1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class Arvados::V1::GroupsControllerTest < ActionController::TestCase
9 test "attempt to delete group without read or write access" do
10 authorize_with :active
11 post :destroy, params: {id: groups(:empty_lonely_group).uuid}
15 test "attempt to delete group without write access" do
16 authorize_with :active
17 post :destroy, params: {id: groups(:all_users).uuid}
21 test "get list of projects" do
22 authorize_with :active
23 get :index, params: {filters: [['group_class', '=', 'project']], format: :json}
24 assert_response :success
26 json_response['items'].each do |group|
27 assert_equal 'project', group['group_class']
28 group_uuids << group['uuid']
30 assert_includes group_uuids, groups(:aproject).uuid
31 assert_includes group_uuids, groups(:asubproject).uuid
32 assert_includes group_uuids, groups(:private).uuid
33 assert_not_includes group_uuids, groups(:system_group).uuid
34 assert_not_includes group_uuids, groups(:private_and_can_read_foofile).uuid
37 test "get list of groups that are not projects" do
38 authorize_with :active
39 get :index, params: {filters: [['group_class', '!=', 'project']], format: :json}
40 assert_response :success
42 json_response['items'].each do |group|
43 assert_not_equal 'project', group['group_class']
44 group_uuids << group['uuid']
46 assert_not_includes group_uuids, groups(:aproject).uuid
47 assert_not_includes group_uuids, groups(:asubproject).uuid
50 test "get list of groups with bogus group_class" do
51 authorize_with :active
53 filters: [['group_class', '=', 'nogrouphasthislittleclass']],
56 assert_response :success
57 assert_equal [], json_response['items']
58 assert_equal 0, json_response['items_available']
61 def check_project_contents_response disabled_kinds=[]
62 assert_response :success
63 assert_operator 2, :<=, json_response['items_available']
64 assert_operator 2, :<=, json_response['items'].count
65 kinds = json_response['items'].collect { |i| i['kind'] }.uniq
66 expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' - disabled_kinds
67 assert_equal expect_kinds, (expect_kinds & kinds)
69 json_response['items'].each do |i|
70 if i['kind'] == 'arvados#group'
71 assert(i['group_class'] == 'project',
72 "group#contents returned a non-project group")
76 disabled_kinds.each do |d|
77 assert_equal true, !kinds.include?(d)
81 test 'get group-owned objects' do
82 authorize_with :active
83 get :contents, params: {
84 id: groups(:aproject).uuid,
87 check_project_contents_response
90 test "user with project read permission can see project objects" do
91 authorize_with :project_viewer
92 get :contents, params: {
93 id: groups(:aproject).uuid,
96 check_project_contents_response
99 test "list objects across projects" do
100 authorize_with :project_viewer
101 get :contents, params: {
103 filters: [['uuid', 'is_a', 'arvados#specimen']]
105 assert_response :success
106 found_uuids = json_response['items'].collect { |i| i['uuid'] }
107 [[:in_aproject, true],
108 [:in_asubproject, true],
109 [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
111 assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
113 refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
118 test "list trashed collections and projects" do
119 authorize_with :active
120 get(:contents, params: {
124 ['uuid', 'is_a', ['arvados#collection', 'arvados#group']],
125 ['is_trashed', '=', true],
129 assert_response :success
130 found_uuids = json_response['items'].collect { |i| i['uuid'] }
131 assert_includes found_uuids, groups(:trashed_project).uuid
132 refute_includes found_uuids, groups(:aproject).uuid
133 assert_includes found_uuids, collections(:expired_collection).uuid
134 refute_includes found_uuids, collections(:w_a_z_file).uuid
137 test "list objects in home project" do
138 authorize_with :active
139 get :contents, params: {
142 id: users(:active).uuid
144 assert_response :success
145 found_uuids = json_response['items'].collect { |i| i['uuid'] }
146 assert_includes found_uuids, specimens(:owned_by_active_user).uuid, "specimen did not appear in home project"
147 refute_includes found_uuids, specimens(:in_asubproject).uuid, "specimen appeared unexpectedly in home project"
150 test "user with project read permission can see project collections" do
151 authorize_with :project_viewer
152 get :contents, params: {
153 id: groups(:asubproject).uuid,
156 ids = json_response['items'].map { |item| item["uuid"] }
157 assert_includes ids, collections(:baz_file_in_asubproject).uuid
161 ['collections.name', 'asc', :<=, "name"],
162 ['collections.name', 'desc', :>=, "name"],
163 ['name', 'asc', :<=, "name"],
164 ['name', 'desc', :>=, "name"],
165 ['collections.created_at', 'asc', :<=, "created_at"],
166 ['collections.created_at', 'desc', :>=, "created_at"],
167 ['created_at', 'asc', :<=, "created_at"],
168 ['created_at', 'desc', :>=, "created_at"],
169 ].each do |column, order, operator, field|
170 test "user with project read permission can sort projects on #{column} #{order}" do
171 authorize_with :project_viewer
172 get :contents, params: {
173 id: groups(:asubproject).uuid,
175 filters: [['uuid', 'is_a', "arvados#collection"]],
176 order: "#{column} #{order}"
178 sorted_values = json_response['items'].collect { |item| item[field] }
180 # Here we avoid assuming too much about the database
181 # collation. Both "alice"<"Bob" and "alice">"Bob" can be
182 # correct. Hopefully it _is_ safe to assume that if "a" comes
183 # before "b" in the ascii alphabet, "aX">"bY" is never true for
184 # any strings X and Y.
