1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class Arvados::V1::CollectionsControllerTest < ActionController::TestCase
10 PERM_TOKEN_RE = /\+A[[:xdigit:]]+@[[:xdigit:]]{8}\b/
12 def permit_unsigned_manifests isok=true
13 # Set security model for the life of a test.
14 Rails.configuration.permit_create_collection_with_unsigned_manifest = isok
17 def assert_signed_manifest manifest_text, label='', token: false
18 assert_not_nil manifest_text, "#{label} manifest_text was nil"
19 manifest_text.scan(/ [[:xdigit:]]{32}\S*/) do |tok|
20 assert_match(PERM_TOKEN_RE, tok,
21 "Locator in #{label} manifest_text was not signed")
23 bare = tok.gsub(/\+A[^\+]*/, '').sub(/^ /, '')
24 exp = tok[/\+A[[:xdigit:]]+@([[:xdigit:]]+)/, 1].to_i(16)
25 sig = Blob.sign_locator(
27 key: Rails.configuration.blob_signing_key,
29 api_token: token)[/\+A[^\+]*/, 0]
30 assert_includes tok, sig
35 def assert_unsigned_manifest resp, label=''
36 txt = resp['unsigned_manifest_text']
37 assert_not_nil(txt, "#{label} unsigned_manifest_text was nil")
39 txt.scan(/ [[:xdigit:]]{32}\S*/) do |tok|
41 refute_match(PERM_TOKEN_RE, tok,
42 "Locator in #{label} unsigned_manifest_text was signed: #{tok}")
47 test "should get index" do
48 authorize_with :active
50 assert_response :success
51 assert(assigns(:objects).andand.any?, "no Collections returned in index")
52 refute(json_response["items"].any? { |c| c.has_key?("manifest_text") },
53 "basic Collections index included manifest_text")
54 refute(json_response["items"].any? { |c| c["uuid"] == collections(:collection_owned_by_active_past_version_1).uuid },
55 "basic Collections index included past version")
58 test "get index with include_old_versions" do
59 authorize_with :active
61 include_old_versions: true
63 assert_response :success
64 assert(assigns(:objects).andand.any?, "no Collections returned in index")
65 assert(json_response["items"].any? { |c| c["uuid"] == collections(:collection_owned_by_active_past_version_1).uuid },
66 "past version not included on index")
69 test "collections.get returns signed locators, and no unsigned_manifest_text" do
70 permit_unsigned_manifests
71 authorize_with :active
72 get :show, {id: collections(:foo_file).uuid}
73 assert_response :success
74 assert_signed_manifest json_response['manifest_text'], 'foo_file'
75 refute_includes json_response, 'unsigned_manifest_text'
78 ['v1token', 'v2token'].each do |token_method|
79 test "correct signatures are given for #{token_method}" do
80 token = api_client_authorizations(:active).send(token_method)
81 authorize_with_token token
82 get :show, {id: collections(:foo_file).uuid}
83 assert_response :success
84 assert_signed_manifest json_response['manifest_text'], 'foo_file', token: token
87 test "signatures with #{token_method} are accepted" do
88 token = api_client_authorizations(:active).send(token_method)
89 signed = Blob.sign_locator(
90 'acbd18db4cc2f85cedef654fccc4a4d8+3',
91 key: Rails.configuration.blob_signing_key,
93 authorize_with_token token
95 id: collections(:collection_owned_by_active).uuid,
97 manifest_text: ". #{signed} 0:3:foo.txt\n",
100 assert_response :success
101 assert_signed_manifest json_response['manifest_text'], 'updated', token: token
105 test "index with manifest_text selected returns signed locators" do
106 columns = %w(uuid owner_uuid manifest_text)
107 authorize_with :active
108 get :index, select: columns
109 assert_response :success
110 assert(assigns(:objects).andand.any?,
111 "no Collections returned for index with columns selected")
112 json_response["items"].each do |coll|
113 assert_equal(coll.keys - ['kind'], columns,
114 "Collections index did not respect selected columns")
115 assert_signed_manifest coll['manifest_text'], coll['uuid']
119 test "index with unsigned_manifest_text selected returns only unsigned locators" do
120 authorize_with :active
121 get :index, select: ['unsigned_manifest_text']
122 assert_response :success
123 assert_operator json_response["items"].count, :>, 0
125 json_response["items"].each do |coll|
126 assert_equal(coll.keys - ['kind'], ['unsigned_manifest_text'],
127 "Collections index did not respect selected columns")
128 locs += assert_unsigned_manifest coll, coll['uuid']
130 assert_operator locs, :>, 0, "no locators found in any manifests"
133 test 'index without select returns everything except manifest' do
134 authorize_with :active
136 assert_response :success
137 assert json_response['items'].any?
138 json_response['items'].each do |coll|
139 assert_includes(coll.keys, 'uuid')
140 assert_includes(coll.keys, 'name')
141 assert_includes(coll.keys, 'created_at')
142 refute_includes(coll.keys, 'manifest_text')
146 ['', nil, false, 'null'].each do |select|
147 test "index with select=#{select.inspect} returns everything except manifest" do
148 authorize_with :active
149 get :index, select: select
150 assert_response :success
151 assert json_response['items'].any?
