3 class Arvados::V1::RepositoriesControllerTest < ActionController::TestCase
4 test "should get_all_logins with admin token" do
6 get :get_all_permissions
7 assert_response :success
10 test "should get_all_logins with non-admin token" do
11 authorize_with :active
12 get :get_all_permissions
16 test "get_all_permissions gives RW to repository owner" do
18 get :get_all_permissions
19 assert_response :success
21 json_response['repositories'].each do |repo|
22 if repo['uuid'] == repositories(:repository2).uuid
23 if repo['user_permissions'][users(:active).uuid]['can_write']
28 assert_equal(true, ok,
29 "No permission on own repo '@{repositories(:repository2).uuid}'")
32 test "get_all_permissions takes into account is_admin flag" do
34 get :get_all_permissions
35 assert_response :success
36 json_response['repositories'].each do |repo|
37 assert_not_nil(repo['user_permissions'][users(:admin).uuid],
38 "Admin user is not listed in perms for #{repo['uuid']}")
40 repo['user_permissions'][users(:admin).uuid]['can_write'],
41 "Admin has no perms for #{repo['uuid']}")
45 test "get_all_permissions takes into account is_active flag" do
47 act_as_user users(:active) do
48 r = Repository.create! name: 'active/testrepo'
56 get :get_all_permissions
57 assert_response :success
58 json_response['repositories'].each do |r|
59 r['user_permissions'].each do |user_uuid, perms|
60 refute_equal user_uuid, users(:active).uuid
65 test "get_all_permissions does not give any access to user without permission" do
66 viewer_uuid = users(:project_viewer).uuid
67 assert_equal(authorized_keys(:project_viewer).authorized_user_uuid,
69 "project_viewer must have an authorized_key for this test to work")
71 get :get_all_permissions
72 assert_response :success
73 readable_repos = json_response["repositories"].select do |repo|
74 repo["user_permissions"].has_key?(viewer_uuid)
76 assert_equal(["arvados"], readable_repos.map { |r| r["name"] },
77 "project_viewer should only have permissions on public repos")
80 test "get_all_permissions gives gitolite R to user with read-only access" do
82 get :get_all_permissions
83 assert_response :success
85 assert_equal(authorized_keys(:spectator).authorized_user_uuid,
86 users(:spectator).uuid,
87 "spectator must have an authorized_key for this test to work")
88 json_response['repositories'].each do |repo|
89 next unless repo['uuid'] == repositories(:foo).uuid
91 repo['user_permissions'][users(:spectator).uuid]['gitolite_permissions'],
92 "spectator user should have just R access to #{repo['uuid']}")
95 assert_equal true, found_it, "spectator user does not have R on foo repo"
98 test "get_all_permissions provides admin and active user keys" do
100 get :get_all_permissions
101 assert_response :success
102 [:active, :admin].each do |u|
103 assert_equal(1, json_response['user_keys'][users(u).uuid].andand.count,
104 "expected 1 key for #{u} (#{users(u).uuid})")
105 assert_equal(json_response['user_keys'][users(u).uuid][0]['public_key'],
106 authorized_keys(u).public_key,
107 "response public_key does not match fixture #{u}.")
111 test "get_all_permissions lists all repos regardless of permissions" do
112 act_as_system_user do
113 # Create repos that could potentially be left out of the
114 # permission list by accident.
116 # No authorized_key, no username (this can't even be done
117 # without skipping validations)
118 r = Repository.create name: 'root/testrepo'
119 assert r.save validate: false
121 r = Repository.create name: 'invalid username / repo name', owner_uuid: users(:inactive).uuid
122 assert r.save validate: false
124 authorize_with :admin
125 get :get_all_permissions
126 assert_response :success
127 assert_equal(Repository.count, json_response["repositories"].size)
130 test "get_all_permissions lists user permissions for users with no authorized keys" do
131 authorize_with :admin
132 AuthorizedKey.destroy_all
133 get :get_all_permissions
134 assert_response :success
135 assert_equal(Repository.count, json_response["repositories"].size)
136 repos_with_perms = []
137 json_response['repositories'].each do |repo|
138 if repo['user_permissions'].any?
