[arvados.git] / lib / controller / integration_test.go

// Copyright (C) The Arvados Authors. All rights reserved.
//
// SPDX-License-Identifier: AGPL-3.0

package controller

import (
        "bytes"
        "context"
        "database/sql"
        "encoding/json"
        "io"
        "io/ioutil"
        "math"
        "net"
        "net/http"
        "net/url"
        "os"
        "path/filepath"

        "git.arvados.org/arvados.git/lib/boot"
        "git.arvados.org/arvados.git/lib/config"
        "git.arvados.org/arvados.git/lib/controller/rpc"
        "git.arvados.org/arvados.git/lib/service"
        "git.arvados.org/arvados.git/sdk/go/arvados"
        "git.arvados.org/arvados.git/sdk/go/arvadosclient"
        "git.arvados.org/arvados.git/sdk/go/arvadostest"
        "git.arvados.org/arvados.git/sdk/go/auth"
        "git.arvados.org/arvados.git/sdk/go/ctxlog"
        "git.arvados.org/arvados.git/sdk/go/keepclient"
        check "gopkg.in/check.v1"
)

var _ = check.Suite(&IntegrationSuite{})

type testCluster struct {
        super         boot.Supervisor
        config        arvados.Config
        controllerURL *url.URL
}

type IntegrationSuite struct {
        testClusters map[string]*testCluster
        oidcprovider *arvadostest.OIDCProvider
}

func (s *IntegrationSuite) SetUpSuite(c *check.C) {
        if forceLegacyAPI14 {
                c.Skip("heavy integration tests don't run with forceLegacyAPI14")
                return
        }

        cwd, _ := os.Getwd()

        s.oidcprovider = arvadostest.NewOIDCProvider(c)
        s.oidcprovider.AuthEmail = "user@example.com"
        s.oidcprovider.AuthEmailVerified = true
        s.oidcprovider.AuthName = "Example User"
        s.oidcprovider.ValidClientID = "clientid"
        s.oidcprovider.ValidClientSecret = "clientsecret"

        s.testClusters = map[string]*testCluster{
                "z1111": nil,
                "z2222": nil,
                "z3333": nil,
        }
        hostport := map[string]string{}
        for id := range s.testClusters {
                hostport[id] = func() string {
                        // TODO: Instead of expecting random ports on
                        // 127.0.0.11, 22, 33 to be race-safe, try
                        // different 127.x.y.z until finding one that
                        // isn't in use.
                        ln, err := net.Listen("tcp", ":0")
                        c.Assert(err, check.IsNil)
                        ln.Close()
                        _, port, err := net.SplitHostPort(ln.Addr().String())
                        c.Assert(err, check.IsNil)
                        return "127.0.0." + id[3:] + ":" + port
                }()
        }
        for id := range s.testClusters {
                yaml := `Clusters:
  ` + id + `:
    Services:
      Controller:
        ExternalURL: https://` + hostport[id] + `
    TLS:
      Insecure: true
    Login:
      LoginCluster: z1111
    SystemLogs:
      Format: text
    RemoteClusters:
      z1111:
        Host: ` + hostport["z1111"] + `
        Scheme: https
        Insecure: true
        Proxy: true
        ActivateUsers: true
`
                if id != "z2222" {
                        yaml += `      z2222:
        Host: ` + hostport["z2222"] + `
        Scheme: https
        Insecure: true
        Proxy: true
        ActivateUsers: true
`
                }
                if id != "z3333" {
                        yaml += `      z3333:
        Host: ` + hostport["z3333"] + `
        Scheme: https
        Insecure: true
        Proxy: true
        ActivateUsers: true
`
                }
                if id == "z1111" {
                        yaml += `
    Login:
      LoginCluster: z1111
      OpenIDConnect:
        Enable: true
        Issuer: ` + s.oidcprovider.Issuer.URL + `
        ClientID: ` + s.oidcprovider.ValidClientID + `
        ClientSecret: ` + s.oidcprovider.ValidClientSecret + `
        EmailClaim: email
        EmailVerifiedClaim: email_verified
`
                } else {
                        yaml += `
    Login:
      LoginCluster: z1111
`
                }

                loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
                loader.Path = "-"
                loader.SkipLegacy = true
                loader.SkipAPICalls = true
                cfg, err := loader.Load()
                c.Assert(err, check.IsNil)
                s.testClusters[id] = &testCluster{
                        super: boot.Supervisor{
                                SourcePath:           filepath.Join(cwd, "..", ".."),
                                ClusterType:          "test",
                                ListenHost:           "127.0.0." + id[3:],
                                ControllerAddr:       ":0",
                                OwnTemporaryDatabase: true,
                                Stderr:               &service.LogPrefixer{Writer: ctxlog.LogWriter(c.Log), Prefix: []byte("[" + id + "] ")},
                        },
                        config: *cfg,
                }
                s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-")
        }
        for _, tc := range s.testClusters {
                au, ok := tc.super.WaitReady()
                c.Assert(ok, check.Equals, true)
                u := url.URL(*au)
                tc.controllerURL = &u
        }
}

func (s *IntegrationSuite) TearDownSuite(c *check.C) {
        for _, c := range s.testClusters {
                c.super.Stop()
        }
}

// Get rpc connection struct initialized to communicate with the
// specified cluster.
func (s *IntegrationSuite) conn(clusterID string) *rpc.Conn {
        return rpc.NewConn(clusterID, s.testClusters[clusterID].controllerURL, true, rpc.PassthroughTokenProvider)
}

// Return Context, Arvados.Client and keepclient structs initialized
// to connect to the specified cluster (by clusterID) using with the supplied
// Arvados token.
func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
        cl := s.testClusters[clusterID].config.Clusters[clusterID]
        ctx := auth.NewContext(context.Background(), auth.NewCredentials(token))
        ac, err := arvados.NewClientFromConfig(&cl)
        if err != nil {
                panic(err)
        }
        ac.AuthToken = token
        arv, err := arvadosclient.New(ac)
        if err != nil {
                panic(err)
        }
        kc := keepclient.New(arv)
        return ctx, ac, kc
}

// Log in as a user called "example", get the user's API token,
// initialize clients with the API token, set up the user and
// optionally activate the user.  Return client structs for
// communicating with the cluster on behalf of the 'example' user.
func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient, arvados.User) {
        login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{
                ReturnTo: ",https://example.com",
                AuthInfo: rpc.UserSessionAuthInfo{
                        Email:     "user@example.com",
                        FirstName: "Example",
                        LastName:  "User",
                        Username:  "example",
                },
        })
        c.Assert(err, check.IsNil)
        redirURL, err := url.Parse(login.RedirectLocation)
        c.Assert(err, check.IsNil)
        userToken := redirURL.Query().Get("api_token")
        c.Logf("user token: %q", userToken)
        ctx, ac, kc := s.clientsWithToken(clusterID, userToken)
        user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
        c.Assert(err, check.IsNil)
        _, err = conn.UserSetup(rootctx, arvados.UserSetupOptions{UUID: user.UUID})
        c.Assert(err, check.IsNil)
        if activate {
                _, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID})
                c.Assert(err, check.IsNil)
                user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{})
                c.Assert(err, check.IsNil)
                c.Logf("user UUID: %q", user.UUID)
                if !user.IsActive {
                        c.Fatalf("failed to activate user -- %#v", user)
                }
        }
        return ctx, ac, kc, user
}

// Return Context, arvados.Client and keepclient structs initialized
// to communicate with the cluster as the system root user.
func (s *IntegrationSuite) rootClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
        return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].SystemRootToken)
}

// Return Context, arvados.Client and keepclient structs initialized
// to communicate with the cluster as the anonymous user.
func (s *IntegrationSuite) anonymousClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
        return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].Users.AnonymousUserToken)
}

func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
        conn1 := s.conn("z1111")
        rootctx1, _, _ := s.rootClients("z1111")
        conn3 := s.conn("z3333")
        userctx1, ac1, kc1, _ := s.userClients(rootctx1, c, conn1, "z1111", true)

