services/api/test/unit/group_test.rb

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 require 'test_helper'
   6 require 'fix_roles_projects'
   7
   8 class GroupTest < ActiveSupport::TestCase
   9   include DbCurrentTime
  10
  11   test "cannot set owner_uuid to object with existing ownership cycle" do
  12     set_user_from_auth :active_trustedclient
  13
  14     # First make sure we have lots of permission on the bad group by
  15     # renaming it to "{current name} is mine all mine"
  16     g = groups(:bad_group_has_ownership_cycle_b)
  17     g.name += " is mine all mine"
  18     assert g.save, "active user should be able to modify group #{g.uuid}"
  19
  20     # Use the group as the owner of a new object
  21     s = Specimen.
  22       create(owner_uuid: groups(:bad_group_has_ownership_cycle_b).uuid)
  23     assert s.valid?, "ownership should pass validation #{s.errors.messages}"
  24     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
  25
  26     # Use the group as the new owner of an existing object
  27     s = specimens(:in_aproject)
  28     s.owner_uuid = groups(:bad_group_has_ownership_cycle_b).uuid
  29     assert s.valid?, "ownership should pass validation"
  30     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
  31   end
  32
  33   test "cannot create a new ownership cycle" do
  34     set_user_from_auth :active_trustedclient
  35
  36     g_foo = Group.create!(name: "foo", group_class: "project")
  37     g_bar = Group.create!(name: "bar", group_class: "project")
  38
  39     g_foo.owner_uuid = g_bar.uuid
  40     assert g_foo.save, lambda { g_foo.errors.messages }
  41     g_bar.owner_uuid = g_foo.uuid
  42     assert g_bar.valid?, "ownership cycle should not prevent validation"
  43     assert_equal false, g_bar.save, "should not create an ownership loop"
  44     assert g_bar.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
  45   end
  46
  47   test "cannot create a single-object ownership cycle" do
  48     set_user_from_auth :active_trustedclient
  49
  50     g_foo = Group.create!(name: "foo", group_class: "project")
  51     assert g_foo.save
  52
  53     # Ensure I have permission to manage this group even when its owner changes
  54     perm_link = Link.create!(tail_uuid: users(:active).uuid,
  55                             head_uuid: g_foo.uuid,
  56                             link_class: 'permission',
  57                             name: 'can_manage')
  58     assert perm_link.save
  59
  60     g_foo.owner_uuid = g_foo.uuid
  61     assert_equal false, g_foo.save, "should not create an ownership loop"
  62     assert g_foo.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
  63   end
  64
  65   test "cannot create a group that is not a 'role' or 'project' or 'filter'" do
  66     set_user_from_auth :active_trustedclient
  67
  68     assert_raises(ActiveRecord::RecordInvalid) do
  69       Group.create!(name: "foo")
  70     end
  71
  72     assert_raises(ActiveRecord::RecordInvalid) do
  73       Group.create!(name: "foo", group_class: "")
  74     end
  75
  76     assert_raises(ActiveRecord::RecordInvalid) do
  77       Group.create!(name: "foo", group_class: "bogus")
  78     end
  79   end
  80
  81   test "cannot change group_class on an already created group" do
  82     set_user_from_auth :active_trustedclient
  83     g = Group.create!(name: "foo", group_class: "role")
  84     assert_raises(ActiveRecord::RecordInvalid) do
  85       g.update_attributes!(group_class: "project")
  86     end
  87   end
  88
  89   test "role cannot own things" do
  90     set_user_from_auth :active_trustedclient
  91     role = Group.create!(name: "foo", group_class: "role")
  92     assert_raises(ArvadosModel::PermissionDeniedError) do
  93       Collection.create!(name: "bzzz123", owner_uuid: role.uuid)
  94     end
  95
  96     c = Collection.create!(name: "bzzz124")
  97     assert_raises(ArvadosModel::PermissionDeniedError) do
  98       c.update_attributes!(owner_uuid: role.uuid)
  99     end
 100   end
 101
 102   test "trash group hides contents" do
 103     set_user_from_auth :active_trustedclient
 104
 105     g_foo = Group.create!(name: "foo", group_class: "project")
 106     col = Collection.create!(owner_uuid: g_foo.uuid)
 107
 108     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 109     g_foo.update! is_trashed: true
 110     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 111     assert Collection.readable_by(users(:active), {:include_trash => true}).where(uuid: col.uuid).any?
 112     g_foo.update! is_trashed: false
 113     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 114   end
 115
 116   test "trash group" do
 117     set_user_from_auth :active_trustedclient
 118
 119     g_foo = Group.create!(name: "foo", group_class: "project")
 120     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 121     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 122
 123     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 124     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 125     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 126     g_foo.update! is_trashed: true
 127     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 128     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 129     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 130
 131     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_foo.uuid).any?
