services/api/test/unit/group_test.rb

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 require 'test_helper'
   6 require 'fix_roles_projects'
   7
   8 class GroupTest < ActiveSupport::TestCase
   9   include DbCurrentTime
  10
  11   test "cannot set owner_uuid to object with existing ownership cycle" do
  12     set_user_from_auth :active_trustedclient
  13
  14     # First make sure we have lots of permission on the bad group by
  15     # renaming it to "{current name} is mine all mine"
  16     g = groups(:bad_group_has_ownership_cycle_b)
  17     g.name += " is mine all mine"
  18     assert g.save, "active user should be able to modify group #{g.uuid}"
  19
  20     # Use the group as the owner of a new object
  21     s = Specimen.
  22       create(owner_uuid: groups(:bad_group_has_ownership_cycle_b).uuid)
  23     assert s.valid?, "ownership should pass validation #{s.errors.messages}"
  24     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
  25
  26     # Use the group as the new owner of an existing object
  27     s = specimens(:in_aproject)
  28     s.owner_uuid = groups(:bad_group_has_ownership_cycle_b).uuid
  29     assert s.valid?, "ownership should pass validation"
  30     assert_equal false, s.save, "should not save object with #{g.uuid} as owner"
  31   end
  32
  33   test "cannot create a new ownership cycle" do
  34     set_user_from_auth :active_trustedclient
  35
  36     g_foo = Group.create!(name: "foo", group_class: "project")
  37     g_bar = Group.create!(name: "bar", group_class: "project")
  38
  39     g_foo.owner_uuid = g_bar.uuid
  40     assert g_foo.save, lambda { g_foo.errors.messages }
  41     g_bar.owner_uuid = g_foo.uuid
  42     assert g_bar.valid?, "ownership cycle should not prevent validation"
  43     assert_equal false, g_bar.save, "should not create an ownership loop"
  44     assert g_bar.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
  45   end
  46
  47   test "cannot create a single-object ownership cycle" do
  48     set_user_from_auth :active_trustedclient
  49
  50     g_foo = Group.create!(name: "foo", group_class: "project")
  51     assert g_foo.save
  52
  53     # Ensure I have permission to manage this group even when its owner changes
  54     perm_link = Link.create!(tail_uuid: users(:active).uuid,
  55                             head_uuid: g_foo.uuid,
  56                             link_class: 'permission',
  57                             name: 'can_manage')
  58     assert perm_link.save
  59
  60     g_foo.owner_uuid = g_foo.uuid
  61     assert_equal false, g_foo.save, "should not create an ownership loop"
  62     assert g_foo.errors.messages[:owner_uuid].join(" ").match(/ownership cycle/)
  63   end
  64
  65   test "cannot create a group that is not a 'role' or 'project' or 'filter'" do
  66     set_user_from_auth :active_trustedclient
  67
  68     assert_raises(ActiveRecord::RecordInvalid) do
  69       Group.create!(name: "foo")
  70     end
  71
  72     assert_raises(ActiveRecord::RecordInvalid) do
  73       Group.create!(name: "foo", group_class: "")
  74     end
  75
  76     assert_raises(ActiveRecord::RecordInvalid) do
  77       Group.create!(name: "foo", group_class: "bogus")
  78     end
  79   end
  80
  81   test "cannot change group_class on an already created group" do
  82     set_user_from_auth :active_trustedclient
  83     g = Group.create!(name: "foo", group_class: "role")
  84     assert_raises(ActiveRecord::RecordInvalid) do
  85       g.update_attributes!(group_class: "project")
  86     end
  87   end
  88
  89   test "role cannot own things" do
  90     set_user_from_auth :active_trustedclient
  91     role = Group.create!(name: "foo", group_class: "role")
  92     assert_raises(ArvadosModel::PermissionDeniedError) do
  93       Collection.create!(name: "bzzz123", owner_uuid: role.uuid)
  94     end
  95
  96     c = Collection.create!(name: "bzzz124")
  97     assert_raises(ArvadosModel::PermissionDeniedError) do
  98       c.update_attributes!(owner_uuid: role.uuid)
  99     end
 100   end
 101
 102   test "trash group hides contents" do
 103     set_user_from_auth :active_trustedclient
 104
 105     g_foo = Group.create!(name: "foo", group_class: "project")
 106     col = Collection.create!(owner_uuid: g_foo.uuid)
 107
 108     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 109     g_foo.update! is_trashed: true
 110     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 111     assert Collection.readable_by(users(:active), {:include_trash => true}).where(uuid: col.uuid).any?
