1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
6 require 'helpers/users_test_helper'
8 class UsersTest < ActionDispatch::IntegrationTest
9 include UsersTestHelper
# Exercises POST /arvados/v1/users/setup three times against one fixed UUID:
#   1. create the user (expects success and the default permission links);
#   2. repeat the call with the same user data plus a vm_uuid (expects 422);
#   3. call it again for the existing UUID with a vm_uuid and check that the
#      response now carries a can_login link to the test VM.
# NOTE(review): the boolean arguments to verify_link are defined in
# UsersTestHelper, which is not shown here; presumably the first one says
# whether the link is expected to exist. Confirm against the helper.
11 test "setup user multiple times" do
12 repo_name = 'usertestrepo'
14 post "/arvados/v1/users/setup",
18 uuid: 'zzzzz-tpzed-abcdefghijklmno',
19 first_name: "in_create_test_first_name",
20 last_name: "test_last_name",
21 email: "foo@example.com"
26 assert_response :success
28 response_items = json_response['items']
30 created = find_obj_in_resp response_items, 'arvados#user', nil
# The server must honour the caller-supplied UUID rather than minting a new one.
32 assert_equal 'in_create_test_first_name', created['first_name']
33 assert_not_nil created['uuid'], 'expected non-null uuid for the new user'
34 assert_equal 'zzzzz-tpzed-abcdefghijklmno', created['uuid']
35 assert_not_nil created['email'], 'expected non-nil email'
36 assert_nil created['identity_url'], 'expected no identity_url'
38 # repository permission link, plus the link that adds the user to the 'All users' group
40 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
41 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
43 verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
44 'All users', created['uuid'], 'arvados#group', true, 'Group'
# No vm_uuid was sent in the first call, so no VM login link is looked up by name (nil).
46 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
47 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
49 verify_system_group_permission_link_for created['uuid']
51 # invoke setup again with the same data
52 post "/arvados/v1/users/setup",
55 vm_uuid: virtual_machines(:testvm).uuid,
57 uuid: 'zzzzz-tpzed-abcdefghijklmno',
58 first_name: "in_create_test_first_name",
59 last_name: "test_last_name",
60 email: "foo@example.com"
64 assert_response 422 # cannot create another user with same UUID
66 # invoke setup on the same user
67 post "/arvados/v1/users/setup",
70 vm_uuid: virtual_machines(:testvm).uuid,
71 uuid: 'zzzzz-tpzed-abcdefghijklmno',
75 response_items = json_response['items']
77 created = find_obj_in_resp response_items, 'arvados#user', nil
# The user record must be unchanged by the repeated setup call.
78 assert_equal 'in_create_test_first_name', created['first_name']
79 assert_not_nil created['uuid'], 'expected non-null uuid for the new user'
80 assert_equal 'zzzzz-tpzed-abcdefghijklmno', created['uuid']
81 assert_not_nil created['email'], 'expected non-nil email'
82 assert_nil created['identity_url'], 'expected no identity_url'
84 # arvados#user, repository permission link, and the link that adds the user to the 'All users' group
85 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
86 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
88 verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
89 'All users', created['uuid'], 'arvados#group', true, 'Group'
# This time a vm_uuid was supplied, so a can_login link to the test VM is checked.
91 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
92 virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
94 verify_system_group_permission_link_for created['uuid']
# Builds up one user through three admin-authenticated calls to
# POST /arvados/v1/users/setup: first with an email, then with a repo_name
# for the returned UUID, then with a vm_uuid. After each call the response
# items are checked for the permission links that step should have produced.
97 test "setup user in multiple steps and verify response" do
98 post "/arvados/v1/users/setup",
101 email: "foo@example.com"
104 headers: auth(:admin)
106 assert_response :success
107 response_items = json_response['items']
108 created = find_obj_in_resp response_items, 'arvados#user', nil
110 assert_not_nil created['uuid'], 'expected uuid for new user'
111 assert_not_nil created['email'], 'expected non-nil email'
# NOTE(review): assert_equal takes (expected, actual); the arguments are
# reversed here, which does not change the result but makes the failure
# message misleading.
112 assert_equal created['email'], 'foo@example.com', 'expected input email'
114 # two new links: system_group, and 'All users' group.