 132     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
 133     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 134   end
 135
 136
 137   test "trash subgroup" do
 138     set_user_from_auth :active_trustedclient
 139
 140     g_foo = Group.create!(name: "foo", group_class: "project")
 141     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 142     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 143
 144     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 145     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 146     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 147     g_bar.update! is_trashed: true
 148
 149     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 150     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 151     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 152
 153     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
 154     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 155   end
 156
 157   test "trash subsubgroup" do
 158     set_user_from_auth :active_trustedclient
 159
 160     g_foo = Group.create!(name: "foo", group_class: "project")
 161     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 162     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 163
 164     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 165     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 166     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 167     g_baz.update! is_trashed: true
 168     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 169     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 170     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 171     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 172   end
 173
 174
 175   test "trash group propagates to subgroups" do
 176     set_user_from_auth :active_trustedclient
 177
 178     g_foo = groups(:trashed_project)
 179     g_bar = groups(:trashed_subproject)
 180     g_baz = groups(:trashed_subproject3)
 181     col = collections(:collection_in_trashed_subproject)
 182
 183     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 184     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 185     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 186     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 187
 188     set_user_from_auth :admin
 189     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 190     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 191     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 192     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 193
 194     set_user_from_auth :active_trustedclient
 195     g_foo.update! is_trashed: false
 196     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 197     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 198     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 199
 200     # this one should still be trashed.
 201     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 202
 203     g_baz.update! is_trashed: false
 204     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 205   end
 206
 207   test "trashed does not propagate across permission links" do
 208     set_user_from_auth :admin
 209
 210     g_foo = Group.create!(name: "foo", group_class: "role")
 211     u_bar = User.create!(first_name: "bar")
 212
 213     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).any?
 214     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 215     g_foo.update! is_trashed: true
 216
 217     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
 218     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 219
 220     g_foo.update! is_trashed: false
 221     ln = Link.create!(tail_uuid: g_foo.uuid,
 222                       head_uuid: u_bar.uuid,
 223                       link_class: "permission",
 224                       name: "can_read")
 225     g_foo.update! is_trashed: true
 226
 227     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
 228     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 229   end
 230
 231   test "project names must be displayable in a filesystem" do
 232     set_user_from_auth :active
 233     ["", "{SOLIDUS}"].each do |subst|
 234       Rails.configuration.Collections.ForwardSlashNameSubstitution = subst
 235       proj = Group.create group_class: "project"
 236       role = Group.create group_class: "role"
 237       filt = Group.create group_class: "filter", properties: {"filters":[]}
 238       [[nil, true],
 239        ["", true],
 240        [".", false],
 241        ["..", false],
 242        ["...", true],
 243        ["..z..", true],
 244        ["foo/bar", subst != ""],
 245        ["../..", subst != ""],
 246        ["/", subst != ""],
 247       ].each do |name, valid|
 248         role.name = name
 249         assert_equal true, role.valid?
 250         proj.name = name
 251         assert_equal valid, proj.valid?, "project: #{name.inspect} should be #{valid ? "valid" : "invalid"}"
 252         filt.name = name
 253         assert_equal valid, filt.valid?, "filter: #{name.inspect} should be #{valid ? "valid" : "invalid"}"
 254       end
 255     end
 256   end
 257
 258   def insert_group uuid, owner_uuid, name, group_class
 259     q = ActiveRecord::Base.connection.exec_query %{
 260 insert into groups (uuid, owner_uuid, name, group_class, created_at, updated_at)
 261        values ('#{uuid}', '#{owner_uuid}',
 262                '#{name}', #{if group_class then "'"+group_class+"'" else 'NULL' end},
 263                statement_timestamp(), statement_timestamp())
 264 }
 265     uuid
 266   end
 267
 268   test "migration to fix roles and projects" do
 269     g1 = insert_group Group.generate_uuid, system_user_uuid, 'group with no class', nil
 270     g2 = insert_group Group.generate_uuid, users(:active).uuid, 'role owned by a user', 'role'
 271
 272     g3 = insert_group Group.generate_uuid, system_user_uuid, 'role that owns a project', 'role'
 273     g4 = insert_group Group.generate_uuid, g3, 'the project', 'project'
 274
 275     g5 = insert_group Group.generate_uuid, users(:active).uuid, 'a project with an outgoing permission link', 'project'
 276
 277     g6 = insert_group Group.generate_uuid, system_user_uuid, 'name collision', 'role'
 278     g7 = insert_group Group.generate_uuid, users(:active).uuid, 'name collision', 'role'
 279
