1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class Arvados::V1::GroupsControllerTest < ActionController::TestCase
9 test "attempt to delete group without read or write access" do
10 authorize_with :active
11 post :destroy, params: {id: groups(:empty_lonely_group).uuid}
15 test "attempt to delete group without write access" do
16 authorize_with :active
17 post :destroy, params: {id: groups(:all_users).uuid}
21 test "get list of projects" do
22 authorize_with :active
23 get :index, params: {filters: [['group_class', '=', 'project']], format: :json}
24 assert_response :success
26 json_response['items'].each do |group|
27 assert_equal 'project', group['group_class']
28 group_uuids << group['uuid']
30 assert_includes group_uuids, groups(:aproject).uuid
31 assert_includes group_uuids, groups(:asubproject).uuid
32 assert_includes group_uuids, groups(:private).uuid
33 assert_not_includes group_uuids, groups(:system_group).uuid
34 assert_not_includes group_uuids, groups(:private_and_can_read_foofile).uuid
37 test "get list of groups that are not projects" do
38 authorize_with :active
39 get :index, params: {filters: [['group_class', '!=', 'project']], format: :json}
40 assert_response :success
42 json_response['items'].each do |group|
43 assert_not_equal 'project', group['group_class']
44 group_uuids << group['uuid']
46 assert_not_includes group_uuids, groups(:aproject).uuid
47 assert_not_includes group_uuids, groups(:asubproject).uuid
50 test "get list of groups with bogus group_class" do
51 authorize_with :active
53 filters: [['group_class', '=', 'nogrouphasthislittleclass']],
56 assert_response :success
57 assert_equal [], json_response['items']
58 assert_equal 0, json_response['items_available']
61 def check_project_contents_response disabled_kinds=[]
62 assert_response :success
63 assert_operator 2, :<=, json_response['items_available']
64 assert_operator 2, :<=, json_response['items'].count
65 kinds = json_response['items'].collect { |i| i['kind'] }.uniq
66 expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' - disabled_kinds
67 assert_equal expect_kinds, (expect_kinds & kinds)
69 json_response['items'].each do |i|
70 if i['kind'] == 'arvados#group'
71 assert(i['group_class'] == 'project',
72 "group#contents returned a non-project group")
76 disabled_kinds.each do |d|
77 assert_equal true, !kinds.include?(d)
81 test 'get group-owned objects' do
82 authorize_with :active
83 get :contents, params: {
84 id: groups(:aproject).uuid,
87 check_project_contents_response
90 test "user with project read permission can see project objects" do
91 authorize_with :project_viewer
92 get :contents, params: {
93 id: groups(:aproject).uuid,
96 check_project_contents_response
99 test "list objects across projects" do
100 authorize_with :project_viewer
101 get :contents, params: {
103 filters: [['uuid', 'is_a', 'arvados#specimen']]
105 assert_response :success
106 found_uuids = json_response['items'].collect { |i| i['uuid'] }
107 [[:in_aproject, true],
108 [:in_asubproject, true],
109 [:owned_by_private_group, false]].each do |specimen_fixture, should_find|
111 assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'"
113 refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'"
118 test "list trashed collections and projects" do
119 authorize_with :active
120 get(:contents, params: {
124 ['uuid', 'is_a', ['arvados#collection', 'arvados#group']],
125 ['is_trashed', '=', true],
129 assert_response :success
130 found_uuids = json_response['items'].collect { |i| i['uuid'] }
131 assert_includes found_uuids, groups(:trashed_project).uuid
132 refute_includes found_uuids, groups(:aproject).uuid
133 assert_includes found_uuids, collections(:expired_collection).uuid
134 refute_includes found_uuids, collections(:w_a_z_file).uuid
137 test "list objects in home project" do
138 authorize_with :active
139 get :contents, params: {
142 id: users(:active).uuid
144 assert_response :success
145 found_uuids = json_response['items'].collect { |i| i['uuid'] }
146 assert_includes found_uuids, specimens(:owned_by_active_user).uuid, "specimen did not appear in home project"
147 refute_includes found_uuids, specimens(:in_asubproject).uuid, "specimen appeared unexpectedly in home project"
150 test "user with project read permission can see project collections" do
151 authorize_with :project_viewer
152 get :contents, params: {
153 id: groups(:asubproject).uuid,
156 ids = json_response['items'].map { |item| item["uuid"] }
157 assert_includes ids, collections(:baz_file_in_asubproject).uuid
161 ['collections.name', 'asc', :<=, "name"],
162 ['collections.name', 'desc', :>=, "name"],
163 ['name', 'asc', :<=, "name"],
164 ['name', 'desc', :>=, "name"],
165 ['collections.created_at', 'asc', :<=, "created_at"],
166 ['collections.created_at', 'desc', :>=, "created_at"],
167 ['created_at', 'asc', :<=, "created_at"],
168 ['created_at', 'desc', :>=, "created_at"],
169 ].each do |column, order, operator, field|
170 test "user with project read permission can sort projects on #{column} #{order}" do
171 authorize_with :project_viewer
172 get :contents, params: {
173 id: groups(:asubproject).uuid,
175 filters: [['uuid', 'is_a', "arvados#collection"]],
176 order: "#{column} #{order}"
178 sorted_values = json_response['items'].collect { |item| item[field] }
180 # Here we avoid assuming too much about the database
181 # collation. Both "alice"<"Bob" and "alice">"Bob" can be
182 # correct. Hopefully it _is_ safe to assume that if "a" comes
183 # before "b" in the ascii alphabet, "aX">"bY" is never true for
184 # any strings X and Y.
