1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
26 "git.arvados.org/arvados.git/lib/boot"
27 "git.arvados.org/arvados.git/lib/config"
28 "git.arvados.org/arvados.git/lib/controller/rpc"
29 "git.arvados.org/arvados.git/lib/service"
30 "git.arvados.org/arvados.git/sdk/go/arvados"
31 "git.arvados.org/arvados.git/sdk/go/arvadosclient"
32 "git.arvados.org/arvados.git/sdk/go/arvadostest"
33 "git.arvados.org/arvados.git/sdk/go/auth"
34 "git.arvados.org/arvados.git/sdk/go/ctxlog"
35 "git.arvados.org/arvados.git/sdk/go/keepclient"
36 check "gopkg.in/check.v1"
39 var _ = check.Suite(&IntegrationSuite{})
41 type testCluster struct {
44 controllerURL *url.URL
47 type IntegrationSuite struct {
48 testClusters map[string]*testCluster
49 oidcprovider *arvadostest.OIDCProvider
52 func (s *IntegrationSuite) SetUpSuite(c *check.C) {
54 c.Skip("heavy integration tests don't run with forceLegacyAPI14")
60 s.oidcprovider = arvadostest.NewOIDCProvider(c)
61 s.oidcprovider.AuthEmail = "user@example.com"
62 s.oidcprovider.AuthEmailVerified = true
63 s.oidcprovider.AuthName = "Example User"
64 s.oidcprovider.ValidClientID = "clientid"
65 s.oidcprovider.ValidClientSecret = "clientsecret"
67 s.testClusters = map[string]*testCluster{
72 hostport := map[string]string{}
73 for id := range s.testClusters {
74 hostport[id] = func() string {
75 // TODO: Instead of expecting random ports on
76 // 127.0.0.11, 22, 33 to be race-safe, try
77 // different 127.x.y.z until finding one that
79 ln, err := net.Listen("tcp", ":0")
80 c.Assert(err, check.IsNil)
82 _, port, err := net.SplitHostPort(ln.Addr().String())
83 c.Assert(err, check.IsNil)
84 return "127.0.0." + id[3:] + ":" + port
87 for id := range s.testClusters {
92 ExternalURL: https://` + hostport[id] + `
101 Host: ` + hostport["z1111"] + `
109 Host: ` + hostport["z2222"] + `
118 Host: ` + hostport["z3333"] + `
131 Issuer: ` + s.oidcprovider.Issuer.URL + `
132 ClientID: ` + s.oidcprovider.ValidClientID + `
133 ClientSecret: ` + s.oidcprovider.ValidClientSecret + `
135 EmailVerifiedClaim: email_verified
144 loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
146 loader.SkipLegacy = true
147 loader.SkipAPICalls = true
148 cfg, err := loader.Load()
149 c.Assert(err, check.IsNil)
150 s.testClusters[id] = &testCluster{
151 super: boot.Supervisor{
152 SourcePath: filepath.Join(cwd, "..", ".."),
154 ListenHost: "127.0.0." + id[3:],
155 ControllerAddr: ":0",
156 OwnTemporaryDatabase: true,
157 Stderr: &service.LogPrefixer{Writer: ctxlog.LogWriter(c.Log), Prefix: []byte("[" + id + "] ")},
161 s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-")
163 for _, tc := range s.testClusters {
164 au, ok := tc.super.WaitReady()
165 c.Assert(ok, check.Equals, true)
167 tc.controllerURL = &u
171 func (s *IntegrationSuite) TearDownSuite(c *check.C) {
172 for _, c := range s.testClusters {
177 // Get rpc connection struct initialized to communicate with the
178 // specified cluster.
179 func (s *IntegrationSuite) conn(clusterID string) *rpc.Conn {
180 return rpc.NewConn(clusterID, s.testClusters[clusterID].controllerURL, true, rpc.PassthroughTokenProvider)
183 // Return Context, Arvados.Client and keepclient structs initialized
184 // to connect to the specified cluster (by clusterID) using with the supplied
186 func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
187 cl := s.testClusters[clusterID].config.Clusters[clusterID]
188 ctx := auth.NewContext(context.Background(), auth.NewCredentials(token))
189 ac, err := arvados.NewClientFromConfig(&cl)
194 arv, err := arvadosclient.New(ac)
198 kc := keepclient.New(arv)
202 // Log in as a user called "example", get the user's API token,
203 // initialize clients with the API token, set up the user and
204 // optionally activate the user. Return client structs for
205 // communicating with the cluster on behalf of the 'example' user.
