lib/controller/federation_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package controller
   6
   7 import (
   8         "encoding/json"
   9         "io/ioutil"
  10         "net/http"
  11         "net/http/httptest"
  12         "net/url"
  13         "strings"
  14         "time"
  15
  16         "git.curoverse.com/arvados.git/sdk/go/arvados"
  17         "git.curoverse.com/arvados.git/sdk/go/arvadostest"
  18         "git.curoverse.com/arvados.git/sdk/go/httpserver"
  19         "git.curoverse.com/arvados.git/sdk/go/keepclient"
  20         "github.com/Sirupsen/logrus"
  21         check "gopkg.in/check.v1"
  22 )
  23
  24 // Gocheck boilerplate
  25 var _ = check.Suite(&FederationSuite{})
  26
  27 type FederationSuite struct {
  28         log *logrus.Logger
  29         // testServer and testHandler are the controller being tested,
  30         // "zhome".
  31         testServer  *httpserver.Server
  32         testHandler *Handler
  33         // remoteServer ("zzzzz") forwards requests to the Rails API
  34         // provided by the integration test environment.
  35         remoteServer *httpserver.Server
  36         // remoteMock ("zmock") appends each incoming request to
  37         // remoteMockRequests, and returns an empty 200 response.
  38         remoteMock         *httpserver.Server
  39         remoteMockRequests []http.Request
  40 }
  41
  42 func (s *FederationSuite) SetUpTest(c *check.C) {
  43         s.log = logrus.New()
  44         s.log.Formatter = &logrus.JSONFormatter{}
  45         s.log.Out = &logWriter{c.Log}
  46
  47         s.remoteServer = newServerFromIntegrationTestEnv(c)
  48         c.Assert(s.remoteServer.Start(), check.IsNil)
  49
  50         s.remoteMock = newServerFromIntegrationTestEnv(c)
  51         s.remoteMock.Server.Handler = http.HandlerFunc(s.remoteMockHandler)
  52         c.Assert(s.remoteMock.Start(), check.IsNil)
  53
  54         nodeProfile := arvados.NodeProfile{
  55                 Controller: arvados.SystemServiceInstance{Listen: ":"},
  56                 RailsAPI:   arvados.SystemServiceInstance{Listen: ":1"}, // local reqs will error "connection refused"
  57         }
  58         s.testHandler = &Handler{Cluster: &arvados.Cluster{
  59                 ClusterID:  "zhome",
  60                 PostgreSQL: integrationTestCluster().PostgreSQL,
  61                 NodeProfiles: map[string]arvados.NodeProfile{
  62                         "*": nodeProfile,
  63                 },
  64         }, NodeProfile: &nodeProfile}
  65         s.testServer = newServerFromIntegrationTestEnv(c)
  66         s.testServer.Server.Handler = httpserver.AddRequestIDs(httpserver.LogRequests(s.log, s.testHandler))
  67
  68         s.testHandler.Cluster.RemoteClusters = map[string]arvados.RemoteCluster{
  69                 "zzzzz": {
  70                         Host:   s.remoteServer.Addr,
  71                         Proxy:  true,
  72                         Scheme: "http",
  73                 },
  74                 "zmock": {
  75                         Host:   s.remoteMock.Addr,
  76                         Proxy:  true,
  77                         Scheme: "http",
  78                 },
  79         }
  80
  81         c.Assert(s.testServer.Start(), check.IsNil)
  82
  83         s.remoteMockRequests = nil
  84 }
  85
  86 func (s *FederationSuite) remoteMockHandler(w http.ResponseWriter, req *http.Request) {
  87         s.remoteMockRequests = append(s.remoteMockRequests, *req)
  88 }
  89
  90 func (s *FederationSuite) TearDownTest(c *check.C) {
  91         if s.remoteServer != nil {
  92                 s.remoteServer.Close()
  93         }
  94         if s.testServer != nil {
  95                 s.testServer.Close()
  96         }
  97 }
  98
  99 func (s *FederationSuite) testRequest(req *http.Request) *http.Response {
 100         resp := httptest.NewRecorder()
 101         s.testServer.Server.Handler.ServeHTTP(resp, req)
 102         return resp.Result()
 103 }
 104
 105 func (s *FederationSuite) TestLocalRequest(c *check.C) {
 106         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zhome-", 1), nil)
 107         resp := s.testRequest(req)
 108         s.checkHandledLocally(c, resp)
 109 }
 110
 111 func (s *FederationSuite) checkHandledLocally(c *check.C, resp *http.Response) {
 112         // Our "home" controller can't handle local requests because
 113         // it doesn't have its own stub/test Rails API, so we rely on
 114         // "connection refused" to indicate the controller tried to
 115         // proxy the request to its local Rails API.
