1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
22 "git.arvados.org/arvados.git/lib/boot"
23 "git.arvados.org/arvados.git/lib/config"
24 "git.arvados.org/arvados.git/sdk/go/arvados"
25 "git.arvados.org/arvados.git/sdk/go/arvadostest"
26 "git.arvados.org/arvados.git/sdk/go/ctxlog"
27 check "gopkg.in/check.v1"
30 var _ = check.Suite(&IntegrationSuite{})
32 type IntegrationSuite struct {
33 testClusters map[string]*boot.TestCluster
34 oidcprovider *arvadostest.OIDCProvider
37 func (s *IntegrationSuite) SetUpSuite(c *check.C) {
39 c.Skip("heavy integration tests don't run with forceLegacyAPI14")
45 s.oidcprovider = arvadostest.NewOIDCProvider(c)
46 s.oidcprovider.AuthEmail = "user@example.com"
47 s.oidcprovider.AuthEmailVerified = true
48 s.oidcprovider.AuthName = "Example User"
49 s.oidcprovider.ValidClientID = "clientid"
50 s.oidcprovider.ValidClientSecret = "clientsecret"
52 s.testClusters = map[string]*boot.TestCluster{
57 hostport := map[string]string{}
58 for id := range s.testClusters {
59 hostport[id] = func() string {
60 // TODO: Instead of expecting random ports on
61 // 127.0.0.11, 22, 33 to be race-safe, try
62 // different 127.x.y.z until finding one that
64 ln, err := net.Listen("tcp", ":0")
65 c.Assert(err, check.IsNil)
67 _, port, err := net.SplitHostPort(ln.Addr().String())
68 c.Assert(err, check.IsNil)
69 return "127.0.0." + id[3:] + ":" + port
72 for id := range s.testClusters {
77 ExternalURL: https://` + hostport[id] + `
84 Host: ` + hostport["z1111"] + `
92 Host: ` + hostport["z2222"] + `
101 Host: ` + hostport["z3333"] + `
114 Issuer: ` + s.oidcprovider.Issuer.URL + `
115 ClientID: ` + s.oidcprovider.ValidClientID + `
116 ClientSecret: ` + s.oidcprovider.ValidClientSecret + `
118 EmailVerifiedClaim: email_verified
127 loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
129 loader.SkipLegacy = true
130 loader.SkipAPICalls = true
131 cfg, err := loader.Load()
132 c.Assert(err, check.IsNil)
133 tc := boot.NewTestCluster(
134 filepath.Join(cwd, "..", ".."),
135 id, cfg, "127.0.0."+id[3:], c.Log)
136 s.testClusters[id] = tc
137 s.testClusters[id].Start()
139 for _, tc := range s.testClusters {
141 c.Assert(ok, check.Equals, true)
145 func (s *IntegrationSuite) TearDownSuite(c *check.C) {
146 for _, c := range s.testClusters {
151 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
152 conn1 := s.testClusters["z1111"].Conn()
153 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
154 conn3 := s.testClusters["z3333"].Conn()
155 userctx1, ac1, kc1, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
157 // Create the collection to find its PDH (but don't save it
159 var coll1 arvados.Collection
160 fs1, err := coll1.FileSystem(ac1, kc1)
161 c.Assert(err, check.IsNil)
162 f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
163 c.Assert(err, check.IsNil)
164 _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH")
165 c.Assert(err, check.IsNil)
167 c.Assert(err, check.IsNil)
168 mtxt, err := fs1.MarshalManifest(".")
169 c.Assert(err, check.IsNil)
170 pdh := arvados.PortableDataHash(mtxt)
172 // Looking up the PDH before saving returns 404 if cycle
173 // detection is working.
174 _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
175 c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`)
177 // Save the collection on cluster z1111.
178 coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
179 "manifest_text": mtxt,
181 c.Assert(err, check.IsNil)
183 // Retrieve the collection from cluster z3333.
