1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: AGPL-3.0
7 class PermissionsTest < ActionDispatch::IntegrationTest
include CurrentApiClient # for empty_collection (empty_collection_uuid is read in the last test)
# Fixture sets the tests below resolve by name: users(:spectator/:active/:inactive),
# groups(:private/:public/:empty_lonely_group), collections(:foo_file).
# NOTE(review): auth(...) presumably looks up api_client_authorizations by label — confirm.
# NOTE(review): specimens(...) is also referenced below but :specimens is not listed here;
# it may be loaded by a test helper — confirm.
fixtures :users, :groups, :api_client_authorizations, :collections
test "adding and removing direct can_read links" do
  # try to read collection as spectator -- no grant exists yet, so this GET is
  # the denied baseline. The status assertion that followed it is not present
  # in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)

  # try to add permission as spectator -- the request is authenticated as
  # spectator and names spectator itself as tail_uuid, i.e. a self-grant
  # attempt. The link's name: attribute and the expected-failure assertion
  # are not visible in this extract.
  post "/arvados/v1/links",
    tail_uuid: users(:spectator).uuid,
    link_class: 'permission',
    head_uuid: collections(:foo_file).uuid,
    headers: auth(:spectator)

  # add permission as admin -- the same link, created under an admin token.
  # The headers: line of this request is not visible in this extract.
  post "/arvados/v1/links",
    tail_uuid: users(:spectator).uuid,
    link_class: 'permission',
    head_uuid: collections(:foo_file).uuid,
  u = json_response['uuid'] # uuid of the new link; reused for the delete steps
  assert_response :success

  # read collection as spectator -- now reachable through the direct link
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
  assert_response :success

  # try to delete permission as spectator -- the grantee attempts to remove
  # the link itself; the flow implies this must be refused, but the status
  # assertion is not present in this extract.
  delete "/arvados/v1/links/#{u}",
    params: {:format => :json},
    headers: auth(:spectator)

  # delete permission as admin -- the headers: line is not visible here
  delete "/arvados/v1/links/#{u}",
    params: {:format => :json},
  assert_response :success

  # try to read collection as spectator -- access should be gone once the link
  # is deleted; the status assertion is not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
test "adding can_read links from user to group, group to collection" do
  # try to read collection as spectator -- denied baseline; the status
  # assertion that followed is not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)

  # add permission for spectator to read group -- first hop of the path
  # spectator -> private group. The link's name: and headers: lines are not
  # visible in this extract.
  post "/arvados/v1/links",
    tail_uuid: users(:spectator).uuid,
    link_class: 'permission',
    head_uuid: groups(:private).uuid,
  assert_response :success

  # try to read collection as spectator -- only the first hop exists, so the
  # collection should still be unreachable; the status assertion is not
  # present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)

  # add permission for group to read collection -- second hop,
  # private group -> foo_file, created by admin. name: line not visible here.
  post "/arvados/v1/links",
    tail_uuid: groups(:private).uuid,
    link_class: 'permission',
    head_uuid: collections(:foo_file).uuid,
    headers: auth(:admin)
  u = json_response['uuid'] # uuid of the group -> collection link
  assert_response :success

  # try to read collection as spectator -- both hops present, read succeeds
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
  assert_response :success

  # delete permission for group to read collection -- removing the second
  # hop alone must break the path
  delete "/arvados/v1/links/#{u}",
    params: {:format => :json},
    headers: auth(:admin)
  assert_response :success

  # try to read collection as spectator -- the status assertion that
  # followed is not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
test "adding can_read links from group to collection, user to group" do
  # Same two-hop path as the previous test, created in the opposite order
  # (group -> collection first, then user -> group), and torn down by removing
  # the user -> group hop instead.

