1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class Arvados::V1::GroupsControllerTest < ActionController::TestCase
9 test "attempt to delete group without read or write access" do
10 authorize_with :active
11 post :destroy, params: {id: groups(:empty_lonely_group).uuid}
15 test "attempt to delete group without write access" do
16 authorize_with :active
17 post :destroy, params: {id: groups(:all_users).uuid}
21 test "get list of projects" do
22 authorize_with :active
23 get :index, params: {filters: [['group_class', '=', 'project']], format: :json}
24 assert_response :success
26 json_response['items'].each do |group|
27 assert_equal 'project', group['group_class']
28 group_uuids << group['uuid']
30 assert_includes group_uuids, groups(:aproject).uuid
31 assert_includes group_uuids, groups(:asubproject).uuid
32 assert_includes group_uuids, groups(:private).uuid
33 assert_not_includes group_uuids, groups(:system_group).uuid
34 assert_not_includes group_uuids, groups(:private_and_can_read_foofile).uuid
37 test "get list of groups that are not projects" do
38 authorize_with :active
39 get :index, params: {filters: [['group_class', '!=', 'project']], format: :json}
40 assert_response :success
42 json_response['items'].each do |group|
43 assert_not_equal 'project', group['group_class']
44 group_uuids << group['uuid']
46 assert_not_includes group_uuids, groups(:aproject).uuid
47 assert_not_includes group_uuids, groups(:asubproject).uuid
50 test "get list of groups with bogus group_class" do
51 authorize_with :active
53 filters: [['group_class', '=', 'nogrouphasthislittleclass']],
56 assert_response :success
57 assert_equal [], json_response['items']
58 assert_equal 0, json_response['items_available']
61 def check_project_contents_response disabled_kinds=[]
62 assert_response :success
63 assert_operator 2, :<=, json_response['items_available']
64 assert_operator 2, :<=, json_response['items'].count
65 kinds = json_response['items'].collect { |i| i['kind'] }.uniq
66 expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' - disabled_kinds
67 assert_equal expect_kinds, (expect_kinds & kinds)
69 json_response['items'].each do |i|
70 if i['kind'] == 'arvados#group'
71 assert(i['group_class'] == 'project',
72 "group#contents returned a non-project group")
76 disabled_kinds.each do |d|
77 assert_equal true, !kinds.include?(d)
81 test 'get group-owned objects' do
82 authorize_with :active
83 get :contents, params: {
84 id: groups(:aproject).uuid,
87 check_project_contents_response
90 test "user with project read permission can see project objects" do
91 authorize_with :project_viewer
92 get :contents, params: {
93 id: groups(:aproject).uuid,
96 check_project_contents_response
99 test "list objects across projects" do
100 authorize_with :project_viewer
101 get :contents, params: {
103 filters: [['uuid', 'is_a', 'arvados#specimen']]
105 assert_response :success
106 found_uuids = json_response['items'].collect { |i| i['uuid'] }
107 [[:in_aproject, true],
108 [:in_asubproject, true],
109 [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
111 assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
113 refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
118 test "list trashed collections and projects" do
119 authorize_with :active
120 get(:contents, params: {
124 ['uuid', 'is_a', ['arvados#collection', 'arvados#group']],
125 ['is_trashed', '=', true],
129 assert_response :success
130 found_uuids = json_response['items'].collect { |i| i['uuid'] }
131 assert_includes found_uuids, groups(:trashed_project).uuid
132 refute_includes found_uuids, groups(:aproject).uuid
133 assert_includes found_uuids, collections(:expired_collection).uuid
134 refute_includes found_uuids, collections(:w_a_z_file).uuid
137 test "list objects in home project" do
138 authorize_with :active
139 get :contents, params: {
142 id: users(:active).uuid
144 assert_response :success
145 found_uuids = json_response['items'].collect { |i| i['uuid'] }
146 assert_includes found_uuids, specimens(:owned_by_active_user).uuid, "specimen did not appear in home project"
147 refute_includes found_uuids, specimens(:in_asubproject).uuid, "specimen appeared unexpectedly in home project"
150 test "user with project read permission can see project collections" do
151 authorize_with :project_viewer
152 get :contents, params: {
153 id: groups(:asubproject).uuid,
156 ids = json_response['items'].map { |item| item["uuid"] }
157 assert_includes ids, collections(:baz_file_in_asubproject).uuid
161 ['collections.name', 'asc', :<=, "name"],
162 ['collections.name', 'desc', :>=, "name"],
163 ['name', 'asc', :<=, "name"],
164 ['name', 'desc', :>=, "name"],
165 ['collections.created_at', 'asc', :<=, "created_at"],
166 ['collections.created_at', 'desc', :>=, "created_at"],
167 ['created_at', 'asc', :<=, "created_at"],
168 ['created_at', 'desc', :>=, "created_at"],
169 ].each do |column, order, operator, field|
170 test "user with project read permission can sort projects on #{column} #{order}" do
171 authorize_with :project_viewer
172 get :contents, params: {
173 id: groups(:asubproject).uuid,
175 filters: [['uuid', 'is_a', "arvados#collection"]],
176 order: "#{column} #{order}"
178 sorted_values = json_response['items'].collect { |item| item[field] }
180 # Here we avoid assuming too much about the database
181 # collation. Both "alice"<"Bob" and "alice">"Bob" can be
182 # correct. Hopefully it _is_ safe to assume that if "a" comes
183 # before "b" in the ascii alphabet, "aX">"bY" is never true for
184 # any strings X and Y.