        // Create the collection to find its PDH (but don't save it
        // anywhere yet)
        var coll1 arvados.Collection
        fs1, err := coll1.FileSystem(ac1, kc1)
        c.Assert(err, check.IsNil)
        f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
        c.Assert(err, check.IsNil)
        _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
        c.Assert(err, check.IsNil)
        err = f.Close()
        c.Assert(err, check.IsNil)
        mtxt, err := fs1.MarshalManifest(".")
        c.Assert(err, check.IsNil)
        pdh := arvados.PortableDataHash(mtxt)

        // Looking up the PDH before saving returns 404 if cycle
        // detection is working.
        _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
        c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)

        // Save the collection on cluster z1111.
        coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
                "manifest_text": mtxt,
        }})
        c.Assert(err, check.IsNil)

        // Retrieve the collection from cluster z3333.
        coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
        c.Check(err, check.IsNil)
        c.Check(coll.PortableDataHash, check.Equals, pdh)
}

func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
        conn1 := s.conn("z1111")
        conn3 := s.conn("z3333")
        rootctx1, rootac1, rootkc1 := s.rootClients("z1111")
        anonctx3, anonac3, _ := s.anonymousClients("z3333")

        // Make sure anonymous token was set
        c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")

        // Create the collection to find its PDH (but don't save it
        // anywhere yet)
        var coll1 arvados.Collection
        fs1, err := coll1.FileSystem(rootac1, rootkc1)
        c.Assert(err, check.IsNil)
        f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
        c.Assert(err, check.IsNil)
        _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous")
        c.Assert(err, check.IsNil)
        err = f.Close()
        c.Assert(err, check.IsNil)
        mtxt, err := fs1.MarshalManifest(".")
        c.Assert(err, check.IsNil)
        pdh := arvados.PortableDataHash(mtxt)

        // Save the collection on cluster z1111.
        coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
                "manifest_text": mtxt,
        }})
        c.Assert(err, check.IsNil)

        // Share it with the anonymous users group.
        var outLink arvados.Link
        err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil,
                map[string]interface{}{"link": map[string]interface{}{
                        "link_class": "permission",
                        "name":       "can_read",
                        "tail_uuid":  "z1111-j7d0g-anonymouspublic",
                        "head_uuid":  coll1.UUID,
                },
                })
        c.Check(err, check.IsNil)

        // Current user should be z3 anonymous user
        outUser, err := anonac3.CurrentUser()
        c.Check(err, check.IsNil)
        c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic")

        // Get the token uuid
        var outAuth arvados.APIClientAuthorization
        err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
        c.Check(err, check.IsNil)

        // Make a v2 token of the z3 anonymous user, and use it on z1
        _, anonac1, _ := s.clientsWithToken("z1111", outAuth.TokenV2())
        outUser2, err := anonac1.CurrentUser()
        c.Check(err, check.IsNil)
        // z3 anonymous user will be mapped to the z1 anonymous user
        c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")

        // Retrieve the collection (which is on z1) using anonymous from cluster z3333.
        coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
        c.Check(err, check.IsNil)
        c.Check(coll.PortableDataHash, check.Equals, pdh)
}

// Get a token from the login cluster (z1111), use it to submit a
// container request on z2222.
func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
        conn1 := s.conn("z1111")
        rootctx1, _, _ := s.rootClients("z1111")
        _, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)

