services/api/test/unit/group_test.rb

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 require 'test_helper'
   6 require 'fix_roles_projects'
   7
   8 class GroupTest < ActiveSupport::TestCase
   9   include DbCurrentTime
  10
  11   test "cannot set owner_uuid to object with existing ownership cycle" do
  12     set_user_from_auth :active_trustedclient
  13
  14     # First make sure we have lots of permission on the bad group by
  15     # renaming it to "{current name} is mine all mine"
  16     g = groups(:bad_group_has_ownership_cycle_b)
  17     g.name += " is mine all mine"
  18     assert g.save, "active user should be able to modify group #{g.uuid}"
  19
  20     # Use the group as the owner of a new object
  21     s = Specimen.
  22       create(owner_uuid: groups(:bad_group_has_ownership_cycle_b).uuid)
  23     assert s.valid?, "ownership should pass validation #{s.errors.messages}"
  24     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
  25
  26     # Use the group as the new owner of an existing object
  27     s = specimens(:in_aproject)
  28     s.owner_uuid = groups(:bad_group_has_ownership_cycle_b).uuid
  29     assert s.valid?, "ownership should pass validation"
  30     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
  31   end
  32
  33   test "cannot create a new ownership cycle" do
  34     set_user_from_auth :active_trustedclient
  35
  36     g_foo = Group.create!(name: "foo", group_class: "project")
  37     g_bar = Group.create!(name: "bar", group_class: "project")
  38
  39     g_foo.owner_uuid = g_bar.uuid
  40     assert g_foo.save, lambda { g_foo.errors.messages }
  41     g_bar.owner_uuid = g_foo.uuid
  42     assert g_bar.valid?, "ownership cycle should not prevent validation"
  43     assert_equal false, g_bar.save, "should not create an ownership loop"
  44     assert g_bar.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
  45   end
  46
  47   test "cannot create a single-object ownership cycle" do
  48     set_user_from_auth :active_trustedclient
  49
  50     g_foo = Group.create!(name: "foo", group_class: "project")
  51     assert g_foo.save
  52
  53     # Ensure I have permission to manage this group even when its owner changes
  54     perm_link = Link.create!(tail_uuid: users(:active).uuid,
  55                             head_uuid: g_foo.uuid,
  56                             link_class: 'permission',
  57                             name: 'can_manage')
  58     assert perm_link.save
  59
  60     g_foo.owner_uuid = g_foo.uuid
  61     assert_equal false, g_foo.save, "should not create an ownership loop"
  62     assert g_foo.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
  63   end
  64
  65   test "cannot create a group that is not a 'role' or 'project'" do
  66     set_user_from_auth :active_trustedclient
  67
  68     assert_raises(ActiveRecord::RecordInvalid) do
  69       Group.create!(name: "foo")
  70     end
  71
  72     assert_raises(ActiveRecord::RecordInvalid) do
  73       Group.create!(name: "foo", group_class: "")
  74     end
  75
  76     assert_raises(ActiveRecord::RecordInvalid) do
  77       Group.create!(name: "foo", group_class: "bogus")
  78     end
  79   end
  80
  81   test "cannot change group_class on an already created group" do
  82     set_user_from_auth :active_trustedclient
  83     g = Group.create!(name: "foo", group_class: "role")
  84     assert_raises(ActiveRecord::RecordInvalid) do
  85       g.update_attributes!(group_class: "project")
  86     end
  87   end
  88
  89   test "role cannot own things" do
  90     set_user_from_auth :active_trustedclient
  91     role = Group.create!(name: "foo", group_class: "role")
  92     assert_raises(ArvadosModel::PermissionDeniedError) do
  93       Collection.create!(name: "bzzz123", owner_uuid: role.uuid)
  94     end
  95
  96     c = Collection.create!(name: "bzzz124")
  97     assert_raises(ArvadosModel::PermissionDeniedError) do
  98       c.update_attributes!(owner_uuid: role.uuid)
  99     end
 100   end
 101
 102   test "trash group hides contents" do
 103     set_user_from_auth :active_trustedclient
 104
 105     g_foo = Group.create!(name: "foo", group_class: "project")
 106     col = Collection.create!(owner_uuid: g_foo.uuid)
 107
 108     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 109     g_foo.update! is_trashed: true
 110     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 111     assert Collection.readable_by(users(:active), {:include_trash => true}).where(uuid: col.uuid).any?
