1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
22 "git.arvados.org/arvados.git/lib/config"
23 "git.arvados.org/arvados.git/sdk/go/arvados"
24 "git.arvados.org/arvados.git/sdk/go/arvadostest"
25 "git.arvados.org/arvados.git/sdk/go/ctxlog"
26 check "gopkg.in/check.v1"
29 var _ = check.Suite(&IntegrationSuite{})
31 type IntegrationSuite struct {
32 testClusters map[string]*arvadostest.TestCluster
33 oidcprovider *arvadostest.OIDCProvider
36 func (s *IntegrationSuite) SetUpSuite(c *check.C) {
38 c.Skip("heavy integration tests don't run with forceLegacyAPI14")
44 s.oidcprovider = arvadostest.NewOIDCProvider(c)
45 s.oidcprovider.AuthEmail = "user@example.com"
46 s.oidcprovider.AuthEmailVerified = true
47 s.oidcprovider.AuthName = "Example User"
48 s.oidcprovider.ValidClientID = "clientid"
49 s.oidcprovider.ValidClientSecret = "clientsecret"
51 s.testClusters = map[string]*arvadostest.TestCluster{
56 hostport := map[string]string{}
57 for id := range s.testClusters {
58 hostport[id] = func() string {
59 // TODO: Instead of expecting random ports on
60 // 127.0.0.11, 22, 33 to be race-safe, try
61 // different 127.x.y.z until finding one that
63 ln, err := net.Listen("tcp", ":0")
64 c.Assert(err, check.IsNil)
66 _, port, err := net.SplitHostPort(ln.Addr().String())
67 c.Assert(err, check.IsNil)
68 return "127.0.0." + id[3:] + ":" + port
71 for id := range s.testClusters {
76 ExternalURL: https://` + hostport[id] + `
83 Host: ` + hostport["z1111"] + `
91 Host: ` + hostport["z2222"] + `
100 Host: ` + hostport["z3333"] + `
113 Issuer: ` + s.oidcprovider.Issuer.URL + `
114 ClientID: ` + s.oidcprovider.ValidClientID + `
115 ClientSecret: ` + s.oidcprovider.ValidClientSecret + `
117 EmailVerifiedClaim: email_verified
126 loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
128 loader.SkipLegacy = true
129 loader.SkipAPICalls = true
130 cfg, err := loader.Load()
131 c.Assert(err, check.IsNil)
132 tc := arvadostest.NewTestCluster(
133 filepath.Join(cwd, "..", ".."),
134 id, cfg, "127.0.0."+id[3:], c.Log)
135 s.testClusters[id] = tc
136 s.testClusters[id].Start()
138 for _, tc := range s.testClusters {
140 c.Assert(ok, check.Equals, true)
144 func (s *IntegrationSuite) TearDownSuite(c *check.C) {
145 for _, c := range s.testClusters {
150 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
151 conn1 := s.testClusters["z1111"].Conn()
152 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
153 conn3 := s.testClusters["z3333"].Conn()
154 userctx1, ac1, kc1, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
156 // Create the collection to find its PDH (but don't save it
158 var coll1 arvados.Collection
159 fs1, err := coll1.FileSystem(ac1, kc1)
160 c.Assert(err, check.IsNil)
161 f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
162 c.Assert(err, check.IsNil)
163 _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
164 c.Assert(err, check.IsNil)
166 c.Assert(err, check.IsNil)
167 mtxt, err := fs1.MarshalManifest(".")
168 c.Assert(err, check.IsNil)
169 pdh := arvados.PortableDataHash(mtxt)
171 // Looking up the PDH before saving returns 404 if cycle
172 // detection is working.
173 _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
174 c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
176 // Save the collection on cluster z1111.
177 coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
178 "manifest_text": mtxt,
180 c.Assert(err, check.IsNil)
182 // Retrieve the collection from cluster z3333.
