UserGet() passes "select" option along to batch update refs #16914
[arvados.git] / services / api / test / unit / group_test.rb
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: AGPL-3.0
4
5 require 'test_helper'
6 require 'fix_roles_projects'
7
8 class GroupTest < ActiveSupport::TestCase
9   include DbCurrentTime
10
11   test "cannot set owner_uuid to object with existing ownership cycle" do
12     set_user_from_auth :active_trustedclient
13
14     # First make sure we have lots of permission on the bad group by
15     # renaming it to "{current name} is mine all mine"
16     g = groups(:bad_group_has_ownership_cycle_b)
17     g.name += " is mine all mine"
18     assert g.save, "active user should be able to modify group #{g.uuid}"
19
20     # Use the group as the owner of a new object
21     s = Specimen.
22       create(owner_uuid: groups(:bad_group_has_ownership_cycle_b).uuid)
23     assert s.valid?, "ownership should pass validation #{s.errors.messages}"
24     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
25
26     # Use the group as the new owner of an existing object
27     s = specimens(:in_aproject)
28     s.owner_uuid = groups(:bad_group_has_ownership_cycle_b).uuid
29     assert s.valid?, "ownership should pass validation"
30     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
31   end
32
33   test "cannot create a new ownership cycle" do
34     set_user_from_auth :active_trustedclient
35
36     g_foo = Group.create!(name: "foo", group_class: "project")
37     g_bar = Group.create!(name: "bar", group_class: "project")
38
39     g_foo.owner_uuid = g_bar.uuid
40     assert g_foo.save, lambda { g_foo.errors.messages }
41     g_bar.owner_uuid = g_foo.uuid
42     assert g_bar.valid?, "ownership cycle should not prevent validation"
43     assert_equal false, g_bar.save, "should not create an ownership loop"
44     assert g_bar.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
45   end
46
47   test "cannot create a single-object ownership cycle" do
48     set_user_from_auth :active_trustedclient
49
50     g_foo = Group.create!(name: "foo", group_class: "project")
51     assert g_foo.save
52
53     # Ensure I have permission to manage this group even when its owner changes
54     perm_link = Link.create!(tail_uuid: users(:active).uuid,
55                             head_uuid: g_foo.uuid,
56                             link_class: 'permission',
57                             name: 'can_manage')
58     assert perm_link.save
59
60     g_foo.owner_uuid = g_foo.uuid
61     assert_equal false, g_foo.save, "should not create an ownership loop"
62     assert g_foo.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
63   end
64
65   test "cannot create a group that is not a 'role' or 'project'" do
66     set_user_from_auth :active_trustedclient
67
68     assert_raises(ActiveRecord::RecordInvalid) do
69       Group.create!(name: "foo")
70     end
71
72     assert_raises(ActiveRecord::RecordInvalid) do
73       Group.create!(name: "foo", group_class: "")
74     end
75
76     assert_raises(ActiveRecord::RecordInvalid) do
77       Group.create!(name: "foo", group_class: "bogus")
78     end
79   end
80
81   test "cannot change group_class on an already created group" do
82     set_user_from_auth :active_trustedclient
83     g = Group.create!(name: "foo", group_class: "role")
84     assert_raises(ActiveRecord::RecordInvalid) do
85       g.update_attributes!(group_class: "project")
86     end
87   end
88
89   test "role cannot own things" do
90     set_user_from_auth :active_trustedclient
91     role = Group.create!(name: "foo", group_class: "role")
92     assert_raises(ArvadosModel::PermissionDeniedError) do
93       Collection.create!(name: "bzzz123", owner_uuid: role.uuid)
94     end
95
96     c = Collection.create!(name: "bzzz124")
97     assert_raises(ArvadosModel::PermissionDeniedError) do
98       c.update_attributes!(owner_uuid: role.uuid)
99     end
100   end
101
102   test "trash group hides contents" do
103     set_user_from_auth :active_trustedclient
104
105     g_foo = Group.create!(name: "foo", group_class: "project")
106     col = Collection.create!(owner_uuid: g_foo.uuid)
107
108     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
109     g_foo.update! is_trashed: true
110     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
111     assert Collection.readable_by(users(:active), {:include_trash => true}).where(uuid: col.uuid).any?