 112     g_foo.update! is_trashed: false
 113     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 114   end
 115
 116   test "trash group" do
 117     set_user_from_auth :active_trustedclient
 118
 119     g_foo = Group.create!(name: "foo", group_class: "project")
 120     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 121     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 122
 123     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 124     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 125     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 126     g_foo.update! is_trashed: true
 127     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 128     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 129     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 130
 131     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_foo.uuid).any?
 132     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
 133     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 134   end
 135
 136
 137   test "trash subgroup" do
 138     set_user_from_auth :active_trustedclient
 139
 140     g_foo = Group.create!(name: "foo", group_class: "project")
 141     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 142     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 143
 144     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 145     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 146     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 147     g_bar.update! is_trashed: true
 148
 149     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 150     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 151     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 152
 153     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_bar.uuid).any?
 154     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 155   end
 156
 157   test "trash subsubgroup" do
 158     set_user_from_auth :active_trustedclient
 159
 160     g_foo = Group.create!(name: "foo", group_class: "project")
 161     g_bar = Group.create!(name: "bar", owner_uuid: g_foo.uuid, group_class: "project")
 162     g_baz = Group.create!(name: "baz", owner_uuid: g_bar.uuid, group_class: "project")
 163
 164     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 165     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 166     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 167     g_baz.update! is_trashed: true
 168     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 169     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 170     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 171     assert Group.readable_by(users(:active), {:include_trash => true}).where(uuid: g_baz.uuid).any?
 172   end
 173
 174
 175   test "trash group propagates to subgroups" do
 176     set_user_from_auth :active_trustedclient
 177
 178     g_foo = groups(:trashed_project)
 179     g_bar = groups(:trashed_subproject)
 180     g_baz = groups(:trashed_subproject3)
 181     col = collections(:collection_in_trashed_subproject)
 182
 183     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 184     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 185     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 186     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 187
 188     set_user_from_auth :admin
 189     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).empty?
 190     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).empty?
 191     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 192     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).empty?
 193
 194     set_user_from_auth :active_trustedclient
 195     g_foo.update! is_trashed: false
 196     assert Group.readable_by(users(:active)).where(uuid: g_foo.uuid).any?
 197     assert Group.readable_by(users(:active)).where(uuid: g_bar.uuid).any?
 198     assert Collection.readable_by(users(:active)).where(uuid: col.uuid).any?
 199
 200     # this one should still be trashed.
 201     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).empty?
 202
 203     g_baz.update! is_trashed: false
 204     assert Group.readable_by(users(:active)).where(uuid: g_baz.uuid).any?
 205   end
 206
 207   test "trashed does not propagate across permission links" do
 208     set_user_from_auth :admin
 209
 210     g_foo = Group.create!(name: "foo", group_class: "role")
 211     u_bar = User.create!(first_name: "bar")
 212
 213     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).any?
 214     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 215     g_foo.update! is_trashed: true
 216
 217     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
 218     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 219
 220     g_foo.update! is_trashed: false
 221     ln = Link.create!(tail_uuid: g_foo.uuid,
 222                       head_uuid: u_bar.uuid,
 223                       link_class: "permission",
 224                       name: "can_read")
 225     g_foo.update! is_trashed: true
 226
 227     assert Group.readable_by(users(:admin)).where(uuid: g_foo.uuid).empty?
 228     assert User.readable_by(users(:admin)).where(uuid:  u_bar.uuid).any?
 229   end
 230
 231   test "project names must be displayable in a filesystem" do
 232     set_user_from_auth :active
 233     ["", "{SOLIDUS}"].each do |subst|
 234       Rails.configuration.Collections.ForwardSlashNameSubstitution = subst
 235       proj = Group.create group_class: "project"
 236       role = Group.create group_class: "role"
 237       filt = Group.create group_class: "filter", properties: {"filters":[]}
 238       [[nil, true],
 239        ["", true],
 240        [".", false],
 241        ["..", false],
 242        ["...", true],
 243        ["..z..", true],
 244        ["foo/bar", subst != ""],
 245        ["../..", subst != ""],
 246        ["/", subst != ""],
 247       ].each do |name, valid|
 248         role.name = name
 249         assert_equal true, role.valid?
