1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class LinkTest < ActiveSupport::TestCase
# Sets the acting identity to the admin_trustedclient fixture. Tests below
# switch identity explicitly with act_as_user / set_user_from_auth :active.
# NOTE(review): the enclosing block (if any) is not shown in this listing, so
# whether this runs once or before every test cannot be confirmed from here.
11 set_user_from_auth :admin_trustedclient
# Referential-integrity check for permissions: an object must not be deletable
# by a user while a link that user cannot write still refers to it.
# NOTE(review): several lines of this test are missing from this listing (the
# gutter numbers skip), so the object created for users(:active), the rest of
# the Link.create arguments and the bodies of the act_as_user blocks are not
# visible here.
14 test "cannot delete an object referenced by unwritable links" do
15 ob = act_as_user users(:active) do
18 link = act_as_user users(:admin) do
19 Link.create(tail_uuid: users(:active).uuid,
# The link was created while acting as admin, so admin must be its owner.
24 assert_equal users(:admin).uuid, link.owner_uuid
# Acting as the active user, the guarded operation must raise
# PermissionDeniedError; the string is the message shown if it does not.
25 assert_raises(ArvadosModel::PermissionDeniedError,
26 "should not delete #{ob.uuid} with link #{link.uuid}") do
27 act_as_user users(:active) do
31 act_as_user users(:admin) do
# After the admin block (body not shown) the link must no longer exist.
34 assert_empty Link.where(uuid: link.uuid)
# Helper used by the tests below: switches the acting identity to the :active
# fixture and calls create(...) with defaults of link_class "permission" and
# head_uuid set to the :aproject group. A PermissionDeniedError raised on the
# way is rescued instead of propagating.
# NOTE(review): the receiver of create, the way link_attrs is combined with
# the defaults, the value returned and the rescue body are on lines not shown
# in this listing. Callers use the result with assert/refute, so presumably a
# denial is reported as a falsy value; confirm against the full file.
37 def new_active_link_valid?(link_attrs)
38 set_user_from_auth :active
41 create({link_class: "permission",
43 head_uuid: groups(:aproject).uuid,
46 rescue ArvadosModel::PermissionDeniedError
# Positive case: the helper is called with tail_uuid set to the
# :anonymous_group fixture and must report the link as valid. Per the test
# name, the acting (non-admin) user owns the target project.
51 test "non-admin project owner can make it public" do
52 assert(new_active_link_valid?(tail_uuid: groups(:anonymous_group).uuid),
53 "non-admin project owner can't make their project public")
# Negative case: the last "-"-separated segment of the active user's uuid is
# replaced with fifteen "z" characters, keeping the rest of the uuid intact.
# Per the test name the result matches no user, so the link must be rejected.
56 test "link granting permission to nonexistent user is invalid" do
57 refute new_active_link_valid?(tail_uuid:
58 users(:active).uuid.sub(/-\w+$/, "-#{'z' * 15}"))
# Covers both sides of remote-cluster trust. The leading segment of the active
# user's uuid is rewritten to "foooo": the link is rejected first, then
# accepted once a "foooo" entry has been merged into RemoteClusters.
# NOTE(review): presumably "foooo" is absent from the test configuration before
# the merge; that is not visible here.
# NOTE(review): the assignment changes Rails.configuration, which is
# process-wide. No restore is visible in this listing, so confirm that the
# test harness resets configuration between tests; otherwise later tests run
# with "foooo" trusted.
61 test "link granting permission to remote user is valid" do
62 refute new_active_link_valid?(tail_uuid:
63 users(:active).uuid.sub(/^\w+-/, "foooo-"))
64 Rails.configuration.RemoteClusters = Rails.configuration.RemoteClusters.merge({foooo: ActiveSupport::InheritableOptions.new({Host: "bar.com"})})
65 assert new_active_link_valid?(tail_uuid:
66 users(:active).uuid.sub(/^\w+-/, "foooo-"))
# Negative case: tail is the admin user and head is the bar_file collection,
# passed in place of the helper's default project head (presumably overriding
# it; the merge is not shown). Per the test name, the admin user is not
# readable by the acting user, so the link must be rejected.
69 test "link granting non-project permission to unreadable user is invalid" do
70 refute new_active_link_valid?(tail_uuid: users(:admin).uuid,
71 head_uuid: collections(:bar_file).uuid)
# Negative case for "name" links: link_class is "name" rather than the
# helper's default "permission", and the tail is the bar_file collection.
# The helper must report the link as not valid.
74 test "user can't add a Collection to a Project without permission" do
75 refute new_active_link_valid?(link_class: "name",
76 name: "Permission denied test name",
77 tail_uuid: collections(:bar_file).uuid)
# Negative case: a "name" link whose tail is the admin user must be rejected,
# in contrast to the "permission" links exercised elsewhere in this file.
80 test "user can't add a User to a Project" do
81 # Users *can* give other users permissions to projects.