116 verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
117 'All users', created['uuid'], 'arvados#group', true, 'Group'
119 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
120 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
122 # invoke setup with a repository
123 post "/arvados/v1/users/setup",
125 repo_name: 'newusertestrepo',
126 uuid: created['uuid']
128 headers: auth(:admin)
130 assert_response :success
132 response_items = json_response['items']
133 created = find_obj_in_resp response_items, 'arvados#user', nil
135 assert_equal 'foo@example.com', created['email'], 'expected input email'
# The group link from the first step must still be reported, now together
# with a can_manage link on the new repository; still no VM login link.
138 verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
139 'All users', created['uuid'], 'arvados#group', true, 'Group'
141 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
142 'foo/newusertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
144 verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login',
145 nil, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
147 # invoke setup with a vm_uuid
148 post "/arvados/v1/users/setup",
150 vm_uuid: virtual_machines(:testvm).uuid,
154 uuid: created['uuid']
156 headers: auth(:admin)
158 assert_response :success
160 response_items = json_response['items']
161 created = find_obj_in_resp response_items, 'arvados#user', nil
# NOTE(review): expected/actual are reversed here as well.
163 assert_equal created['email'], 'foo@example.com', 'expected original email'
166 verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
167 'All users', created['uuid'], 'arvados#group', true, 'Group'
169 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
170 virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
# Sets a user up as admin with a repository and a VM, gives that user an API
# token and extra permission links (a project and two collections), then calls
# POST /arvados/v1/users/<uuid>/unsetup as admin and checks that the token and
# every permission link whose tail is the user are gone.
# This is the revocation path: a regression here would leave a deprovisioned
# account with working credentials or lingering access grants.
173 test "setup and unsetup user" do
174 post "/arvados/v1/users/setup",
176 repo_name: 'newusertestrepo',
177 vm_uuid: virtual_machines(:testvm).uuid,
178 user: {email: 'foo@example.com'},
180 headers: auth(:admin)
182 assert_response :success
183 response_items = json_response['items']
184 created = find_obj_in_resp response_items, 'arvados#user', nil
185 assert_not_nil created['uuid'], 'expected uuid for the new user'
# NOTE(review): assert_equal takes (expected, actual); the arguments are
# reversed here, which only affects the failure message.
186 assert_equal created['email'], 'foo@example.com', 'expected given email'
188 # four extra links: system_group, login, group, repo and vm
# NOTE(review): the comment above says "four" but names five kinds of link;
# confirm which is intended.
190 verify_link response_items, 'arvados#group', true, 'permission', 'can_write',
191 'All users', created['uuid'], 'arvados#group', true, 'Group'
193 verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage',
194 'foo/newusertestrepo', created['uuid'], 'arvados#repository', true, 'Repository'
196 verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login',
197 virtual_machines(:testvm).uuid, created['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
199 verify_link_existence created['uuid'], created['email'], true, true, true, true, false
# Issue an API token for the new user directly in the database so there is
# something for unsetup to revoke.
202 token = act_as_system_user do
203 ApiClientAuthorization.create!(user: User.find_by_uuid(created['uuid']), api_client: ApiClient.all.first).api_token
206 # share project and collections with the new user
207 act_as_system_user do
208 Link.create!(tail_uuid: created['uuid'],
209 head_uuid: groups(:aproject).uuid,
210 link_class: 'permission',
212 Link.create!(tail_uuid: created['uuid'],
213 head_uuid: collections(:collection_owned_by_active).uuid,
214 link_class: 'permission',
216 Link.create!(tail_uuid: created['uuid'],
217 head_uuid: collections(:collection_owned_by_active_with_file_stats).uuid,
218 link_class: 'permission',
# Precondition: exactly one token exists for the user before unsetup.
222 assert_equal 1, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'expected token not found'
224 post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin)
226 assert_response :success
228 created2 = json_response
229 assert_not_nil created2['uuid'], 'expected uuid for the newly created user'
230 assert_equal created['uuid'], created2['uuid'], 'expected uuid not found'
# Unsetup must delete the user's API tokens, not merely deactivate the account.
231 assert_equal 0, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'token should have been deleted by user unsetup'
232 # check permissions are deleted
# This covers the links created by setup and the three shared above, since
# all of them have the user as tail_uuid.
233 assert_empty Link.where(tail_uuid: created['uuid'])
235 verify_link_existence created['uuid'], created['email'], false, false, false, false, false