184 coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh})
185 c.Check(err, check.IsNil)
186 c.Check(coll.PortableDataHash, check.Equals, pdh)
189 func (s *IntegrationSuite) TestS3WithFederatedToken(c *check.C) {
190 if _, err := exec.LookPath("s3cmd"); err != nil {
191 c.Skip("s3cmd not in PATH")
195 testText := "IntegrationSuite.TestS3WithFederatedToken"
197 conn1 := s.testClusters["z1111"].Conn()
198 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
199 userctx1, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
200 conn3 := s.testClusters["z3333"].Conn()
202 createColl := func(clusterID string) arvados.Collection {
203 _, ac, kc := s.testClusters[clusterID].ClientsWithToken(ac1.AuthToken)
204 var coll arvados.Collection
205 fs, err := coll.FileSystem(ac, kc)
206 c.Assert(err, check.IsNil)
207 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
208 c.Assert(err, check.IsNil)
209 _, err = io.WriteString(f, testText)
210 c.Assert(err, check.IsNil)
212 c.Assert(err, check.IsNil)
213 mtxt, err := fs.MarshalManifest(".")
214 c.Assert(err, check.IsNil)
215 coll, err = s.testClusters[clusterID].Conn().CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
216 "manifest_text": mtxt,
218 c.Assert(err, check.IsNil)
222 for _, trial := range []struct {
223 clusterID string // create the collection on this cluster (then use z3333 to access it)
226 // Try the hardest test first: z3333 hasn't seen
227 // z1111's token yet, and we're just passing the
228 // opaque secret part, so z3333 has to guess that it
230 {"z1111", strings.Split(ac1.AuthToken, "/")[2]},
231 {"z3333", strings.Split(ac1.AuthToken, "/")[2]},
232 {"z1111", strings.Replace(ac1.AuthToken, "/", "_", -1)},
233 {"z3333", strings.Replace(ac1.AuthToken, "/", "_", -1)},
235 c.Logf("================ %v", trial)
236 coll := createColl(trial.clusterID)
238 cfgjson, err := conn3.ConfigGet(userctx1)
239 c.Assert(err, check.IsNil)
240 var cluster arvados.Cluster
241 err = json.Unmarshal(cfgjson, &cluster)
242 c.Assert(err, check.IsNil)
244 c.Logf("TokenV2 is %s", ac1.AuthToken)
245 host := cluster.Services.WebDAV.ExternalURL.Host
247 "--ssl", "--no-check-certificate",
248 "--host=" + host, "--host-bucket=" + host,
249 "--access_key=" + trial.token, "--secret_key=" + trial.token,
251 buf, err := exec.Command("s3cmd", append(s3args, "ls", "s3://"+coll.UUID)...).CombinedOutput()
252 c.Check(err, check.IsNil)
253 c.Check(string(buf), check.Matches, `.* `+fmt.Sprintf("%d", len(testText))+` +s3://`+coll.UUID+`/test.txt\n`)
255 buf, _ = exec.Command("s3cmd", append(s3args, "get", "s3://"+coll.UUID+"/test.txt", c.MkDir()+"/tmpfile")...).CombinedOutput()
256 // Command fails because we don't return Etag header.
257 flen := strconv.Itoa(len(testText))
258 c.Check(string(buf), check.Matches, `(?ms).*`+flen+` (bytes in|of `+flen+`).*`)
262 func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
263 conn1 := s.testClusters["z1111"].Conn()
264 conn3 := s.testClusters["z3333"].Conn()
265 rootctx1, rootac1, rootkc1 := s.testClusters["z1111"].RootClients()
266 anonctx3, anonac3, _ := s.testClusters["z3333"].AnonymousClients()
268 // Make sure anonymous token was set
269 c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")
271 // Create the collection to find its PDH (but don't save it
273 var coll1 arvados.Collection
274 fs1, err := coll1.FileSystem(rootac1, rootkc1)
275 c.Assert(err, check.IsNil)
276 f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
277 c.Assert(err, check.IsNil)
278 _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous")
279 c.Assert(err, check.IsNil)
281 c.Assert(err, check.IsNil)
282 mtxt, err := fs1.MarshalManifest(".")
283 c.Assert(err, check.IsNil)
284 pdh := arvados.PortableDataHash(mtxt)
286 // Save the collection on cluster z1111.
287 coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
288 "manifest_text": mtxt,
290 c.Assert(err, check.IsNil)
292 // Share it with the anonymous users group.
