3 class PermissionsTest < ActionDispatch::IntegrationTest
4 fixtures :users, :groups, :api_client_authorizations, :collections
6 test "adding and removing direct can_read links" do
7 # try to read collection as spectator
8 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
11 # try to add permission as spectator
12 post "/arvados/v1/links", {
15 tail_uuid: users(:spectator).uuid,
16 link_class: 'permission',
18 head_uuid: collections(:foo_file).uuid,
24 # add permission as admin
25 post "/arvados/v1/links", {
28 tail_uuid: users(:spectator).uuid,
29 link_class: 'permission',
31 head_uuid: collections(:foo_file).uuid,
35 u = json_response['uuid']
36 assert_response :success
38 # read collection as spectator
39 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
40 assert_response :success
42 # try to delete permission as spectator
43 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:spectator)
46 # delete permission as admin
47 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
48 assert_response :success
50 # try to read collection as spectator
51 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
56 test "adding can_read links from user to group, group to collection" do
57 # try to read collection as spectator
58 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
61 # add permission for spectator to read group
62 post "/arvados/v1/links", {
65 tail_uuid: users(:spectator).uuid,
66 link_class: 'permission',
68 head_uuid: groups(:private).uuid,
72 assert_response :success
74 # try to read collection as spectator
75 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
78 # add permission for group to read collection
79 post "/arvados/v1/links", {
82 tail_uuid: groups(:private).uuid,
83 link_class: 'permission',
85 head_uuid: collections(:foo_file).uuid,
89 u = json_response['uuid']
90 assert_response :success
92 # try to read collection as spectator
93 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
94 assert_response :success
96 # delete permission for group to read collection
97 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
98 assert_response :success
100 # try to read collection as spectator
101 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
107 test "adding can_read links from group to collection, user to group" do
108 # try to read collection as spectator
109 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
112 # add permission for group to read collection
113 post "/arvados/v1/links", {
116 tail_uuid: groups(:private).uuid,
117 link_class: 'permission',
119 head_uuid: collections(:foo_file).uuid,
123 assert_response :success
125 # try to read collection as spectator
126 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
129 # add permission for spectator to read group
130 post "/arvados/v1/links", {
133 tail_uuid: users(:spectator).uuid,
134 link_class: 'permission',
136 head_uuid: groups(:private).uuid,
140 u = json_response['uuid']
141 assert_response :success
143 # try to read collection as spectator
144 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
145 assert_response :success
147 # delete permission for spectator to read group
148 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
149 assert_response :success
151 # try to read collection as spectator
152 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
157 test "adding can_read links from user to group, group to group, group to collection" do
158 # try to read collection as spectator
159 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
162 # add permission for user to read group
163 post "/arvados/v1/links", {
166 tail_uuid: users(:spectator).uuid,
167 link_class: 'permission',
169 head_uuid: groups(:private).uuid,
173 assert_response :success
175 # add permission for group to read group
176 post "/arvados/v1/links", {
179 tail_uuid: groups(:private).uuid,
180 link_class: 'permission',
182 head_uuid: groups(:empty_lonely_group).uuid,
186 assert_response :success
188 # add permission for group to read collection
189 post "/arvados/v1/links", {
192 tail_uuid: groups(:empty_lonely_group).uuid,
193 link_class: 'permission',
195 head_uuid: collections(:foo_file).uuid,
199 u = json_response['uuid']
200 assert_response :success
202 # try to read collection as spectator
203 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
204 assert_response :success
206 # delete permission for group to read collection
207 delete "/arvados/v1/links/#{u}", {:format => :json}, auth(:admin)
208 assert_response :success
210 # try to read collection as spectator
211 get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
215 test "read-only group-admin sees correct subset of user list" do
216 get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin)
217 assert_response :success
218 resp_uuids = json_response['items'].collect { |i| i['uuid'] }
219 [[true, users(:rominiadmin).uuid],
220 [true, users(:active).uuid],
221 [false, users(:miniadmin).uuid],
222 [false, users(:spectator).uuid]].each do |should_find, uuid|
223 assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list"
227 test "read-only group-admin cannot modify administered user" do
228 put "/arvados/v1/users/#{users(:active).uuid}", {
230 first_name: 'KilroyWasHere'
233 }, auth(:rominiadmin)
237 test "read-only group-admin cannot read or update non-administered user" do
238 get "/arvados/v1/users/#{users(:spectator).uuid}", {
240 }, auth(:rominiadmin)
243 put "/arvados/v1/users/#{users(:spectator).uuid}", {
245 first_name: 'KilroyWasHere'
248 }, auth(:rominiadmin)
252 test "RO group-admin finds user's specimens, RW group-admin can update" do
253 [[:rominiadmin, false],
254 [:miniadmin, true]].each do |which_user, update_should_succeed|
255 get "/arvados/v1/specimens", {:format => :json}, auth(which_user)
256 assert_response :success
257 resp_uuids = json_response['items'].collect { |i| i['uuid'] }
258 [[true, specimens(:owned_by_active_user).uuid],
259 [true, specimens(:owned_by_private_group).uuid],
260 [false, specimens(:owned_by_spectator).uuid],
261 ].each do |should_find, uuid|
262 assert_equal(should_find, !resp_uuids.index(uuid).nil?,
263 "%s should%s see %s in specimen list" %
265 should_find ? '' : 'not ',
267 put "/arvados/v1/specimens/#{uuid}", {
270 miniadmin_was_here: true
277 elsif !update_should_succeed
280 assert_response :success
286 test "get_permissions returns list" do
287 # First confirm that user :active cannot get permissions on group :public
288 get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
291 # add some permissions, including can_manage
292 # permission for user :active
293 post "/arvados/v1/links", {
296 tail_uuid: users(:spectator).uuid,
297 link_class: 'permission',
299 head_uuid: groups(:public).uuid,
303 assert_response :success
304 can_read_uuid = json_response['uuid']
306 post "/arvados/v1/links", {
309 tail_uuid: users(:inactive).uuid,
310 link_class: 'permission',
312 head_uuid: groups(:public).uuid,
316 assert_response :success
317 can_write_uuid = json_response['uuid']
319 post "/arvados/v1/links", {
322 tail_uuid: users(:active).uuid,
323 link_class: 'permission',
325 head_uuid: groups(:public).uuid,
329 assert_response :success
330 can_manage_uuid = json_response['uuid']
332 # Now user :active should be able to retrieve permissions
334 get("/arvados/v1/permissions/#{groups(:public).uuid}",
335 { :format => :json },
337 assert_response :success
339 perm_uuids = json_response['items'].map { |item| item['uuid'] }
340 assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found"
341 assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found"
342 assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found"
345 test "get_permissions returns 404 for nonexistent uuid" do
346 nonexistent = Group.generate_uuid
347 # make sure it really doesn't exist
348 get "/arvados/v1/groups/#{nonexistent}", nil, auth(:admin)
351 get "/arvados/v1/permissions/#{nonexistent}", nil, auth(:active)
355 test "get_permissions returns 404 for unreadable uuid" do
356 get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
360 test "get_permissions returns 403 if user can read but not manage" do
361 post "/arvados/v1/links", {
363 tail_uuid: users(:active).uuid,
364 link_class: 'permission',
366 head_uuid: groups(:public).uuid,
370 assert_response :success
372 get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)