# Scans the items of a setup response and returns the first entry whose
# 'kind' equals +kind+ and whose 'head_kind' equals +head_kind+.
#
# @param response_items [Array<Hash>] presumably json_response['items'], as at the call sites in this file
# @param kind [String] value to match against each item's 'kind'
# @param head_kind [String, nil] value to match against each item's 'head_kind'
# @return the matching item
# NOTE(review): what is returned when nothing matches is not visible in this
# listing; callers index the result directly, so a miss would surface as an
# error on nil rather than as a clear assertion failure. Confirm.
238 def find_obj_in_resp (response_items, kind, head_kind=nil)
239 response_items.each do |x|
241 return x if (x['kind'] == kind && x['head_kind'] == head_kind)
# Merges the "active" account into "project_viewer" via
# POST /arvados/v1/users/merge and checks where the old account's objects end up.
# The request is authenticated as active_trustedclient and carries
# project_viewer's trusted-client token as new_user_token, so the merge is
# backed by credentials for both accounts.
# NOTE(review): only the success path is pinned here; a case where the merge is
# attempted without a valid new_user_token is not part of this test.
247 test 'merge active into project_viewer account' do
# project_viewer creates the project that will receive the merged account's groups.
248 post('/arvados/v1/groups',
251 group_class: 'project',
252 name: "active user's stuff",
255 headers: auth(:project_viewer))
256 assert_response(:success)
257 project_uuid = json_response['uuid']
259 post('/arvados/v1/users/merge',
261 new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
262 new_owner_uuid: project_uuid,
263 redirect_to_new_user: true,
265 headers: auth(:active_trustedclient))
266 assert_response(:success)
# With redirect_to_new_user set, the old account's token now resolves to
# project_viewer: /users/current answers with project_viewer's UUID.
268 get('/arvados/v1/users/current', params: {}, headers: auth(:active))
269 assert_response(:success)
270 assert_equal(users(:project_viewer).uuid, json_response['uuid'])
# The SSH authorized key moves to project_viewer, as owner and as authorized user.
272 get('/arvados/v1/authorized_keys/' + authorized_keys(:active).uuid,
274 headers: auth(:active))
275 assert_response(:success)
276 assert_equal(users(:project_viewer).uuid, json_response['owner_uuid'])
277 assert_equal(users(:project_viewer).uuid, json_response['authorized_user_uuid'])
# The repository is re-owned and renamed under project_viewer's username.
279 get('/arvados/v1/repositories/' + repositories(:foo).uuid,
281 headers: auth(:active))
282 assert_response(:success)
283 assert_equal(users(:project_viewer).uuid, json_response['owner_uuid'])
284 assert_equal("#{users(:project_viewer).username}/foo", json_response['name'])
# Groups owned by the old account are placed under new_owner_uuid, not under the user.
286 get('/arvados/v1/groups/' + groups(:aproject).uuid,
288 headers: auth(:active))
289 assert_response(:success)
290 assert_equal(project_uuid, json_response['owner_uuid'])
# An admin creates a user through POST /arvados/v1/users and then reads the
# record back; the test expects the new account to be active and not admin.
# NOTE(review): where rp is assigned and the full set of posted attributes are
# not visible in this listing; presumably rp is the create response and the
# request sets is_active. Confirm.
293 test 'pre-activate user' do
294 post '/arvados/v1/users',
297 "email" => 'foo@example.com',
299 "username" => "barney"
302 headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"}
303 assert_response :success
305 assert_not_nil rp["uuid"]
306 assert_not_nil rp["is_active"]
# Creating a pre-activated user must not grant admin rights as a side effect.
307 assert_nil rp["is_admin"]
309 get "/arvados/v1/users/#{rp['uuid']}",
310 params: {format: 'json'},
311 headers: auth(:admin)
312 assert_response :success
313 assert_equal rp["uuid"], json_response['uuid']
314 assert_nil json_response['is_admin']
315 assert_equal true, json_response['is_active']
316 assert_equal 'foo@example.com', json_response['email']
317 assert_equal 'barney', json_response['username']
# Same merge as 'merge active into project_viewer account', but project_viewer
# already owns a repository named "<username>/foo" before the merge. The test
# expects the merged-in repository to be renamed to "<username>/migratedfoo"
# instead of colliding with, or replacing, the existing one.
320 test 'merge with repository name conflict' do
321 post('/arvados/v1/groups',
324 group_class: 'project',
325 name: "active user's stuff",
328 headers: auth(:project_viewer))
329 assert_response(:success)
330 project_uuid = json_response['uuid']