 112     g_foo.update! is_trashed: false
 113     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 114   end
 115
 116   test "trash group" do
 117     set_user_from_auth :active_trustedclient
 118
 119     g_foo = Group.create!(name: "foo", group_class: "project")
 120     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 121     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 122
 123     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 124     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 125     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 126     g_foo.update! is_trashed: true
 127     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 128     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 129     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 130
 131     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_foo.uuid).any?
 132     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
 133     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 134   end
 135
 136
 137   test "trash subgroup" do
 138     set_user_from_auth :active_trustedclient
 139
 140     g_foo = Group.create!(name: "foo", group_class: "project")
 141     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 142     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 143
 144     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 145     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 146     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 147     g_bar.update! is_trashed: true
 148
 149     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 150     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 151     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 152
 153     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
 154     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 155   end
 156
 157   test "trash subsubgroup" do
 158     set_user_from_auth :active_trustedclient
 159
 160     g_foo = Group.create!(name: "foo", group_class: "project")
 161     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 162     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 163
 164     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 165     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 166     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 167     g_baz.update! is_trashed: true
 168     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 169     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 170     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 171     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 172   end
 173
 174
 175   test "trash group propagates to subgroups" do
 176     set_user_from_auth :active_trustedclient
 177
 178     g_foo = groups(:trashed_project)
 179     g_bar = groups(:trashed_subproject)
 180     g_baz = groups(:trashed_subproject3)
 181     col = collections(:collection_in_trashed_subproject)
 182
 183     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 184     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 185     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 186     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 187
 188     set_user_from_auth :admin
 189     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 190     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 191     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 192     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 193
 194     set_user_from_auth :active_trustedclient
 195     g_foo.update! is_trashed: false
 196     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 197     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 198     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 199
 200     # this one should still be trashed.
 201     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 202
 203     g_baz.update! is_trashed: false
 204     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 205   end
 206
 207   test "trashed does not propagate across permission links" do
 208     set_user_from_auth :admin
 209
 210     g_foo = Group.create!(name: "foo", group_class: "role")
 211     u_bar = User.create!(first_name: "bar")
 212
 213     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).any?
 214     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 215     g_foo.update! is_trashed: true
 216
 217     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
 218     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 219
 220     g_foo.update! is_trashed: false
 221     ln = Link.create!(tail_uuid: g_foo.uuid,
 222                       head_uuid: u_bar.uuid,
 223                       link_class: "permission",
 224                       name: "can_read")
 225     g_foo.update! is_trashed: true
 226
 227     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
 228     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 229   end
 230
 231   test "move projects to trash in SweepTrashedObjects" do
 232     p = groups(:trashed_on_next_sweep)
 233     assert_empty Group.where('uuid=? and is_trashed=true', p.uuid)
 234     SweepTrashedObjects.sweep_now
 235     assert_not_empty Group.where('uuid=? and is_trashed=true', p.uuid)
 236   end
 237
 238   test "delete projects and their contents in SweepTrashedObjects" do
 239     g_foo = groups(:trashed_project)
 240     g_bar = groups(:trashed_subproject)
 241     g_baz = groups(:trashed_subproject3)
