# Copyright (C) The Arvados Authors. All rights reserved.
# SPDX-License-Identifier: AGPL-3.0
7 class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
test "create system auth" do
  # Mint a "system auth" token restricted to a JSON-encoded scope list.
  # The caller here is the :admin_trustedclient fixture; presumably the
  # endpoint requires an admin token from a trusted client -- confirm
  # against the controller.  Only acceptance of the request is checked,
  # not the scopes of the token that comes back.
  admin_token = api_client_authorizations(:admin_trustedclient).api_token
  post "/arvados/v1/api_client_authorizations/create_system_auth",
       params: {format: :json, scopes: ['test'].to_json},
       headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{admin_token}"}
  assert_response :success
end
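# Two ways to act as a privileged caller: a fixture admin token from a
# trusted client, or the cluster-wide SystemRootToken set in the runtime
# configuration.  Either must be able to create a token owned by another
# user (:spectator).
[:admin_trustedclient, :SystemRootToken].each do |tk|
  test "create token for different user using #{tk}" do
    if tk == :SystemRootToken
      token = "xyzzy-SystemRootToken"
      # NOTE(review): global config is mutated and not restored here;
      # presumably the harness resets Rails.configuration per test -- confirm.
      Rails.configuration.SystemRootToken = token
    else
      token = api_client_authorizations(tk).api_token
    end

    # (Params hash framing reconstructed from a gappy listing -- verify.)
    post "/arvados/v1/api_client_authorizations",
         params: {
           format: :json,
           api_client_authorization: {
             owner_uuid: users(:spectator).uuid
           }
         },
         headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
    assert_response :success

    # Prove the new token really belongs to :spectator: authenticate with
    # it and ask the API who the caller is.
    get "/arvados/v1/users/current",
        params: {format: :json},
        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{json_response['api_token']}"}
    # Added: without this, a rejected token only surfaces as a confusing
    # nil-vs-uuid mismatch on the next line.
    assert_response :success
    assert_equal users(:spectator).uuid, json_response['uuid']
  end
end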
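test "System root token is system user" do
  # A request authenticated with the configured SystemRootToken must be
  # attributed to the system user, not to any fixture user.
  # NOTE(review): the config change is not undone here; presumably the
  # harness resets Rails.configuration per test -- confirm.
  token = "xyzzy-SystemRootToken"
  Rails.configuration.SystemRootToken = token
  get "/arvados/v1/users/current",
      params: {format: :json},
      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{token}"}
  # Added: a rejected token should fail here, not as a nil uuid mismatch.
  assert_response :success
  assert_equal system_user_uuid, json_response['uuid']
end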
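test "refuse to create token for different user if not trusted client" do
  # An admin token that was NOT issued to a trusted client must not be able
  # to mint tokens for other users -- admin rights alone are not enough.
  # (Params hash framing reconstructed from a gappy listing -- verify.)
  post "/arvados/v1/api_client_authorizations",
       params: {
         format: :json,
         api_client_authorization: {
           owner_uuid: users(:spectator).uuid
         }
       },
       headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin).api_token}"}
  # NOTE(review): no response assertion was present in the visible
  # listing, so the test as shown would pass even if the request succeeded.
  # 403 is what "refuse" implies -- confirm the expected status against the
  # repository.
  assert_response 403
end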
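test "refuse to create token for different user if not admin" do
  # A trusted-client token belonging to a non-admin user must not be able
  # to mint tokens for other users -- trusted-client status alone is not
  # enough.  (Params hash framing reconstructed from a gappy listing -- verify.)
  post "/arvados/v1/api_client_authorizations",
       params: {
         format: :json,
         api_client_authorization: {
           owner_uuid: users(:spectator).uuid
         }
       },
       headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
  # NOTE(review): no response assertion was present in the visible
  # listing, so the test as shown would pass even if the request succeeded.
  # 403 is what "refuse" implies -- confirm the expected status against the
  # repository.
  assert_response 403
end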
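# desired_expiration is evaluated once, when this class loads: nil means
# "no expiry requested"; the other case requests an expiry well beyond the
# 1-hour API.MaxTokenLifetime each test below configures.
[nil, Time.now + 2.hours].each do |desired_expiration|
  test "expires_at gets clamped on non-admins when API.MaxTokenLifetime is set and desired expires_at #{desired_expiration.nil? ? 'is not set' : 'exceeds the limit'}" do
    Rails.configuration.API.MaxTokenLifetime = 1.hour
    max_lifetime = Rails.configuration.API.MaxTokenLifetime

    # Test token creation.  A non-admin caller (active_trustedclient) must
    # get an expiry clamped to "now + MaxTokenLifetime" whatever it asked
    # for.  start_t/end_t bracket the request so the clamped value can be
    # bounded from both sides; their assignments were not in the visible
    # listing and are reconstructed here -- verify.  (Params hash framing
    # likewise reconstructed.)
    start_t = Time.now
    post "/arvados/v1/api_client_authorizations",
         params: {
           format: :json,
           api_client_authorization: {
             owner_uuid: users(:active).uuid,
             expires_at: desired_expiration,
           }
         },
         headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
    end_t = Time.now
    # Added: a rejected request would otherwise surface as nil.to_time below.
    assert_response :success

    expiration_t = json_response['expires_at'].to_time
    assert_operator expiration_t.to_f, :>, (start_t + max_lifetime).to_f
    assert_operator expiration_t.to_f, :<, desired_expiration.to_f unless desired_expiration.nil?
    assert_operator expiration_t.to_f, :<, (end_t + max_lifetime).to_f

    # Test token update: re-requesting the same expires_at via PUT must be
    # clamped the same way, and the new clamp lands later than the one from
    # creation because time has passed.
    previous_expiration = expiration_t
    token_uuid = json_response["uuid"]
    start_t = Time.now
    put "/arvados/v1/api_client_authorizations/#{token_uuid}",
        params: {
          api_client_authorization: {
            expires_at: desired_expiration
          }
        },
        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
    end_t = Time.now
    # Added: see the creation step above.
    assert_response :success

    expiration_t = json_response['expires_at'].to_time
    assert_operator previous_expiration.to_f, :<, expiration_t.to_f
    assert_operator expiration_t.to_f, :>, (start_t + max_lifetime).to_f
    assert_operator expiration_t.to_f, :<, desired_expiration.to_f unless desired_expiration.nil?
    assert_operator expiration_t.to_f, :<, (end_t + max_lifetime).to_f
  end

  test "expires_at can be set to #{desired_expiration.nil? ? 'nil' : 'exceed the limit'} by admins when API.MaxTokenLifetime is set" do
    Rails.configuration.API.MaxTokenLifetime = 1.hour

    # Test token creation.  Admins are exempt from the clamp: the requested
    # value -- including "never expires", i.e. a long-lived credential -- is
    # stored verbatim.  (Params hash framing reconstructed from a gappy
    # listing -- verify.)
    post "/arvados/v1/api_client_authorizations",
         params: {
           format: :json,
           api_client_authorization: {
             owner_uuid: users(:admin).uuid,
             expires_at: desired_expiration,
           }
         },
         headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
    # Added: fail on a rejected request rather than on the assertions below.
    assert_response :success
    if desired_expiration.nil?
      assert_nil json_response['expires_at']
    else
      assert_equal desired_expiration.to_i, json_response['expires_at'].to_time.to_i
    end

    # Test token update (reverse the above behavior): flip between "no
    # expiry" and "beyond the limit" and check the admin's value still wins.
    previous_expiration = json_response['expires_at']
    token_uuid = json_response['uuid']
    desired_updated_expiration =
      if previous_expiration.nil?
        Time.now + Rails.configuration.API.MaxTokenLifetime + 1.hour
      end
    put "/arvados/v1/api_client_authorizations/#{token_uuid}",
        params: {
          api_client_authorization: {
            expires_at: desired_updated_expiration,
          }
        },
        headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
    # Added: see the creation step above.
    assert_response :success
    if desired_updated_expiration.nil?
      assert_nil json_response['expires_at']
    else
      assert_equal desired_updated_expiration.to_i, json_response['expires_at'].to_time.to_i
    end
  end
end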