185 reliably_sortable_names = sorted_values.select do |name|
186 name[0] >= 'a' && name[0] <= 'z'
190 # Preserve order of sorted_values. But do not use &=. If
191 # sorted_values has out-of-order duplicates, we want to preserve
192 # them here, so we can detect them and fail the test below.
193 sorted_values.select! do |name|
194 reliably_sortable_names.include? name
197 assert_sorted(operator, sorted_values)
201 def assert_sorted(operator, sorted_items)
202 actually_checked_anything = false
204 sorted_items.each do |entry|
206 assert_operator(previous, operator, entry,
207 "Entries sorted incorrectly.")
208 actually_checked_anything = true
212 assert actually_checked_anything, "Didn't even find two items to compare."
215 # Even though the project_viewer tests go through other controllers,
216 # I'm putting them here so they're easy to find alongside the other
218 def check_new_project_link_fails(link_attrs)
219 @controller = Arvados::V1::LinksController.new
220 post :create, params: {
222 link_class: "permission",
224 head_uuid: groups(:aproject).uuid,
227 assert_includes(403..422, response.status)
230 test "user with project read permission can't add users to it" do
231 authorize_with :project_viewer
232 check_new_project_link_fails(tail_uuid: users(:spectator).uuid)
235 test "user with project read permission can't add items to it" do
236 authorize_with :project_viewer
237 check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid)
240 test "user with project read permission can't rename items in it" do
241 authorize_with :project_viewer
242 @controller = Arvados::V1::LinksController.new
243 post :update, params: {
244 id: jobs(:running).uuid,
245 name: "Denied test name",
247 assert_includes(403..404, response.status)
250 test "user with project read permission can't remove items from it" do
251 @controller = Arvados::V1::PipelineTemplatesController.new
252 authorize_with :project_viewer
253 post :update, params: {
254 id: pipeline_templates(:two_part).uuid,
256 owner_uuid: users(:project_viewer).uuid,
262 test "user with project read permission can't delete it" do
263 authorize_with :project_viewer
264 post :destroy, params: {id: groups(:aproject).uuid}
268 test 'get group-owned objects with limit' do
269 authorize_with :active
270 get :contents, params: {
271 id: groups(:aproject).uuid,
275 assert_response :success
276 assert_operator 1, :<, json_response['items_available']
277 assert_equal 1, json_response['items'].count
280 test 'get group-owned objects with limit and offset' do
281 authorize_with :active
282 get :contents, params: {
283 id: groups(:aproject).uuid,
288 assert_response :success
289 assert_operator 1, :<, json_response['items_available']
290 assert_equal 0, json_response['items'].count
293 test 'get group-owned objects with additional filter matching nothing' do
294 authorize_with :active
295 get :contents, params: {
296 id: groups(:aproject).uuid,
297 filters: [['uuid', 'in', ['foo_not_a_uuid','bar_not_a_uuid']]],
300 assert_response :success
301 assert_equal [], json_response['items']
302 assert_equal 0, json_response['items_available']
305 %w(offset limit).each do |arg|
306 ['foo', '', '1234five', '0x10', '-8'].each do |val|
307 test "Raise error on bogus #{arg} parameter #{val.inspect}" do
308 authorize_with :active
309 get :contents, params: {
310 :id => groups(:aproject).uuid,
319 test "Collection contents don't include manifest_text or unsigned_manifest_text" do
320 authorize_with :active
321 get :contents, params: {
322 id: groups(:aproject).uuid,
323 filters: [["uuid", "is_a", "arvados#collection"]],
326 assert_response :success
327 refute(json_response["items"].any? { |c| not c["portable_data_hash"] },
328 "response included an item without a portable data hash")
329 refute(json_response["items"].any? { |c| c.include?("manifest_text") },
330 "response included an item with manifest_text")
331 refute(json_response["items"].any? { |c| c.include?("unsigned_manifest_text") },
332 "response included an item with unsigned_manifest_text")
335 test 'get writable_by list for owned group' do
336 authorize_with :active
338 id: groups(:aproject).uuid,
341 assert_response :success
342 assert_not_nil(json_response['writable_by'],
343 "Should receive uuid list in 'writable_by' field")