        // Use ac2 to get the discovery doc with a blank token, so the
        // SDK doesn't magically pass the z1111 token to z2222 before
        // we're ready to start our test.
        _, ac2, _ := s.clientsWithToken("z2222", "")
        var dd map[string]interface{}
        err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
        c.Assert(err, check.IsNil)

        var (
                body bytes.Buffer
                req  *http.Request
                resp *http.Response
                u    arvados.User
                cr   arvados.ContainerRequest
        )
        json.NewEncoder(&body).Encode(map[string]interface{}{
                "container_request": map[string]interface{}{
                        "command":         []string{"echo"},
                        "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
                        "cwd":             "/",
                        "output_path":     "/",
                },
        })
        ac2.AuthToken = ac1.AuthToken

        c.Log("...post CR with good (but not yet cached) token")
        cr = arvados.ContainerRequest{}
        req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
        c.Assert(err, check.IsNil)
        req.Header.Set("Content-Type", "application/json")
        err = ac2.DoAndDecode(&cr, req)
        c.Assert(err, check.IsNil)
        c.Logf("err == %#v", err)

        c.Log("...get user with good token")
        u = arvados.User{}
        req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
        c.Assert(err, check.IsNil)
        err = ac2.DoAndDecode(&u, req)
        c.Check(err, check.IsNil)
        c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")

        c.Log("...post CR with good cached token")
        cr = arvados.ContainerRequest{}
        req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
        c.Assert(err, check.IsNil)
        req.Header.Set("Content-Type", "application/json")
        err = ac2.DoAndDecode(&cr, req)
        c.Check(err, check.IsNil)
        c.Check(cr.UUID, check.Matches, "z2222-.*")

        c.Log("...post with good cached token ('OAuth2 ...')")
        cr = arvados.ContainerRequest{}
        req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
        c.Assert(err, check.IsNil)
        req.Header.Set("Content-Type", "application/json")
        req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
        resp, err = arvados.InsecureHTTPClient.Do(req)
        c.Assert(err, check.IsNil)
        err = json.NewDecoder(resp.Body).Decode(&cr)
        c.Check(err, check.IsNil)
        c.Check(cr.UUID, check.Matches, "z2222-.*")
}

func (s *IntegrationSuite) TestCreateContainerRequestWithBadToken(c *check.C) {
        var (
                body bytes.Buffer
                resp *http.Response
        )

        conn1 := s.conn("z1111")
        rootctx1, _, _ := s.rootClients("z1111")
        _, ac1, _, au := s.userClients(rootctx1, c, conn1, "z1111", true)

        tests := []struct {
                name         string
                token        string
                expectedCode int
        }{
                {"Good token", ac1.AuthToken, http.StatusOK},
                {"Bogus token", "abcdef", http.StatusUnauthorized},
                {"v1-looking token", "badtoken00badtoken00badtoken00badtoken00b", http.StatusUnauthorized},
                {"v2-looking token", "v2/" + au.UUID + "/badtoken00badtoken00badtoken00badtoken00b", http.StatusUnauthorized},
        }

        json.NewEncoder(&body).Encode(map[string]interface{}{
                "container_request": map[string]interface{}{
                        "command":         []string{"echo"},
                        "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
                        "cwd":             "/",
                        "output_path":     "/",
                },
        })

        for _, tt := range tests {
                c.Log(c.TestName() + " " + tt.name)
                ac1.AuthToken = tt.token
                req, err := http.NewRequest("POST", "https://"+ac1.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
                c.Assert(err, check.IsNil)
                req.Header.Set("Content-Type", "application/json")
                resp, err = ac1.Do(req)
                c.Assert(err, check.IsNil)
                c.Assert(resp.StatusCode, check.Equals, tt.expectedCode)
        }
}

// We test the direct access to the database
// normally an integration test would not have a database access, but  in this case we need
// to test tokens that are secret, so there is no API response that will give them back
func (s *IntegrationSuite) dbConn(c *check.C, clusterID string) (*sql.DB, *sql.Conn) {
        ctx := context.Background()
        db, err := sql.Open("postgres", s.testClusters[clusterID].super.Cluster().PostgreSQL.Connection.String())
        c.Assert(err, check.IsNil)

        conn, err := db.Conn(ctx)
        c.Assert(err, check.IsNil)