# Create the repository whose name the merge would otherwise take.
332 post('/arvados/v1/repositories/',
333 params: { :repository => { :name => "#{users(:project_viewer).username}/foo", :owner_uuid => users(:project_viewer).uuid } },
334 headers: auth(:project_viewer))
335 assert_response(:success)
337 post('/arvados/v1/users/merge',
339 new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
340 new_owner_uuid: project_uuid,
341 redirect_to_new_user: true,
343 headers: auth(:active_trustedclient))
344 assert_response(:success)
# Look up the old account's repository by UUID: its owner changed and its
# name got the "migrated" prefix.
346 get('/arvados/v1/repositories/' + repositories(:foo).uuid,
348 headers: auth(:active))
349 assert_response(:success)
350 assert_equal(users(:project_viewer).uuid, json_response['owner_uuid'])
351 assert_equal("#{users(:project_viewer).username}/migratedfoo", json_response['name'])
# Walks a user from creation (inactive) through signing the user agreement
# and admin activation (active), then has an admin try to flip is_active back
# to false with a plain PUT on the user record.
# NOTE(review): the assertion that follows the final PUT, and the assignments
# to the local `user`, are not visible in this listing. Confirm the test pins
# the rejection of the PUT; going by the test name, deactivation is meant to
# be possible only through a dedicated path, not a direct attribute update.
355 test "cannot set is_active to false directly" do
356 post('/arvados/v1/users',
359 email: "bob@example.com",
363 headers: auth(:admin))
364 assert_response(:success)
366 assert_equal false, user['is_active']
# Token for the new user, created directly in the database.
368 token = act_as_system_user do
369 ApiClientAuthorization.create!(user: User.find_by_uuid(user['uuid']), api_client: ApiClient.all.first).api_token
# The user signs the agreement with their own token before being activated.
371 post("/arvados/v1/user_agreements/sign",
372 params: {uuid: 'zzzzz-4zz18-t68oksiu9m80s4y'},
373 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
374 assert_response :success
376 post("/arvados/v1/users/#{user['uuid']}/activate",
378 headers: auth(:admin))
379 assert_response(:success)
381 assert_equal true, user['is_active']
383 put("/arvados/v1/users/#{user['uuid']}",
385 user: {is_active: false}
387 headers: auth(:admin))
# With NewUsersAreActive and AutoSetupNewUsers both switched off, a freshly
# created user can read their own record but cannot activate themselves: the
# activate call, made with the user's own token, must fail with
# "Cannot activate without being invited".
# NOTE(review): the two assignments below change process-wide Rails
# configuration; confirm the test harness restores it between tests so the
# setting cannot leak into other cases. The assignment of `token` and the
# expected HTTP status of the activate call are not visible in this listing.
391 test "cannot self activate when AutoSetupNewUsers is false" do
392 Rails.configuration.Users.NewUsersAreActive = false
393 Rails.configuration.Users.AutoSetupNewUsers = false
397 act_as_system_user do
398 user = User.create!(email: "bob@example.com", username: "bobby")
399 ap = ApiClientAuthorization.create!(user: user, api_client: ApiClient.all.first)
403 get("/arvados/v1/users/#{user['uuid']}",
405 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
406 assert_response(:success)
408 assert_equal false, user['is_active']
# Self-activation attempt: authenticated as the inactive user, not as admin.
410 post("/arvados/v1/users/#{user['uuid']}/activate",
412 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
414 assert_match(/Cannot activate without being invited/, json_response['errors'][0])
# Checks that the invitation granted by setup does not survive unsetup:
#   1. admin runs setup for a new user;
#   2. the user's own activate call fails until the user agreement is signed;
#   3. after signing, self-activation succeeds and is_active reads true;
#   4. admin runs unsetup, which invalidates the user's token;
#   5. with a fresh token the user is inactive again and self-activation is
#      refused with "Cannot activate without being invited".
# Step 5 is the point of the test: a deprovisioned user must not be able to
# re-enable their own account.
# NOTE(review): this test creates tokens with api_client_id: 0 while the
# sibling test uses ApiClient.all.first; the reason is not visible here. The
# assignments to `token` and the status assertions for the failing activate
# calls are also not visible in this listing.
418 test "cannot self activate after unsetup" do
419 Rails.configuration.Users.NewUsersAreActive = false
420 Rails.configuration.Users.AutoSetupNewUsers = false
424 act_as_system_user do
425 user = User.create!(email: "bob@example.com", username: "bobby")
426 ap = ApiClientAuthorization.create!(user: user, api_client_id: 0)
430 post("/arvados/v1/users/setup",
431 params: {uuid: user['uuid']},
432 headers: auth(:admin))