183 coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
184 c.Check(err, check.IsNil)
185 c.Check(coll.PortableDataHash, check.Equals, pdh)
188 func (s *IntegrationSuite) TestS3WithFederatedToken(c *check.C) {
189 if _, err := exec.LookPath("s3cmd"); err != nil {
190 c.Skip("s3cmd not in PATH")
194 testText := "IntegrationSuite.TestS3WithFederatedToken"
196 conn1 := s.testClusters["z1111"].Conn()
197 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
198 userctx1, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
199 conn3 := s.testClusters["z3333"].Conn()
201 createColl := func(clusterID string) arvados.Collection {
202 _, ac, kc := s.testClusters[clusterID].ClientsWithToken(ac1.AuthToken)
203 var coll arvados.Collection
204 fs, err := coll.FileSystem(ac, kc)
205 c.Assert(err, check.IsNil)
206 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
207 c.Assert(err, check.IsNil)
208 _, err = io.WriteString(f, testText)
209 c.Assert(err, check.IsNil)
211 c.Assert(err, check.IsNil)
212 mtxt, err := fs.MarshalManifest(".")
213 c.Assert(err, check.IsNil)
214 coll, err = s.testClusters[clusterID].Conn().CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
215 "manifest_text": mtxt,
217 c.Assert(err, check.IsNil)
221 for _, trial := range []struct {
222 clusterID string // create the collection on this cluster (then use z3333 to access it)
225 // Try the hardest test first: z3333 hasn't seen
226 // z1111's token yet, and we're just passing the
227 // opaque secret part, so z3333 has to guess that it
229 {"z1111", strings.Split(ac1.AuthToken, "/")[2]},
230 {"z3333", strings.Split(ac1.AuthToken, "/")[2]},
231 {"z1111", strings.Replace(ac1.AuthToken, "/", "_", -1)},
232 {"z3333", strings.Replace(ac1.AuthToken, "/", "_", -1)},
234 c.Logf("================ %v", trial)
235 coll := createColl(trial.clusterID)
237 cfgjson, err := conn3.ConfigGet(userctx1)
238 c.Assert(err, check.IsNil)
239 var cluster arvados.Cluster
240 err = json.Unmarshal(cfgjson, &cluster)
241 c.Assert(err, check.IsNil)
243 c.Logf("TokenV2 is %s", ac1.AuthToken)
244 host := cluster.Services.WebDAV.ExternalURL.Host
246 "--ssl", "--no-check-certificate",
247 "--host=" + host, "--host-bucket=" + host,
248 "--access_key=" + trial.token, "--secret_key=" + trial.token,
250 buf, err := exec.Command("s3cmd", append(s3args, "ls", "s3://"+coll.UUID)...).CombinedOutput()
251 c.Check(err, check.IsNil)
252 c.Check(string(buf), check.Matches, `.* `+fmt.Sprintf("%d", len(testText))+` +s3://`+coll.UUID+`/test.txt\n`)
254 buf, _ = exec.Command("s3cmd", append(s3args, "get", "s3://"+coll.UUID+"/test.txt", c.MkDir()+"/tmpfile")...).CombinedOutput()
255 // Command fails because we don't return Etag header.
256 flen := strconv.Itoa(len(testText))
257 c.Check(string(buf), check.Matches, `(?ms).*`+flen+` (bytes in|of `+flen+`).*`)
261 func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
262 conn1 := s.testClusters["z1111"].Conn()
263 conn3 := s.testClusters["z3333"].Conn()
264 rootctx1, rootac1, rootkc1 := s.testClusters["z1111"].RootClients()
265 anonctx3, anonac3, _ := s.testClusters["z3333"].AnonymousClients()
267 // Make sure anonymous token was set
268 c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")
270 // Create the collection to find its PDH (but don't save it
272 var coll1 arvados.Collection
273 fs1, err := coll1.FileSystem(rootac1, rootkc1)
274 c.Assert(err, check.IsNil)
275 f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
276 c.Assert(err, check.IsNil)
277 _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous")
278 c.Assert(err, check.IsNil)
280 c.Assert(err, check.IsNil)
281 mtxt, err := fs1.MarshalManifest(".")
282 c.Assert(err, check.IsNil)
283 pdh := arvados.PortableDataHash(mtxt)
285 // Save the collection on cluster z1111.
286 coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
287 "manifest_text": mtxt,
289 c.Assert(err, check.IsNil)
291 // Share it with the anonymous users group.