152 json_response['items'].each do |coll|
153 assert_includes(coll.keys, 'uuid')
154 assert_includes(coll.keys, 'name')
155 assert_includes(coll.keys, 'created_at')
156 refute_includes(coll.keys, 'manifest_text')
162 ["uuid", "manifest_text"],
164 '["uuid", "manifest_text"]'].each do |select|
165 test "index with select=#{select.inspect} returns no name" do
166 authorize_with :active
167 get :index, select: select
168 assert_response :success
169 assert json_response['items'].any?
170 json_response['items'].each do |coll|
171 refute_includes(coll.keys, 'name')
176 [0,1,2].each do |limit|
177 test "get index with limit=#{limit}" do
178 authorize_with :active
179 get :index, limit: limit
180 assert_response :success
181 assert_equal limit, assigns(:objects).count
182 resp = JSON.parse(@response.body)
183 assert_equal limit, resp['limit']
187 test "items.count == items_available" do
188 authorize_with :active
189 get :index, limit: 100000
190 assert_response :success
191 resp = JSON.parse(@response.body)
192 assert_equal resp['items_available'], assigns(:objects).length
193 assert_equal resp['items_available'], resp['items'].count
194 unique_uuids = resp['items'].collect { |i| i['uuid'] }.compact.uniq
195 assert_equal unique_uuids.count, resp['items'].count
198 test "items.count == items_available with filters" do
199 authorize_with :active
202 filters: [['uuid','=',collections(:foo_file).uuid]]
204 assert_response :success
205 assert_equal 1, assigns(:objects).length
206 assert_equal 1, json_response['items_available']
207 assert_equal 1, json_response['items'].count
210 test "get index with limit=2 offset=99999" do
211 # Assume there are not that many test fixtures.
212 authorize_with :active
213 get :index, limit: 2, offset: 99999
214 assert_response :success
215 assert_equal 0, assigns(:objects).count
216 resp = JSON.parse(@response.body)
217 assert_equal 2, resp['limit']
218 assert_equal 99999, resp['offset']
221 def request_capped_index(params={})
222 authorize_with :user1_with_load
223 coll1 = collections(:collection_1_of_201)
224 Rails.configuration.max_index_database_read =
225 yield(coll1.manifest_text.size)
227 select: %w(uuid manifest_text),
228 filters: [["owner_uuid", "=", coll1.owner_uuid]],
233 test "index with manifest_text limited by max_index_database_read returns non-empty" do
234 request_capped_index() { |_| 1 }
235 assert_response :success
236 assert_equal(1, json_response["items"].size)
237 assert_equal(1, json_response["limit"])
238 assert_equal(201, json_response["items_available"])
241 test "max_index_database_read size check follows same order as real query" do
242 authorize_with :user1_with_load
243 txt = '.' + ' d41d8cd98f00b204e9800998ecf8427e+0'*1000 + " 0:0:empty.txt\n"
244 c = Collection.create! manifest_text: txt, name: '0000000000000000000'
245 request_capped_index(select: %w(uuid manifest_text name),
247 filters: [['name','>=',c.name]]) do |_|
250 assert_response :success
251 assert_equal(1, json_response["items"].size)
252 assert_equal(1, json_response["limit"])
253 assert_equal(c.uuid, json_response["items"][0]["uuid"])
254 # The effectiveness of the test depends on >1 item matching the filters.
255 assert_operator(1, :<, json_response["items_available"])
258 test "index with manifest_text limited by max_index_database_read" do
259 request_capped_index() { |size| (size * 3) + 1 }
260 assert_response :success
261 assert_equal(3, json_response["items"].size)
262 assert_equal(3, json_response["limit"])
263 assert_equal(201, json_response["items_available"])
266 test "max_index_database_read does not interfere with limit" do
267 request_capped_index(limit: 5) { |size| size * 20 }
268 assert_response :success
269 assert_equal(5, json_response["items"].size)
270 assert_equal(5, json_response["limit"])
271 assert_equal(201, json_response["items_available"])
274 test "max_index_database_read does not interfere with order" do
275 request_capped_index(select: %w(uuid manifest_text name),
276 order: "name DESC") { |size| (size * 11) + 1 }
277 assert_response :success
278 assert_equal(11, json_response["items"].size)
279 assert_empty(json_response["items"].reject do |coll|
280 coll["name"] =~ /^Collection_9/
282 assert_equal(11, json_response["limit"])
283 assert_equal(201, json_response["items_available"])
286 test "admin can create collection with unsigned manifest" do
287 authorize_with :admin
289 manifest_text: <<-EOS
290 . d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo.txt
291 . acbd18db4cc2f85cedef654fccc4a4d8+3 0:3:bar.txt
292 . acbd18db4cc2f85cedef654fccc4a4d8+3 0:3:bar.txt
293 ./baz acbd18db4cc2f85cedef654fccc4a4d8+3 0:3:bar.txt
296 test_collection[:portable_data_hash] =
297 Digest::MD5.hexdigest(test_collection[:manifest_text]) +
299 test_collection[:manifest_text].length.to_s
301 # post :create will modify test_collection in place, so we save a copy first.
