lib/controller/integration_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package controller
   6
   7 import (
   8         "bytes"
   9         "encoding/json"
  10         "fmt"
  11         "io"
  12         "io/ioutil"
  13         "math"
  14         "net"
  15         "net/http"
  16         "os"
  17         "os/exec"
  18         "path/filepath"
  19         "strconv"
  20         "strings"
  21
  22         "git.arvados.org/arvados.git/lib/boot"
  23         "git.arvados.org/arvados.git/lib/config"
  24         "git.arvados.org/arvados.git/sdk/go/arvados"
  25         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  26         "git.arvados.org/arvados.git/sdk/go/ctxlog"
  27         check "gopkg.in/check.v1"
  28 )
  29
  30 var _ = check.Suite(&IntegrationSuite{})
  31
  32 type IntegrationSuite struct {
  33         testClusters map[string]*boot.TestCluster
  34         oidcprovider *arvadostest.OIDCProvider
  35 }
  36
  37 func (s *IntegrationSuite) SetUpSuite(c *check.C) {
  38         if forceLegacyAPI14 {
  39                 c.Skip("heavy integration tests don't run with forceLegacyAPI14")
  40                 return
  41         }
  42
  43         cwd, _ := os.Getwd()
  44
  45         s.oidcprovider = arvadostest.NewOIDCProvider(c)
  46         s.oidcprovider.AuthEmail = "user@example.com"
  47         s.oidcprovider.AuthEmailVerified = true
  48         s.oidcprovider.AuthName = "Example User"
  49         s.oidcprovider.ValidClientID = "clientid"
  50         s.oidcprovider.ValidClientSecret = "clientsecret"
  51
  52         s.testClusters = map[string]*boot.TestCluster{
  53                 "z1111": nil,
  54                 "z2222": nil,
  55                 "z3333": nil,
  56         }
  57         hostport := map[string]string{}
  58         for id := range s.testClusters {
  59                 hostport[id] = func() string {
  60                         // TODO: Instead of expecting random ports on
  61                         // 127.0.0.11, 22, 33 to be race-safe, try
  62                         // different 127.x.y.z until finding one that
  63                         // isn't in use.
  64                         ln, err := net.Listen("tcp", ":0")
  65                         c.Assert(err, check.IsNil)
  66                         ln.Close()
  67                         _, port, err := net.SplitHostPort(ln.Addr().String())
  68                         c.Assert(err, check.IsNil)
  69                         return "127.0.0." + id[3:] + ":" + port
  70                 }()
  71         }
  72         for id := range s.testClusters {
  73                 yaml := `Clusters:
  74   ` + id + `:
  75     Services:
  76       Controller:
  77         ExternalURL: https://` + hostport[id] + `
  78     TLS:
  79       Insecure: true
  80     SystemLogs:
  81       Format: text
  82     RemoteClusters:
  83       z1111:
  84         Host: ` + hostport["z1111"] + `
  85         Scheme: https
  86         Insecure: true
  87         Proxy: true
  88         ActivateUsers: true
  89 `
  90                 if id != "z2222" {
  91                         yaml += `      z2222:
  92         Host: ` + hostport["z2222"] + `
  93         Scheme: https
  94         Insecure: true
  95         Proxy: true
  96         ActivateUsers: true
  97 `
  98                 }
  99                 if id != "z3333" {
 100                         yaml += `      z3333:
 101         Host: ` + hostport["z3333"] + `
 102         Scheme: https
 103         Insecure: true
 104         Proxy: true
 105         ActivateUsers: true
 106 `
 107                 }
 108                 if id == "z1111" {
 109                         yaml += `
 110     Login:
 111       LoginCluster: z1111
 112       OpenIDConnect:
 113         Enable: true
 114         Issuer: ` + s.oidcprovider.Issuer.URL + `
 115         ClientID: ` + s.oidcprovider.ValidClientID + `
 116         ClientSecret: ` + s.oidcprovider.ValidClientSecret + `
 117         EmailClaim: email
 118         EmailVerifiedClaim: email_verified
 119 `
 120                 } else {
 121                         yaml += `
 122     Login:
 123       LoginCluster: z1111
 124 `
 125                 }
 126
 127                 loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
 128                 loader.Path = "-"
 129                 loader.SkipLegacy = true
 130                 loader.SkipAPICalls = true
 131                 cfg, err := loader.Load()
 132                 c.Assert(err, check.IsNil)
 133                 tc := boot.NewTestCluster(
 134                         filepath.Join(cwd, "..", ".."),
 135                         id, cfg, "127.0.0."+id[3:], c.Log)
 136                 s.testClusters[id] = tc
 137                 s.testClusters[id].Start()
 138         }
 139         for _, tc := range s.testClusters {
 140                 ok := tc.WaitReady()
 141                 c.Assert(ok, check.Equals, true)
 142         }
 143 }
 144
 145 func (s *IntegrationSuite) TearDownSuite(c *check.C) {
 146         for _, c := range s.testClusters {
 147                 c.Super.Stop()
 148         }
 149 }
 150
 151 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
 152         conn1 := s.testClusters["z1111"].Conn()
 153         rootctx1, _, _ := s.testClusters["z1111"].RootClients()
 154         conn3 := s.testClusters["z3333"].Conn()
 155         userctx1, ac1, kc1, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 156
 157         // Create the collection to find its PDH (but don't save it
 158         // anywhere yet)
 159         var coll1 arvados.Collection
 160         fs1, err := coll1.FileSystem(ac1, kc1)
 161         c.Assert(err, check.IsNil)
 162         f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
 163         c.Assert(err, check.IsNil)
 164         _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
 165         c.Assert(err, check.IsNil)
 166         err = f.Close()
 167         c.Assert(err, check.IsNil)
 168         mtxt, err := fs1.MarshalManifest(".")