 116         c.Check(resp.StatusCode, check.Equals, http.StatusBadGateway)
 117         s.checkJSONErrorMatches(c, resp, `.*connection refused`)
 118 }
 119
 120 func (s *FederationSuite) TestNoAuth(c *check.C) {
 121         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 122         resp := s.testRequest(req)
 123         c.Check(resp.StatusCode, check.Equals, http.StatusUnauthorized)
 124         s.checkJSONErrorMatches(c, resp, `Not logged in`)
 125 }
 126
 127 func (s *FederationSuite) TestBadAuth(c *check.C) {
 128         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 129         req.Header.Set("Authorization", "Bearer aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
 130         resp := s.testRequest(req)
 131         c.Check(resp.StatusCode, check.Equals, http.StatusUnauthorized)
 132         s.checkJSONErrorMatches(c, resp, `Not logged in`)
 133 }
 134
 135 func (s *FederationSuite) TestNoAccess(c *check.C) {
 136         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 137         req.Header.Set("Authorization", "Bearer "+arvadostest.SpectatorToken)
 138         resp := s.testRequest(req)
 139         c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
 140         s.checkJSONErrorMatches(c, resp, `.*not found`)
 141 }
 142
 143 func (s *FederationSuite) TestGetUnknownRemote(c *check.C) {
 144         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zz404-", 1), nil)
 145         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 146         resp := s.testRequest(req)
 147         c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
 148         s.checkJSONErrorMatches(c, resp, `.*no proxy available for cluster zz404`)
 149 }
 150
 151 func (s *FederationSuite) TestRemoteError(c *check.C) {
 152         rc := s.testHandler.Cluster.RemoteClusters["zzzzz"]
 153         rc.Scheme = "https"
 154         s.testHandler.Cluster.RemoteClusters["zzzzz"] = rc
 155
 156         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 157         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 158         resp := s.testRequest(req)
 159         c.Check(resp.StatusCode, check.Equals, http.StatusBadGateway)
 160         s.checkJSONErrorMatches(c, resp, `.*HTTP response to HTTPS client`)
 161 }
 162
 163 func (s *FederationSuite) TestGetRemoteWorkflow(c *check.C) {
 164         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 165         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 166         resp := s.testRequest(req)
 167         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 168         var wf arvados.Workflow
 169         c.Check(json.NewDecoder(resp.Body).Decode(&wf), check.IsNil)
 170         c.Check(wf.UUID, check.Equals, arvadostest.WorkflowWithDefinitionYAMLUUID)
 171         c.Check(wf.OwnerUUID, check.Equals, arvadostest.ActiveUserUUID)
 172 }
 173
 174 func (s *FederationSuite) TestOptionsMethod(c *check.C) {
 175         req := httptest.NewRequest("OPTIONS", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
 176         req.Header.Set("Origin", "https://example.com")
 177         resp := s.testRequest(req)
 178         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 179         body, err := ioutil.ReadAll(resp.Body)
 180         c.Check(err, check.IsNil)
 181         c.Check(string(body), check.Equals, "")
 182         c.Check(resp.Header.Get("Access-Control-Allow-Origin"), check.Equals, "*")
 183         for _, hdr := range []string{"Authorization", "Content-Type"} {
 184                 c.Check(resp.Header.Get("Access-Control-Allow-Headers"), check.Matches, ".*"+hdr+".*")
 185         }
 186         for _, method := range []string{"GET", "HEAD", "PUT", "POST", "DELETE"} {
 187                 c.Check(resp.Header.Get("Access-Control-Allow-Methods"), check.Matches, ".*"+method+".*")
 188         }
 189 }
 190
 191 func (s *FederationSuite) TestRemoteWithTokenInQuery(c *check.C) {
 192         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zmock-", 1)+"?api_token="+arvadostest.ActiveToken, nil)
 193         s.testRequest(req)
 194         c.Assert(len(s.remoteMockRequests), check.Equals, 1)
 195         pr := s.remoteMockRequests[0]
 196         // Token is salted and moved from query to Authorization header.