185 reliably_sortable_names = sorted_values.select do |name|
186 name[0] >= 'a' && name[0] <= 'z'
190 # Preserve order of sorted_values. But do not use &=. If
191 # sorted_values has out-of-order duplicates, we want to preserve
192 # them here, so we can detect them and fail the test below.
193 sorted_values.select! do |name|
194 reliably_sortable_names.include? name
197 assert_sorted(operator, sorted_values)
201 def assert_sorted(operator, sorted_items)
202 actually_checked_anything = false
204 sorted_items.each do |entry|
206 assert_operator(previous, operator, entry,
207 "Entries sorted incorrectly.")
208 actually_checked_anything = true
212 assert actually_checked_anything, "Didn't even find two items to compare."
215 # Even though the project_viewer tests go through other controllers,
216 # I'm putting them here so they're easy to find alongside the other
218 def check_new_project_link_fails(link_attrs)
219 @controller = Arvados::V1::LinksController.new
220 post :create, params: {
222 link_class: "permission",
224 head_uuid: groups(:aproject).uuid,
227 assert_includes(403..422, response.status)
230 test "user with project read permission can't add users to it" do
231 authorize_with :project_viewer
232 check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
235 test "user with project read permission can't add items to it" do
236 authorize_with :project_viewer
237 check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
240 test "user with project read permission can't rename items in it" do
241 authorize_with :project_viewer
242 @controller = Arvados::V1::LinksController.new
243 post :update, params: {
244 id: jobs(:running).uuid,
245 name: "Denied test name",
247 assert_includes(403..404, response.status)
250 test "user with project read permission can't remove items from it" do
251 @controller = Arvados::V1::PipelineTemplatesController.new
252 authorize_with :project_viewer
253 post :update, params: {
254 id: pipeline_templates(:two_part).uuid,
256 owner_uuid: users(:project_viewer).uuid,
262 test "user with project read permission can't delete it" do
263 authorize_with :project_viewer
264 post :destroy, params: {id: groups(:aproject).uuid}
268 test 'get group-owned objects with limit' do
269 authorize_with :active
270 get :contents, params: {
271 id: groups(:aproject).uuid,
275 assert_response :success
276 assert_operator 1, :<, json_response['items_available']
277 assert_equal 1, json_response['items'].count
280 test 'get group-owned objects with limit and offset' do
281 authorize_with :active
282 get :contents, params: {
283 id: groups(:aproject).uuid,
288 assert_response :success
289 assert_operator 1, :<, json_response['items_available']
290 assert_equal 0, json_response['items'].count
293 test 'get group-owned objects with additional filter matching nothing' do
294 authorize_with :active
295 get :contents, params: {
296 id: groups(:aproject).uuid,
297 filters: [['uuid', 'in', ['foo_not_a_uuid','bar_not_a_uuid']]],
300 assert_response :success
301 assert_equal [], json_response['items']
302 assert_equal 0, json_response['items_available']
305 %w(offset limit).each do |arg|
306 ['foo', '', '1234five', '0x10', '-8'].each do |val|
307 test "Raise error on bogus #{arg} parameter #{val.inspect}" do
308 authorize_with :active
309 get :contents, params: {
310 :id => groups(:aproject).uuid,
319 test "Collection contents don't include manifest_text" do
320 authorize_with :active
321 get :contents, params: {
322 id: groups(:aproject).uuid,
323 filters: [["uuid", "is_a", "arvados#collection"]],
326 assert_response :success
327 refute(json_response["items"].any? { |c| not c["portable_data_hash"] },
328 "response included an item without a portable data hash")
329 refute(json_response["items"].any? { |c| c.include?("manifest_text") },
330 "response included an item with a manifest text")
333 test 'get writable_by list for owned group' do
334 authorize_with :active
336 id: groups(:aproject).uuid,
339 assert_response :success
340 assert_not_nil(json_response['writable_by'],
341 "Should receive uuid list in 'writable_by' field")
342 assert_includes(json_response['writable_by'], users(:active).uuid,