 169         c.Assert(err, check.IsNil)
 170         pdh := arvados.PortableDataHash(mtxt)
 171
 172         // Looking up the PDH before saving returns 404 if cycle
 173         // detection is working.
 174         _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
 175         c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
 176
 177         // Save the collection on cluster z1111.
 178         coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
 179                 "manifest_text": mtxt,
 180         }})
 181         c.Assert(err, check.IsNil)
 182
 183         // Retrieve the collection from cluster z3333.
 184         coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
 185         c.Check(err, check.IsNil)
 186         c.Check(coll.PortableDataHash, check.Equals, pdh)
 187 }
 188
 189 func (s *IntegrationSuite) TestS3WithFederatedToken(c *check.C) {
 190         if _, err := exec.LookPath("s3cmd"); err != nil {
 191                 c.Skip("s3cmd not in PATH")
 192                 return
 193         }
 194
 195         testText := "IntegrationSuite.TestS3WithFederatedToken"
 196
 197         conn1 := s.testClusters["z1111"].Conn()
 198         rootctx1, _, _ := s.testClusters["z1111"].RootClients()
 199         userctx1, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 200         conn3 := s.testClusters["z3333"].Conn()
 201
 202         createColl := func(clusterID string) arvados.Collection {
 203                 _, ac, kc := s.testClusters[clusterID].ClientsWithToken(ac1.AuthToken)
 204                 var coll arvados.Collection
 205                 fs, err := coll.FileSystem(ac, kc)
 206                 c.Assert(err, check.IsNil)
 207                 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
 208                 c.Assert(err, check.IsNil)
 209                 _, err = io.WriteString(f, testText)
 210                 c.Assert(err, check.IsNil)
 211                 err = f.Close()
 212                 c.Assert(err, check.IsNil)
 213                 mtxt, err := fs.MarshalManifest(".")
 214                 c.Assert(err, check.IsNil)
 215                 coll, err = s.testClusters[clusterID].Conn().CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
 216                         "manifest_text": mtxt,
 217                 }})
 218                 c.Assert(err, check.IsNil)
 219                 return coll
 220         }
 221
 222         for _, trial := range []struct {
 223                 clusterID string // create the collection on this cluster (then use z3333 to access it)
 224                 token     string
 225         }{
 226                 // Try the hardest test first: z3333 hasn't seen
 227                 // z1111's token yet, and we're just passing the
 228                 // opaque secret part, so z3333 has to guess that it
 229                 // belongs to z1111.