 280     g8 = insert_group Group.generate_uuid, users(:active).uuid, 'trashed with no class', nil
 281     g8obj = Group.find_by_uuid(g8)
 282     g8obj.trash_at = db_current_time
 283     g8obj.delete_at = db_current_time
 284     act_as_system_user do
 285       g8obj.save!(validate: false)
 286     end
 287
 288     refresh_permissions
 289
 290     act_as_system_user do
 291       l1 = Link.create!(link_class: 'permission', name: 'can_manage', tail_uuid: g3, head_uuid: g4)
 292       q = ActiveRecord::Base.connection.exec_query %{
 293 update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
 294 }
 295     refresh_permissions
 296     end
 297
 298     assert_equal nil, Group.find_by_uuid(g1).group_class
 299     assert_equal nil, Group.find_by_uuid(g8).group_class
 300     assert_equal users(:active).uuid, Group.find_by_uuid(g2).owner_uuid
 301     assert_equal g3, Group.find_by_uuid(g4).owner_uuid
 302     assert !Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
 303     assert !Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
 304     assert Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
 305
 306     fix_roles_projects
 307
 308     assert_equal 'role', Group.find_by_uuid(g1).group_class
 309     assert_equal 'role', Group.find_by_uuid(g8).group_class
 310     assert_equal system_user_uuid, Group.find_by_uuid(g2).owner_uuid
 311     assert_equal system_user_uuid, Group.find_by_uuid(g4).owner_uuid
 312     assert Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
 313     assert Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
 314     assert !Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
 315   end
 316
 317   test "freeze project" do
 318     act_as_user users(:active) do
 319       Rails.configuration.API.UnfreezeProjectRequiresAdmin = false
 320       parent = Group.create!(group_class: 'project', name: 'freeze-test-parent', owner_uuid: users(:active).uuid)
 321       proj = Group.create!(group_class: 'project', name: 'freeze-test', owner_uuid: parent.uuid)
 322       proj_inner = Group.create!(group_class: 'project', name: 'freeze-test-inner', owner_uuid: proj.uuid)
 323       coll = Collection.create!(name: 'foo', manifest_text: '', owner_uuid: proj_inner.uuid)
 324
 325       # Cannot set frozen_by_uuid to a different user
 326       assert_raises do
 327         proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid)
 328       end
 329       proj.reload
 330
 331       # Cannot set frozen_by_uuid without can_manage permission
 332       act_as_system_user do
 333         Link.create!(link_class: 'permission', name: 'can_write', tail_uuid: users(:spectator).uuid, head_uuid: proj.uuid)
 334       end
 335       act_as_user users(:spectator) do
 336         # First confirm we have write permission
 337         assert Collection.create(name: 'bar', owner_uuid: proj.uuid)
 338         assert_raises(ArvadosModel::PermissionDeniedError) do
 339           proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid)
 340         end
 341       end
 342       proj.reload
 343
 344       # Cannot set frozen_by_uuid without description (if so configured)
 345       Rails.configuration.API.FreezeProjectRequiresDescription = true
 346       err = assert_raises do
 347         proj.update_attributes!(frozen_by_uuid: users(:active).uuid)
 348       end
 349       assert_match /can only be set if description is non-empty/, err.inspect
 350       proj.reload
 351       err = assert_raises do
 352         proj.update_attributes!(frozen_by_uuid: users(:active).uuid, description: '')
 353       end
 354       assert_match /can only be set if description is non-empty/, err.inspect
 355       proj.reload
 356
 357       # Cannot set frozen_by_uuid without properties (if so configured)
 358       Rails.configuration.API.FreezeProjectRequiresProperties['frobity'] = true
 359       err = assert_raises do
 360         proj.update_attributes!(
 361           frozen_by_uuid: users(:active).uuid,
 362           description: 'ready to freeze')
 363       end
 364       assert_match /can only be set if properties\[frobity\] value is non-empty/, err.inspect
 365       proj.reload
 366
 367       # Cannot set frozen_by_uuid while project or its parent is
 368       # trashed
 369       [parent, proj].each do |trashed|
 370         trashed.update_attributes!(trash_at: db_current_time)
 371         err = assert_raises do
 372           proj.update_attributes!(
 373             frozen_by_uuid: users(:active).uuid,
 374             description: 'ready to freeze',
 375             properties: {'frobity' => 'bar baz'})
 376         end
 377         assert_match /cannot be set on a trashed project/, err.inspect
 378         proj.reload
 379         trashed.update_attributes!(trash_at: nil)
 380       end
 381
 382       # Can set frozen_by_uuid if all conditions are met
 383       ok = proj.update_attributes(
 384         frozen_by_uuid: users(:active).uuid,
 385         description: 'ready to freeze',
 386         properties: {'frobity' => 'bar baz'})
 387       assert ok, proj.errors.messages.inspect
 388
 389       # Once project is frozen, cannot create new items inside it or
 390       # its descendants
 391       [proj, proj_inner].each do |frozen|
 392         assert_raises do
 393           collections(:collection_owned_by_active).update_attributes!(owner_uuid: frozen.uuid)
 394         end
 395         assert_raises do
 396           Collection.create!(owner_uuid: frozen.uuid, name: 'inside-frozen-project')
 397         end
 398         assert_raises do
 399           Group.create!(owner_uuid: frozen.uuid, group_class: 'project', name: 'inside-frozen-project')
 400         end
 401         cr = ContainerRequest.new(
 402           command: ["echo", "foo"],
 403           container_image: links(:docker_image_collection_tag).name,
 404           cwd: "/tmp",
 405           environment: {},
 406           mounts: {"/out" => {"kind" => "tmp", "capacity" => 1000000}},
 407           output_path: "/out",
 408           runtime_constraints: {"vcpus" => 1, "ram" => 2},
 409           name: "foo",
 410           description: "bar",
 411           owner_uuid: frozen.uuid,
 412         )
 413         assert_raises ArvadosModel::PermissionDeniedError do
 414           cr.save
 415         end
 416         assert_match /frozen/, cr.errors.inspect
 417         # Check the frozen-parent condition is the only reason save failed.