206 func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient, arvados.User) {
207 login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{
208 ReturnTo: ",https://example.com",
209 AuthInfo: rpc.UserSessionAuthInfo{
210 Email: "user@example.com",
211 FirstName: "Example",
214 ExpiresAt: time.Now().Add(1 * time.Hour),
217 c.Assert(err, check.IsNil)
218 redirURL, err := url.Parse(login.RedirectLocation)
219 c.Assert(err, check.IsNil)
220 userToken := redirURL.Query().Get("api_token")
221 c.Logf("user token: %q", userToken)
222 ctx, ac, kc := s.clientsWithToken(clusterID, userToken)
223 user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
224 c.Assert(err, check.IsNil)
225 _, err = conn.UserSetup(rootctx, arvados.UserSetupOptions{UUID: user.UUID})
226 c.Assert(err, check.IsNil)
228 _, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID})
229 c.Assert(err, check.IsNil)
230 user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{})
231 c.Assert(err, check.IsNil)
232 c.Logf("user UUID: %q", user.UUID)
234 c.Fatalf("failed to activate user -- %#v", user)
237 return ctx, ac, kc, user
240 // Return Context, arvados.Client and keepclient structs initialized
241 // to communicate with the cluster as the system root user.
242 func (s *IntegrationSuite) rootClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
243 return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].SystemRootToken)
246 // Return Context, arvados.Client and keepclient structs initialized
247 // to communicate with the cluster as the anonymous user.
248 func (s *IntegrationSuite) anonymousClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
249 return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].Users.AnonymousUserToken)
252 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
253 conn1 := s.conn("z1111")
254 rootctx1, _, _ := s.rootClients("z1111")
255 conn3 := s.conn("z3333")
256 userctx1, ac1, kc1, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
258 // Create the collection to find its PDH (but don't save it
260 var coll1 arvados.Collection
261 fs1, err := coll1.FileSystem(ac1, kc1)
262 c.Assert(err, check.IsNil)
263 f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
264 c.Assert(err, check.IsNil)
265 _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
266 c.Assert(err, check.IsNil)
268 c.Assert(err, check.IsNil)
269 mtxt, err := fs1.MarshalManifest(".")
270 c.Assert(err, check.IsNil)
271 pdh := arvados.PortableDataHash(mtxt)
273 // Looking up the PDH before saving returns 404 if cycle
274 // detection is working.
275 _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
276 c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
278 // Save the collection on cluster z1111.
279 coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
280 "manifest_text": mtxt,
282 c.Assert(err, check.IsNil)
284 // Retrieve the collection from cluster z3333.
285 coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
286 c.Check(err, check.IsNil)
287 c.Check(coll.PortableDataHash, check.Equals, pdh)
290 func (s *IntegrationSuite) TestS3WithFederatedToken(c *check.C) {
291 if _, err := exec.LookPath("s3cmd"); err != nil {
292 c.Skip("s3cmd not in PATH")
296 testText := "IntegrationSuite.TestS3WithFederatedToken"
298 conn1 := s.conn("z1111")
299 rootctx1, _, _ := s.rootClients("z1111")
300 userctx1, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
301 conn3 := s.conn("z3333")
303 createColl := func(clusterID string) arvados.Collection {
304 _, ac, kc := s.clientsWithToken(clusterID, ac1.AuthToken)
305 var coll arvados.Collection
306 fs, err := coll.FileSystem(ac, kc)
307 c.Assert(err, check.IsNil)
308 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
309 c.Assert(err, check.IsNil)
310 _, err = io.WriteString(f, testText)
311 c.Assert(err, check.IsNil)
313 c.Assert(err, check.IsNil)
314 mtxt, err := fs.MarshalManifest(".")