 230                 {"z1111", strings.Split(ac1.AuthToken, "/")[2]},
 231                 {"z3333", strings.Split(ac1.AuthToken, "/")[2]},
 232                 {"z1111", strings.Replace(ac1.AuthToken, "/", "_", -1)},
 233                 {"z3333", strings.Replace(ac1.AuthToken, "/", "_", -1)},
 234         } {
 235                 c.Logf("================ %v", trial)
 236                 coll := createColl(trial.clusterID)
 237
 238                 cfgjson, err := conn3.ConfigGet(userctx1)
 239                 c.Assert(err, check.IsNil)
 240                 var cluster arvados.Cluster
 241                 err = json.Unmarshal(cfgjson, &cluster)
 242                 c.Assert(err, check.IsNil)
 243
 244                 c.Logf("TokenV2 is %s", ac1.AuthToken)
 245                 host := cluster.Services.WebDAV.ExternalURL.Host
 246                 s3args := []string{
 247                         "--ssl", "--no-check-certificate",
 248                         "--host=" + host, "--host-bucket=" + host,
 249                         "--access_key=" + trial.token, "--secret_key=" + trial.token,
 250                 }
 251                 buf, err := exec.Command("s3cmd", append(s3args, "ls", "s3://"+coll.UUID)...).CombinedOutput()
 252                 c.Check(err, check.IsNil)
 253                 c.Check(string(buf), check.Matches, `.* `+fmt.Sprintf("%d", len(testText))+` +s3://`+coll.UUID+`/test.txt\n`)
 254
 255                 buf, _ = exec.Command("s3cmd", append(s3args, "get", "s3://"+coll.UUID+"/test.txt", c.MkDir()+"/tmpfile")...).CombinedOutput()
 256                 // Command fails because we don't return Etag header.
 257                 flen := strconv.Itoa(len(testText))
 258                 c.Check(string(buf), check.Matches, `(?ms).*`+flen+` (bytes in|of `+flen+`).*`)
 259         }
 260 }
 261
 262 func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
 263         conn1 := s.testClusters["z1111"].Conn()
 264         conn3 := s.testClusters["z3333"].Conn()
 265         rootctx1, rootac1, rootkc1 := s.testClusters["z1111"].RootClients()
 266         anonctx3, anonac3, _ := s.testClusters["z3333"].AnonymousClients()
 267
 268         // Make sure anonymous token was set
 269         c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")
 270
 271         // Create the collection to find its PDH (but don't save it
 272         // anywhere yet)
 273         var coll1 arvados.Collection
 274         fs1, err := coll1.FileSystem(rootac1, rootkc1)
 275         c.Assert(err, check.IsNil)
 276         f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
 277         c.Assert(err, check.IsNil)
 278         _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous")
 279         c.Assert(err, check.IsNil)
 280         err = f.Close()
 281         c.Assert(err, check.IsNil)
 282         mtxt, err := fs1.MarshalManifest(".")
 283         c.Assert(err, check.IsNil)
 284         pdh := arvados.PortableDataHash(mtxt)
 285
 286         // Save the collection on cluster z1111.
 287         coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
 288                 "manifest_text": mtxt,
 289         }})
 290         c.Assert(err, check.IsNil)
 291
 292         // Share it with the anonymous users group.
 293         var outLink arvados.Link
 294         err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil,
 295                 map[string]interface{}{"link": map[string]interface{}{
 296                         "link_class": "permission",
 297                         "name":       "can_read",
 298                         "tail_uuid":  "z1111-j7d0g-anonymouspublic",
 299                         "head_uuid":  coll1.UUID,
 300                 },
 301                 })
 302         c.Check(err, check.IsNil)
 303
 304         // Current user should be z3 anonymous user
 305         outUser, err := anonac3.CurrentUser()
 306         c.Check(err, check.IsNil)
 307         c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic")
 308
 309         // Get the token uuid
 310         var outAuth arvados.APIClientAuthorization
 311         err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
 312         c.Check(err, check.IsNil)
 313
 314         // Make a v2 token of the z3 anonymous user, and use it on z1
 315         _, anonac1, _ := s.testClusters["z1111"].ClientsWithToken(outAuth.TokenV2())
 316         outUser2, err := anonac1.CurrentUser()
 317         c.Check(err, check.IsNil)
 318         // z3 anonymous user will be mapped to the z1 anonymous user
 319         c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")
 320
 321         // Retrieve the collection (which is on z1) using anonymous from cluster z3333.
 322         coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
 323         c.Check(err, check.IsNil)
 324         c.Check(coll.PortableDataHash, check.Equals, pdh)
 325 }
 326
 327 // Get a token from the login cluster (z1111), use it to submit a
 328 // container request on z2222.
 329 func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
 330         conn1 := s.testClusters["z1111"].Conn()
 331         rootctx1, _, _ := s.testClusters["z1111"].RootClients()
 332         _, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 333
 334         // Use ac2 to get the discovery doc with a blank token, so the
 335         // SDK doesn't magically pass the z1111 token to z2222 before
 336         // we're ready to start our test.