302 # Hash.deep_dup is not sufficient as it preserves references of strings (??!?)
303 post_collection = Marshal.load(Marshal.dump(test_collection))
305 collection: post_collection
308 assert_response :success
309 assert_nil assigns(:objects)
311 response_collection = assigns(:object)
313 stored_collection = Collection.select([:uuid, :portable_data_hash, :manifest_text]).
314 where(portable_data_hash: response_collection['portable_data_hash']).first
316 assert_equal test_collection[:portable_data_hash], stored_collection['portable_data_hash']
318 # The manifest in the response will have had permission hints added.
319 # Remove any permission hints in the response before comparing it to the source.
320 stripped_manifest = stored_collection['manifest_text'].gsub(/\+A[A-Za-z0-9@_-]+/, '')
321 assert_equal test_collection[:manifest_text], stripped_manifest
323 # TBD: create action should add permission signatures to manifest_text in the response,
324 # and we need to check those permission signatures here.
327 [:admin, :active].each do |user|
328 test "#{user} can get collection using portable data hash" do
331 foo_collection = collections(:foo_file)
333 # Get foo_file using its portable data hash
335 id: foo_collection[:portable_data_hash]
337 assert_response :success
338 assert_not_nil assigns(:object)
339 resp = assigns(:object)
340 assert_equal foo_collection[:portable_data_hash], resp[:portable_data_hash]
341 assert_signed_manifest resp[:manifest_text]
343 # The manifest in the response will have had permission hints added.
344 # Remove any permission hints in the response before comparing it to the source.
345 stripped_manifest = resp[:manifest_text].gsub(/\+A[A-Za-z0-9@_-]+/, '')
346 assert_equal foo_collection[:manifest_text], stripped_manifest
350 test "create with owner_uuid set to owned group" do
351 permit_unsigned_manifests
352 authorize_with :active
353 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
356 owner_uuid: 'zzzzz-j7d0g-rew6elm53kancon',
357 manifest_text: manifest_text,
358 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47"
361 assert_response :success
362 resp = JSON.parse(@response.body)
363 assert_equal 'zzzzz-j7d0g-rew6elm53kancon', resp['owner_uuid']
366 test "create fails with duplicate name" do
367 permit_unsigned_manifests
368 authorize_with :admin
369 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
372 owner_uuid: 'zzzzz-tpzed-000000000000000',
373 manifest_text: manifest_text,
374 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47",
379 response_errors = json_response['errors']
380 assert_not_nil response_errors, 'Expected error in response'
381 assert(response_errors.first.include?('duplicate key'),
382 "Expected 'duplicate key' error in #{response_errors.first}")
385 [false, true].each do |unsigned|
386 test "create with duplicate name, ensure_unique_name, unsigned=#{unsigned}" do
387 permit_unsigned_manifests unsigned
388 authorize_with :active
389 manifest_text = ". acbd18db4cc2f85cedef654fccc4a4d8+3 0:0:foo.txt\n"
391 manifest_text = Collection.sign_manifest manifest_text, api_token(:active)
395 owner_uuid: users(:active).uuid,
396 manifest_text: manifest_text,
397 name: "owned_by_active"
399 ensure_unique_name: true
401 assert_response :success
402 assert_match /^owned_by_active \(\d{4}-\d\d-\d\d.*?Z\)$/, json_response['name']
406 test "create with owner_uuid set to group i can_manage" do
407 permit_unsigned_manifests
408 authorize_with :active
409 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
412 owner_uuid: groups(:active_user_has_can_manage).uuid,
413 manifest_text: manifest_text,
414 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47"
417 assert_response :success
418 resp = JSON.parse(@response.body)
419 assert_equal groups(:active_user_has_can_manage).uuid, resp['owner_uuid']
422 test "create with owner_uuid fails on group with only can_read permission" do
423 permit_unsigned_manifests
424 authorize_with :active
425 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
428 owner_uuid: groups(:all_users).uuid,
429 manifest_text: manifest_text,
430 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47"
436 test "create with owner_uuid fails on group with no permission" do
437 permit_unsigned_manifests
438 authorize_with :active
439 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
442 owner_uuid: groups(:public).uuid,
443 manifest_text: manifest_text,
444 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47"
450 test "admin create with owner_uuid set to group with no permission" do
451 permit_unsigned_manifests
452 authorize_with :admin
453 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
456 owner_uuid: 'zzzzz-j7d0g-it30l961gq3t0oi',
457 manifest_text: manifest_text,
458 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47"