343 "owner should be included in writable_by list")
346 test 'no writable_by list for group with read-only access' do
347 authorize_with :rominiadmin
349 id: groups(:testusergroup_admins).uuid,
352 assert_response :success
353 assert_equal([json_response['owner_uuid']],
354 json_response['writable_by'],
355 "Should only see owner_uuid in 'writable_by' field")
358 test 'get writable_by list by admin user' do
359 authorize_with :admin
361 id: groups(:testusergroup_admins).uuid,
364 assert_response :success
365 assert_not_nil(json_response['writable_by'],
366 "Should receive uuid list in 'writable_by' field")
367 assert_includes(json_response['writable_by'],
369 "Current user should be included in 'writable_by' field")
372 test 'creating subproject with duplicate name fails' do
373 authorize_with :active
374 post :create, params: {
377 owner_uuid: users(:active).uuid,
378 group_class: 'project',
382 response_errors = json_response['errors']
383 assert_not_nil response_errors, 'Expected error in response'
384 assert(response_errors.first.include?('duplicate key'),
385 "Expected 'duplicate key' error in #{response_errors.first}")
388 test 'creating duplicate named subproject succeeds with ensure_unique_name' do
389 authorize_with :active
390 post :create, params: {
393 owner_uuid: users(:active).uuid,
394 group_class: 'project',
396 ensure_unique_name: true
398 assert_response :success
399 new_project = json_response
400 assert_not_equal(new_project['uuid'],
401 groups(:aproject).uuid,
402 "create returned same uuid as existing project")
403 assert_match(/^A Project \(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z\)$/,
408 [['owner_uuid', '!=', 'zzzzz-tpzed-xurymjxw79nv3jz'], 200,
409 'zzzzz-d1hrv-subprojpipeline', 'zzzzz-d1hrv-1xfj6xkicf2muk2'],
410 [["pipeline_instances.state", "not in", ["Complete", "Failed"]], 200,
411 'zzzzz-d1hrv-1xfj6xkicf2muk2', 'zzzzz-d1hrv-i3e77t9z5y8j9cc'],
412 [['container_requests.requesting_container_uuid', '=', nil], 200,
413 'zzzzz-xvhdp-cr4queuedcontnr', 'zzzzz-xvhdp-cr4requestercn2'],
414 [['container_requests.no_such_column', '=', nil], 422],
415 [['container_requests.', '=', nil], 422],
416 [['.requesting_container_uuid', '=', nil], 422],
417 [['no_such_table.uuid', '!=', 'zzzzz-tpzed-xurymjxw79nv3jz'], 422],
418 ].each do |filter, expect_code, expect_uuid, not_expect_uuid|
419 test "get contents with '#{filter}' filter" do
420 authorize_with :active
421 get :contents, params: {filters: [filter], format: :json}
422 assert_response expect_code
423 if expect_code == 200
424 assert_not_empty json_response['items']
425 item_uuids = json_response['items'].collect {|item| item['uuid']}
426 assert_includes(item_uuids, expect_uuid)
427 assert_not_includes(item_uuids, not_expect_uuid)
432 test 'get contents with jobs and pipeline instances disabled' do
433 Rails.configuration.API.DisabledAPIs = ConfigLoader.to_OrderedOptions(
434 {'jobs.index'=>{}, 'pipeline_instances.index'=>{}})
436 authorize_with :active
437 get :contents, params: {
438 id: groups(:aproject).uuid,
441 check_project_contents_response %w'arvados#pipelineInstance arvados#job'
444 test 'get contents with low max_index_database_read' do
445 # Some result will certainly have at least 12 bytes in a
447 Rails.configuration.API.MaxIndexDatabaseRead = 12
448 authorize_with :active
449 get :contents, params: {
450 id: groups(:aproject).uuid,
453 assert_response :success
454 assert_not_empty(json_response['items'])
455 assert_operator(json_response['items'].count,
456 :<, json_response['items_available'])
459 test 'get contents, recursive=true' do
460 authorize_with :active
462 id: groups(:aproject).uuid,
466 get :contents, params: params
467 owners = json_response['items'].map do |item|
470 assert_includes(owners, groups(:aproject).uuid)
471 assert_includes(owners, groups(:asubproject).uuid)
474 [false, nil].each do |recursive|
475 test "get contents, recursive=#{recursive.inspect}" do
476 authorize_with :active
478 id: groups(:aproject).uuid,
481 params[:recursive] = false if recursive == false
482 get :contents, params: params
483 owners = json_response['items'].map do |item|