433 assert_response :success
# Invited but agreement not yet signed: activation must still be refused.
435 post("/arvados/v1/users/#{user['uuid']}/activate",
437 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
439 assert_match(/Cannot activate without user agreements/, json_response['errors'][0])
441 post("/arvados/v1/user_agreements/sign",
442 params: {uuid: 'zzzzz-4zz18-t68oksiu9m80s4y'},
443 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
444 assert_response :success
446 post("/arvados/v1/users/#{user['uuid']}/activate",
448 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
449 assert_response :success
451 get("/arvados/v1/users/#{user['uuid']}",
453 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
454 assert_response(:success)
455 userJSON = json_response
456 assert_equal true, userJSON['is_active']
458 post("/arvados/v1/users/#{user['uuid']}/unsetup",
460 headers: auth(:admin))
461 assert_response :success
463 # Need to get a new token, the old one was invalidated by the unsetup call
464 act_as_system_user do
465 ap = ApiClientAuthorization.create!(user: user, api_client_id: 0)
469 get("/arvados/v1/users/#{user['uuid']}",
471 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
472 assert_response(:success)
473 userJSON = json_response
474 assert_equal false, userJSON['is_active']
# The agreement signed earlier is still on record, so the refusal here must
# come from the missing invitation, which is what the message check pins.
476 post("/arvados/v1/users/#{user['uuid']}/activate",
478 headers: {"HTTP_AUTHORIZATION" => "Bearer #{token}"})
480 assert_match(/Cannot activate without being invited/, json_response['errors'][0])
# Sends the same GET /arvados/v1/users request with bypass_federation: true
# twice, once as admin (must succeed) and once as the non-admin "active" user.
# NOTE(review): no assertion follows the non-admin request in this listing.
# Confirm the test pins the rejection (status code, and ideally the error
# text); without it the test only proves the admin path works.
483 test "bypass_federation only accepted for admins" do
484 get "/arvados/v1/users",
486 bypass_federation: true
488 headers: auth(:admin)
490 assert_response :success
492 get "/arvados/v1/users",
494 bypass_federation: true
496 headers: auth(:active)
# Attempts, as admin, two ways of disabling the system root user: clearing
# is_admin with a PUT on the record, and calling unsetup on it.
# NOTE(review): neither request is followed by an assertion in this listing.
# Confirm both are pinned to a rejection status, and consider also asserting
# afterwards that the system user's is_admin flag is unchanged.
501 test "disabling system root user not permitted" do
502 put("/arvados/v1/users/#{users(:system_user).uuid}",
504 user: {is_admin: false}
506 headers: auth(:admin))
509 post("/arvados/v1/users/#{users(:system_user).uuid}/unsetup",
511 headers: auth(:admin))
# Posts a new user to /arvados/v1/users while authenticated as the "active"
# fixture user, after first asserting that this fixture is not an admin.
# NOTE(review): the assertion on the response is not visible in this listing.
# Confirm the test pins the rejection status; asserting that no user with this
# email or username exists afterwards would also rule out a partial create.
515 test "creating users only accepted for admins" do
# Guard against the fixture changing: the test is meaningless if active is an admin.
516 assert_equal false, users(:active).is_admin
517 post '/arvados/v1/users',
520 "email" => 'foo@example.com',
521 "username" => "barney"
524 headers: auth(:active)
# An admin creates a user without naming an owner; the new record's
# owner_uuid must be the system root user, not the admin who made the request.
528 test "create users assigns the system root user as their owner" do
529 post '/arvados/v1/users',
532 "email" => 'foo@example.com',
533 "username" => "barney"
536 headers: auth(:admin)
537 assert_response :success
538 assert_not_nil json_response["uuid"]
539 assert_equal users(:system_user).uuid, json_response["owner_uuid"]
# An admin creates a user and explicitly passes their own UUID as owner_uuid;
# the server must ignore that field and still assign the system root user as
# owner. This pins that user ownership cannot be chosen by the client.
542 test "create users ignores provided owner_uuid field" do
# Guard: the check below would pass trivially if admin and system_user were the same record.
543 assert_equal false, users(:admin).uuid == users(:system_user).uuid
544 post '/arvados/v1/users',
547 "email" => 'foo@example.com',
548 "owner_uuid" => users(:admin).uuid,
549 "username" => "barney"
552 headers: auth(:admin)
553 assert_response :success
554 assert_not_nil json_response["uuid"]
555 assert_equal users(:system_user).uuid, json_response["owner_uuid"]