustParseURL(tryurl)
1431 req := &http.Request{
1435 RequestURI: u.RequestURI(),
1436 Header: http.Header{
1437 "Authorization": {"Bearer " + arvadostest.ActiveToken},
1440 s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", true,
1441 arvadostest.ActiveUserUUID, arvadostest.MultilevelCollection1, arvadostest.MultilevelCollection1PDH, "dir1/subdir/file1")
1444 u = mustParseURL("http://" + strings.Replace(arvadostest.FooCollectionPDH, "+", "-", 1) + ".keep-web.example/foo")
1445 req := &http.Request{
1449 RequestURI: u.RequestURI(),
1450 Header: http.Header{
1451 "Authorization": {"Bearer " + arvadostest.ActiveToken},
1454 s.checkUploadDownloadRequest(c, req, http.StatusOK, "download", true,
1455 arvadostest.ActiveUserUUID, "", arvadostest.FooCollectionPDH, "foo")
1458 func (s *IntegrationSuite) TestUploadLoggingPermission(c *check.C) {
1459 for _, adminperm := range []bool{true, false} {
1460 for _, userperm := range []bool{true, false} {
1462 arv := arvados.NewClientFromEnv()
1463 arv.AuthToken = arvadostest.ActiveToken
1465 var coll arvados.Collection
1466 err := arv.RequestAndDecode(&coll,
1468 "/arvados/v1/collections",
1470 map[string]interface{}{
1471 "ensure_unique_name": true,
1472 "collection": map[string]interface{}{
1473 "name": "test collection",
1476 c.Assert(err, check.Equals, nil)
1478 u := mustParseURL("http://" + coll.UUID + ".keep-web.example/bar")
1480 s.handler.Cluster.Collections.WebDAVPermission.Admin.Upload = adminperm
1481 s.handler.Cluster.Collections.WebDAVPermission.User.Upload = userperm
1483 // Test admin permission
1484 req := &http.Request{
1488 RequestURI: u.RequestURI(),
1489 Header: http.Header{
1490 "Authorization": {"Bearer " + arvadostest.AdminToken},
1492 Body: io.NopCloser(bytes.NewReader([]byte("bar"))),
1494 s.checkUploadDownloadRequest(c, req, http.StatusCreated, "upload", adminperm,
1495 arvadostest.AdminUserUUID, coll.UUID, "", "bar")
1497 // Test user permission
1498 req = &http.Request{
1502 RequestURI: u.RequestURI(),
1503 Header: http.Header{
1504 "Authorization": {"Bearer " + arvadostest.ActiveToken},
1506 Body: io.NopCloser(bytes.NewReader([]byte("bar"))),
1508 s.checkUploadDownloadRequest(c, req, http.StatusCreated, "upload", userperm,
1509 arvadostest.ActiveUserUUID, coll.UUID, "", "bar")