lib/controller/federation_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package controller
   6
   7 import (
   8         "encoding/json"
   9         "io/ioutil"
  10         "net/http"
  11         "net/http/httptest"
  12         "net/url"
  13         "strings"
  14         "time"
  15
  16         "git.curoverse.com/arvados.git/sdk/go/arvados"
  17         "git.curoverse.com/arvados.git/sdk/go/arvadostest"
  18         "git.curoverse.com/arvados.git/sdk/go/httpserver"
  19         "github.com/Sirupsen/logrus"
  20         check "gopkg.in/check.v1"
  21 )
  22
  23 // Gocheck boilerplate
  24 var _ = check.Suite(&FederationSuite{})
  25
  26 type FederationSuite struct {
  27         log *logrus.Logger
  28         // testServer and testHandler are the controller being tested,
  29         // "zhome".
  30         testServer  *httpserver.Server
  31         testHandler *Handler
  32         // remoteServer ("zzzzz") forwards requests to the Rails API
  33         // provided by the integration test environment.
  34         remoteServer *httpserver.Server
  35         // remoteMock ("zmock") appends each incoming request to
  36         // remoteMockRequests, and returns an empty 200 response.
  37         remoteMock         *httpserver.Server
  38         remoteMockRequests []http.Request
  39 }
  40
  41 func (s *FederationSuite) SetUpTest(c *check.C) {
  42         s.log = logrus.New()
  43         s.log.Formatter = &logrus.JSONFormatter{}
  44         s.log.Out = &logWriter{c.Log}
  45
  46         s.remoteServer = newServerFromIntegrationTestEnv(c)
  47         c.Assert(s.remoteServer.Start(), check.IsNil)
  48
  49         s.remoteMock = newServerFromIntegrationTestEnv(c)
  50         s.remoteMock.Server.Handler = http.HandlerFunc(s.remoteMockHandler)
  51         c.Assert(s.remoteMock.Start(), check.IsNil)
  52
  53         nodeProfile := arvados.NodeProfile{
  54                 Controller: arvados.SystemServiceInstance{Listen: ":"},
  55                 RailsAPI:   arvados.SystemServiceInstance{Listen: ":1"}, // local reqs will error "connection refused"
  56         }
  57         s.testHandler = &Handler{Cluster: &arvados.Cluster{
  58                 ClusterID:  "zhome",
  59                 PostgreSQL: integrationTestCluster().PostgreSQL,
  60                 NodeProfiles: map[string]arvados.NodeProfile{
  61                         "*": nodeProfile,
  62                 },
  63         }, NodeProfile: &nodeProfile}
  64         s.testServer = newServerFromIntegrationTestEnv(c)
  65         s.testServer.Server.Handler = httpserver.AddRequestIDs(httpserver.LogRequests(s.log, s.testHandler))
  66
  67         s.testHandler.Cluster.RemoteClusters = map[string]arvados.RemoteCluster{
  68                 "zzzzz": {
  69                         Host:   s.remoteServer.Addr,
  70                         Proxy:  true,
  71                         Scheme: "http",
  72                 },
  73                 "zmock": {
  74                         Host:   s.remoteMock.Addr,
  75                         Proxy:  true,
  76                         Scheme: "http",
  77                 },
  78         }
  79
  80         c.Assert(s.testServer.Start(), check.IsNil)
  81
  82         s.remoteMockRequests = nil
  83 }
  84
  85 func (s *FederationSuite) remoteMockHandler(w http.ResponseWriter, req *http.Request) {
  86         s.remoteMockRequests = append(s.remoteMockRequests, *req)
  87 }
  88
  89 func (s *FederationSuite) TearDownTest(c *check.C) {
  90         if s.remoteServer != nil {
  91                 s.remoteServer.Close()
  92         }
  93         if s.testServer != nil {
  94                 s.testServer.Close()
  95         }
  96 }
  97
  98 func (s *FederationSuite) testRequest(req *http.Request) *http.Response {
  99         resp := httptest.NewRecorder()
 100         s.testServer.Server.Handler.ServeHTTP(resp, req)
 101         return resp.Result()
 102 }
 103
 104 func (s *FederationSuite) TestLocalRequest(c *check.C) {
 105         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zhome-", 1), nil)
 106         resp := s.testRequest(req)
 107         s.checkHandledLocally(c, resp)
 108 }
 109
 110 func (s *FederationSuite) checkHandledLocally(c *check.C, resp *http.Response) {
 111         // Our "home" controller can't handle local requests because
 112         // it doesn't have its own stub/test Rails API, so we rely on
 113         // "connection refused" to indicate the controller tried to
 114         // proxy the request to its local Rails API.