 197         c.Check(pr.URL.String(), check.Not(check.Matches), `.*api_token=.*`)
 198         c.Check(pr.Header.Get("Authorization"), check.Equals, "Bearer v2/zzzzz-gj3su-077z32aux8dg2s1/7fd31b61f39c0e82a4155592163218272cedacdc")
 199 }
 200
 201 func (s *FederationSuite) TestLocalTokenSalted(c *check.C) {
 202         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zmock-", 1), nil)
 203         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 204         s.testRequest(req)
 205         c.Assert(len(s.remoteMockRequests), check.Equals, 1)
 206         pr := s.remoteMockRequests[0]
 207         // The salted token here has a "zzzzz-" UUID instead of a
 208         // "ztest-" UUID because ztest's local database has the
 209         // "zzzzz-" test fixtures. The "secret" part is HMAC(sha1,
 210         // arvadostest.ActiveToken, "zmock") = "7fd3...".
 211         c.Check(pr.Header.Get("Authorization"), check.Equals, "Bearer v2/zzzzz-gj3su-077z32aux8dg2s1/7fd31b61f39c0e82a4155592163218272cedacdc")
 212 }
 213
 214 func (s *FederationSuite) TestRemoteTokenNotSalted(c *check.C) {
 215         // remoteToken can be any v1 token that doesn't appear in
 216         // ztest's local db.
 217         remoteToken := "abcdef00000000000000000000000000000000000000000000"
 218         req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+strings.Replace(arvadostest.WorkflowWithDefinitionYAMLUUID, "zzzzz-", "zmock-", 1), nil)
 219         req.Header.Set("Authorization", "Bearer "+remoteToken)
 220         s.testRequest(req)
 221         c.Assert(len(s.remoteMockRequests), check.Equals, 1)
 222         pr := s.remoteMockRequests[0]
 223         c.Check(pr.Header.Get("Authorization"), check.Equals, "Bearer "+remoteToken)
 224 }
 225
 226 func (s *FederationSuite) TestWorkflowCRUD(c *check.C) {
 227         wf := arvados.Workflow{
 228                 Description: "TestCRUD",
 229         }
 230         {
 231                 body := &strings.Builder{}
 232                 json.NewEncoder(body).Encode(&wf)
 233                 req := httptest.NewRequest("POST", "/arvados/v1/workflows", strings.NewReader(url.Values{
 234                         "workflow": {body.String()},
 235                 }.Encode()))
 236                 req.Header.Set("Content-type", "application/x-www-form-urlencoded")
 237                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 238                 rec := httptest.NewRecorder()
 239                 s.remoteServer.Server.Handler.ServeHTTP(rec, req) // direct to remote -- can't proxy a create req because no uuid
 240                 resp := rec.Result()
 241                 s.checkResponseOK(c, resp)
 242                 json.NewDecoder(resp.Body).Decode(&wf)
 243
 244                 defer func() {
 245                         req := httptest.NewRequest("DELETE", "/arvados/v1/workflows/"+wf.UUID, nil)
 246                         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 247                         s.remoteServer.Server.Handler.ServeHTTP(httptest.NewRecorder(), req)
 248                 }()
 249                 c.Check(wf.UUID, check.Not(check.Equals), "")
 250
 251                 c.Assert(wf.ModifiedAt, check.NotNil)
 252                 c.Logf("wf.ModifiedAt: %v", wf.ModifiedAt)
 253                 c.Check(time.Since(*wf.ModifiedAt) < time.Minute, check.Equals, true)
 254         }
 255         for _, method := range []string{"PATCH", "PUT", "POST"} {
 256                 form := url.Values{
 257                         "workflow": {`{"description": "Updated with ` + method + `"}`},
 258                 }
 259                 if method == "POST" {
 260                         form["_method"] = []string{"PATCH"}