112     g_foo.update! is_trashed: false
113     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
114   end
115
116   test "trash group" do
117     set_user_from_auth :active_trustedclient
118
119     g_foo = Group.create!(name: "foo", group_class: "project")
120     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
121     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
122
123     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
124     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
125     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
126     g_foo.update! is_trashed: true
127     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
128     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
129     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
130
131     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_foo.uuid).any?
132     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
133     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
134   end
135
136
137   test "trash subgroup" do
138     set_user_from_auth :active_trustedclient
139
140     g_foo = Group.create!(name: "foo", group_class: "project")
141     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
142     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
143
144     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
145     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
146     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
147     g_bar.update! is_trashed: true
148
149     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
150     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
151     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
152
153     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
154     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
155   end
156
157   test "trash subsubgroup" do
158     set_user_from_auth :active_trustedclient
159
160     g_foo = Group.create!(name: "foo", group_class: "project")
161     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
162     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
163
164     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
165     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
166     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
167     g_baz.update! is_trashed: true
168     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
169     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
170     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
171     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
172   end
173
174
175   test "trash group propagates to subgroups" do
176     set_user_from_auth :active_trustedclient
177
178     g_foo = groups(:trashed_project)
179     g_bar = groups(:trashed_subproject)
180     g_baz = groups(:trashed_subproject3)
181     col = collections(:collection_in_trashed_subproject)
182
183     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
184     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
185     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
186     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
187
188     set_user_from_auth :admin
189     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
190     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
191     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
192     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
193
194     set_user_from_auth :active_trustedclient
195     g_foo.update! is_trashed: false
196     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
197     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
198     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
199
200     # this one should still be trashed.
201     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
202
203     g_baz.update! is_trashed: false
204     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
205   end
206
207   test "trashed does not propagate across permission links" do
208     set_user_from_auth :admin
209
210     g_foo = Group.create!(name: "foo", group_class: "role")
211     u_bar = User.create!(first_name: "bar")
212
213     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).any?
214     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
215     g_foo.update! is_trashed: true
216
217     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
218     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
219
220     g_foo.update! is_trashed: false
221     ln = Link.create!(tail_uuid: g_foo.uuid,
222                       head_uuid: u_bar.uuid,
223                       link_class: "permission",
224                       name: "can_read")
225     g_foo.update! is_trashed: true
226
227     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
228     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
229   end
230
231   test "move projects to trash in SweepTrashedObjects" do
232     p = groups(:trashed_on_next_sweep)
233     assert_empty Group.where('uuid=? and is_trashed=true', p.uuid)
234     SweepTrashedObjects.sweep_now
235     assert_not_empty Group.where('uuid=? and is_trashed=true', p.uuid)
236   end
237
238   test "delete projects and their contents in SweepTrashedObjects" do
239     g_foo = groups(:trashed_project)
240     g_bar = groups(:trashed_subproject)
241     g_baz = groups(:trashed_subproject3)