461 assert_response :success
464 test "should create with collection passed as json" do
465 permit_unsigned_manifests
466 authorize_with :active
470 "manifest_text":". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n",\
471 "portable_data_hash":"d30fe8ae534397864cb96c544f4cf102+47"\
475 assert_response :success
478 test "should fail to create with checksum mismatch" do
479 permit_unsigned_manifests
480 authorize_with :active
484 "manifest_text":". d41d8cd98f00b204e9800998ecf8427e 0:0:bar.txt\n",\
485 "portable_data_hash":"d30fe8ae534397864cb96c544f4cf102+47"\
492 test "collection UUID is normalized when created" do
493 permit_unsigned_manifests
494 authorize_with :active
497 manifest_text: ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n",
498 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47+Khint+Xhint+Zhint"
501 assert_response :success
502 assert_not_nil assigns(:object)
503 resp = JSON.parse(@response.body)
504 assert_equal "d30fe8ae534397864cb96c544f4cf102+47", resp['portable_data_hash']
507 test "get full provenance for baz file" do
508 authorize_with :active
509 get :provenance, id: 'ea10d51bcf88862dbcc36eb292017dfd+45'
510 assert_response :success
511 resp = JSON.parse(@response.body)
512 assert_not_nil resp['ea10d51bcf88862dbcc36eb292017dfd+45'] # baz
513 assert_not_nil resp['fa7aeb5140e2848d39b416daeef4ffc5+45'] # bar
514 assert_not_nil resp['1f4b0bc7583c2a7f9102c395f4ffc5e3+45'] # foo
515 assert_not_nil resp['zzzzz-8i9sb-cjs4pklxxjykyuq'] # bar->baz
516 assert_not_nil resp['zzzzz-8i9sb-aceg2bnq7jt7kon'] # foo->bar
519 test "get no provenance for foo file" do
520 # spectator user cannot even see baz collection
521 authorize_with :spectator
522 get :provenance, id: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'
526 test "get partial provenance for baz file" do
527 # spectator user can see bar->baz job, but not foo->bar job
528 authorize_with :spectator
529 get :provenance, id: 'ea10d51bcf88862dbcc36eb292017dfd+45'
530 assert_response :success
531 resp = JSON.parse(@response.body)
532 assert_not_nil resp['ea10d51bcf88862dbcc36eb292017dfd+45'] # baz
533 assert_not_nil resp['fa7aeb5140e2848d39b416daeef4ffc5+45'] # bar
534 assert_not_nil resp['zzzzz-8i9sb-cjs4pklxxjykyuq'] # bar->baz
535 assert_nil resp['zzzzz-8i9sb-aceg2bnq7jt7kon'] # foo->bar
536 assert_nil resp['1f4b0bc7583c2a7f9102c395f4ffc5e3+45'] # foo
539 test "search collections with 'any' operator" do
540 expect_pdh = collections(:docker_image).portable_data_hash
541 authorize_with :active
543 where: { any: ['contains', expect_pdh[5..25]] }
545 assert_response :success
546 found = assigns(:objects)
547 assert_equal 1, found.count
548 assert_equal expect_pdh, found.first.portable_data_hash
551 [false, true].each do |permit_unsigned|
552 test "create collection with signed manifest, permit_unsigned=#{permit_unsigned}" do
553 permit_unsigned_manifests permit_unsigned
554 authorize_with :active
556 d41d8cd98f00b204e9800998ecf8427e+0
557 acbd18db4cc2f85cedef654fccc4a4d8+3
558 ea10d51bcf88862dbcc36eb292017dfd+45)
560 unsigned_manifest = locators.map { |loc|
561 ". " + loc + " 0:0:foo.txt\n"
563 manifest_uuid = Digest::MD5.hexdigest(unsigned_manifest) +
565 unsigned_manifest.length.to_s
567 # Build a manifest with both signed and unsigned locators.
569 key: Rails.configuration.blob_signing_key,
570 api_token: api_token(:active),
572 signed_locators = locators.collect do |x|
573 Blob.sign_locator x, signing_opts
576 # Leave a non-empty blob unsigned.
577 signed_locators[1] = locators[1]
579 # Leave the empty blob unsigned. This should still be allowed.
580 signed_locators[0] = locators[0]
583 ". " + signed_locators[0] + " 0:0:foo.txt\n" +
584 ". " + signed_locators[1] + " 0:0:foo.txt\n" +
585 ". " + signed_locators[2] + " 0:0:foo.txt\n"
589 manifest_text: signed_manifest,
590 portable_data_hash: manifest_uuid,
593 assert_response :success
594 assert_not_nil assigns(:object)
595 resp = JSON.parse(@response.body)
596 assert_equal manifest_uuid, resp['portable_data_hash']
597 # All of the locators in the output must be signed.
598 resp['manifest_text'].lines.each do |entry|
599 m = /([[:xdigit:]]{32}\+\S+)/.match(entry)
601 assert Blob.verify_signature m[0], signing_opts
607 test "create collection with signed manifest and explicit TTL" do
608 authorize_with :active
610 d41d8cd98f00b204e9800998ecf8427e+0
611 acbd18db4cc2f85cedef654fccc4a4d8+3
612 ea10d51bcf88862dbcc36eb292017dfd+45)
614 unsigned_manifest = locators.map { |loc|
615 ". " + loc + " 0:0:foo.txt\n"
617 manifest_uuid = Digest::MD5.hexdigest(unsigned_manifest) +
619 unsigned_manifest.length.to_s
621 # build a manifest with both signed and unsigned locators.
622 # TODO(twp): in phase 4, all locators will need to be signed, so
623 # this test should break and will need to be rewritten. Issue #2755.