185 reliably_sortable_names = sorted_values.select do |name|
186 name[0] >= 'a' && name[0] <= 'z'
190 # Preserve order of sorted_values. But do not use &=. If
191 # sorted_values has out-of-order duplicates, we want to preserve
192 # them here, so we can detect them and fail the test below.
193 sorted_values.select! do |name|
194 reliably_sortable_names.include? name
197 assert_sorted(operator, sorted_values)
201 def assert_sorted(operator, sorted_items)
202 actually_checked_anything = false
204 sorted_items.each do |entry|
206 assert_operator(previous, operator, entry,
207 "Entries sorted incorrectly.")
208 actually_checked_anything = true
212 assert actually_checked_anything, "Didn't even find two items to compare."
215 # Even though the project_viewer tests go through other controllers,
216 # I'm putting them here so they're easy to find alongside the other
218 def check_new_project_link_fails(link_attrs)
219 @controller = Arvados::V1::LinksController.new
220 post :create, params: {
222 link_class: "permission",
224 head_uuid: groups(:aproject).uuid,
227 assert_includes(403..422, response.status)
230 test "user with project read permission can't add users to it" do
231 authorize_with :project_viewer
232 check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
235 test "user with project read permission can't add items to it" do
236 authorize_with :project_viewer
237 check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
240 test "user with project read permission can't rename items in it" do
241 authorize_with :project_viewer
242 @controller = Arvados::V1::LinksController.new
243 post :update, params: {
244 id: jobs(:running).uuid,
245 name: "Denied test name",
247 assert_includes(403..404, response.status)
250 test "user with project read permission can't remove items from it" do
251 @controller = Arvados::V1::PipelineTemplatesController.new
252 authorize_with :project_viewer
253 post :update, params: {
254 id: pipeline_templates(:two_part).uuid,
256 owner_uuid: users(:project_viewer).uuid,
262 test "user with project read permission can't delete it" do
263 authorize_with :project_viewer
264 post :destroy, params: {id: groups(:aproject).uuid}
268 test 'get group-owned objects with limit' do
269 authorize_with :active
270 get :contents, params: {
271 id: groups(:aproject).uuid,
275 assert_response :success
276 assert_operator 1, :<, json_response['items_available']
277 assert_equal 1, json_response['items'].count
280 test 'get group-owned objects with limit and offset' do
281 authorize_with :active
282 get :contents, params: {
283 id: groups(:aproject).uuid,
288 assert_response :success
289 assert_operator 1, :<, json_response['items_available']
290 assert_equal 0, json_response['items'].count
293 test 'get group-owned objects with additional filter matching nothing' do
294 authorize_with :active
295 get :contents, params: {
296 id: groups(:aproject).uuid,
297 filters: [['uuid', 'in', ['foo_not_a_uuid','bar_not_a_uuid']]],
300 assert_response :success
301 assert_equal [], json_response['items']
302 assert_equal 0, json_response['items_available']
305 %w(offset limit).each do |arg|
306 ['foo', '', '1234five', '0x10', '-8'].each do |val|
307 test "Raise error on bogus #{arg} parameter #{val.inspect}" do
308 authorize_with :active
309 get :contents, params: {
310 :id => groups(:aproject).uuid,
319 test "Collection contents don't include manifest_text" do
320 authorize_with :active
321 get :contents, params: {
322 id: groups(:aproject).uuid,
323 filters: [["uuid", "is_a", "arvados#collection"]],
326 assert_response :success
327 refute(json_response["items"].any? { |c| not c["portable_data_hash"] },
328 "response included an item without a portable data hash")
329 refute(json_response["items"].any? { |c| c.include?("manifest_text") },
330 "response included an item with a manifest text")
333 test 'get writable_by list for owned group' do
334 authorize_with :active
336 id: groups(:aproject).uuid,
339 assert_response :success
340 assert_not_nil(json_response['writable_by'],
341 "Should receive uuid list in 'writable_by' field")
342 assert_includes(json_response['writable_by'], users(:active).uuid,