 115         c.Check(resp.StatusCode, check.Equals, http.StatusBadGateway)
 116         s.checkJSONErrorMatches(c, resp, `.*connection refused`)
 117 }
 118
 119 func (s *FederationSuite) TestNoAuth(c *check.C) {
 120         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 121         resp := s.testRequest(req)
 122         c.Check(resp.StatusCode, check.Equals, http.StatusUnauthorized)
 123         s.checkJSONErrorMatches(c, resp, `Not logged in`)
 124 }
 125
 126 func (s *FederationSuite) TestBadAuth(c *check.C) {
 127         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 128         req.Header.Set("Authorization", "Bearer aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
 129         resp := s.testRequest(req)
 130         c.Check(resp.StatusCode, check.Equals, http.StatusUnauthorized)
 131         s.checkJSONErrorMatches(c, resp, `Not logged in`)
 132 }
 133
 134 func (s *FederationSuite) TestNoAccess(c *check.C) {
 135         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 136         req.Header.Set("Authorization", "Bearer "+arvadostest.SpectatorToken)
 137         resp := s.testRequest(req)
 138         c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
 139         s.checkJSONErrorMatches(c, resp, `.*not found`)
 140 }
 141
 142 func (s *FederationSuite) TestGetUnknownRemote(c *check.C) {
 143         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zz404-", 1), nil)
 144         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 145         resp := s.testRequest(req)
 146         c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
 147         s.checkJSONErrorMatches(c, resp, `.*no proxy available for cluster zz404`)
 148 }
 149
 150 func (s *FederationSuite) TestRemoteError(c *check.C) {
 151         rc := s.testHandler.Cluster.RemoteClusters["zzzzz"]
 152         rc.Scheme = "https"
 153         s.testHandler.Cluster.RemoteClusters["zzzzz"] = rc
 154
 155         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 156         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 157         resp := s.testRequest(req)
 158         c.Check(resp.StatusCode, check.Equals, http.StatusBadGateway)
 159         s.checkJSONErrorMatches(c, resp, `.*HTTP response to HTTPS client`)
 160 }
 161
 162 func (s *FederationSuite) TestGetRemoteWorkflow(c *check.C) {
 163         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 164         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 165         resp := s.testRequest(req)
 166         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 167         var wf arvados.Workflow
 168         c.Check(json.NewDecoder(resp.Body).Decode(&wf), check.IsNil)
 169         c.Check(wf.UUID, check.Equals, arvadostest.WorkflowWithDefinitionYAMLUUID)
 170         c.Check(wf.OwnerUUID, check.Equals, arvadostest.ActiveUserUUID)
 171 }
 172
 173 func (s *FederationSuite) TestOptionsMethod(c *check.C) {
 174         req := httptest.NewRequest("OPTIONS", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 175         req.Header.Set("Origin", "https://example.com")
 176         resp := s.testRequest(req)
 177         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 178         body, err := ioutil.ReadAll(resp.Body)
 179         c.Check(err, check.IsNil)
 180         c.Check(string(body), check.Equals, "")
 181         c.Check(resp.Header.Get("Access-Control-Allow-Origin"), check.Equals, "*")
 182         for _, hdr := range []string{"Authorization", "Content-Type"} {
 183                 c.Check(resp.Header.Get("Access-Control-Allow-Headers"), check.Matches, ".*"+hdr+".*")
 184         }
 185         for _, method := range []string{"GET", "HEAD", "PUT", "POST", "DELETE"} {
 186                 c.Check(resp.Header.Get("Access-Control-Allow-Methods"), check.Matches, ".*"+method+".*")
 187         }
 188 }
 189
 190 func (s *FederationSuite) TestRemoteWithTokenInQuery(c *check.C) {
 191         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zmock-", 1)+"?api_token="+arvadostest.ActiveToken, nil)
 192         s.testRequest(req)
 193         c.Assert(len(s.remoteMockRequests), check.Equals, 1)
 194         pr := s.remoteMockRequests[0]
 195         // Token is salted and moved from query to Authorization header.
 196         c.Check(pr.URL.String(), check.Not(check.Matches), `.*api_token=.*`)
 197         c.Check(pr.Header.Get("Authorization"), check.Equals, "Bearer v2/zzzzz-gj3su-077z32aux8dg2s1/7fd31b61f39c0e82a4155592163218272cedacdc")
 198 }
 199
 200 func (s *FederationSuite) TestLocalTokenSalted(c *check.C) {
 201         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zmock-", 1), nil)
 202         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 203         s.testRequest(req)
 204         c.Assert(len(s.remoteMockRequests), check.Equals, 1)
 205         pr := s.remoteMockRequests[0]
 206         // The salted token here has a "zzzzz-" UUID instead of a
 207         // "ztest-" UUID because ztest's local database has the
 208         // "zzzzz-" test fixtures. The "secret" part is HMAC(sha1,
 209         // arvadostest.ActiveToken, "zmock") = "7fd3...".