486 assert_includes(owners, groups(:aproject).uuid)
487 refute_includes(owners, groups(:asubproject).uuid)
491 test 'get home project contents, recursive=true' do
492 authorize_with :active
493 get :contents, params: {
494 id: users(:active).uuid,
498 owners = json_response['items'].map do |item|
501 assert_includes(owners, users(:active).uuid)
502 assert_includes(owners, groups(:aproject).uuid)
503 assert_includes(owners, groups(:asubproject).uuid)
506 ### trashed project tests ###
511 # trashed_project (zzzzz-j7d0g-trashedproject1)
512 # trashed_subproject (zzzzz-j7d0g-trashedproject2)
513 # trashed_subproject3 (zzzzz-j7d0g-trashedproject3)
514 # zzzzz-xvhdp-cr5trashedcontr
517 :admin].each do |auth|
518 # project: to query, to untrash, is visible, parent contents listing success
520 [:trashed_project, [], false, true],
521 [:trashed_project, [:trashed_project], true, true],
522 [:trashed_subproject, [], false, false],
523 [:trashed_subproject, [:trashed_project], true, true],
524 [:trashed_subproject3, [:trashed_project], false, true],
525 [:trashed_subproject3, [:trashed_subproject3], false, false],
526 [:trashed_subproject3, [:trashed_project, :trashed_subproject3], true, true],
527 ].each do |project, untrash, visible, success|
529 test "contents listing #{project} #{untrash} as #{auth}" do
532 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
534 get :contents, params: {
535 id: groups(project).owner_uuid,
539 assert_response :success
540 item_uuids = json_response['items'].map do |item|
544 assert_includes(item_uuids, groups(project).uuid)
546 assert_not_includes(item_uuids, groups(project).uuid)
553 test "contents of #{project} #{untrash} as #{auth}" do
556 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
558 get :contents, params: {
559 id: groups(project).uuid,
563 assert_response :success
569 test "index #{project} #{untrash} as #{auth}" do
572 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
574 get :index, params: {
577 assert_response :success
578 item_uuids = json_response['items'].map do |item|
582 assert_includes(item_uuids, groups(project).uuid)
584 assert_not_includes(item_uuids, groups(project).uuid)
588 test "show #{project} #{untrash} as #{auth}" do
591 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
594 id: groups(project).uuid,
598 assert_response :success
604 test "show include_trash=false #{project} #{untrash} as #{auth}" do
607 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
610 id: groups(project).uuid,
615 assert_response :success
621 test "show include_trash #{project} #{untrash} as #{auth}" do
624 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
627 id: groups(project).uuid,
631 assert_response :success
634 test "index include_trash #{project} #{untrash} as #{auth}" do
637 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
639 get :index, params: {
643 assert_response :success
644 item_uuids = json_response['items'].map do |item|
647 assert_includes(item_uuids, groups(project).uuid)
651 test "delete project #{auth}" do
653 [:trashed_project].each do |pr|
654 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
656 assert !Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
657 post :destroy, params: {
658 id: groups(:trashed_project).uuid,
661 assert_response :success
662 assert Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
665 test "untrash project #{auth}" do
667 assert Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
668 post :untrash, params: {
669 id: groups(:trashed_project).uuid,
672 assert_response :success
673 assert !Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
676 test "untrash project with name conflict #{auth}" do
678 [:trashed_project].each do |pr|
679 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
681 gc = Group.create!({owner_uuid: "zzzzz-j7d0g-trashedproject1",
682 name: "trashed subproject 3",
683 group_class: "project"})
684 post :untrash, params: {
685 id: groups(:trashed_subproject3).uuid,
687 ensure_unique_name: true
689 assert_response :success
690 assert_match /^trashed subproject 3 \(\d{4}-\d\d-\d\d.*?Z\)$/, json_response['name']
693 test "move trashed subproject to new owner #{auth}" do