  # try to read collection as spectator -- denied baseline; status assertion
  # not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)

  # add permission for group to read collection -- private group -> foo_file.
  # The link's name: line is not visible in this extract.
  post "/arvados/v1/links",
    tail_uuid: groups(:private).uuid,
    link_class: 'permission',
    head_uuid: collections(:foo_file).uuid,
    headers: auth(:admin)
  assert_response :success

  # try to read collection as spectator -- spectator is not yet in the group,
  # so this should still fail; status assertion not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)

  # add permission for spectator to read group -- spectator -> private group.
  # name: line not visible in this extract.
  post "/arvados/v1/links",
    tail_uuid: users(:spectator).uuid,
    link_class: 'permission',
    head_uuid: groups(:private).uuid,
    headers: auth(:admin)
  u = json_response['uuid'] # uuid of the user -> group link
  assert_response :success

  # try to read collection as spectator -- both hops present, read succeeds
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
  assert_response :success

  # delete permission for spectator to read group -- removing the first hop
  # must break the path even though group -> collection remains
  delete "/arvados/v1/links/#{u}",
    params: {:format => :json},
    headers: auth(:admin)
  assert_response :success

  # try to read collection as spectator -- status assertion that followed is
  # not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
test "adding can_read links from user to group, group to group, group to collection" do
  # Three-hop path: spectator -> private -> empty_lonely_group -> foo_file.
  # Checks that permission resolves through nested group membership and that
  # removing the final hop revokes access.

  # try to read collection as spectator -- denied baseline; status assertion
  # not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)

  # add permission for user to read group -- hop 1, spectator -> private.
  # The link's name: line is not visible in this extract (same for the two
  # posts below).
  post "/arvados/v1/links",
    tail_uuid: users(:spectator).uuid,
    link_class: 'permission',
    head_uuid: groups(:private).uuid,
    headers: auth(:admin)
  assert_response :success

  # add permission for group to read group -- hop 2, private -> empty_lonely_group
  post "/arvados/v1/links",
    tail_uuid: groups(:private).uuid,
    link_class: 'permission',
    head_uuid: groups(:empty_lonely_group).uuid,
    headers: auth(:admin)
  assert_response :success

  # add permission for group to read collection -- hop 3, empty_lonely_group -> foo_file
  post "/arvados/v1/links",
    tail_uuid: groups(:empty_lonely_group).uuid,
    link_class: 'permission',
    head_uuid: collections(:foo_file).uuid,
    headers: auth(:admin)
  u = json_response['uuid'] # uuid of the final hop; deleted below
  assert_response :success

  # try to read collection as spectator -- full chain present, read succeeds
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
  assert_response :success

  # delete permission for group to read collection -- only the last hop is
  # removed; hops 1 and 2 remain
  delete "/arvados/v1/links/#{u}",
    params: {:format => :json},
    headers: auth(:admin)
  assert_response :success

  # try to read collection as spectator -- status assertion that followed is
  # not present in this extract.
  get "/arvados/v1/collections/#{collections(:foo_file).uuid}",
    params: {:format => :json},
    headers: auth(:spectator)
test "read-only group-admin cannot modify administered user" do
  # A read-only group admin (rominiadmin) attempts to rewrite a user it
  # administers. Per the test title the PUT must be refused; the params:
  # wrapper around first_name and the status assertion are not present in
  # this extract.
  put "/arvados/v1/users/#{users(:active).uuid}",
    first_name: 'KilroyWasHere'
    headers: auth(:rominiadmin)
test "read-only group-admin cannot read or update non-administered user" do
  # spectator is outside rominiadmin's administered set: neither the read
  # nor the update may succeed. The status assertions after each request are
  # not present in this extract.
  get "/arvados/v1/users/#{users(:spectator).uuid}",
    params: {:format => :json},
    headers: auth(:rominiadmin)