242     col = collections(:collection_in_trashed_subproject)
243     job = jobs(:job_in_trashed_project)
244     cr = container_requests(:cr_in_trashed_project)
245     # Save how many objects were before the sweep
246     user_nr_was = User.all.length
247     coll_nr_was = Collection.all.length
248     group_nr_was = Group.where('group_class<>?', 'project').length
249     project_nr_was = Group.where(group_class: 'project').length
250     cr_nr_was = ContainerRequest.all.length
251     job_nr_was = Job.all.length
252     assert_not_empty Group.where(uuid: g_foo.uuid)
253     assert_not_empty Group.where(uuid: g_bar.uuid)
254     assert_not_empty Group.where(uuid: g_baz.uuid)
255     assert_not_empty Collection.where(uuid: col.uuid)
256     assert_not_empty Job.where(uuid: job.uuid)
257     assert_not_empty ContainerRequest.where(uuid: cr.uuid)
258     SweepTrashedObjects.sweep_now
259     assert_empty Group.where(uuid: g_foo.uuid)
260     assert_empty Group.where(uuid: g_bar.uuid)
261     assert_empty Group.where(uuid: g_baz.uuid)
262     assert_empty Collection.where(uuid: col.uuid)
263     assert_empty Job.where(uuid: job.uuid)
264     assert_empty ContainerRequest.where(uuid: cr.uuid)
265     # No unwanted deletions should have happened
266     assert_equal user_nr_was, User.all.length
267     assert_equal coll_nr_was-2,        # collection_in_trashed_subproject
268                  Collection.all.length # & deleted_on_next_sweep collections
269     assert_equal group_nr_was, Group.where('group_class<>?', 'project').length
270     assert_equal project_nr_was-3, Group.where(group_class: 'project').length
271     assert_equal cr_nr_was-1, ContainerRequest.all.length
272     assert_equal job_nr_was-1, Job.all.length
273   end
274
275   test "project names must be displayable in a filesystem" do
276     set_user_from_auth :active
277     ["", "{SOLIDUS}"].each do |subst|
278       Rails.configuration.Collections.ForwardSlashNameSubstitution = subst
279       proj = Group.create group_class: "project"
280       role = Group.create group_class: "role"
281       [[nil, true],
282        ["", true],
283        [".", false],
284        ["..", false],
285        ["...", true],
286        ["..z..", true],
287        ["foo/bar", subst != ""],
288        ["../..", subst != ""],
289        ["/", subst != ""],
290       ].each do |name, valid|
291         role.name = name
292         assert_equal true, role.valid?
293         proj.name = name
294         assert_equal valid, proj.valid?, "#{name.inspect} should be #{valid ? "valid" : "invalid"}"
295       end
296     end
297   end
298
299   def insert_group uuid, owner_uuid, name, group_class
300     q = ActiveRecord::Base.connection.exec_query %{
301 insert into groups (uuid, owner_uuid, name, group_class, created_at, updated_at)
302        values ('#{uuid}', '#{owner_uuid}',
303                '#{name}', #{if group_class then "'"+group_class+"'" else 'NULL' end},
304                statement_timestamp(), statement_timestamp())
305 }
306     uuid
307   end
308
309   test "migration to fix roles and projects" do
310     g1 = insert_group Group.generate_uuid, system_user_uuid, 'group with no class', nil
311     g2 = insert_group Group.generate_uuid, users(:active).uuid, 'role owned by a user', 'role'
312
313     g3 = insert_group Group.generate_uuid, system_user_uuid, 'role that owns a project', 'role'
314     g4 = insert_group Group.generate_uuid, g3, 'the project', 'project'
315
316     g5 = insert_group Group.generate_uuid, users(:active).uuid, 'a project with an outgoing permission link', 'project'
317
318     g6 = insert_group Group.generate_uuid, system_user_uuid, 'name collision', 'role'
319     g7 = insert_group Group.generate_uuid, users(:active).uuid, 'name collision', 'role'
320
321     g8 = insert_group Group.generate_uuid, users(:active).uuid, 'trashed with no class', nil
322     g8obj = Group.find_by_uuid(g8)
323     g8obj.trash_at = db_current_time
324     g8obj.delete_at = db_current_time
325     act_as_system_user do
326       g8obj.save!(validate: false)
327     end
328
329     refresh_permissions
330
331     act_as_system_user do
332       l1 = Link.create!(link_class: 'permission', name: 'can_manage', tail_uuid: g3, head_uuid: g4)
333       q = ActiveRecord::Base.connection.exec_query %{
334 update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
335 }
336     refresh_permissions
337     end
338
339     assert_equal nil, Group.find_by_uuid(g1).group_class
340     assert_equal nil, Group.find_by_uuid(g8).group_class
341     assert_equal users(:active).uuid, Group.find_by_uuid(g2).owner_uuid
342     assert_equal g3, Group.find_by_uuid(g4).owner_uuid
343     assert !Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
344     assert !Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
345     assert Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
346
347     fix_roles_projects
348
349     assert_equal 'role', Group.find_by_uuid(g1).group_class
350     assert_equal 'role', Group.find_by_uuid(g8).group_class
351     assert_equal system_user_uuid, Group.find_by_uuid(g2).owner_uuid
352     assert_equal system_user_uuid, Group.find_by_uuid(g4).owner_uuid
353     assert Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
354     assert Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
355     assert !Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
356   end
357 end