 250         proj.name = name
 251         assert_equal valid, proj.valid?, "project: #{name.inspect} should be #{valid ? "valid" : "invalid"}"
 252         filt.name = name
 253         assert_equal valid, filt.valid?, "filter: #{name.inspect} should be #{valid ? "valid" : "invalid"}"
 254       end
 255     end
 256   end
 257
 258   def insert_group uuid, owner_uuid, name, group_class
 259     q = ActiveRecord::Base.connection.exec_query %{
 260 insert into groups (uuid, owner_uuid, name, group_class, created_at, updated_at)
 261        values ('#{uuid}', '#{owner_uuid}',
 262                '#{name}', #{if group_class then "'"+group_class+"'" else 'NULL' end},
 263                statement_timestamp(), statement_timestamp())
 264 }
 265     uuid
 266   end
 267
 268   test "migration to fix roles and projects" do
 269     g1 = insert_group Group.generate_uuid, system_user_uuid, 'group with no class', nil
 270     g2 = insert_group Group.generate_uuid, users(:active).uuid, 'role owned by a user', 'role'
 271
 272     g3 = insert_group Group.generate_uuid, system_user_uuid, 'role that owns a project', 'role'
 273     g4 = insert_group Group.generate_uuid, g3, 'the project', 'project'
 274
 275     g5 = insert_group Group.generate_uuid, users(:active).uuid, 'a project with an outgoing permission link', 'project'
 276
 277     g6 = insert_group Group.generate_uuid, system_user_uuid, 'name collision', 'role'
 278     g7 = insert_group Group.generate_uuid, users(:active).uuid, 'name collision', 'role'
 279
 280     g8 = insert_group Group.generate_uuid, users(:active).uuid, 'trashed with no class', nil
 281     g8obj = Group.find_by_uuid(g8)
 282     g8obj.trash_at = db_current_time
 283     g8obj.delete_at = db_current_time
 284     act_as_system_user do
 285       g8obj.save!(validate: false)
 286     end
 287
 288     refresh_permissions
 289
 290     act_as_system_user do
 291       l1 = Link.create!(link_class: 'permission', name: 'can_manage', tail_uuid: g3, head_uuid: g4)
 292       q = ActiveRecord::Base.connection.exec_query %{
 293 update links set tail_uuid='#{g5}' where uuid='#{l1.uuid}'
 294 }
 295     refresh_permissions
 296     end
 297
 298     assert_equal nil, Group.find_by_uuid(g1).group_class
 299     assert_equal nil, Group.find_by_uuid(g8).group_class
 300     assert_equal users(:active).uuid, Group.find_by_uuid(g2).owner_uuid
 301     assert_equal g3, Group.find_by_uuid(g4).owner_uuid
 302     assert !Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
 303     assert !Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
 304     assert Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
 305
 306     fix_roles_projects
 307
 308     assert_equal 'role', Group.find_by_uuid(g1).group_class
 309     assert_equal 'role', Group.find_by_uuid(g8).group_class
 310     assert_equal system_user_uuid, Group.find_by_uuid(g2).owner_uuid
 311     assert_equal system_user_uuid, Group.find_by_uuid(g4).owner_uuid
 312     assert Link.where(tail_uuid: users(:active).uuid, head_uuid: g2, link_class: "permission", name: "can_manage").any?
 313     assert Link.where(tail_uuid: g3, head_uuid: g4, link_class: "permission", name: "can_manage").any?
 314     assert !Link.where(link_class: 'permission', name: 'can_manage', tail_uuid: g5, head_uuid: g4).any?
