# The v1 API uses token scopes to control access to the REST API at the path
# level. Because the check lives in the base ApplicationController, one
# integration test can exercise it through many different controllers.
7 class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest
# Body of the token-setup helper (its `def` line is not shown in this listing;
# the tests call it as `auth_with <fixture name>`, so the parameter is
# presumably that fixture name — confirm). Captures the fixture's api_token so
# request_with_auth can attach it to every request in the test.
@token = {api_token: api_client_authorizations(name).api_token}
# Body of the URL builder (its `def` line is not shown; called as
# v1_url('logs', ...)). Joins the given path parts under the arvados/v1
# prefix; note the result has no leading slash.
(['arvados', 'v1'] + parts).join('/')
# Issues an integration request through +method+ (e.g. :get_via_redirect)
# with the current test token added to the request params. On a key
# conflict the caller's +params+ win, because Hash#merge prefers its
# argument — so a test can deliberately substitute a different api_token.
def request_with_auth(method, path, params={})
  merged = @token.merge(params)
  send(method, path, merged)
end
# GET (following redirects) with the test token attached.
# Arguments are passed straight through to request_with_auth: path, then
# an optional params hash.
def get_with_auth(*args)
  verb = :get_via_redirect
  request_with_auth(verb, *args)
end
# POST (following redirects) with the test token attached.
# Arguments are passed straight through to request_with_auth: path, then
# an optional params hash.
def post_with_auth(*args)
  verb = :post_via_redirect
  request_with_auth(verb, *args)
end
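test "token without scope has no access" do
  # Logs are good for this test, because logs have relatively
  # few access controls enforced at the model level, so a rejection
  # here comes from the scope check rather than from model permissions.
  # The fixture is named admin_noscope — presumably an admin's token, so a
  # denial cannot be explained by lack of privilege either.
  auth_with :admin_noscope
  # Every request with an unscoped token must be rejected. Assert after
  # each call: without a check the test passes vacuously even if the
  # controller serves the data.
  # NOTE(review): >= 400 also accepts 5xx; tighten to 403 once the
  # controller's scope-denial status is confirmed.
  get_with_auth v1_url('logs')
  assert(@response.status >= 400, "listing logs with a no-scope token should have failed")
  get_with_auth v1_url('logs', logs(:log1).uuid)
  assert(@response.status >= 400, "getting a log with a no-scope token should have failed")
  post_with_auth(v1_url('logs'), log: {})
  assert(@response.status >= 400, "creating a log with a no-scope token should have failed")
end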
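test "VM login scopes work" do
  # A system administration script makes an API token with limited scope
  # for virtual machines to let it see logins.
  #
  # Build the logins URL for a VM fixture. A lambda rather than a nested
  # `def`: a def inside a test body defines a method on the test class at
  # runtime, leaking it into every other test and redefining it on each run.
  vm_logins_url = lambda do |name|
    v1_url('virtual_machines', virtual_machines(name).uuid, 'logins')
  end
  # NOTE(review): no auth_with call is visible in this listing; the requests
  # below rely on a token scoped to testvm's logins path having been set
  # before this point — confirm which fixture is used.
  get_with_auth vm_logins_url.call(:testvm)
  assert_response :success
  # The same token must not reach another VM's logins. >= 400 also accepts
  # 5xx; a tighter 403 check would distinguish a deliberate denial from a crash.
  get_with_auth vm_logins_url.call(:testvm2)
  assert(@response.status >= 400, "getting testvm2 logins should have failed")
end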