 337         _, ac2, _ := s.testClusters["z2222"].ClientsWithToken("")
 338         var dd map[string]interface{}
 339         err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
 340         c.Assert(err, check.IsNil)
 341
 342         var (
 343                 body bytes.Buffer
 344                 req  *http.Request
 345                 resp *http.Response
 346                 u    arvados.User
 347                 cr   arvados.ContainerRequest
 348         )
 349         json.NewEncoder(&body).Encode(map[string]interface{}{
 350                 "container_request": map[string]interface{}{
 351                         "command":         []string{"echo"},
 352                         "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
 353                         "cwd":             "/",
 354                         "output_path":     "/",
 355                 },
 356         })
 357         ac2.AuthToken = ac1.AuthToken
 358
 359         c.Log("...post CR with good (but not yet cached) token")
 360         cr = arvados.ContainerRequest{}
 361         req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
 362         c.Assert(err, check.IsNil)
 363         req.Header.Set("Content-Type", "application/json")
 364         err = ac2.DoAndDecode(&cr, req)
 365         c.Logf("err == %#v", err)
 366
 367         c.Log("...get user with good token")
 368         u = arvados.User{}
 369         req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
 370         c.Assert(err, check.IsNil)
 371         err = ac2.DoAndDecode(&u, req)
 372         c.Check(err, check.IsNil)
 373         c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
 374
 375         c.Log("...post CR with good cached token")
 376         cr = arvados.ContainerRequest{}
 377         req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
 378         c.Assert(err, check.IsNil)
 379         req.Header.Set("Content-Type", "application/json")
 380         err = ac2.DoAndDecode(&cr, req)
 381         c.Check(err, check.IsNil)
 382         c.Check(cr.UUID, check.Matches, "z2222-.*")
 383
 384         c.Log("...post with good cached token ('OAuth2 ...')")
 385         cr = arvados.ContainerRequest{}
 386         req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
 387         c.Assert(err, check.IsNil)
 388         req.Header.Set("Content-Type", "application/json")
 389         req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
 390         resp, err = arvados.InsecureHTTPClient.Do(req)
 391         if c.Check(err, check.IsNil) {
 392                 err = json.NewDecoder(resp.Body).Decode(&cr)
 393                 c.Check(err, check.IsNil)
 394                 c.Check(cr.UUID, check.Matches, "z2222-.*")
 395         }
 396 }
 397
 398 // Test for bug #16263
 399 func (s *IntegrationSuite) TestListUsers(c *check.C) {
 400         rootctx1, _, _ := s.testClusters["z1111"].RootClients()
 401         conn1 := s.testClusters["z1111"].Conn()
 402         conn3 := s.testClusters["z3333"].Conn()
 403         userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 404
 405         // Make sure LoginCluster is properly configured
 406         for cls := range s.testClusters {
 407                 c.Check(
 408                         s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
 409                         check.Equals, "z1111",
 410                         check.Commentf("incorrect LoginCluster config on cluster %q", cls))
 411         }
 412         // Make sure z1111 has users with NULL usernames
 413         lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
 414                 Limit: math.MaxInt64, // check that large limit works (see #16263)
 415         })
 416         nullUsername := false
 417         c.Assert(err, check.IsNil)
 418         c.Assert(len(lst.Items), check.Not(check.Equals), 0)
 419         for _, user := range lst.Items {
 420                 if user.Username == "" {
 421                         nullUsername = true
 422                 }
 423         }
 424         c.Assert(nullUsername, check.Equals, true)
 425
 426         user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
 427         c.Assert(err, check.IsNil)
 428         c.Check(user1.IsActive, check.Equals, true)
 429
 430         // Ask for the user list on z3333 using z1111's system root token
 431         lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
 432         c.Assert(err, check.IsNil)
 433         found := false
 434         for _, user := range lst.Items {
 435                 if user.UUID == user1.UUID {
 436                         c.Check(user.IsActive, check.Equals, true)
 437                         found = true
 438                         break
 439                 }
 440         }
 441         c.Check(found, check.Equals, true)
 442
 443         // Deactivate user acct on z1111
 444         _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
 445         c.Assert(err, check.IsNil)
 446
 447         // Get user list from z3333, check the returned z1111 user is
 448         // deactivated
 449         lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
 450         c.Assert(err, check.IsNil)
 451         found = false
 452         for _, user := range lst.Items {
 453                 if user.UUID == user1.UUID {
 454                         c.Check(user.IsActive, check.Equals, false)
 455                         found = true
 456                         break
 457                 }
 458         }
 459         c.Check(found, check.Equals, true)
 460
 461         // Deactivated user can see is_active==false via "get current
 462         // user" API
 463         user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
 464         c.Assert(err, check.IsNil)