695 assert_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
696 put :update, params: {
697 id: groups(:trashed_subproject).uuid,
699 owner_uuid: users(:active).uuid
704 assert_response :success
705 assert_not_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
709 test 'get shared owned by another user' do
710 authorize_with :user_bar_in_sharing_group
712 act_as_system_user do
714 tail_uuid: users(:user_bar_in_sharing_group).uuid,
715 link_class: 'permission',
717 head_uuid: groups(:project_owned_by_foo).uuid)
720 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
722 assert_equal 1, json_response['items'].length
723 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
725 assert_equal 1, json_response['included'].length
726 assert_equal json_response['included'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
729 test 'get shared, owned by unreadable project' do
730 authorize_with :user_bar_in_sharing_group
732 act_as_system_user do
733 Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
735 tail_uuid: users(:user_bar_in_sharing_group).uuid,
736 link_class: 'permission',
738 head_uuid: groups(:project_owned_by_foo).uuid)
741 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
743 assert_equal 1, json_response['items'].length
744 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
746 assert_equal 0, json_response['included'].length
749 test 'get shared, add permission link' do
750 authorize_with :user_bar_in_sharing_group
752 act_as_system_user do
753 Link.create!(tail_uuid: groups(:group_for_sharing_tests).uuid,
754 head_uuid: groups(:project_owned_by_foo).uuid,
755 link_class: 'permission',
759 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
761 assert_equal 1, json_response['items'].length
762 assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]
764 assert_equal 1, json_response['included'].length
765 assert_equal users(:user_foo_in_sharing_group).uuid, json_response['included'][0]["uuid"]
768 ### contents with exclude_home_project
770 test 'contents, exclude home owned by another user' do
771 authorize_with :user_bar_in_sharing_group
773 act_as_system_user do
775 tail_uuid: users(:user_bar_in_sharing_group).uuid,
776 link_class: 'permission',
778 head_uuid: groups(:project_owned_by_foo).uuid)
780 tail_uuid: users(:user_bar_in_sharing_group).uuid,
781 link_class: 'permission',
783 head_uuid: collections(:collection_owned_by_foo).uuid)
786 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
788 assert_equal 2, json_response['items'].length
789 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
790 assert_equal json_response['items'][1]["uuid"], collections(:collection_owned_by_foo).uuid
792 assert_equal 1, json_response['included'].length
793 assert_equal json_response['included'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
796 test 'contents, exclude home, owned by unreadable project' do
797 authorize_with :user_bar_in_sharing_group
799 act_as_system_user do
800 Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
802 tail_uuid: users(:user_bar_in_sharing_group).uuid,
803 link_class: 'permission',
805 head_uuid: groups(:project_owned_by_foo).uuid)
808 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
810 assert_equal 1, json_response['items'].length
811 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
813 assert_equal 0, json_response['included'].length
816 test 'contents, exclude home, add permission link' do
817 authorize_with :user_bar_in_sharing_group
819 act_as_system_user do
820 Link.create!(tail_uuid: groups(:group_for_sharing_tests).uuid,
821 head_uuid: groups(:project_owned_by_foo).uuid,
822 link_class: 'permission',
826 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
828 assert_equal 1, json_response['items'].length
829 assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]
831 assert_equal 1, json_response['included'].length
832 assert_equal users(:user_foo_in_sharing_group).uuid, json_response['included'][0]["uuid"]
835 test 'contents, exclude home, with parent specified' do
836 authorize_with :active
838 get :contents, params: {id: groups(:aproject).uuid, :include => "owner_uuid", :exclude_home_project => true}