625 key: Rails.configuration.blob_signing_key,
626 api_token: api_token(:active),
630 ". " + locators[0] + " 0:0:foo.txt\n" +
631 ". " + Blob.sign_locator(locators[1], signing_opts) + " 0:0:foo.txt\n" +
632 ". " + Blob.sign_locator(locators[2], signing_opts) + " 0:0:foo.txt\n"
636 manifest_text: signed_manifest,
637 portable_data_hash: manifest_uuid,
640 assert_response :success
641 assert_not_nil assigns(:object)
642 resp = JSON.parse(@response.body)
643 assert_equal manifest_uuid, resp['portable_data_hash']
644 # All of the locators in the output must be signed.
645 resp['manifest_text'].lines.each do |entry|
646 m = /([[:xdigit:]]{32}\+\S+)/.match(entry)
648 assert Blob.verify_signature m[0], signing_opts
653 test "create fails with invalid signature" do
654 authorize_with :active
656 key: Rails.configuration.blob_signing_key,
657 api_token: api_token(:active),
660 # Generate a locator with a bad signature.
661 unsigned_locator = "acbd18db4cc2f85cedef654fccc4a4d8+3"
662 bad_locator = unsigned_locator + "+Affffffffffffffffffffffffffffffffffffffff@ffffffff"
663 assert !Blob.verify_signature(bad_locator, signing_opts)
665 # Creating a collection with this locator should
666 # produce 403 Permission denied.
667 unsigned_manifest = ". #{unsigned_locator} 0:0:foo.txt\n"
668 manifest_uuid = Digest::MD5.hexdigest(unsigned_manifest) +
670 unsigned_manifest.length.to_s
672 bad_manifest = ". #{bad_locator} 0:0:foo.txt\n"
675 manifest_text: bad_manifest,
676 portable_data_hash: manifest_uuid
683 test "create fails with uuid of signed manifest" do
684 authorize_with :active
686 key: Rails.configuration.blob_signing_key,
687 api_token: api_token(:active),
690 unsigned_locator = "d41d8cd98f00b204e9800998ecf8427e+0"
691 signed_locator = Blob.sign_locator(unsigned_locator, signing_opts)
692 signed_manifest = ". #{signed_locator} 0:0:foo.txt\n"
693 manifest_uuid = Digest::MD5.hexdigest(signed_manifest) +
695 signed_manifest.length.to_s
699 manifest_text: signed_manifest,
700 portable_data_hash: manifest_uuid
707 test "reject manifest with unsigned block as stream name" do
708 authorize_with :active
711 manifest_text: "00000000000000000000000000000000+1234 d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo.txt\n"
714 assert_includes [422, 403], response.code.to_i
717 test "multiple locators per line" do
718 permit_unsigned_manifests
719 authorize_with :active
721 d41d8cd98f00b204e9800998ecf8427e+0
722 acbd18db4cc2f85cedef654fccc4a4d8+3
723 ea10d51bcf88862dbcc36eb292017dfd+45)
725 manifest_text = [".", *locators, "0:0:foo.txt\n"].join(" ")
726 manifest_uuid = Digest::MD5.hexdigest(manifest_text) +
728 manifest_text.length.to_s
731 manifest_text: manifest_text,
732 portable_data_hash: manifest_uuid,
734 post_collection = Marshal.load(Marshal.dump(test_collection))
736 collection: post_collection
738 assert_response :success
739 assert_not_nil assigns(:object)
740 resp = JSON.parse(@response.body)
741 assert_equal manifest_uuid, resp['portable_data_hash']
743 # The manifest in the response will have had permission hints added.
744 # Remove any permission hints in the response before comparing it to the source.
745 stripped_manifest = resp['manifest_text'].gsub(/\+A[A-Za-z0-9@_-]+/, '')
746 assert_equal manifest_text, stripped_manifest
749 test "multiple signed locators per line" do
750 permit_unsigned_manifests
751 authorize_with :active
753 d41d8cd98f00b204e9800998ecf8427e+0
754 acbd18db4cc2f85cedef654fccc4a4d8+3
755 ea10d51bcf88862dbcc36eb292017dfd+45)
758 key: Rails.configuration.blob_signing_key,
759 api_token: api_token(:active),
762 unsigned_manifest = [".", *locators, "0:0:foo.txt\n"].join(" ")
763 manifest_uuid = Digest::MD5.hexdigest(unsigned_manifest) +
765 unsigned_manifest.length.to_s
767 signed_locators = locators.map { |loc| Blob.sign_locator loc, signing_opts }
768 signed_manifest = [".", *signed_locators, "0:0:foo.txt\n"].join(" ")
772 manifest_text: signed_manifest,
773 portable_data_hash: manifest_uuid,
776 assert_response :success
777 assert_not_nil assigns(:object)
778 resp = JSON.parse(@response.body)
779 assert_equal manifest_uuid, resp['portable_data_hash']
780 # All of the locators in the output must be signed.