344 assert_includes(json_response['writable_by'], users(:active).uuid,
345 "owner should be included in writable_by list")
348 test 'no writable_by list for group with read-only access' do
349 authorize_with :rominiadmin
351 id: groups(:testusergroup_admins).uuid,
354 assert_response :success
355 assert_equal([json_response['owner_uuid']],
356 json_response['writable_by'],
357 "Should only see owner_uuid in 'writable_by' field")
360 test 'get writable_by list by admin user' do
361 authorize_with :admin
363 id: groups(:testusergroup_admins).uuid,
366 assert_response :success
367 assert_not_nil(json_response['writable_by'],
368 "Should receive uuid list in 'writable_by' field")
369 assert_includes(json_response['writable_by'],
371 "Current user should be included in 'writable_by' field")
374 test 'creating subproject with duplicate name fails' do
375 authorize_with :active
376 post :create, params: {
379 owner_uuid: users(:active).uuid,
380 group_class: 'project',
384 response_errors = json_response['errors']
385 assert_not_nil response_errors, 'Expected error in response'
386 assert(response_errors.first.include?('duplicate key'),
387 "Expected 'duplicate key' error in #{response_errors.first}")
390 test 'creating duplicate named subproject succeeds with ensure_unique_name' do
391 authorize_with :active
392 post :create, params: {
395 owner_uuid: users(:active).uuid,
396 group_class: 'project',
398 ensure_unique_name: true
400 assert_response :success
401 new_project = json_response
402 assert_not_equal(new_project['uuid'],
403 groups(:aproject).uuid,
404 "create returned same uuid as existing project")
405 assert_match(/^A Project \(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3}Z\)$/,
410 [['owner_uuid', '!=', 'zzzzz-tpzed-xurymjxw79nv3jz'], 200,
411 'zzzzz-d1hrv-subprojpipeline', 'zzzzz-d1hrv-1xfj6xkicf2muk2'],
412 [["pipeline_instances.state", "not in", ["Complete", "Failed"]], 200,
413 'zzzzz-d1hrv-1xfj6xkicf2muk2', 'zzzzz-d1hrv-i3e77t9z5y8j9cc'],
414 [['container_requests.requesting_container_uuid', '=', nil], 200,
415 'zzzzz-xvhdp-cr4queuedcontnr', 'zzzzz-xvhdp-cr4requestercn2'],
416 [['container_requests.no_such_column', '=', nil], 422],
417 [['container_requests.', '=', nil], 422],
418 [['.requesting_container_uuid', '=', nil], 422],
419 [['no_such_table.uuid', '!=', 'zzzzz-tpzed-xurymjxw79nv3jz'], 422],
420 ].each do |filter, expect_code, expect_uuid, not_expect_uuid|
421 test "get contents with '#{filter}' filter" do
422 authorize_with :active
423 get :contents, params: {filters: [filter], format: :json}
424 assert_response expect_code
425 if expect_code == 200
426 assert_not_empty json_response['items']
427 item_uuids = json_response['items'].collect {|item| item['uuid']}
428 assert_includes(item_uuids, expect_uuid)
429 assert_not_includes(item_uuids, not_expect_uuid)
434 test 'get contents with jobs and pipeline instances disabled' do
435 Rails.configuration.API.DisabledAPIs = ConfigLoader.to_OrderedOptions(
436 {'jobs.index'=>{}, 'pipeline_instances.index'=>{}})
438 authorize_with :active
439 get :contents, params: {
440 id: groups(:aproject).uuid,
443 check_project_contents_response %w'arvados#pipelineInstance arvados#job'
446 test 'get contents with low max_index_database_read' do
447 # Some result will certainly have at least 12 bytes in a
449 Rails.configuration.API.MaxIndexDatabaseRead = 12
450 authorize_with :active
451 get :contents, params: {
452 id: groups(:aproject).uuid,
455 assert_response :success
456 assert_not_empty(json_response['items'])
457 assert_operator(json_response['items'].count,
458 :<, json_response['items_available'])
461 test 'get contents, recursive=true' do
462 authorize_with :active
464 id: groups(:aproject).uuid,
468 get :contents, params: params
469 owners = json_response['items'].map do |item|
472 assert_includes(owners, groups(:aproject).uuid)
473 assert_includes(owners, groups(:asubproject).uuid)
476 [false, nil].each do |recursive|
477 test "get contents, recursive=#{recursive.inspect}" do
478 authorize_with :active
480 id: groups(:aproject).uuid,
483 params[:recursive] = false if recursive == false
484 get :contents, params: params
485 owners = json_response['items'].map do |item|
488 assert_includes(owners, groups(:aproject).uuid)