 261                 }
 262                 req := httptest.NewRequest(method, "/arvados/v1/workflows/"+wf.UUID, strings.NewReader(form.Encode()))
 263                 req.Header.Set("Content-type", "application/x-www-form-urlencoded")
 264                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 265                 resp := s.testRequest(req)
 266                 s.checkResponseOK(c, resp)
 267                 err := json.NewDecoder(resp.Body).Decode(&wf)
 268                 c.Check(err, check.IsNil)
 269
 270                 c.Check(wf.Description, check.Equals, "Updated with "+method)
 271         }
 272         {
 273                 req := httptest.NewRequest("DELETE", "/arvados/v1/workflows/"+wf.UUID, nil)
 274                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 275                 resp := s.testRequest(req)
 276                 s.checkResponseOK(c, resp)
 277                 err := json.NewDecoder(resp.Body).Decode(&wf)
 278                 c.Check(err, check.IsNil)
 279         }
 280         {
 281                 req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+wf.UUID, nil)
 282                 req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 283                 resp := s.testRequest(req)
 284                 c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
 285         }
 286 }
 287
 288 func (s *FederationSuite) checkResponseOK(c *check.C, resp *http.Response) {
 289         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 290         if resp.StatusCode != http.StatusOK {
 291                 body, err := ioutil.ReadAll(resp.Body)
 292                 c.Logf("... response body = %q, %v\n", body, err)
 293         }
 294 }
 295
 296 func (s *FederationSuite) checkJSONErrorMatches(c *check.C, resp *http.Response, re string) {
 297         var jresp httpserver.ErrorResponse
 298         err := json.NewDecoder(resp.Body).Decode(&jresp)
 299         c.Check(err, check.IsNil)
 300         c.Assert(len(jresp.Errors), check.Equals, 1)
 301         c.Check(jresp.Errors[0], check.Matches, re)
 302 }
 303
 304 func (s *FederationSuite) TestGetRemoteCollection(c *check.C) {
 305         req := httptest.NewRequest("GET", "/arvados/v1/collections/"+arvadostest.UserAgreementCollection, nil)
 306         req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 307         resp := s.testRequest(req)
 308         c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 309         var col arvados.Collection
 310         c.Check(json.NewDecoder(resp.Body).Decode(&col), check.IsNil)
 311         c.Check(col.UUID, check.Equals, arvadostest.UserAgreementCollection)
 312         c.Check(col.ManifestText, check.Matches,
 313                 `\. 6a4ff0499484c6c79c95cd8c566bd25f\+249025\+Rzzzzz-[0-9a-f]{40}@[0-9a-f]{8} 0:249025:GNU_General_Public_License,_version_3.pdf
 314 `)
 315
 316         // Confirm the regular expression identifies other groups of hints correctly
 317         c.Check(keepclient.SignedLocatorRe.FindStringSubmatch(`6a4ff0499484c6c79c95cd8c566bd25f+249025+B1+C2+A05227438989d04712ea9ca1c91b556cef01d5cc7@5ba5405b+D3+E4`),
 318                 check.DeepEquals,
 319                 []string{"6a4ff0499484c6c79c95cd8c566bd25f+249025+B1+C2+A05227438989d04712ea9ca1c91b556cef01d5cc7@5ba5405b+D3+E4",
 320                         "6a4ff0499484c6c79c95cd8c566bd25f",
 321                         "+249025",
 322                         "+B1+C2", "+C2",
 323                         "+A05227438989d04712ea9ca1c91b556cef01d5cc7@5ba5405b",
 324                         "05227438989d04712ea9ca1c91b556cef01d5cc7", "5ba5405b",
 325                         "+D3+E4", "+E4"})
 326 }