343 "owner should be included in writable_by list")
346 test 'no writable_by list for group with read-only access' do
347 authorize_with :rominiadmin
349 id: groups(:testusergroup_admins).uuid,
352 assert_response :success
353 assert_equal([json_response['owner_uuid']],
354 json_response['writable_by'],
355 "Should only see owner_uuid in 'writable_by' field")
358 test 'get writable_by list by admin user' do
359 authorize_with :admin
361 id: groups(:testusergroup_admins).uuid,
364 assert_response :success
365 assert_not_nil(json_response['writable_by'],
366 "Should receive uuid list in 'writable_by' field")
367 assert_includes(json_response['writable_by'],
369 "Current user should be included in 'writable_by' field")
372 test 'creating subproject with duplicate name fails' do
373 authorize_with :active
374 post :create, params: {
377 owner_uuid: users(:active).uuid,
378 group_class: 'project',
382 response_errors = json_response['errors']
383 assert_not_nil response_errors, 'Expected error in response'
384 assert(response_errors.first.include?('duplicate key'),
385 "Expected 'duplicate key' error in #{response_errors.first}")
388 test 'creating duplicate named subproject succeeds with ensure_unique_name' do
389 authorize_with :active
390 post :create, params: {
393 owner_uuid: users(:active).uuid,
394 group_class: 'project',
396 ensure_unique_name: true
398 assert_response :success
399 new_project = json_response
400 assert_not_equal(new_project['uuid'],
401 groups(:aproject).uuid,
402 "create returned same uuid as existing project")
403 assert_match(/^A Project \(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z\)$/,
408 [['owner_uuid', '!=', 'zzzzz-tpzed-xurymjxw79nv3jz'], 200,
409 'zzzzz-d1hrv-subprojpipeline', 'zzzzz-d1hrv-1xfj6xkicf2muk2'],
410 [["pipeline_instances.state", "not in", ["Complete", "Failed"]], 200,
411 'zzzzz-d1hrv-1xfj6xkicf2muk2', 'zzzzz-d1hrv-i3e77t9z5y8j9cc'],
412 [['container_requests.requesting_container_uuid', '=', nil], 200,
413 'zzzzz-xvhdp-cr4queuedcontnr', 'zzzzz-xvhdp-cr4requestercn2'],
414 [['container_requests.no_such_column', '=', nil], 422],
415 [['container_requests.', '=', nil], 422],
416 [['.requesting_container_uuid', '=', nil], 422],
417 [['no_such_table.uuid', '!=', 'zzzzz-tpzed-xurymjxw79nv3jz'], 422],
418 ].each do |filter, expect_code, expect_uuid, not_expect_uuid|
419 test "get contents with '#{filter}' filter" do
420 authorize_with :active
421 get :contents, params: {filters: [filter], format: :json}
422 assert_response expect_code
423 if expect_code == 200
424 assert_not_empty json_response['items']
425 item_uuids = json_response['items'].collect {|item| item['uuid']}
426 assert_includes(item_uuids, expect_uuid)
427 assert_not_includes(item_uuids, not_expect_uuid)
432 test 'get contents with jobs and pipeline instances disabled' do
433 Rails.configuration.API.DisabledAPIs = {'jobs.index'=>{}, 'pipeline_instances.index'=>{}}
435 authorize_with :active
436 get :contents, params: {
437 id: groups(:aproject).uuid,
440 check_project_contents_response %w'arvados#pipelineInstance arvados#job'
443 test 'get contents with low max_index_database_read' do
444 # Some result will certainly have at least 12 bytes in a
446 Rails.configuration.API.MaxIndexDatabaseRead = 12
447 authorize_with :active
448 get :contents, params: {
449 id: groups(:aproject).uuid,
452 assert_response :success
453 assert_not_empty(json_response['items'])
454 assert_operator(json_response['items'].count,
455 :<, json_response['items_available'])
458 test 'get contents, recursive=true' do
459 authorize_with :active
461 id: groups(:aproject).uuid,
465 get :contents, params: params
466 owners = json_response['items'].map do |item|
469 assert_includes(owners, groups(:aproject).uuid)
470 assert_includes(owners, groups(:asubproject).uuid)
473 [false, nil].each do |recursive|
474 test "get contents, recursive=#{recursive.inspect}" do
475 authorize_with :active
477 id: groups(:aproject).uuid,
480 params[:recursive] = false if recursive == false
481 get :contents, params: params
482 owners = json_response['items'].map do |item|
485 assert_includes(owners, groups(:aproject).uuid)