 210         c.Check(pr.Header.Get("Authorization"), check.Equals, "Bearer v2/zzzzz-gj3su-077z32aux8dg2s1/7fd31b61f39c0e82a4155592163218272cedacdc")
 211 }
 212
 213 func (s *FederationSuite) TestRemoteTokenNotSalted(c *check.C) {
 214         // remoteToken can be any v1 token that doesn't appear in
 215         // ztest's local db.
 216         remoteToken := "abcdef00000000000000000000000000000000000000000000"
 217         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zmock-", 1), nil)
 218         req.Header.Set("Authorization", "Bearer "+remoteToken)
 219         s.testRequest(req)
 220         c.Assert(len(s.remoteMockRequests), check.Equals, 1)
 221         pr := s.remoteMockRequests[0]
 222         c.Check(pr.Header.Get("Authorization"), check.Equals, "Bearer "+remoteToken)
 223 }
 224
 225 func (s *FederationSuite) TestWorkflowCRUD(c *check.C) {
 226         wf := arvados.Workflow{
 227                 Description: "TestCRUD",
 228         }
 229         {
 230                 body := &strings.Builder{}
 231                 json.NewEncoder(body).Encode(&wf)
 232                 req := httptest.NewRequest("POST", "/arvados/v1/workflows", strings.NewReader(url.Values{
 233                         "workflow": {body.String()},
 234                 }.Encode()))
 235                 req.Header.Set("Content-type", "application/x-www-form-urlencoded")
 236                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 237                 rec := httptest.NewRecorder()
 238                 s.remoteServer.Server.Handler.ServeHTTP(rec, req) // direct to remote -- can't proxy a create req because no uuid
 239                 resp := rec.Result()
 240                 s.checkResponseOK(c, resp)
 241                 json.NewDecoder(resp.Body).Decode(&wf)
 242
 243                 defer func() {
 244                         req := httptest.NewRequest("DELETE", "/arvados/v1/workflows/"+wf.UUID, nil)
 245                         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 246                         s.remoteServer.Server.Handler.ServeHTTP(httptest.NewRecorder(), req)
 247                 }()
 248                 c.Check(wf.UUID, check.Not(check.Equals), "")
 249
 250                 c.Assert(wf.ModifiedAt, check.NotNil)
 251                 c.Logf("wf.ModifiedAt: %v", wf.ModifiedAt)
 252                 c.Check(time.Since(*wf.ModifiedAt) < time.Minute, check.Equals, true)
 253         }
 254         for _, method := range []string{"PATCH", "PUT", "POST"} {
 255                 form := url.Values{
 256                         "workflow": {`{"description": "Updated with ` + method + `"}`},
 257                 }
 258                 if method == "POST" {
 259                         form["_method"] = []string{"PATCH"}
 260                 }
 261                 req := httptest.NewRequest(method, "/arvados/v1/workflows/"+wf.UUID, strings.NewReader(form.Encode()))
 262                 req.Header.Set("Content-type", "application/x-www-form-urlencoded")
 263                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 264                 resp := s.testRequest(req)
 265                 s.checkResponseOK(c, resp)
 266                 err := json.NewDecoder(resp.Body).Decode(&wf)
 267                 c.Check(err, check.IsNil)
 268
 269                 c.Check(wf.Description, check.Equals, "Updated with "+method)
 270         }
 271         {
 272                 req := httptest.NewRequest("DELETE", "/arvados/v1/workflows/"+wf.UUID, nil)
 273                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 274                 resp := s.testRequest(req)
 275                 s.checkResponseOK(c, resp)
 276                 err := json.NewDecoder(resp.Body).Decode(&wf)
 277                 c.Check(err, check.IsNil)
 278         }
 279         {
 280                 req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+wf.UUID, nil)
 281                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 282                 resp := s.testRequest(req)
 283                 c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
 284         }
 285 }
 286
 287 func (s *FederationSuite) checkResponseOK(c *check.C, resp *http.Response) {
 288         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 289         if resp.StatusCode != http.StatusOK {
 290                 body, err := ioutil.ReadAll(resp.Body)
 291                 c.Logf("... response body = %q, %v\n", body, err)
 292         }
 293 }
 294
 295 func (s *FederationSuite) checkJSONErrorMatches(c *check.C, resp *http.Response, re string) {
 296         var jresp httpserver.ErrorResponse
 297         err := json.NewDecoder(resp.Body).Decode(&jresp)
 298         c.Check(err, check.IsNil)
 299         c.Assert(len(jresp.Errors), check.Equals, 1)
 300         c.Check(jresp.Errors[0], check.Matches, re)
 301 }