489 refute_includes(owners, groups(:asubproject).uuid)
493 test 'get home project contents, recursive=true' do
494 authorize_with :active
495 get :contents, params: {
496 id: users(:active).uuid,
500 owners = json_response['items'].map do |item|
503 assert_includes(owners, users(:active).uuid)
504 assert_includes(owners, groups(:aproject).uuid)
505 assert_includes(owners, groups(:asubproject).uuid)
508 ### trashed project tests ###
513 # trashed_project (zzzzz-j7d0g-trashedproject1)
514 # trashed_subproject (zzzzz-j7d0g-trashedproject2)
515 # trashed_subproject3 (zzzzz-j7d0g-trashedproject3)
516 # zzzzz-xvhdp-cr5trashedcontr
519 :admin].each do |auth|
520 # project: to query, to untrash, is visible, parent contents listing success
522 [:trashed_project, [], false, true],
523 [:trashed_project, [:trashed_project], true, true],
524 [:trashed_subproject, [], false, false],
525 [:trashed_subproject, [:trashed_project], true, true],
526 [:trashed_subproject3, [:trashed_project], false, true],
527 [:trashed_subproject3, [:trashed_subproject3], false, false],
528 [:trashed_subproject3, [:trashed_project, :trashed_subproject3], true, true],
529 ].each do |project, untrash, visible, success|
531 test "contents listing #{project} #{untrash} as #{auth}" do
534 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
536 get :contents, params: {
537 id: groups(project).owner_uuid,
541 assert_response :success
542 item_uuids = json_response['items'].map do |item|
546 assert_includes(item_uuids, groups(project).uuid)
548 assert_not_includes(item_uuids, groups(project).uuid)
555 test "contents of #{project} #{untrash} as #{auth}" do
558 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
560 get :contents, params: {
561 id: groups(project).uuid,
565 assert_response :success
571 test "index #{project} #{untrash} as #{auth}" do
574 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
576 get :index, params: {
579 assert_response :success
580 item_uuids = json_response['items'].map do |item|
584 assert_includes(item_uuids, groups(project).uuid)
586 assert_not_includes(item_uuids, groups(project).uuid)
590 test "show #{project} #{untrash} as #{auth}" do
593 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
596 id: groups(project).uuid,
600 assert_response :success
606 test "show include_trash=false #{project} #{untrash} as #{auth}" do
609 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
612 id: groups(project).uuid,
617 assert_response :success
623 test "show include_trash #{project} #{untrash} as #{auth}" do
626 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
629 id: groups(project).uuid,
633 assert_response :success
636 test "index include_trash #{project} #{untrash} as #{auth}" do
639 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
641 get :index, params: {
645 assert_response :success
646 item_uuids = json_response['items'].map do |item|
649 assert_includes(item_uuids, groups(project).uuid)
653 test "delete project #{auth}" do
655 [:trashed_project].each do |pr|
656 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
658 assert !Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
659 post :destroy, params: {
660 id: groups(:trashed_project).uuid,
663 assert_response :success
664 assert Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
667 test "untrash project #{auth}" do
669 assert Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
670 post :untrash, params: {
671 id: groups(:trashed_project).uuid,
674 assert_response :success
675 assert !Group.find_by_uuid(groups(:trashed_project).uuid).is_trashed
678 test "untrash project with name conflict #{auth}" do
680 [:trashed_project].each do |pr|
681 Group.find_by_uuid(groups(pr).uuid).update! is_trashed: false
683 gc = Group.create!({owner_uuid: "zzzzz-j7d0g-trashedproject1",
684 name: "trashed subproject 3",
685 group_class: "project"})
686 post :untrash, params: {
687 id: groups(:trashed_subproject3).uuid,
689 ensure_unique_name: true
691 assert_response :success
692 assert_match /^trashed subproject 3 \(\d{4}-\d\d-\d\d.*?Z\)$/, json_response['name']
695 test "move trashed subproject to new owner #{auth}" do
697 assert_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
698 put :update, params: {
