Merge branch '17535-test-provision-jenkins'
[arvados.git] / lib / controller / auth_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package controller
6
7 import (
8         "context"
9         "encoding/json"
10         "fmt"
11         "net/http"
12         "net/http/httptest"
13         "os"
14         "time"
15
16         "git.arvados.org/arvados.git/sdk/go/arvados"
17         "git.arvados.org/arvados.git/sdk/go/arvadostest"
18         "git.arvados.org/arvados.git/sdk/go/ctxlog"
19         "git.arvados.org/arvados.git/sdk/go/httpserver"
20         "github.com/sirupsen/logrus"
21         check "gopkg.in/check.v1"
22 )
23
24 // Gocheck boilerplate
25 var _ = check.Suite(&AuthSuite{})
26
27 type AuthSuite struct {
28         log logrus.FieldLogger
29         // testServer and testHandler are the controller being tested,
30         // "zhome".
31         testServer  *httpserver.Server
32         testHandler *Handler
33         // remoteServer ("zzzzz") forwards requests to the Rails API
34         // provided by the integration test environment.
35         remoteServer *httpserver.Server
36         // remoteMock ("zmock") appends each incoming request to
37         // remoteMockRequests, and returns 200 with an empty JSON
38         // object.
39         remoteMock         *httpserver.Server
40         remoteMockRequests []http.Request
41
42         fakeProvider *arvadostest.OIDCProvider
43 }
44
45 func (s *AuthSuite) SetUpTest(c *check.C) {
46         s.log = ctxlog.TestLogger(c)
47
48         s.remoteServer = newServerFromIntegrationTestEnv(c)
49         c.Assert(s.remoteServer.Start(), check.IsNil)
50
51         s.remoteMock = newServerFromIntegrationTestEnv(c)
52         s.remoteMock.Server.Handler = http.HandlerFunc(http.NotFound)
53         c.Assert(s.remoteMock.Start(), check.IsNil)
54
55         s.fakeProvider = arvadostest.NewOIDCProvider(c)
56         s.fakeProvider.AuthEmail = "active-user@arvados.local"
57         s.fakeProvider.AuthEmailVerified = true
58         s.fakeProvider.AuthName = "Fake User Name"
59         s.fakeProvider.ValidCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
60         s.fakeProvider.PeopleAPIResponse = map[string]interface{}{}
61         s.fakeProvider.ValidClientID = "test%client$id"
62         s.fakeProvider.ValidClientSecret = "test#client/secret"
63
64         cluster := &arvados.Cluster{
65                 ClusterID:       "zhome",
66                 PostgreSQL:      integrationTestCluster().PostgreSQL,
67                 SystemRootToken: arvadostest.SystemRootToken,
68         }
69         cluster.TLS.Insecure = true
70         cluster.API.MaxItemsPerResponse = 1000
71         cluster.API.MaxRequestAmplification = 4
72         cluster.API.RequestTimeout = arvados.Duration(5 * time.Minute)
73         arvadostest.SetServiceURL(&cluster.Services.RailsAPI, "https://"+os.Getenv("ARVADOS_TEST_API_HOST"))
74         arvadostest.SetServiceURL(&cluster.Services.Controller, "http://localhost/")
75
76         cluster.RemoteClusters = map[string]arvados.RemoteCluster{
77                 "zzzzz": {
78                         Host:   s.remoteServer.Addr,
79                         Proxy:  true,
80                         Scheme: "http",
81                 },
82                 "zmock": {
83                         Host:   s.remoteMock.Addr,
84                         Proxy:  true,
85                         Scheme: "http",
86                 },
87                 "*": {
88                         Scheme: "https",
89                 },
90         }
91         cluster.Login.OpenIDConnect.Enable = true
92         cluster.Login.OpenIDConnect.Issuer = s.fakeProvider.Issuer.URL
93         cluster.Login.OpenIDConnect.ClientID = s.fakeProvider.ValidClientID
94         cluster.Login.OpenIDConnect.ClientSecret = s.fakeProvider.ValidClientSecret
95         cluster.Login.OpenIDConnect.EmailClaim = "email"
96         cluster.Login.OpenIDConnect.EmailVerifiedClaim = "email_verified"
97         cluster.Login.OpenIDConnect.AcceptAccessToken = true
98         cluster.Login.OpenIDConnect.AcceptAccessTokenScope = ""
99
100         s.testHandler = &Handler{Cluster: cluster}
101         s.testServer = newServerFromIntegrationTestEnv(c)
102         s.testServer.Server.Handler = httpserver.HandlerWithContext(
103                 ctxlog.Context(context.Background(), s.log),
104                 httpserver.AddRequestIDs(httpserver.LogRequests(s.testHandler)))
105         c.Assert(s.testServer.Start(), check.IsNil)
106 }
107
108 func (s *AuthSuite) TestLocalOIDCAccessToken(c *check.C) {
109         req := httptest.NewRequest("GET", "/arvados/v1/users/current", nil)
110         req.Header.Set("Authorization", "Bearer "+s.fakeProvider.ValidAccessToken())
111         rr := httptest.NewRecorder()
112         s.testServer.Server.Handler.ServeHTTP(rr, req)
113         resp := rr.Result()
114         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
115         var u arvados.User
116         c.Check(json.NewDecoder(resp.Body).Decode(&u), check.IsNil)
117         c.Check(u.UUID, check.Equals, arvadostest.ActiveUserUUID)
118         c.Check(u.OwnerUUID, check.Equals, "zzzzz-tpzed-000000000000000")
119
120         // Request again to exercise cache.
121         req = httptest.NewRequest("GET", "/arvados/v1/users/current", nil)
122         req.Header.Set("Authorization", "Bearer "+s.fakeProvider.ValidAccessToken())
123         rr = httptest.NewRecorder()
124         s.testServer.Server.Handler.ServeHTTP(rr, req)
125         resp = rr.Result()
126         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
127 }