        rows, err := conn.ExecContext(ctx, `SELECT 1`)
        c.Assert(err, check.IsNil)
        n, err := rows.RowsAffected()
        c.Assert(err, check.IsNil)
        c.Assert(n, check.Equals, int64(1))
        return db, conn
}

func (s *IntegrationSuite) TestRuntimeTokenInCR(c *check.C) {
        db, dbconn := s.dbConn(c, "z1111")
        defer db.Close()
        defer dbconn.Close()
        conn1 := s.conn("z1111")
        rootctx1, _, _ := s.rootClients("z1111")
        _, ac1, _, au := s.userClients(rootctx1, c, conn1, "z1111", true)

        tests := []struct {
                name                 string
                token                string
                expectAToGetAValidCR bool
                expectedToken        *string
        }{
                {"Good token z1111 user", ac1.AuthToken, true, &ac1.AuthToken},
                {"Bogus token", "abcdef", false, nil},
                {"v1-looking token", "badtoken00badtoken00badtoken00badtoken00b", false, nil},
                {"v2-looking token", "v2/" + au.UUID + "/badtoken00badtoken00badtoken00badtoken00b", false, nil},
        }

        for _, tt := range tests {
                c.Log(c.TestName() + " " + tt.name)

                rq := map[string]interface{}{
                        "command":         []string{"echo"},
                        "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
                        "cwd":             "/",
                        "output_path":     "/",
                        "runtime_token":   tt.token,
                }
                cr, err := conn1.ContainerRequestCreate(rootctx1, arvados.CreateOptions{Attrs: rq})
                if tt.expectAToGetAValidCR {
                        c.Assert(err, check.IsNil)
                        c.Assert(cr, check.NotNil)
                        c.Assert(cr.UUID, check.Not(check.Equals), "")
                }

                if tt.expectedToken == nil {
                        break
                }

                c.Logf("cr.UUID: %s", cr.UUID)
                row := dbconn.QueryRowContext(rootctx1, `SELECT runtime_token from container_requests where uuid=$1`, cr.UUID)
                c.Assert(row, check.NotNil)
                // runtimeToken is *string and not a string because the database has a NULL column for this
                var runtimeToken *string
                err = row.Scan(&runtimeToken)
                c.Assert(err, check.IsNil)
                c.Assert(runtimeToken, check.NotNil)
                c.Assert(*runtimeToken, check.DeepEquals, *tt.expectedToken)
        }
}

// Test for bug #16263
func (s *IntegrationSuite) TestListUsers(c *check.C) {
        rootctx1, _, _ := s.rootClients("z1111")
        conn1 := s.conn("z1111")
        conn3 := s.conn("z3333")
        userctx1, _, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)

        // Make sure LoginCluster is properly configured
        for cls := range s.testClusters {
                c.Check(
                        s.testClusters[cls].config.Clusters[cls].Login.LoginCluster,
                        check.Equals, "z1111",
                        check.Commentf("incorrect LoginCluster config on cluster %q", cls))
        }
        // Make sure z1111 has users with NULL usernames
        lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
                Limit: math.MaxInt64, // check that large limit works (see #16263)
        })
        nullUsername := false
        c.Assert(err, check.IsNil)
        c.Assert(len(lst.Items), check.Not(check.Equals), 0)
        for _, user := range lst.Items {
                if user.Username == "" {
                        nullUsername = true
                }
        }
        c.Assert(nullUsername, check.Equals, true)

        user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
        c.Assert(err, check.IsNil)
        c.Check(user1.IsActive, check.Equals, true)

        // Ask for the user list on z3333 using z1111's system root token
        lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
        c.Assert(err, check.IsNil)
        found := false
        for _, user := range lst.Items {
                if user.UUID == user1.UUID {
                        c.Check(user.IsActive, check.Equals, true)
                        found = true
                        break
                }
        }
        c.Check(found, check.Equals, true)

        // Deactivate user acct on z1111
        _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
        c.Assert(err, check.IsNil)