781 # Each line is of the form "path locator locator ... 0:0:file.txt"
782 # entry.split[1..-2] will yield just the tokens in the middle of the line
783 returned_locator_count = 0
784 resp['manifest_text'].lines.each do |entry|
785 entry.split[1..-2].each do |tok|
786 returned_locator_count += 1
787 assert Blob.verify_signature tok, signing_opts
790 assert_equal locators.count, returned_locator_count
793 test 'Reject manifest with unsigned blob' do
794 permit_unsigned_manifests false
795 authorize_with :active
796 unsigned_manifest = ". 0cc175b9c0f1b6a831c399e269772661+1 0:1:a.txt\n"
797 manifest_uuid = Digest::MD5.hexdigest(unsigned_manifest)
800 manifest_text: unsigned_manifest,
801 portable_data_hash: manifest_uuid,
805 "Creating a collection with unsigned blobs should respond 403"
806 assert_empty Collection.where('uuid like ?', manifest_uuid+'%'),
807 "Collection should not exist in database after failed create"
810 test 'List expired collection returns empty list' do
811 authorize_with :active
813 where: {name: 'expired_collection'},
815 assert_response :success
816 found = assigns(:objects)
817 assert_equal 0, found.count
820 test 'Show expired collection returns 404' do
821 authorize_with :active
823 id: 'zzzzz-4zz18-mto52zx1s7sn3ih',
828 test 'Update expired collection returns 404' do
829 authorize_with :active
831 id: 'zzzzz-4zz18-mto52zx1s7sn3ih',
833 name: "still expired"
839 test 'List collection with future expiration time succeeds' do
840 authorize_with :active
842 where: {name: 'collection_expires_in_future'},
844 found = assigns(:objects)
845 assert_equal 1, found.count
849 test 'Show collection with future expiration time succeeds' do
850 authorize_with :active
852 id: 'zzzzz-4zz18-padkqo7yb8d9i3j',
854 assert_response :success
857 test 'Update collection with future expiration time succeeds' do
858 authorize_with :active
860 id: 'zzzzz-4zz18-padkqo7yb8d9i3j',
862 name: "still not expired"
865 assert_response :success
868 test "get collection and verify that file_names is not included" do
869 authorize_with :active
870 get :show, {id: collections(:foo_file).uuid}
871 assert_response :success
872 assert_equal collections(:foo_file).uuid, json_response['uuid']
873 assert_nil json_response['file_names']
874 assert json_response['manifest_text']
880 ].each do |description_size, expected_response|
881 # Descriptions are not part of search indexes. Skip until
882 # full-text search is implemented, at which point replace with a
883 # search in description.
884 skip "create collection with description size #{description_size}
885 and expect response #{expected_response}" do
886 authorize_with :active
888 description = 'here is a collection with a very large description'
889 while description.length < description_size
890 description = description + description
893 post :create, collection: {
894 manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo.txt\n",
895 description: description,
898 assert_response expected_response
902 [1, 5, nil].each do |ask|
903 test "Set replication_desired=#{ask.inspect}" do
904 Rails.configuration.default_collection_replication = 2
905 authorize_with :active
907 id: collections(:replication_undesired_unconfirmed).uuid,
909 replication_desired: ask,
912 assert_response :success
913 assert_equal ask, json_response['replication_desired']
917 test "get collection with properties" do
918 authorize_with :active
919 get :show, {id: collections(:collection_with_one_property).uuid}
920 assert_response :success
921 assert_not_nil json_response['uuid']
922 assert_equal 'value1', json_response['properties']['property1']
925 test "create collection with properties" do
926 authorize_with :active
927 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
930 manifest_text: manifest_text,
931 portable_data_hash: "d30fe8ae534397864cb96c544f4cf102+47",
932 properties: {'property_1' => 'value_1'}
935 assert_response :success
936 assert_not_nil json_response['uuid']
937 assert_equal 'value_1', json_response['properties']['property_1']
941 [". d41d8cd98f00b204e9800998ecf8427e 0:34:foo.txt\n", 1, 34],
942 [". d41d8cd98f00b204e9800998ecf8427e 0:34:foo.txt 0:30:foo.txt 0:30:foo1.txt 0:30:foo2.txt 0:30:foo3.txt 0:30:foo4.txt\n", 5, 184],
943 [". d41d8cd98f00b204e9800998ecf8427e 0:0:.\n", 0, 0]
944 ].each do |manifest, count, size|
945 test "create collection with valid manifest #{manifest} and expect file stats" do
946 authorize_with :active
949 manifest_text: manifest
953 assert_equal count, json_response['file_count']
954 assert_equal size, json_response['file_size_total']
958 test "update collection manifest and expect new file stats" do
959 authorize_with :active
961 id: 'zzzzz-4zz18-bv31uwvy3neko21',
963 manifest_text: ". d41d8cd98f00b204e9800998ecf8427e 0:34:foo.txt\n"
967 assert_equal 1, json_response['file_count']
968 assert_equal 34, json_response['file_size_total']
973 ['file_size_total', 34]
974 ].each do |attribute, val|
975 test "create collection with #{attribute} and expect overwrite" do
976 authorize_with :active