315 c.Assert(err, check.IsNil)
316 coll, err = s.conn(clusterID).CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
317 "manifest_text": mtxt,
319 c.Assert(err, check.IsNil)
323 for _, trial := range []struct {
324 clusterID string // create the collection on this cluster (then use z3333 to access it)
327 // Try the hardest test first: z3333 hasn't seen
328 // z1111's token yet, and we're just passing the
329 // opaque secret part, so z3333 has to guess that it
331 {"z1111", strings.Split(ac1.AuthToken, "/")[2]},
332 {"z3333", strings.Split(ac1.AuthToken, "/")[2]},
333 {"z1111", strings.Replace(ac1.AuthToken, "/", "_", -1)},
334 {"z3333", strings.Replace(ac1.AuthToken, "/", "_", -1)},
336 c.Logf("================ %v", trial)
337 coll := createColl(trial.clusterID)
339 cfgjson, err := conn3.ConfigGet(userctx1)
340 c.Assert(err, check.IsNil)
341 var cluster arvados.Cluster
342 err = json.Unmarshal(cfgjson, &cluster)
343 c.Assert(err, check.IsNil)
345 c.Logf("TokenV2 is %s", ac1.AuthToken)
346 host := cluster.Services.WebDAV.ExternalURL.Host
348 "--ssl", "--no-check-certificate",
349 "--host=" + host, "--host-bucket=" + host,
350 "--access_key=" + trial.token, "--secret_key=" + trial.token,
352 buf, err := exec.Command("s3cmd", append(s3args, "ls", "s3://"+coll.UUID)...).CombinedOutput()
353 c.Check(err, check.IsNil)
354 c.Check(string(buf), check.Matches, `.* `+fmt.Sprintf("%d", len(testText))+` +s3://`+coll.UUID+`/test.txt\n`)
356 buf, _ = exec.Command("s3cmd", append(s3args, "get", "s3://"+coll.UUID+"/test.txt", c.MkDir()+"/tmpfile")...).CombinedOutput()
357 // Command fails because we don't return Etag header.
358 flen := strconv.Itoa(len(testText))
359 c.Check(string(buf), check.Matches, `(?ms).*`+flen+` (bytes in|of `+flen+`).*`)
363 func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
364 conn1 := s.conn("z1111")
365 conn3 := s.conn("z3333")
366 rootctx1, rootac1, rootkc1 := s.rootClients("z1111")
367 anonctx3, anonac3, _ := s.anonymousClients("z3333")
369 // Make sure anonymous token was set
370 c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")
372 // Create the collection to find its PDH (but don't save it
374 var coll1 arvados.Collection
375 fs1, err := coll1.FileSystem(rootac1, rootkc1)
376 c.Assert(err, check.IsNil)
377 f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
378 c.Assert(err, check.IsNil)
379 _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous")
380 c.Assert(err, check.IsNil)
382 c.Assert(err, check.IsNil)
383 mtxt, err := fs1.MarshalManifest(".")
384 c.Assert(err, check.IsNil)
385 pdh := arvados.PortableDataHash(mtxt)
387 // Save the collection on cluster z1111.
388 coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
389 "manifest_text": mtxt,
391 c.Assert(err, check.IsNil)
393 // Share it with the anonymous users group.
394 var outLink arvados.Link
395 err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil,
396 map[string]interface{}{"link": map[string]interface{}{
397 "link_class": "permission",
399 "tail_uuid": "z1111-j7d0g-anonymouspublic",
400 "head_uuid": coll1.UUID,
403 c.Check(err, check.IsNil)
405 // Current user should be z3 anonymous user
406 outUser, err := anonac3.CurrentUser()
407 c.Check(err, check.IsNil)
408 c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic")
410 // Get the token uuid
411 var outAuth arvados.APIClientAuthorization
412 err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
413 c.Check(err, check.IsNil)
415 // Make a v2 token of the z3 anonymous user, and use it on z1
416 _, anonac1, _ := s.clientsWithToken("z1111", outAuth.TokenV2())
417 outUser2, err := anonac1.CurrentUser()
418 c.Check(err, check.IsNil)
419 // z3 anonymous user will be mapped to the z1 anonymous user
420 c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")
422 // Retrieve the collection (which is on z1) using anonymous from cluster z3333.