        // Get user list from z3333, check the returned z1111 user is
        // deactivated
        lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
        c.Assert(err, check.IsNil)
        found = false
        for _, user := range lst.Items {
                if user.UUID == user1.UUID {
                        c.Check(user.IsActive, check.Equals, false)
                        found = true
                        break
                }
        }
        c.Check(found, check.Equals, true)

        // Deactivated user can see is_active==false via "get current
        // user" API
        user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
        c.Assert(err, check.IsNil)
        c.Check(user1.IsActive, check.Equals, false)
}

func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
        conn1 := s.conn("z1111")
        conn3 := s.conn("z3333")
        rootctx1, rootac1, _ := s.rootClients("z1111")

        // Create user on LoginCluster z1111
        _, _, _, user := s.userClients(rootctx1, c, conn1, "z1111", false)

        // Make a new root token (because rootClients() uses SystemRootToken)
        var outAuth arvados.APIClientAuthorization
        err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
        c.Check(err, check.IsNil)

        // Make a v2 root token to communicate with z3333
        rootctx3, rootac3, _ := s.clientsWithToken("z3333", outAuth.TokenV2())

        // Create VM on z3333
        var outVM arvados.VirtualMachine
        err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
                map[string]interface{}{"virtual_machine": map[string]interface{}{
                        "hostname": "example",
                },
                })
        c.Check(outVM.UUID[0:5], check.Equals, "z3333")
        c.Check(err, check.IsNil)

        // Make sure z3333 user list is up to date
        _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
        c.Check(err, check.IsNil)

        // Try to set up user on z3333 with the VM
        _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
        c.Check(err, check.IsNil)

        var outLinks arvados.LinkList
        err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
                arvados.ListOptions{
                        Limit: 1000,
                        Filters: []arvados.Filter{
                                {
                                        Attr:     "tail_uuid",
                                        Operator: "=",
                                        Operand:  user.UUID,
                                },
                                {
                                        Attr:     "head_uuid",
                                        Operator: "=",
                                        Operand:  outVM.UUID,
                                },
                                {
                                        Attr:     "name",
                                        Operator: "=",
                                        Operand:  "can_login",
                                },
                                {
                                        Attr:     "link_class",
                                        Operator: "=",
                                        Operand:  "permission",
                                }}})
        c.Check(err, check.IsNil)

        c.Check(len(outLinks.Items), check.Equals, 1)
}

func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
        conn1 := s.conn("z1111")
        rootctx1, _, _ := s.rootClients("z1111")
        s.userClients(rootctx1, c, conn1, "z1111", true)

        accesstoken := s.oidcprovider.ValidAccessToken()

        for _, clusterid := range []string{"z1111", "z2222"} {
                c.Logf("trying clusterid %s", clusterid)

                conn := s.conn(clusterid)
                ctx, ac, kc := s.clientsWithToken(clusterid, accesstoken)

                var coll arvados.Collection

                // Write some file data and create a collection
                {
                        fs, err := coll.FileSystem(ac, kc)
                        c.Assert(err, check.IsNil)
                        f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
                        c.Assert(err, check.IsNil)
                        _, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth")
                        c.Assert(err, check.IsNil)
                        err = f.Close()
                        c.Assert(err, check.IsNil)
                        mtxt, err := fs.MarshalManifest(".")
                        c.Assert(err, check.IsNil)
                        coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{
                                "manifest_text": mtxt,
                        }})
                        c.Assert(err, check.IsNil)
                }

                // Read the collection & file data
                {
                        user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
                        c.Assert(err, check.IsNil)
                        c.Check(user.FullName, check.Equals, "Example User")
                        coll, err = conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID})
                        c.Assert(err, check.IsNil)
                        c.Check(coll.ManifestText, check.Not(check.Equals), "")
                        fs, err := coll.FileSystem(ac, kc)
                        c.Assert(err, check.IsNil)
                        f, err := fs.Open("test.txt")
                        c.Assert(err, check.IsNil)
                        buf, err := ioutil.ReadAll(f)
                        c.Assert(err, check.IsNil)
                        c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth"))
                }
        }
}