292 var outLink arvados.Link
293 err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil,
294 map[string]interface{}{"link": map[string]interface{}{
295 "link_class": "permission",
297 "tail_uuid": "z1111-j7d0g-anonymouspublic",
298 "head_uuid": coll1.UUID,
301 c.Check(err, check.IsNil)
303 // Current user should be z3 anonymous user
304 outUser, err := anonac3.CurrentUser()
305 c.Check(err, check.IsNil)
306 c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic")
308 // Get the token uuid
309 var outAuth arvados.APIClientAuthorization
310 err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
311 c.Check(err, check.IsNil)
313 // Make a v2 token of the z3 anonymous user, and use it on z1
314 _, anonac1, _ := s.testClusters["z1111"].ClientsWithToken(outAuth.TokenV2())
315 outUser2, err := anonac1.CurrentUser()
316 c.Check(err, check.IsNil)
317 // z3 anonymous user will be mapped to the z1 anonymous user
318 c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")
320 // Retrieve the collection (which is on z1) using anonymous from cluster z3333.
321 coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
322 c.Check(err, check.IsNil)
323 c.Check(coll.PortableDataHash, check.Equals, pdh)
326 // Get a token from the login cluster (z1111), use it to submit a
327 // container request on z2222.
328 func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
329 conn1 := s.testClusters["z1111"].Conn()
330 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
331 _, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
333 // Use ac2 to get the discovery doc with a blank token, so the
334 // SDK doesn't magically pass the z1111 token to z2222 before
335 // we're ready to start our test.
336 _, ac2, _ := s.testClusters["z2222"].ClientsWithToken("")
337 var dd map[string]interface{}
338 err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
339 c.Assert(err, check.IsNil)
346 cr arvados.ContainerRequest
348 json.NewEncoder(&body).Encode(map[string]interface{}{
349 "container_request": map[string]interface{}{
350 "command": []string{"echo"},
351 "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
356 ac2.AuthToken = ac1.AuthToken
358 c.Log("...post CR with good (but not yet cached) token")
359 cr = arvados.ContainerRequest{}
360 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
361 c.Assert(err, check.IsNil)
362 req.Header.Set("Content-Type", "application/json")
363 err = ac2.DoAndDecode(&cr, req)
364 c.Logf("err == %#v", err)
366 c.Log("...get user with good token")
368 req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
369 c.Assert(err, check.IsNil)
370 err = ac2.DoAndDecode(&u, req)
371 c.Check(err, check.IsNil)
372 c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
374 c.Log("...post CR with good cached token")
375 cr = arvados.ContainerRequest{}
376 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
377 c.Assert(err, check.IsNil)
378 req.Header.Set("Content-Type", "application/json")
379 err = ac2.DoAndDecode(&cr, req)
380 c.Check(err, check.IsNil)
381 c.Check(cr.UUID, check.Matches, "z2222-.*")
383 c.Log("...post with good cached token ('OAuth2 ...')")
