1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class Arvados::V1::RepositoriesControllerTest < ActionController::TestCase
8 test "should get_all_logins with admin token" do
10 get :get_all_permissions
11 assert_response :success
14 test "should get_all_logins with non-admin token" do
15 authorize_with :active
16 get :get_all_permissions
20 test "get_all_permissions gives RW to repository owner" do
22 get :get_all_permissions
23 assert_response :success
25 json_response['repositories'].each do |repo|
26 if repo['uuid'] == repositories(:repository2).uuid
27 if repo['user_permissions'][users(:active).uuid]['can_write']
32 assert_equal(true, ok,
33 "No permission on own repo '@{repositories(:repository2).uuid}'")
36 test "get_all_permissions takes into account is_admin flag" do
38 get :get_all_permissions
39 assert_response :success
40 json_response['repositories'].each do |repo|
41 assert_not_nil(repo['user_permissions'][users(:admin).uuid],
42 "Admin user is not listed in perms for #{repo['uuid']}")
44 repo['user_permissions'][users(:admin).uuid]['can_write'],
45 "Admin has no perms for #{repo['uuid']}")
49 test "get_all_permissions takes into account is_active flag" do
50 act_as_user users(:active) do
51 Repository.create! name: 'active/testrepo'
59 get :get_all_permissions
60 assert_response :success
61 json_response['repositories'].each do |r|
62 r['user_permissions'].each do |user_uuid, perms|
63 refute_equal user_uuid, users(:active).uuid
68 test "get_all_permissions does not give any access to user without permission" do
69 viewer_uuid = users(:project_viewer).uuid
70 assert_equal(authorized_keys(:project_viewer).authorized_user_uuid,
72 "project_viewer must have an authorized_key for this test to work")
74 get :get_all_permissions
75 assert_response :success
76 readable_repos = json_response["repositories"].select do |repo|
77 repo["user_permissions"].has_key?(viewer_uuid)
79 assert_equal(["arvados"], readable_repos.map { |r| r["name"] },
80 "project_viewer should only have permissions on public repos")
83 test "get_all_permissions gives gitolite R to user with read-only access" do
85 get :get_all_permissions
86 assert_response :success
88 assert_equal(authorized_keys(:spectator).authorized_user_uuid,
89 users(:spectator).uuid,
90 "spectator must have an authorized_key for this test to work")
91 json_response['repositories'].each do |repo|
92 next unless repo['uuid'] == repositories(:foo).uuid
94 repo['user_permissions'][users(:spectator).uuid]['gitolite_permissions'],
95 "spectator user should have just R access to #{repo['uuid']}")
98 assert_equal true, found_it, "spectator user does not have R on foo repo"
101 test "get_all_permissions provides admin and active user keys" do
102 authorize_with :admin
103 get :get_all_permissions
104 assert_response :success
105 [:active, :admin].each do |u|
106 assert_equal(1, json_response['user_keys'][users(u).uuid].andand.count,
107 "expected 1 key for #{u} (#{users(u).uuid})")
108 assert_equal(json_response['user_keys'][users(u).uuid][0]['public_key'],
109 authorized_keys(u).public_key,
110 "response public_key does not match fixture #{u}.")
114 test "get_all_permissions lists all repos regardless of permissions" do
115 act_as_system_user do
116 # Create repos that could potentially be left out of the
117 # permission list by accident.
119 # No authorized_key, no username (this can't even be done
120 # without skipping validations)
121 r = Repository.create name: 'root/testrepo'
122 assert r.save validate: false
124 r = Repository.create name: 'invalid username / repo name', owner_uuid: users(:inactive).uuid
125 assert r.save validate: false
127 authorize_with :admin
128 get :get_all_permissions
129 assert_response :success
130 assert_equal(Repository.count, json_response["repositories"].size)
133 test "get_all_permissions lists user permissions for users with no authorized keys" do
134 authorize_with :admin
135 AuthorizedKey.destroy_all
136 get :get_all_permissions
137 assert_response :success
138 assert_equal(Repository.count, json_response["repositories"].size)
139 repos_with_perms = []
140 json_response['repositories'].each do |repo|
141 if repo['user_permissions'].any?