423 coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
424 c.Check(err, check.IsNil)
425 c.Check(coll.PortableDataHash, check.Equals, pdh)
428 // Get a token from the login cluster (z1111), use it to submit a
429 // container request on z2222.
430 func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
431 conn1 := s.conn("z1111")
432 rootctx1, _, _ := s.rootClients("z1111")
433 _, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
435 // Use ac2 to get the discovery doc with a blank token, so the
436 // SDK doesn't magically pass the z1111 token to z2222 before
437 // we're ready to start our test.
438 _, ac2, _ := s.clientsWithToken("z2222", "")
439 var dd map[string]interface{}
440 err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
441 c.Assert(err, check.IsNil)
448 cr arvados.ContainerRequest
450 json.NewEncoder(&body).Encode(map[string]interface{}{
451 "container_request": map[string]interface{}{
452 "command": []string{"echo"},
453 "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
458 ac2.AuthToken = ac1.AuthToken
460 c.Log("...post CR with good (but not yet cached) token")
461 cr = arvados.ContainerRequest{}
462 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
463 c.Assert(err, check.IsNil)
464 req.Header.Set("Content-Type", "application/json")
465 err = ac2.DoAndDecode(&cr, req)
466 c.Assert(err, check.IsNil)
467 c.Logf("err == %#v", err)
469 c.Log("...get user with good token")
471 req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
472 c.Assert(err, check.IsNil)
473 err = ac2.DoAndDecode(&u, req)
474 c.Check(err, check.IsNil)
475 c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
477 c.Log("...post CR with good cached token")
478 cr = arvados.ContainerRequest{}
479 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
480 c.Assert(err, check.IsNil)
481 req.Header.Set("Content-Type", "application/json")
482 err = ac2.DoAndDecode(&cr, req)
483 c.Check(err, check.IsNil)
484 c.Check(cr.UUID, check.Matches, "z2222-.*")
486 c.Log("...post with good cached token ('OAuth2 ...')")
487 cr = arvados.ContainerRequest{}
488 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
489 c.Assert(err, check.IsNil)
490 req.Header.Set("Content-Type", "application/json")
491 req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
492 resp, err = arvados.InsecureHTTPClient.Do(req)
493 c.Assert(err, check.IsNil)
494 err = json.NewDecoder(resp.Body).Decode(&cr)
495 c.Check(err, check.IsNil)
496 c.Check(cr.UUID, check.Matches, "z2222-.*")
499 func (s *IntegrationSuite) TestCreateContainerRequestWithBadToken(c *check.C) {
500 conn1 := s.conn("z1111")
501 rootctx1, _, _ := s.rootClients("z1111")
502 _, ac1, _, au := s.userClients(rootctx1, c, conn1, "z1111", true)
509 {"Good token", ac1.AuthToken, http.StatusOK},
510 {"Bogus token", "abcdef", http.StatusUnauthorized},
511 {"v1-looking token", "badtoken00badtoken00badtoken00badtoken00b", http.StatusUnauthorized},
512 {"v2-looking token", "v2/" + au.UUID + "/badtoken00badtoken00badtoken00badtoken00b", http.StatusUnauthorized},
515 body, _ := json.Marshal(map[string]interface{}{
516 "container_request": map[string]interface{}{
517 "command": []string{"echo"},
518 "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
524 for _, tt := range tests {
525 c.Log(c.TestName() + " " + tt.name)
526 ac1.AuthToken = tt.token
527 req, err := http.NewRequest("POST", "https://"+ac1.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body))
528 c.Assert(err, check.IsNil)
529 req.Header.Set("Content-Type", "application/json")
530 resp, err := ac1.Do(req)
531 c.Assert(err, check.IsNil)
532 c.Assert(resp.StatusCode, check.Equals, tt.expectedCode)
536 // We test the direct access to the database
537 // normally an integration test would not have a database access, but in this case we need
538 // to test tokens that are secret, so there is no API response that will give them back
539 func (s *IntegrationSuite) dbConn(c *check.C, clusterID string) (*sql.DB, *sql.Conn) {
540 ctx := context.Background()
541 db, err := sql.Open("postgres", s.testClusters[clusterID].super.Cluster().PostgreSQL.Connection.String())
542 c.Assert(err, check.IsNil)
544 conn, err := db.Conn(ctx)
545 c.Assert(err, check.IsNil)
547 rows, err := conn.ExecContext(ctx, `SELECT 1`)
548 c.Assert(err, check.IsNil)
549 n, err := rows.RowsAffected()
550 c.Assert(err, check.IsNil)
551 c.Assert(n, check.Equals, int64(1))
555 // TestRuntimeTokenInCR will test several different tokens in the runtime attribute
556 // and check the expected results accessing directly to the database if needed.