384 cr = arvados.ContainerRequest{}
385 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
386 c.Assert(err, check.IsNil)
387 req.Header.Set("Content-Type", "application/json")
388 req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
389 resp, err = arvados.InsecureHTTPClient.Do(req)
390 if c.Check(err, check.IsNil) {
391 err = json.NewDecoder(resp.Body).Decode(&cr)
392 c.Check(err, check.IsNil)
393 c.Check(cr.UUID, check.Matches, "z2222-.*")
397 // Test for bug #16263
398 func (s *IntegrationSuite) TestListUsers(c *check.C) {
399 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
400 conn1 := s.testClusters["z1111"].Conn()
401 conn3 := s.testClusters["z3333"].Conn()
402 userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
404 // Make sure LoginCluster is properly configured
405 for cls := range s.testClusters {
407 s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
408 check.Equals, "z1111",
409 check.Commentf("incorrect LoginCluster config on cluster %q", cls))
411 // Make sure z1111 has users with NULL usernames
412 lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
413 Limit: math.MaxInt64, // check that large limit works (see #16263)
415 nullUsername := false
416 c.Assert(err, check.IsNil)
417 c.Assert(len(lst.Items), check.Not(check.Equals), 0)
418 for _, user := range lst.Items {
419 if user.Username == "" {
423 c.Assert(nullUsername, check.Equals, true)
425 user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
426 c.Assert(err, check.IsNil)
427 c.Check(user1.IsActive, check.Equals, true)
429 // Ask for the user list on z3333 using z1111's system root token
430 lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
431 c.Assert(err, check.IsNil)
433 for _, user := range lst.Items {
434 if user.UUID == user1.UUID {
435 c.Check(user.IsActive, check.Equals, true)
440 c.Check(found, check.Equals, true)
442 // Deactivate user acct on z1111
443 _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
444 c.Assert(err, check.IsNil)
446 // Get user list from z3333, check the returned z1111 user is
448 lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
449 c.Assert(err, check.IsNil)
451 for _, user := range lst.Items {
452 if user.UUID == user1.UUID {
453 c.Check(user.IsActive, check.Equals, false)
458 c.Check(found, check.Equals, true)
460 // Deactivated user can see is_active==false via "get current
462 user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
463 c.Assert(err, check.IsNil)
464 c.Check(user1.IsActive, check.Equals, false)
467 func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
468 conn1 := s.testClusters["z1111"].Conn()
469 conn3 := s.testClusters["z3333"].Conn()
470 rootctx1, rootac1, _ := s.testClusters["z1111"].RootClients()
472 // Create user on LoginCluster z1111
473 _, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
475 // Make a new root token (because rootClients() uses SystemRootToken)
476 var outAuth arvados.APIClientAuthorization
477 err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
478 c.Check(err, check.IsNil)
480 // Make a v2 root token to communicate with z3333
481 rootctx3, rootac3, _ := s.testClusters["z3333"].ClientsWithToken(outAuth.TokenV2())
483 // Create VM on z3333
484 var outVM arvados.VirtualMachine
485 err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
486 map[string]interface{}{"virtual_machine": map[string]interface{}{
487 "hostname": "example",
490 c.Check(outVM.UUID[0:5], check.Equals, "z3333")
491 c.Check(err, check.IsNil)
493 // Make sure z3333 user list is up to date
494 _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
495 c.Check(err, check.IsNil)
497 // Try to set up user on z3333 with the VM
498 _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
499 c.Check(err, check.IsNil)
501 var outLinks arvados.LinkList
502 err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
505 Filters: []arvados.Filter{
519 Operand: "can_login",
524 Operand: "permission",
526 c.Check(err, check.IsNil)
528 c.Check(len(outLinks.Items), check.Equals, 1)
531 func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
532 conn1 := s.testClusters["z1111"].Conn()
533 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
534 s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
536 accesstoken := s.oidcprovider.ValidAccessToken()
538 for _, clusterID := range []string{"z1111", "z2222"} {
539 c.Logf("trying clusterid %s", clusterID)
541 conn := s.testClusters[clusterID].Conn()
542 ctx, ac, kc := s.testClusters[clusterID].ClientsWithToken(accesstoken)
544 var coll arvados.Collection
546 // Write some file data and create a collection
548 fs, err := coll.FileSystem(ac, kc)
549 c.Assert(err, check.IsNil)
550 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
551 c.Assert(err, check.IsNil)
552 _, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth")
553 c.Assert(err, check.IsNil)
555 c.Assert(err, check.IsNil)
556 mtxt, err := fs.MarshalManifest(".")
557 c.Assert(err, check.IsNil)
558 coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{
559 "manifest_text": mtxt,
561 c.Assert(err, check.IsNil)
564 // Read the collection & file data
566 user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
567 c.Assert(err, check.IsNil)
568 c.Check(user.FullName, check.Equals, "Example User")
569 coll, err = conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID})
570 c.Assert(err, check.IsNil)
571 c.Check(coll.ManifestText, check.Not(check.Equals), "")
572 fs, err := coll.FileSystem(ac, kc)
573 c.Assert(err, check.IsNil)
574 f, err := fs.Open("test.txt")
575 c.Assert(err, check.IsNil)
576 buf, err := ioutil.ReadAll(f)
577 c.Assert(err, check.IsNil)
578 c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth"))