142 repos_with_perms << repo['uuid']
145 assert_not_empty repos_with_perms, 'permissions are missing'
148 # Ensure get_all_permissions correctly describes what the normal
149 # permission system would do.
150 test "get_all_permissions obeys group permissions" do
151 act_as_user system_user do
152 r = Repository.create!(name: 'admin/groupcanwrite', owner_uuid: users(:admin).uuid)
153 g = Group.create!(group_class: 'group', name: 'repo-writers')
155 u2 = users(:spectator)
156 Link.create!(tail_uuid: g.uuid, head_uuid: r.uuid, link_class: 'permission', name: 'can_manage')
157 Link.create!(tail_uuid: u1.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_write')
158 Link.create!(tail_uuid: u2.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_read')
160 r = Repository.create!(name: 'admin/groupreadonly', owner_uuid: users(:admin).uuid)
161 g = Group.create!(group_class: 'group', name: 'repo-readers')
163 u2 = users(:spectator)
164 Link.create!(tail_uuid: g.uuid, head_uuid: r.uuid, link_class: 'permission', name: 'can_read')
165 Link.create!(tail_uuid: u1.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_write')
166 Link.create!(tail_uuid: u2.uuid, head_uuid: g.uuid, link_class: 'permission', name: 'can_read')
168 authorize_with :admin
169 get :get_all_permissions
170 assert_response :success
171 json_response['repositories'].each do |repo|
172 repo['user_permissions'].each do |user_uuid, perms|
173 u = User.find_by_uuid(user_uuid)
175 assert u.can? read: repo['uuid']
176 assert_match(/R/, perms['gitolite_permissions'])
178 refute_match(/R/, perms['gitolite_permissions'])
180 if perms['can_write']
181 assert u.can? write: repo['uuid']
182 assert_match(/RW\+/, perms['gitolite_permissions'])
184 refute_match(/W/, perms['gitolite_permissions'])
186 if perms['can_manage']
187 assert u.can? manage: repo['uuid']
188 assert_match(/RW\+/, perms['gitolite_permissions'])
194 test "default index includes fetch_url" do
195 authorize_with :active
197 assert_response :success
198 assert_includes(json_response["items"].map { |r| r["fetch_url"] },
199 "git@git.zzzzz.arvadosapi.com:active/foo.git")
203 {cfg: "GitSSH.ExternalURL", cfgval: URI("ssh://git@example.com"), match: %r"^git@example.com:"},
204 {cfg: "GitSSH.ExternalURL", cfgval: URI(""), match: %r"^git@git.zzzzz.arvadosapi.com:"},
205 {cfg: "GitSSH", cfgval: false, refute: /^git@/ },
206 {cfg: "GitHTTP.ExternalURL", cfgval: URI("https://example.com/"), match: %r"^https://example.com/"},
207 {cfg: "GitHTTP.ExternalURL", cfgval: URI(""), match: %r"^https://git.zzzzz.arvadosapi.com/"},
208 {cfg: "GitHTTP", cfgval: false, refute: /^http/ },
210 test "set #{expect[:cfg]} to #{expect[:cfgval]}" do
211 ConfigLoader.set_cfg Rails.configuration.Services, expect[:cfg].to_s, expect[:cfgval]
212 authorize_with :active
214 assert_response :success
215 assert_not_empty json_response['items']
216 json_response['items'].each do |r|
218 r['clone_urls'].each do |u|
219 refute_match expect[:refute], u
222 assert((r['clone_urls'].any? do |u|
223 expect[:match].match u
225 "no match for #{expect[:match]} in #{r['clone_urls'].inspect}")
231 test "select push_url in index" do
232 authorize_with :active
233 get(:index, params: {select: ["uuid", "push_url"]})
234 assert_response :success
235 assert_includes(json_response["items"].map { |r| r["push_url"] },
236 "git@git.zzzzz.arvadosapi.com:active/foo.git")
239 test "select clone_urls in index" do
240 authorize_with :active
241 get(:index, params: {select: ["uuid", "clone_urls"]})
242 assert_response :success
243 assert_includes(json_response["items"].map { |r| r["clone_urls"] }.flatten,
244 "git@git.zzzzz.arvadosapi.com:active/foo.git")