 315   end
 316
 317   test "freeze project" do
 318     act_as_user users(:active) do
 319       Rails.configuration.API.UnfreezeProjectRequiresAdmin = false
 320
 321       test_cr_attrs = {
 322         command: ["echo", "foo"],
 323         container_image: links(:docker_image_collection_tag).name,
 324         cwd: "/tmp",
 325         environment: {},
 326         mounts: {"/out" => {"kind" => "tmp", "capacity" => 1000000}},
 327         output_path: "/out",
 328         runtime_constraints: {"vcpus" => 1, "ram" => 2},
 329         name: "foo",
 330         description: "bar",
 331       }
 332       parent = Group.create!(group_class: 'project', name: 'freeze-test-parent', owner_uuid: users(:active).uuid)
 333       proj = Group.create!(group_class: 'project', name: 'freeze-test', owner_uuid: parent.uuid)
 334       proj_inner = Group.create!(group_class: 'project', name: 'freeze-test-inner', owner_uuid: proj.uuid)
 335       coll = Collection.create!(name: 'freeze-test-collection', manifest_text: '', owner_uuid: proj_inner.uuid)
 336
 337       # Cannot set frozen_by_uuid to a different user
 338       assert_raises do
 339         proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid)
 340       end
 341       proj.reload
 342
 343       # Cannot set frozen_by_uuid without can_manage permission
 344       act_as_system_user do
 345         Link.create!(link_class: 'permission', name: 'can_write', tail_uuid: users(:spectator).uuid, head_uuid: proj.uuid)
 346       end
 347       act_as_user users(:spectator) do
 348         # First confirm we have write permission
 349         assert Collection.create(name: 'bar', owner_uuid: proj.uuid)
 350         assert_raises(ArvadosModel::PermissionDeniedError) do
 351           proj.update_attributes!(frozen_by_uuid: users(:spectator).uuid)
 352         end
 353       end
 354       proj.reload
 355
 356       # Cannot set frozen_by_uuid without description (if so configured)
 357       Rails.configuration.API.FreezeProjectRequiresDescription = true
 358       err = assert_raises do
 359         proj.update_attributes!(frozen_by_uuid: users(:active).uuid)
 360       end
 361       assert_match /can only be set if description is non-empty/, err.inspect
 362       proj.reload
 363       err = assert_raises do
 364         proj.update_attributes!(frozen_by_uuid: users(:active).uuid, description: '')
 365       end
 366       assert_match /can only be set if description is non-empty/, err.inspect
 367       proj.reload
 368
 369       # Cannot set frozen_by_uuid without properties (if so configured)
 370       Rails.configuration.API.FreezeProjectRequiresProperties['frobity'] = true
 371       err = assert_raises do
 372         proj.update_attributes!(
 373           frozen_by_uuid: users(:active).uuid,
 374           description: 'ready to freeze')
 375       end
 376       assert_match /can only be set if properties\[frobity\] value is non-empty/, err.inspect
 377       proj.reload
 378
 379       # Cannot set frozen_by_uuid while project or its parent is
 380       # trashed
 381       [parent, proj].each do |trashed|
 382         trashed.update_attributes!(trash_at: db_current_time)
 383         err = assert_raises do
 384           proj.update_attributes!(
 385             frozen_by_uuid: users(:active).uuid,
 386             description: 'ready to freeze',
 387             properties: {'frobity' => 'bar baz'})
 388         end
 389         assert_match /cannot be set on a trashed project/, err.inspect
 390         proj.reload
 391         trashed.update_attributes!(trash_at: nil)
 392       end
 393
 394       # Can set frozen_by_uuid if all conditions are met
 395       ok = proj.update_attributes(
 396         frozen_by_uuid: users(:active).uuid,
 397         description: 'ready to freeze',
 398         properties: {'frobity' => 'bar baz'})
 399       assert ok, proj.errors.messages.inspect
 400
 401       [:active, :admin].each do |u|
 402         act_as_user users(u) do
 403           # Once project is frozen, cannot create new items inside it or
 404           # its descendants
 405           [proj, proj_inner].each do |frozen|
 406             assert_raises do
 407               collections(:collection_owned_by_active).update_attributes!(owner_uuid: frozen.uuid)
 408             end
 409             assert_raises do
 410               Collection.create!(owner_uuid: frozen.uuid, name: 'inside-frozen-project')
 411             end
 412             assert_raises do
 413               Group.create!(owner_uuid: frozen.uuid, group_class: 'project', name: 'inside-frozen-project')
 414             end
 415             cr = ContainerRequest.new(test_cr_attrs.merge(owner_uuid: frozen.uuid))
 416             assert_raises ArvadosModel::PermissionDeniedError do
 417               cr.save
 418             end
 419             assert_match /frozen/, cr.errors.inspect
 420             # Check the frozen-parent condition is the only reason save failed.