82 # This test helps ensure that that exception is specific to permissions.
83 refute new_active_link_valid?(link_class: "name",
84 name: "Permission denied test name",
85 tail_uuid: users(:admin).uuid)
# Negative case using the helper's defaults (a "permission" link on the
# :aproject group) with the admin user as tail. Per the test name, the admin
# user is not readable by the acting user, so the grant must be rejected.
88 test "link granting project permissions to unreadable user is invalid" do
89 refute new_active_link_valid?(tail_uuid: users(:admin).uuid)
# Negative case: the head is the w_a_z_file_version_1 collection fixture,
# which per the test name is a past version, and the tail is the public group.
# The helper must report the link as not valid.
92 test "permission link can't exist on past collection versions" do
93 refute new_active_link_valid?(tail_uuid: groups(:public).uuid,
94 head_uuid: collections(:w_a_z_file_version_1).uuid)
# Helper for the conflict tests below: builds links from users(:active) to
# collections(:baz_file). attrs is merged over the defaults and name is merged
# last, so a :name key in attrs cannot override it.
# NOTE(review): the iteration over names, the creation call, the initial
# link_class and the return value are on lines not shown in this listing.
# Callers pass the results to Link.find_by_uuid and Link.where(uuid: ...), so
# presumably uuids are returned; confirm against the full file.
97 def create_overlapping_permissions(names=[], attrs={})
101 tail_uuid: users(:active).uuid,
102 head_uuid: collections(:baz_file).uuid,
104 }.merge(attrs).merge({name: name}))
# Raw SQL sets link_class to 'permission' directly in the links table, which
# skips ActiveRecord validations and callbacks, presumably so that overlapping
# permission links can coexist for the tests that follow.
# The interpolated value is the uuid of the `link` object (assigned on a line
# not shown), not request data. Code that handles external input should use
# bound parameters or where(...).update_all(...) instead of a string-built
# statement like this one.
105 ActiveRecord::Base.connection.execute "update links set link_class='permission' where uuid='#{link.uuid}'"
# Starts with overlapping can_read and can_manage links, renames the second to
# can_write, then requires that the first (can_read) link no longer exists.
110 test "updating permission causes any conflicting links to be deleted" do
111 link1, link2 = create_overlapping_permissions(['can_read', 'can_manage'])
112 Link.find_by_uuid(link2).update_attributes!(name: 'can_write')
113 assert_empty Link.where(uuid: link1)
# Starts with overlapping can_read and can_write links, destroys the can_write
# link, then requires that the can_read link is gone as well. Removing one
# permission must not leave the overlapping one behind.
116 test "deleting permission causes any conflicting links to be deleted" do
117 rlink, wlink = create_overlapping_permissions(['can_read', 'can_write'])
118 Link.find_by_uuid(wlink).destroy
119 assert_empty Link.where(uuid: rlink)
# Starts with two can_login links that both carry username 'foo1'. Each is
# updated in turn to username 'foo2'; afterwards link1 must no longer exist.
# The helper is given a symbol key (username:) while the updates use the
# string key 'username'.
122 test "updating login permission causes any conflicting links to be deleted" do
123 link1, link2 = create_overlapping_permissions(['can_login', 'can_login'], {properties: {username: 'foo1'}})
124 Link.find_by_uuid(link1).update_attributes!(properties: {'username' => 'foo2'})
125 Link.find_by_uuid(link2).update_attributes!(properties: {'username' => 'foo2'})
126 assert_empty Link.where(uuid: link1)
# Starts with two can_login links that both carry username 'foo1', destroys
# the first, then requires that the second is gone as well.
129 test "deleting login permission causes any conflicting links to be deleted" do
130 link1, link2 = create_overlapping_permissions(['can_login', 'can_login'], {properties: {username: 'foo1'}})
131 Link.find_by_uuid(link1).destroy
132 assert_empty Link.where(uuid: link2)