486 refute_includes(owners, groups(:asubproject).uuid)
490 test 'get home project contents, recursive=true' do
491 authorize_with :active
492 get :contents, params: {
493 id: users(:active).uuid,
497 owners = json_response['items'].map do |item|
500 assert_includes(owners, users(:active).uuid)
501 assert_includes(owners, groups(:aproject).uuid)
502 assert_includes(owners, groups(:asubproject).uuid)
505 ### trashed project tests ###
510 # trashed_project (zzzzz-j7d0g-trashedproject1)
511 # trashed_subproject (zzzzz-j7d0g-trashedproject2)
512 # trashed_subproject3 (zzzzz-j7d0g-trashedproject3)
513 # zzzzz-xvhdp-cr5trashedcontr
516 :admin].each do |auth|
517 # project: to query, to untrash, is visible, parent contents listing success
519 [:trashed_project, [], false, true],
520 [:trashed_project, [:trashed_project], true, true],
521 [:trashed_subproject, [], false, false],
522 [:trashed_subproject, [:trashed_project], true, true],
523 [:trashed_subproject3, [:trashed_project], false, true],
524 [:trashed_subproject3, [:trashed_subproject3], false, false],
525 [:trashed_subproject3, [:trashed_project, :trashed_subproject3], true, true],
526 ].each do |project, untrash, visible, success|
528 test "contents listing #{project} #{untrash} as #{auth}" do
531 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
533 get :contents, params: {
534 id: groups(project).owner_uuid,
538 assert_response :success
539 item_uuids = json_response['items'].map do |item|
543 assert_includes(item_uuids, groups(project).uuid)
545 assert_not_includes(item_uuids, groups(project).uuid)
552 test "contents of #{project} #{untrash} as #{auth}" do
555 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
557 get :contents, params: {
558 id: groups(project).uuid,
562 assert_response :success
568 test "index #{project} #{untrash} as #{auth}" do
571 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
573 get :index, params: {
576 assert_response :success
577 item_uuids = json_response['items'].map do |item|
581 assert_includes(item_uuids, groups(project).uuid)
583 assert_not_includes(item_uuids, groups(project).uuid)
587 test "show #{project} #{untrash} as #{auth}" do
590 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
593 id: groups(project).uuid,
597 assert_response :success
603 test "show include_trash=false #{project} #{untrash} as #{auth}" do
606 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
609 id: groups(project).uuid,
614 assert_response :success
620 test "show include_trash #{project} #{untrash} as #{auth}" do
623 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
626 id: groups(project).uuid,
630 assert_response :success
633 test "index include_trash #{project} #{untrash} as #{auth}" do
636 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
638 get :index, params: {
642 assert_response :success
643 item_uuids = json_response['items'].map do |item|
646 assert_includes(item_uuids, groups(project).uuid)
650 test "delete project #{auth}" do
652 [:trashed_project].each do |pr|
653 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
655 assert !Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
656 post :destroy, params: {
657 id: groups(:trashed_project).uuid,
660 assert_response :success
661 assert Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
664 test "untrash project #{auth}" do
666 assert Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
667 post :untrash, params: {
668 id: groups(:trashed_project).uuid,
671 assert_response :success
672 assert !Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
675 test "untrash project with name conflict #{auth}" do
677 [:trashed_project].each do |pr|
678 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
680 gc = Group.create!({owner_uuid: "zzzzz-j7d0g-trashedproject1",
681 name: "trashed subproject 3",
682 group_class: "project"})
683 post :untrash, params: {
684 id: groups(:trashed_subproject3).uuid,
686 ensure_unique_name: true
688 assert_response :success
689 assert_match /^trashed subproject 3 \(\d{4}-\d\d-\d\d.*?Z\)$/, json_response['name']
692 test "move trashed subproject to new owner #{auth}" do