 421             cr.owner_uuid = users(u).uuid
 422             assert cr.save
 423             cr.destroy
 424           end
 425
 426           # Once project is frozen, cannot change name/contents, move,
 427           # trash, or delete the project or anything beneath it
 428           [proj, proj_inner, coll].each do |frozen|
 429             assert_raises(StandardError, "should reject rename of #{frozen.uuid} (#{frozen.name}) with parent #{frozen.owner_uuid}") do
 430               frozen.update_attributes!(name: 'foo2')
 431             end
 432             frozen.reload
 433
 434             if frozen.is_a?(Collection)
 435               assert_raises(StandardError, "should reject manifest change of #{frozen.uuid}") do
 436                 frozen.update_attributes!(manifest_text: ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:foo\n")
 437               end
 438             else
 439               assert_raises(StandardError, "should reject moving a project into #{frozen.uuid}") do
 440                 groups(:private).update_attributes!(owner_uuid: frozen.uuid)
 441               end
 442             end
 443             frozen.reload
 444
 445             assert_raises(StandardError, "should reject moving #{frozen.uuid} to a different parent project") do
 446               frozen.update_attributes!(owner_uuid: groups(:private).uuid)
 447             end
 448             frozen.reload
 449             assert_raises(StandardError, "should reject setting trash_at of #{frozen.uuid}") do
 450               frozen.update_attributes!(trash_at: db_current_time)
 451             end
 452             frozen.reload
 453             assert_raises(StandardError, "should reject setting delete_at of #{frozen.uuid}") do
 454               frozen.update_attributes!(delete_at: db_current_time)
 455             end
 456             frozen.reload
 457             assert_raises(StandardError, "should reject delete of #{frozen.uuid}") do
 458               frozen.destroy
 459             end
 460             frozen.reload
 461             if frozen != proj
 462               assert_equal [], frozen.writable_by
 463             end
 464           end
 465         end
 466       end
 467
 468       # User with write permission (but not manage) cannot unfreeze
 469       act_as_user users(:spectator) do
 470         # First confirm we have write permission on the parent project
 471         assert Collection.create(name: 'bar', owner_uuid: parent.uuid)
 472         assert_raises(ArvadosModel::PermissionDeniedError) do
 473           proj.update_attributes!(frozen_by_uuid: nil)
 474         end
 475       end
 476       proj.reload
 477
 478       # User with manage permission can unfreeze, then create items
 479       # inside it and its children
 480       assert proj.update_attributes(frozen_by_uuid: nil)
 481       assert Collection.create!(owner_uuid: proj.uuid, name: 'inside-unfrozen-project')
 482       assert Collection.create!(owner_uuid: proj_inner.uuid, name: 'inside-inner-unfrozen-project')
 483
 484       # Re-freeze, and reconfigure so only admins can unfreeze.
 485       assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
 486       Rails.configuration.API.UnfreezeProjectRequiresAdmin = true
 487
 488       # Owner cannot unfreeze, because not admin.
 489       err = assert_raises do
 490         proj.update_attributes!(frozen_by_uuid: nil)
 491       end
 492       assert_match /can only be changed by an admin user, once set/, err.inspect
 493       proj.reload
 494
 495       # Cannot trash or delete a frozen project's ancestor
 496       assert_raises(StandardError, "should not be able to set trash_at on parent of frozen project") do
 497         parent.update_attributes!(trash_at: db_current_time)
 498       end
 499       parent.reload
 500       assert_raises(StandardError, "should not be able to set delete_at on parent of frozen project") do
 501         parent.update_attributes!(delete_at: db_current_time)
 502       end
 503       parent.reload
 504       assert_nil parent.frozen_by_uuid
 505
 506       act_as_user users(:admin) do
 507         # Even admin cannot change frozen_by_uuid to someone else's UUID.
 508         err = assert_raises do
 509           proj.update_attributes!(frozen_by_uuid: users(:project_viewer).uuid)
 510         end
 511         assert_match /can only be set to the current user's UUID/, err.inspect
 512         proj.reload
 513
 514         # Admin can unfreeze.
 515         assert proj.update_attributes(frozen_by_uuid: nil), proj.errors.messages
 516       end
 517
 518       # Cannot freeze a project if it contains container requests in
 519       # Committed state (this would cause operations on the relevant
 520       # Containers to fail when syncing container request state)
 521       creq_uncommitted = ContainerRequest.create!(test_cr_attrs.merge(owner_uuid: proj_inner.uuid))
 522       creq_committed = ContainerRequest.create!(test_cr_attrs.merge(owner_uuid: proj_inner.uuid, state: 'Committed'))
 523       err = assert_raises do
 524         proj.update_attributes!(frozen_by_uuid: users(:active).uuid)
 525       end
 526       assert_match /container request zzzzz-xvhdp-.* with state = Committed/, err.inspect
 527       proj.reload
 528
 529       # Can freeze once all container requests are in Uncommitted or
 530       # Final state
 531       creq_committed.update_attributes!(state: ContainerRequest::Final)
 532       assert proj.update_attributes(frozen_by_uuid: users(:active).uuid)
 533     end
 534   end
 535 end