  # params: wrapper around first_name is not visible in this extract
  put "/arvados/v1/users/#{users(:spectator).uuid}",
    first_name: 'KilroyWasHere'
    headers: auth(:rominiadmin)
test "RO group-admin finds user's specimens, RW group-admin can update" do
  # Runs the same visibility matrix for a read-only admin (rominiadmin) and a
  # read-write admin (miniadmin); only the second is expected to be able to
  # update. Several lines of this test (format-string arguments, the params:
  # wrapper of the PUT, and the first branch of the if/elsif) are not present
  # in this extract.
  [[:rominiadmin, false],
   [:miniadmin, true]].each do |which_user, update_should_succeed|
    get "/arvados/v1/specimens",
      params: {:format => :json},
      headers: auth(which_user)
    assert_response :success
    # uuids the admin can see in the list endpoint
    resp_uuids = json_response['items'].collect { |i| i['uuid'] }
    # Expected visibility: specimens owned by the administered user and by the
    # private group are visible; spectator's specimen must not be.
    [[true, specimens(:owned_by_active_user).uuid],
     [true, specimens(:owned_by_private_group).uuid],
     [false, specimens(:owned_by_spectator).uuid],
    ].each do |should_find, uuid|
      # !index(uuid).nil? is membership; include?(uuid) would read the same
      assert_equal(should_find, !resp_uuids.index(uuid).nil?,
                   "%s should%s see %s in specimen list" %
                   should_find ? '' : 'not ',
      # attempt an update on the same specimen; outcome depends on the admin's
      # write capability (and presumably on should_find -- the first branch is
      # not visible here)
      put "/arvados/v1/specimens/#{uuid}",
        miniadmin_was_here: true
        headers: auth(which_user)
      elsif !update_should_succeed
        assert_response :success
test "get_permissions returns list" do
  # First confirm that user :active cannot get permissions on group :public
  # (no manage right yet). The status assertion that followed is not present
  # in this extract.
  get "/arvados/v1/permissions/#{groups(:public).uuid}",
    headers: auth(:active)

  # add some permissions, including can_manage
  # permission for user :active
  # The name: line of each link is not visible in this extract; the variable
  # names below indicate can_read (spectator), can_write (inactive) and
  # can_manage (active) respectively.
  post "/arvados/v1/links",
    tail_uuid: users(:spectator).uuid,
    link_class: 'permission',
    head_uuid: groups(:public).uuid,
    headers: auth(:admin)
  assert_response :success
  can_read_uuid = json_response['uuid']

  post "/arvados/v1/links",
    tail_uuid: users(:inactive).uuid,
    link_class: 'permission',
    head_uuid: groups(:public).uuid,
    headers: auth(:admin)
  assert_response :success
  can_write_uuid = json_response['uuid']

  post "/arvados/v1/links",
    tail_uuid: users(:active).uuid,
    link_class: 'permission',
    head_uuid: groups(:public).uuid,
    headers: auth(:admin)
  assert_response :success
  can_manage_uuid = json_response['uuid']

  # Now user :active should be able to retrieve permissions
  get("/arvados/v1/permissions/#{groups(:public).uuid}",
      params: { :format => :json },
      headers: auth(:active))
  assert_response :success

  # the listing must expose all three grants, including those held by other users
  perm_uuids = json_response['items'].map { |item| item['uuid'] }
  assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found"
  assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found"
  assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found"
test "get_permissions returns 404 for nonexistent uuid" do
  # a freshly generated uuid that no group row has
  nonexistent = Group.generate_uuid
  # make sure it really doesn't exist -- admin lookup; the 404 assertion that
  # followed is not present in this extract
  get "/arvados/v1/groups/#{nonexistent}", params: nil, headers: auth(:admin)
  # permissions lookup as a non-admin must also 404 (per the title), not 403;
  # the assertion is not present in this extract
  get "/arvados/v1/permissions/#{nonexistent}", params: nil, headers: auth(:active)
test "get_permissions returns 403 if user can read but not manage" do
  # Grant active a link on group :public. The link's name: line is not
  # visible in this extract; the title implies a read-level grant.
  post "/arvados/v1/links",
    tail_uuid: users(:active).uuid,
    link_class: 'permission',
    head_uuid: groups(:public).uuid,
    headers: auth(:admin)
  assert_response :success

  # Listing permissions requires manage rights, so a read-only grantee gets
  # 403. The params: line and the status assertion are not present in this
  # extract.
  get "/arvados/v1/permissions/#{groups(:public).uuid}",
    headers: auth(:active)
441 test "active user can read the empty collection" do
442 # The active user should be able to read the empty collection.
444 get("/arvados/v1/collections/#{empty_collection_uuid}",
445 params: {:format => :json},
446 headers: auth(:active))
447 assert_response :success
448 assert_empty json_response['manifest_text'], "empty collection manifest_text is not empty"