 418         cr.owner_uuid = users(:active).uuid
 419         assert cr.save
 420         cr.destroy
 421       end
 422
 423       # Once project is frozen, cannot change name/contents, move,
 424       # trash, or delete the project or anything beneath it
 425       [proj, proj_inner, coll].each do |frozen|
 426         assert_raises(StandardError, "should reject rename of #{frozen.uuid} with parent #{frozen.owner_uuid}") do
 427           frozen.update_attributes!(name: 'foo2')
 428         end
 429         frozen.reload
 430
 431         if frozen.is_a?(Collection)
 432           assert_raises(StandardError, "should reject manifest change of #{frozen.uuid}") do
 433             frozen.update_attributes!(manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo\n")
 434           end
 435         else
 436           assert_raises(StandardError, "should reject moving a project into #{frozen.uuid}") do
 437             groups(:private).update_attributes!(owner_uuid: frozen.uuid)
 438           end
 439         end
 440         frozen.reload
 441
 442         assert_raises(StandardError, "should reject moving #{frozen.uuid} to a different parent project") do
 443           frozen.update_attributes!(owner_uuid: groups(:private).uuid)
 444         end
 445         frozen.reload
 446         assert_raises(StandardError, "should reject setting trash_at of #{frozen.uuid}") do
 447           frozen.update_attributes!(trash_at: db_current_time)
 448         end
 449         frozen.reload
 450         assert_raises(StandardError, "should reject setting delete_at of #{frozen.uuid}") do
 451           frozen.update_attributes!(delete_at: db_current_time)
 452         end
 453         frozen.reload
 454         assert_raises(StandardError, "should reject delete of #{frozen.uuid}") do
 455           frozen.destroy
 456         end
 457         frozen.reload
 458         if frozen != proj
 459           assert_equal [], frozen.writable_by
 460         end
 461       end
 462
 463       # User with manage permission can unfreeze, then create items
 464       # inside it and its children
 465       assert proj.update_attributes(frozen_by_uuid: nil)
 466       assert Collection.create!(owner_uuid: proj.uuid, name: 'inside-unfrozen-project')
 467       assert Collection.create!(owner_uuid: proj_inner.uuid, name: 'inside-inner-unfrozen-project')
 468
 469       # Re-freeze, and reconfigure so only admins can unfreeze.
 470       assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
 471       Rails.configuration.API.UnfreezeProjectRequiresAdmin = true
 472
 473       # Owner cannot unfreeze, because not admin.
 474       err = assert_raises do
 475         proj.update_attributes!(frozen_by_uuid: nil)
 476       end
 477       assert_match /can only be changed by an admin user, once set/, err.inspect
 478       proj.reload
 479
 480       # Cannot trash or delete a frozen project's ancestor
 481       assert_raises(StandardError, "should not be able to set trash_at on parent of frozen project") do
 482         parent.update_attributes!(trash_at: db_current_time)
 483       end
 484       parent.reload
 485       assert_raises(StandardError, "should not be able to set delete_at on parent of frozen project") do
 486         parent.update_attributes!(delete_at: db_current_time)
 487       end
 488       parent.reload
 489
 490       act_as_user users(:admin) do
 491         # Even admin cannot change frozen_by_uuid to someone else's UUID.
 492         err = assert_raises do
 493           proj.update_attributes!(frozen_by_uuid: users(:project_viewer).uuid)
 494         end
 495         assert_match /can only be set to the current user's UUID/, err.inspect
 496         proj.reload
 497
 498         # Admin can unfreeze.
 499         assert proj.update_attributes(frozen_by_uuid: nil), proj.errors.messages
 500       end
 501     end
 502   end
 503 end