557 func (s *IntegrationSuite) TestRuntimeTokenInCR(c *check.C) {
558 db, dbconn := s.dbConn(c, "z1111")
561 conn1 := s.conn("z1111")
562 rootctx1, _, _ := s.rootClients("z1111")
563 userctx1, ac1, _, au := s.userClients(rootctx1, c, conn1, "z1111", true)
568 expectAToGetAValidCR bool
569 expectedToken *string
571 {"Good token z1111 user", ac1.AuthToken, true, &ac1.AuthToken},
572 {"Bogus token", "abcdef", false, nil},
573 {"v1-looking token", "badtoken00badtoken00badtoken00badtoken00b", false, nil},
574 {"v2-looking token", "v2/" + au.UUID + "/badtoken00badtoken00badtoken00badtoken00b", false, nil},
577 for _, tt := range tests {
578 c.Log(c.TestName() + " " + tt.name)
580 rq := map[string]interface{}{
581 "command": []string{"echo"},
582 "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
585 "runtime_token": tt.token,
587 cr, err := conn1.ContainerRequestCreate(userctx1, arvados.CreateOptions{Attrs: rq})
588 if tt.expectAToGetAValidCR {
589 c.Check(err, check.IsNil)
590 c.Check(cr, check.NotNil)
591 c.Check(cr.UUID, check.Not(check.Equals), "")
594 if tt.expectedToken == nil {
598 c.Logf("cr.UUID: %s", cr.UUID)
599 row := dbconn.QueryRowContext(rootctx1, `SELECT runtime_token from container_requests where uuid=$1`, cr.UUID)
600 c.Check(row, check.NotNil)
601 var token sql.NullString
603 if c.Check(token.Valid, check.Equals, true) {
604 c.Check(token.String, check.Equals, *tt.expectedToken)
609 // TestIntermediateCluster will send a container request to
610 // one cluster with another cluster as the destination
611 // and check the tokens are being handled properly
612 func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) {
613 conn1 := s.conn("z1111")
614 rootctx1, _, _ := s.rootClients("z1111")
615 uctx1, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
620 expectedRuntimeToken string
621 expectedUUIDprefix string
623 {"Good token z1111 user sending a CR to z2222", ac1.AuthToken, "", "z2222-xvhdp-"},
626 for _, tt := range tests {
627 c.Log(c.TestName() + " " + tt.name)
628 rq := map[string]interface{}{
629 "command": []string{"echo"},
630 "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
633 "runtime_token": tt.token,
635 cr, err := conn1.ContainerRequestCreate(uctx1, arvados.CreateOptions{ClusterID: "z2222", Attrs: rq})
637 c.Check(err, check.IsNil)
638 c.Check(strings.HasPrefix(cr.UUID, tt.expectedUUIDprefix), check.Equals, true)
639 c.Check(cr.RuntimeToken, check.Equals, tt.expectedRuntimeToken)
643 // Test for bug #16263
644 func (s *IntegrationSuite) TestListUsers(c *check.C) {
645 rootctx1, _, _ := s.rootClients("z1111")
646 conn1 := s.conn("z1111")
647 conn3 := s.conn("z3333")
648 userctx1, _, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
650 // Make sure LoginCluster is properly configured
651 for cls := range s.testClusters {
653 s.testClusters[cls].config.Clusters[cls].Login.LoginCluster,
654 check.Equals, "z1111",
655 check.Commentf("incorrect LoginCluster config on cluster %q", cls))
657 // Make sure z1111 has users with NULL usernames
658 lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
659 Limit: math.MaxInt64, // check that large limit works (see #16263)
661 nullUsername := false
662 c.Assert(err, check.IsNil)
663 c.Assert(len(lst.Items), check.Not(check.Equals), 0)
664 for _, user := range lst.Items {
665 if user.Username == "" {
669 c.Assert(nullUsername, check.Equals, true)
671 user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
672 c.Assert(err, check.IsNil)
673 c.Check(user1.IsActive, check.Equals, true)
675 // Ask for the user list on z3333 using z1111's system root token
676 lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
677 c.Assert(err, check.IsNil)
679 for _, user := range lst.Items {
680 if user.UUID == user1.UUID {
681 c.Check(user.IsActive, check.Equals, true)