979 manifest_text: ". d41d8cd98f00b204e9800998ecf8427e 0:34:foo.txt\n",
984 assert_equal val, json_response[attribute]
990 ['file_size_total', 3]
991 ].each do |attribute, val|
992 test "update collection with #{attribute} and expect overwrite" do
993 authorize_with :active
995 id: 'zzzzz-4zz18-bv31uwvy3neko21',
1001 assert_equal val, json_response[attribute]
1007 ". d41d8cd98f00b204e9800998ecf8427e foo.txt",
1008 "d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt",
1009 ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt",
1010 ].each do |manifest_text|
1011 test "create collection with invalid manifest #{manifest_text} and expect error" do
1012 authorize_with :active
1015 manifest_text: manifest_text,
1016 portable_data_hash: "d41d8cd98f00b204e9800998ecf8427e+0"
1020 response_errors = json_response['errors']
1021 assert_not_nil response_errors, 'Expected error in response'
1022 assert(response_errors.first.include?('Invalid manifest'),
1023 "Expected 'Invalid manifest' error in #{response_errors.first}")
1028 [nil, "d41d8cd98f00b204e9800998ecf8427e+0"],
1029 ["", "d41d8cd98f00b204e9800998ecf8427e+0"],
1030 [". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n", "d30fe8ae534397864cb96c544f4cf102+47"],
1031 ].each do |manifest_text, pdh|
1032 test "create collection with valid manifest #{manifest_text.inspect} and expect success" do
1033 authorize_with :active
1036 manifest_text: manifest_text,
1037 portable_data_hash: pdh
1046 ". d41d8cd98f00b204e9800998ecf8427e foo.txt",
1047 "d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt",
1048 ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt",
1049 ].each do |manifest_text|
1050 test "update collection with invalid manifest #{manifest_text} and expect error" do
1051 authorize_with :active
1053 id: 'zzzzz-4zz18-bv31uwvy3neko21',
1055 manifest_text: manifest_text,
1059 response_errors = json_response['errors']
1060 assert_not_nil response_errors, 'Expected error in response'
1061 assert(response_errors.first.include?('Invalid manifest'),
1062 "Expected 'Invalid manifest' error in #{response_errors.first}")
1069 ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n",
1070 ].each do |manifest_text|
1071 test "update collection with valid manifest #{manifest_text.inspect} and expect success" do
1072 authorize_with :active
1074 id: 'zzzzz-4zz18-bv31uwvy3neko21',
1076 manifest_text: manifest_text,
1083 test 'get trashed collection with include_trash' do
1084 uuid = 'zzzzz-4zz18-mto52zx1s7sn3ih' # expired_collection
1085 authorize_with :active
1088 include_trash: true,
1093 [:admin, :active].each do |user|
1094 test "get trashed collection via filters and #{user} user" do
1095 uuid = 'zzzzz-4zz18-mto52zx1s7sn3ih' # expired_collection
1098 filters: [["current_version_uuid", "=", uuid]],
1099 include_trash: true,
1102 # Only the current version is returned
1103 assert_equal 1, json_response["items"].size
1107 [:admin, :active].each do |user|
1108 test "get trashed collection via filters and #{user} user, including its past versions" do
1109 uuid = 'zzzzz-4zz18-mto52zx1s7sn3ih' # expired_collection
1110 authorize_with :admin
1112 filters: [["current_version_uuid", "=", uuid]],
1113 include_trash: true,
1114 include_old_versions: true,
1117 # Both current & past version are returned
1118 assert_equal 2, json_response["items"].size
1122 test "trash collection also trash its past versions" do
1123 uuid = collections(:collection_owned_by_active).uuid
1124 authorize_with :active
1125 versions = Collection.where(current_version_uuid: uuid)
1126 assert_equal 2, versions.size
1127 versions.each do |col|
1128 refute col.is_trashed
1134 versions = Collection.where(current_version_uuid: uuid)
1135 assert_equal 2, versions.size
1136 versions.each do |col|
1137 assert col.is_trashed
1141 test 'get trashed collection without include_trash' do
1142 uuid = 'zzzzz-4zz18-mto52zx1s7sn3ih' # expired_collection
1143 authorize_with :active
1150 test 'trash collection using http DELETE verb' do
1151 uuid = collections(:collection_owned_by_active).uuid
1152 authorize_with :active
1157 c = Collection.find_by_uuid(uuid)
1158 assert_operator c.trash_at, :<, db_current_time
1159 assert_equal c.delete_at, c.trash_at + Rails.configuration.blob_signature_ttl
1162 test 'delete long-trashed collection immediately using http DELETE verb' do
1163 uuid = 'zzzzz-4zz18-mto52zx1s7sn3ih' # expired_collection
1164 authorize_with :active
1169 c = Collection.find_by_uuid(uuid)
1170 assert_operator c.trash_at, :<, db_current_time
1171 assert_operator c.delete_at, :<, db_current_time
1174 ['zzzzz-4zz18-mto52zx1s7sn3ih', # expired_collection
1175 :empty_collection_name_in_active_user_home_project,
1177 test "trash collection #{fixture} via trash action with grace period" do
1178 if fixture.is_a? String
1181 uuid = collections(fixture).uuid
1183 authorize_with :active
1184 time_before_trashing = db_current_time
1189 c = Collection.find_by_uuid(uuid)
1190 assert_operator c.trash_at, :<, db_current_time