 465         c.Check(user1.IsActive, check.Equals, false)
 466 }
 467
 468 func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
 469         conn1 := s.testClusters["z1111"].Conn()
 470         conn3 := s.testClusters["z3333"].Conn()
 471         rootctx1, rootac1, _ := s.testClusters["z1111"].RootClients()
 472
 473         // Create user on LoginCluster z1111
 474         _, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 475
 476         // Make a new root token (because rootClients() uses SystemRootToken)
 477         var outAuth arvados.APIClientAuthorization
 478         err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
 479         c.Check(err, check.IsNil)
 480
 481         // Make a v2 root token to communicate with z3333
 482         rootctx3, rootac3, _ := s.testClusters["z3333"].ClientsWithToken(outAuth.TokenV2())
 483
 484         // Create VM on z3333
 485         var outVM arvados.VirtualMachine
 486         err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
 487                 map[string]interface{}{"virtual_machine": map[string]interface{}{
 488                         "hostname": "example",
 489                 },
 490                 })
 491         c.Check(outVM.UUID[0:5], check.Equals, "z3333")
 492         c.Check(err, check.IsNil)
 493
 494         // Make sure z3333 user list is up to date
 495         _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
 496         c.Check(err, check.IsNil)
 497
 498         // Try to set up user on z3333 with the VM
 499         _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
 500         c.Check(err, check.IsNil)
 501
 502         var outLinks arvados.LinkList
 503         err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
 504                 arvados.ListOptions{
 505                         Limit: 1000,
 506                         Filters: []arvados.Filter{
 507                                 {
 508                                         Attr:     "tail_uuid",
 509                                         Operator: "=",
 510                                         Operand:  user.UUID,
 511                                 },
 512                                 {
 513                                         Attr:     "head_uuid",
 514                                         Operator: "=",
 515                                         Operand:  outVM.UUID,
 516                                 },
 517                                 {
 518                                         Attr:     "name",
 519                                         Operator: "=",
 520                                         Operand:  "can_login",
 521                                 },
 522                                 {
 523                                         Attr:     "link_class",
 524                                         Operator: "=",
 525                                         Operand:  "permission",
 526                                 }}})
 527         c.Check(err, check.IsNil)
 528
 529         c.Check(len(outLinks.Items), check.Equals, 1)
 530 }
 531
 532 func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
 533         conn1 := s.testClusters["z1111"].Conn()
 534         rootctx1, _, _ := s.testClusters["z1111"].RootClients()
 535         s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 536
 537         accesstoken := s.oidcprovider.ValidAccessToken()
 538
 539         for _, clusterID := range []string{"z1111", "z2222"} {
 540                 c.Logf("trying clusterid %s", clusterID)
 541
 542                 conn := s.testClusters[clusterID].Conn()
 543                 ctx, ac, kc := s.testClusters[clusterID].ClientsWithToken(accesstoken)
 544
 545                 var coll arvados.Collection
 546
 547                 // Write some file data and create a collection
 548                 {
 549                         fs, err := coll.FileSystem(ac, kc)
 550                         c.Assert(err, check.IsNil)
 551                         f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
 552                         c.Assert(err, check.IsNil)
 553                         _, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth")
 554                         c.Assert(err, check.IsNil)
 555                         err = f.Close()
 556                         c.Assert(err, check.IsNil)
 557                         mtxt, err := fs.MarshalManifest(".")
 558                         c.Assert(err, check.IsNil)
 559                         coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{
 560                                 "manifest_text": mtxt,
 561                         }})
 562                         c.Assert(err, check.IsNil)
 563                 }
 564
 565                 // Read the collection & file data
 566                 {
 567                         user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
 568                         c.Assert(err, check.IsNil)
 569                         c.Check(user.FullName, check.Equals, "Example User")
 570                         coll, err = conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID})
 571                         c.Assert(err, check.IsNil)
 572                         c.Check(coll.ManifestText, check.Not(check.Equals), "")
 573                         fs, err := coll.FileSystem(ac, kc)
 574                         c.Assert(err, check.IsNil)
 575                         f, err := fs.Open("test.txt")
 576                         c.Assert(err, check.IsNil)
 577                         buf, err := ioutil.ReadAll(f)
 578                         c.Assert(err, check.IsNil)
 579                         c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth"))
 580                 }
 581         }
 582 }