694 assert_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
695 put :update, params: {
696 id: groups(:trashed_subproject).uuid,
698 owner_uuid: users(:active).uuid
703 assert_response :success
704 assert_not_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
708 test 'get shared owned by another user' do
709 authorize_with :user_bar_in_sharing_group
711 act_as_system_user do
713 tail_uuid: users(:user_bar_in_sharing_group).uuid,
714 link_class: 'permission',
716 head_uuid: groups(:project_owned_by_foo).uuid)
719 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
721 assert_equal 1, json_response['items'].length
722 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
724 assert_equal 1, json_response['included'].length
725 assert_equal json_response['included'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
728 test 'get shared, owned by unreadable project' do
729 authorize_with :user_bar_in_sharing_group
731 act_as_system_user do
732 Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
734 tail_uuid: users(:user_bar_in_sharing_group).uuid,
735 link_class: 'permission',
737 head_uuid: groups(:project_owned_by_foo).uuid)
740 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
742 assert_equal 1, json_response['items'].length
743 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
745 assert_equal 0, json_response['included'].length
748 test 'get shared, add permission link' do
749 authorize_with :user_bar_in_sharing_group
751 act_as_system_user do
752 Link.create!(tail_uuid: groups(:group_for_sharing_tests).uuid,
753 head_uuid: groups(:project_owned_by_foo).uuid,
754 link_class: 'permission',
758 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
760 assert_equal 1, json_response['items'].length
761 assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]
763 assert_equal 1, json_response['included'].length
764 assert_equal users(:user_foo_in_sharing_group).uuid, json_response['included'][0]["uuid"]
767 ### contents with exclude_home_project
769 test 'contents, exclude home owned by another user' do
770 authorize_with :user_bar_in_sharing_group
772 act_as_system_user do
774 tail_uuid: users(:user_bar_in_sharing_group).uuid,
775 link_class: 'permission',
777 head_uuid: groups(:project_owned_by_foo).uuid)
779 tail_uuid: users(:user_bar_in_sharing_group).uuid,
780 link_class: 'permission',
782 head_uuid: collections(:collection_owned_by_foo).uuid)
785 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
787 assert_equal 2, json_response['items'].length
788 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
789 assert_equal json_response['items'][1]["uuid"], collections(:collection_owned_by_foo).uuid
791 assert_equal 1, json_response['included'].length
792 assert_equal json_response['included'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
795 test 'contents, exclude home, owned by unreadable project' do
796 authorize_with :user_bar_in_sharing_group
798 act_as_system_user do
799 Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
801 tail_uuid: users(:user_bar_in_sharing_group).uuid,
802 link_class: 'permission',
804 head_uuid: groups(:project_owned_by_foo).uuid)
807 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
809 assert_equal 1, json_response['items'].length
810 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
812 assert_equal 0, json_response['included'].length
815 test 'contents, exclude home, add permission link' do
816 authorize_with :user_bar_in_sharing_group
818 act_as_system_user do
819 Link.create!(tail_uuid: groups(:group_for_sharing_tests).uuid,
820 head_uuid: groups(:project_owned_by_foo).uuid,
821 link_class: 'permission',
825 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
827 assert_equal 1, json_response['items'].length
828 assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]
830 assert_equal 1, json_response['included'].length
831 assert_equal users(:user_foo_in_sharing_group).uuid, json_response['included'][0]["uuid"]
834 test 'contents, exclude home, with parent specified' do
835 authorize_with :active
837 get :contents, params: {id: groups(:aproject).uuid, :include => "owner_uuid", :exclude_home_project => true}
projects / arvados.git / blob