699 id: groups(:trashed_subproject).uuid,
701 owner_uuid: users(:active).uuid
706 assert_response :success
707 assert_not_nil Group.readable_by(users(auth)).where(uuid: groups(:trashed_subproject).uuid).first
711 test 'get shared owned by another user' do
712 authorize_with :user_bar_in_sharing_group
714 act_as_system_user do
716 tail_uuid: users(:user_bar_in_sharing_group).uuid,
717 link_class: 'permission',
719 head_uuid: groups(:project_owned_by_foo).uuid)
722 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
724 assert_equal 1, json_response['items'].length
725 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
727 assert_equal 1, json_response['included'].length
728 assert_equal json_response['included'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
731 test 'get shared, owned by unreadable project' do
732 authorize_with :user_bar_in_sharing_group
734 act_as_system_user do
735 Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
737 tail_uuid: users(:user_bar_in_sharing_group).uuid,
738 link_class: 'permission',
740 head_uuid: groups(:project_owned_by_foo).uuid)
743 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
745 assert_equal 1, json_response['items'].length
746 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
748 assert_equal 0, json_response['included'].length
751 test 'get shared, add permission link' do
752 authorize_with :user_bar_in_sharing_group
754 act_as_system_user do
755 Link.create!(tail_uuid: groups(:group_for_sharing_tests).uuid,
756 head_uuid: groups(:project_owned_by_foo).uuid,
757 link_class: 'permission',
761 get :shared, params: {:filters => [["group_class", "=", "project"]], :include => "owner_uuid"}
763 assert_equal 1, json_response['items'].length
764 assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]
766 assert_equal 1, json_response['included'].length
767 assert_equal users(:user_foo_in_sharing_group).uuid, json_response['included'][0]["uuid"]
770 ### contents with exclude_home_project
772 test 'contents, exclude home owned by another user' do
773 authorize_with :user_bar_in_sharing_group
775 act_as_system_user do
777 tail_uuid: users(:user_bar_in_sharing_group).uuid,
778 link_class: 'permission',
780 head_uuid: groups(:project_owned_by_foo).uuid)
782 tail_uuid: users(:user_bar_in_sharing_group).uuid,
783 link_class: 'permission',
785 head_uuid: collections(:collection_owned_by_foo).uuid)
788 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
790 assert_equal 2, json_response['items'].length
791 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
792 assert_equal json_response['items'][1]["uuid"], collections(:collection_owned_by_foo).uuid
794 assert_equal 1, json_response['included'].length
795 assert_equal json_response['included'][0]["uuid"], users(:user_foo_in_sharing_group).uuid
798 test 'contents, exclude home, owned by unreadable project' do
799 authorize_with :user_bar_in_sharing_group
801 act_as_system_user do
802 Group.find_by_uuid(groups(:project_owned_by_foo).uuid).update!(owner_uuid: groups(:aproject).uuid)
804 tail_uuid: users(:user_bar_in_sharing_group).uuid,
805 link_class: 'permission',
807 head_uuid: groups(:project_owned_by_foo).uuid)
810 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
812 assert_equal 1, json_response['items'].length
813 assert_equal json_response['items'][0]["uuid"], groups(:project_owned_by_foo).uuid
815 assert_equal 0, json_response['included'].length
818 test 'contents, exclude home, add permission link' do
819 authorize_with :user_bar_in_sharing_group
821 act_as_system_user do
822 Link.create!(tail_uuid: groups(:group_for_sharing_tests).uuid,
823 head_uuid: groups(:project_owned_by_foo).uuid,
824 link_class: 'permission',
828 get :contents, params: {:include => "owner_uuid", :exclude_home_project => true}
830 assert_equal 1, json_response['items'].length
831 assert_equal groups(:project_owned_by_foo).uuid, json_response['items'][0]["uuid"]
833 assert_equal 1, json_response['included'].length
834 assert_equal users(:user_foo_in_sharing_group).uuid, json_response['included'][0]["uuid"]
837 test 'contents, exclude home, with parent specified' do
838 authorize_with :active
840 get :contents, params: {id: groups(:aproject).uuid, :include => "owner_uuid", :exclude_home_project => true}