686 c.Check(found, check.Equals, true)
688 // Deactivate user acct on z1111
689 _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
690 c.Assert(err, check.IsNil)
692 // Get user list from z3333, check the returned z1111 user is
694 lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
695 c.Assert(err, check.IsNil)
697 for _, user := range lst.Items {
698 if user.UUID == user1.UUID {
699 c.Check(user.IsActive, check.Equals, false)
704 c.Check(found, check.Equals, true)
706 // Deactivated user can see is_active==false via "get current
708 user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
709 c.Assert(err, check.IsNil)
710 c.Check(user1.IsActive, check.Equals, false)
713 func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
714 conn1 := s.conn("z1111")
715 conn3 := s.conn("z3333")
716 rootctx1, rootac1, _ := s.rootClients("z1111")
718 // Create user on LoginCluster z1111
719 _, _, _, user := s.userClients(rootctx1, c, conn1, "z1111", false)
721 // Make a new root token (because rootClients() uses SystemRootToken)
722 var outAuth arvados.APIClientAuthorization
723 err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
724 c.Check(err, check.IsNil)
726 // Make a v2 root token to communicate with z3333
727 rootctx3, rootac3, _ := s.clientsWithToken("z3333", outAuth.TokenV2())
729 // Create VM on z3333
730 var outVM arvados.VirtualMachine
731 err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
732 map[string]interface{}{"virtual_machine": map[string]interface{}{
733 "hostname": "example",
736 c.Check(outVM.UUID[0:5], check.Equals, "z3333")
737 c.Check(err, check.IsNil)
739 // Make sure z3333 user list is up to date
740 _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
741 c.Check(err, check.IsNil)
743 // Try to set up user on z3333 with the VM
744 _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
745 c.Check(err, check.IsNil)
747 var outLinks arvados.LinkList
748 err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
751 Filters: []arvados.Filter{
765 Operand: "can_login",
770 Operand: "permission",
772 c.Check(err, check.IsNil)
774 c.Check(len(outLinks.Items), check.Equals, 1)
777 func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
778 conn1 := s.conn("z1111")
779 rootctx1, _, _ := s.rootClients("z1111")
780 s.userClients(rootctx1, c, conn1, "z1111", true)
782 accesstoken := s.oidcprovider.ValidAccessToken()
784 for _, clusterid := range []string{"z1111", "z2222"} {
785 c.Logf("trying clusterid %s", clusterid)
787 conn := s.conn(clusterid)
788 ctx, ac, kc := s.clientsWithToken(clusterid, accesstoken)
790 var coll arvados.Collection
792 // Write some file data and create a collection
794 fs, err := coll.FileSystem(ac, kc)
795 c.Assert(err, check.IsNil)
796 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
797 c.Assert(err, check.IsNil)
798 _, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth")
799 c.Assert(err, check.IsNil)
801 c.Assert(err, check.IsNil)
802 mtxt, err := fs.MarshalManifest(".")
803 c.Assert(err, check.IsNil)
804 coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{
805 "manifest_text": mtxt,
807 c.Assert(err, check.IsNil)
810 // Read the collection & file data
812 user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
813 c.Assert(err, check.IsNil)
814 c.Check(user.FullName, check.Equals, "Example User")
815 coll, err = conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID})
816 c.Assert(err, check.IsNil)
817 c.Check(coll.ManifestText, check.Not(check.Equals), "")
818 fs, err := coll.FileSystem(ac, kc)
819 c.Assert(err, check.IsNil)
820 f, err := fs.Open("test.txt")
821 c.Assert(err, check.IsNil)
822 buf, err := ioutil.ReadAll(f)
823 c.Assert(err, check.IsNil)
824 c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth"))