 242     col = collections(:collection_in_trashed_subproject)
 243     job = jobs(:job_in_trashed_project)
 244     cr = container_requests(:cr_in_trashed_project)
 245     # Save how many objects were before the sweep
 246     user_nr_was = User.all.length
 247     coll_nr_was = Collection.all.length
 248     group_nr_was = Group.where('group_class<>?', 'project').length
 249     project_nr_was = Group.where(group_class: 'project').length
 250     cr_nr_was = ContainerRequest.all.length
 251     job_nr_was = Job.all.length
 252     assert_not_empty Group.where(uuid: g_foo.uuid)
 253     assert_not_empty Group.where(uuid: g_bar.uuid)
 254     assert_not_empty Group.where(uuid: g_baz.uuid)
 255     assert_not_empty Collection.where(uuid: col.uuid)
 256     assert_not_empty Job.where(uuid: job.uuid)
 257     assert_not_empty ContainerRequest.where(uuid: cr.uuid)
 258     SweepTrashedObjects.sweep_now
 259     assert_empty Group.where(uuid: g_foo.uuid)
 260     assert_empty Group.where(uuid: g_bar.uuid)
 261     assert_empty Group.where(uuid: g_baz.uuid)
 262     assert_empty Collection.where(uuid: col.uuid)
 263     assert_empty Job.where(uuid: job.uuid)
 264     assert_empty ContainerRequest.where(uuid: cr.uuid)
 265     # No unwanted deletions should have happened
 266     assert_equal user_nr_was, User.all.length
 267     assert_equal coll_nr_was-2,        # collection_in_trashed_subproject
 268                  Collection.all.length # & deleted_on_next_sweep collections
 269     assert_equal group_nr_was, Group.where('group_class<>?', 'project').length
 270     assert_equal project_nr_was-3, Group.where(group_class: 'project').length
 271     assert_equal cr_nr_was-1, ContainerRequest.all.length
 272     assert_equal job_nr_was-1, Job.all.length
 273   end
 274
 275   test "project names must be displayable in a filesystem" do
 276     set_user_from_auth :active
 277     ["", "{SOLIDUS}"].each do |subst|
 278       Rails.configuration.Collections.ForwardSlashNameSubstitution = subst
 279       proj = Group.create group_class: "project"
 280       role = Group.create group_class: "role"
 281       [[nil, true],
 282        ["", true],
 283        [".", false],
 284        ["..", false],
 285        ["...", true],
 286        ["..z..", true],
 287        ["foo/bar", subst != ""],
 288        ["../..", subst != ""],
 289        ["/", subst != ""],
 290       ].each do |name, valid|
 291         role.name = name
 292         assert_equal true, role.valid?
 293         proj.name = name
 294         assert_equal valid, proj.valid?, "#{name.inspect} should be #{valid ? "valid" : "invalid"}"
 295       end
 296     end
 297   end
 298
 299   def insert_group uuid, owner_uuid, name, group_class
 300     q = ActiveRecord::Base.connection.exec_query %{
 301 insert into groups (uuid, owner_uuid, name, group_class, created_at, updated_at)
 302        values ('#{uuid}', '#{owner_uuid}',
 303                '#{name}', #{if group_class then "'"+group_class+"'" else 'NULL' end},
 304                statement_timestamp(), statement_timestamp())
 305 }
 306     uuid
 307   end
 308
 309   test "migration to fix roles and projects" do
 310     g1 = insert_group Group.generate_uuid, system_user_uuid, 'group with no class', nil
 311     g2 = insert_group Group.generate_uuid, users(:active).uuid, 'role owned by a user', 'role'
 312
 313     g3 = insert_group Group.generate_uuid, system_user_uuid, 'role that owns a project', 'role'
 314     g4 = insert_group Group.generate_uuid, g3, 'the project', 'project'
 315
 316     g5 = insert_group Group.generate_uuid, users(:active).uuid, 'a project with an outgoing permission link', 'project'
 317
 318     g6 = insert_group Group.generate_uuid, system_user_uuid, 'name collision', 'role'
 319     g7 = insert_group Group.generate_uuid, users(:active).uuid, 'name collision', 'role'
 320
 321     g8 = insert_group Group.generate_uuid, users(:active).uuid, 'trashed with no class', nil
 322     g8obj = Group.find_by_uuid(g8)
 323     g8obj.trash_at = db_current_time
 324     g8obj.delete_at = db_current_time
 325     act_as_system_user do
 326       g8obj.save!(validate: false)
 327     end
 328
 329     refresh_permissions
 330
 331     act_as_system_user do
 332       l1 = Link.create!(link_class: 'permission', name: 'can_manage', tail_uuid: g3, head_uuid: g4)
 333       q = ActiveRecord::Base.connection.exec_query %{
 334 update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
 335 }
 336     refresh_permissions
 337     end
 338
 339     assert_equal nil, Group.find_by_uuid(g1).group_class
 340     assert_equal nil, Group.find_by_uuid(g8).group_class
 341     assert_equal users(:active).uuid, Group.find_by_uuid(g2).owner_uuid
 342     assert_equal g3, Group.find_by_uuid(g4).owner_uuid
 343     assert !Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
 344     assert !Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
 345     assert Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
 346
 347     fix_roles_projects
 348
 349     assert_equal 'role', Group.find_by_uuid(g1).group_class
 350     assert_equal 'role', Group.find_by_uuid(g8).group_class
 351     assert_equal system_user_uuid, Group.find_by_uuid(g2).owner_uuid
 352     assert_equal system_user_uuid, Group.find_by_uuid(g4).owner_uuid
 353     assert Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
 354     assert Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
 355     assert !Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
 356   end
 357 end