1191 assert_operator c.delete_at, :>=, time_before_trashing + Rails.configuration.default_trash_lifetime
1195 test 'untrash a trashed collection' do
1196 authorize_with :active
1198 id: collections(:expired_collection).uuid,
1201 assert_equal false, json_response['is_trashed']
1202 assert_nil json_response['trash_at']
1205 test 'untrash error on not trashed collection' do
1206 authorize_with :active
1208 id: collections(:collection_owned_by_active).uuid,
1213 [:active, :admin].each do |user|
1214 test "get trashed collections as #{user}" do
1217 filters: [["is_trashed", "=", true]],
1218 include_trash: true,
1220 assert_response :success
1223 json_response["items"].each do |coll|
1224 items << coll['uuid']
1227 assert_includes(items, collections('unique_expired_collection')['uuid'])
1229 assert_includes(items, collections('unique_expired_collection2')['uuid'])
1231 assert_not_includes(items, collections('unique_expired_collection2')['uuid'])
1236 test 'untrash collection with same name as another with no ensure unique name' do
1237 authorize_with :active
1239 id: collections(:trashed_collection_to_test_name_conflict_on_untrash).uuid,
1244 test 'untrash collection with same name as another with ensure unique name' do
1245 authorize_with :active
1247 id: collections(:trashed_collection_to_test_name_conflict_on_untrash).uuid,
1248 ensure_unique_name: true
1251 assert_equal false, json_response['is_trashed']
1252 assert_nil json_response['trash_at']
1253 assert_nil json_response['delete_at']
1254 assert_match /^same name for trashed and persisted collections \(\d{4}-\d\d-\d\d.*?Z\)$/, json_response['name']
1257 test 'cannot show collection in trashed subproject' do
1258 authorize_with :active
1260 id: collections(:collection_in_trashed_subproject).uuid,
1266 test 'can show collection in untrashed subproject' do
1267 authorize_with :active
1268 Group.find_by_uuid(groups(:trashed_project).uuid).update! is_trashed: false
1270 id: collections(:collection_in_trashed_subproject).uuid,
1273 assert_response :success
1276 test 'cannot index collection in trashed subproject' do
1277 authorize_with :active
1278 get :index, { limit: 1000 }
1279 assert_response :success
1280 item_uuids = json_response['items'].map do |item|
1283 assert_not_includes(item_uuids, collections(:collection_in_trashed_subproject).uuid)
1286 test 'can index collection in untrashed subproject' do
1287 authorize_with :active
1288 Group.find_by_uuid(groups(:trashed_project).uuid).update! is_trashed: false
1289 get :index, { limit: 1000 }
1290 assert_response :success
1291 item_uuids = json_response['items'].map do |item|
1294 assert_includes(item_uuids, collections(:collection_in_trashed_subproject).uuid)
1297 test 'can index trashed subproject collection with include_trash' do
1298 authorize_with :active
1300 include_trash: true,
1303 assert_response :success
1304 item_uuids = json_response['items'].map do |item|
1307 assert_includes(item_uuids, collections(:collection_in_trashed_subproject).uuid)
1310 test 'can get collection with past versions' do
1311 authorize_with :active
1313 filters: [['current_version_uuid','=',collections(:collection_owned_by_active).uuid]],
1314 include_old_versions: true
1316 assert_response :success
1317 assert_equal 2, assigns(:objects).length
1318 assert_equal 2, json_response['items_available']
1319 assert_equal 2, json_response['items'].count
1320 json_response['items'].each do |c|
1321 assert_equal collections(:collection_owned_by_active).uuid,
1322 c['current_version_uuid'],
1323 'response includes a version from a different collection'
1327 test 'can get old version collection by uuid' do
1328 authorize_with :active
1330 id: collections(:collection_owned_by_active_past_version_1).uuid,
1332 assert_response :success
1333 assert_equal collections(:collection_owned_by_active_past_version_1).name,
1334 json_response['name']
1337 test 'version and current_version_uuid are ignored at creation time' do
1338 permit_unsigned_manifests
1339 authorize_with :active
1340 manifest_text = ". d41d8cd98f00b204e9800998ecf8427e 0:0:foo.txt\n"
1343 name: 'Test collection',
1345 current_version_uuid: collections(:collection_owned_by_active).uuid,
1346 manifest_text: manifest_text,
1349 assert_response :success
1350 resp = JSON.parse(@response.body)
1351 assert_equal 1, resp['version']
1352 assert_equal resp['uuid'], resp['current_version_uuid']
1355 test "update collection with versioning enabled" do
1356 Rails.configuration.collection_versioning = true
1357 Rails.configuration.preserve_version_if_idle = 1 # 1 second
1359 col = collections(:collection_owned_by_active)
1360 assert_equal 2, col.version
1361 assert col.modified_at < Time.now - 1.second
1363 token = api_client_authorizations(:active).v2token
1364 signed = Blob.sign_locator(
1365 'acbd18db4cc2f85cedef654fccc4a4d8+3',
1366 key: Rails.configuration.blob_signing_key,
1368 authorize_with_token token
1372 manifest_text: ". #{signed} 0:3:foo.txt\n",
1375 assert_response :success
1376 assert_equal 3, json_response['version']
projects / arvados.git / blob