139 repos_with_perms << repo['uuid']
142 assert_not_empty repos_with_perms, 'permissions are missing'
145 # Ensure get_all_permissions correctly describes what the normal
146 # permission system would do.
147 test "get_all_permissions obeys group permissions" do
148 act_as_user system_user do
149 r = Repository.create!(name: 'admin/groupcanwrite', owner_uuid: users(:admin).uuid)
150 g = Group.create!(group_class: 'group', name: 'repo-writers')
152 u2 = users(:spectator)
153 Link.create!(tail_uuid: g.uuid, head_uuid: r.uuid, link_class: 'permission', name: 'can_manage')
154 Link.create!(tail_uuid: u1.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_write')
155 Link.create!(tail_uuid: u2.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_read')
157 r = Repository.create!(name: 'admin/groupreadonly', owner_uuid: users(:admin).uuid)
158 g = Group.create!(group_class: 'group', name: 'repo-readers')
160 u2 = users(:spectator)
161 Link.create!(tail_uuid: g.uuid, head_uuid: r.uuid, link_class: 'permission', name: 'can_read')
162 Link.create!(tail_uuid: u1.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_write')
163 Link.create!(tail_uuid: u2.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_read')
165 authorize_with :admin
166 get :get_all_permissions
167 assert_response :success
168 json_response['repositories'].each do |repo|
169 repo['user_permissions'].each do |user_uuid, perms|
170 u = User.find_by_uuid(user_uuid)
172 assert u.can? read: repo['uuid']
173 assert_match /R/, perms['gitolite_permissions']
175 refute_match /R/, perms['gitolite_permissions']
177 if perms['can_write']
178 assert u.can? write: repo['uuid']
179 assert_match /RW/, perms['gitolite_permissions']
181 refute_match /W/, perms['gitolite_permissions']
183 if perms['can_manage']
184 assert u.can? manage: repo['uuid']
185 assert_match /RW/, perms['gitolite_permissions']
191 test "default index includes fetch_url" do
192 authorize_with :active
194 assert_response :success
195 assert_includes(json_response["items"].map { |r| r["fetch_url"] },
196 "git@git.zzzzz.arvadosapi.com:active/foo.git")
200 {cfg: :git_repo_ssh_base, cfgval: "git@example.com:", match: %r"^git@example.com:/"},
201 {cfg: :git_repo_ssh_base, cfgval: true, match: %r"^git@git.zzzzz.arvadosapi.com:/"},
202 {cfg: :git_repo_ssh_base, cfgval: false, refute: /^git@/ },
203 {cfg: :git_repo_https_base, cfgval: "https://example.com/", match: %r"https://example.com/"},
204 {cfg: :git_repo_https_base, cfgval: true, match: %r"^https://git.zzzzz.arvadosapi.com/"},
205 {cfg: :git_repo_https_base, cfgval: false, refute: /^http/ },
207 test "set #{expect[:cfg]} to #{expect[:cfgval]}" do
208 Rails.configuration.send expect[:cfg].to_s+"=", expect[:cfgval]
209 authorize_with :active
211 assert_response :success
212 json_response['items'].each do |r|
214 r['clone_urls'].each do |u|
215 refute_match expect[:refute], u
218 assert r['clone_urls'].any? do |u|
219 expect[:prefix].match u
226 test "select push_url in index" do
227 authorize_with :active
228 get(:index, {select: ["uuid", "push_url"]})
229 assert_response :success
230 assert_includes(json_response["items"].map { |r| r["push_url"] },
231 "git@git.zzzzz.arvadosapi.com:active/foo.git")
234 test "select clone_urls in index" do
235 authorize_with :active
236 get(:index, {select: ["uuid", "clone_urls"]})
237 assert_response :success
238 assert_includes(json_response["items"].map { |r| r["clone_urls"] }.flatten,
239 "git@git.zzzzz.arvadosapi.com:active/foo.git")
projects / arvados.git / blob