293 var outLink arvados.Link
294 err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil,
295 map[string]interface{}{"link": map[string]interface{}{
296 "link_class": "permission",
298 "tail_uuid": "z1111-j7d0g-anonymouspublic",
299 "head_uuid": coll1.UUID,
302 c.Check(err, check.IsNil)
304 // Current user should be z3 anonymous user
305 outUser, err := anonac3.CurrentUser()
306 c.Check(err, check.IsNil)
307 c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic")
309 // Get the token uuid
310 var outAuth arvados.APIClientAuthorization
311 err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
312 c.Check(err, check.IsNil)
314 // Make a v2 token of the z3 anonymous user, and use it on z1
315 _, anonac1, _ := s.testClusters["z1111"].ClientsWithToken(outAuth.TokenV2())
316 outUser2, err := anonac1.CurrentUser()
317 c.Check(err, check.IsNil)
318 // z3 anonymous user will be mapped to the z1 anonymous user
319 c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")
321 // Retrieve the collection (which is on z1) using anonymous from cluster z3333.
322 coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
323 c.Check(err, check.IsNil)
324 c.Check(coll.PortableDataHash, check.Equals, pdh)
327 // Get a token from the login cluster (z1111), use it to submit a
328 // container request on z2222.
329 func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
330 conn1 := s.testClusters["z1111"].Conn()
331 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
332 _, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
334 // Use ac2 to get the discovery doc with a blank token, so the
335 // SDK doesn't magically pass the z1111 token to z2222 before
336 // we're ready to start our test.
337 _, ac2, _ := s.testClusters["z2222"].ClientsWithToken("")
338 var dd map[string]interface{}
339 err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
340 c.Assert(err, check.IsNil)
347 cr arvados.ContainerRequest
349 json.NewEncoder(&body).Encode(map[string]interface{}{
350 "container_request": map[string]interface{}{
351 "command": []string{"echo"},
352 "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
357 ac2.AuthToken = ac1.AuthToken
359 c.Log("...post CR with good (but not yet cached) token")
360 cr = arvados.ContainerRequest{}
361 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
362 c.Assert(err, check.IsNil)
363 req.Header.Set("Content-Type", "application/json")
364 err = ac2.DoAndDecode(&cr, req)
365 c.Logf("err == %#v", err)
367 c.Log("...get user with good token")
369 req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
370 c.Assert(err, check.IsNil)
371 err = ac2.DoAndDecode(&u, req)
372 c.Check(err, check.IsNil)
373 c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
375 c.Log("...post CR with good cached token")
376 cr = arvados.ContainerRequest{}
377 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
378 c.Assert(err, check.IsNil)
379 req.Header.Set("Content-Type", "application/json")
380 err = ac2.DoAndDecode(&cr, req)
381 c.Check(err, check.IsNil)
382 c.Check(cr.UUID, check.Matches, "z2222-.*")
384 c.Log("...post with good cached token ('OAuth2 ...')")
385 cr = arvados.ContainerRequest{}
386 req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
387 c.Assert(err, check.IsNil)
388 req.Header.Set("Content-Type", "application/json")
389 req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
390 resp, err = arvados.InsecureHTTPClient.Do(req)
391 if c.Check(err, check.IsNil) {
392 err = json.NewDecoder(resp.Body).Decode(&cr)
393 c.Check(err, check.IsNil)
394 c.Check(cr.UUID, check.Matches, "z2222-.*")
398 // Test for bug #16263
399 func (s *IntegrationSuite) TestListUsers(c *check.C) {
400 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
401 conn1 := s.testClusters["z1111"].Conn()
402 conn3 := s.testClusters["z3333"].Conn()
403 userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
405 // Make sure LoginCluster is properly configured
406 for cls := range s.testClusters {
408 s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
409 check.Equals, "z1111",
410 check.Commentf("incorrect LoginCluster config on cluster %q", cls))
412 // Make sure z1111 has users with NULL usernames
413 lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
414 Limit: math.MaxInt64, // check that large limit works (see #16263)
416 nullUsername := false
417 c.Assert(err, check.IsNil)
418 c.Assert(len(lst.Items), check.Not(check.Equals), 0)
419 for _, user := range lst.Items {
420 if user.Username == "" {
424 c.Assert(nullUsername, check.Equals, true)
426 user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
427 c.Assert(err, check.IsNil)
428 c.Check(user1.IsActive, check.Equals, true)
430 // Ask for the user list on z3333 using z1111's system root token
431 lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
432 c.Assert(err, check.IsNil)
434 for _, user := range lst.Items {
435 if user.UUID == user1.UUID {
436 c.Check(user.IsActive, check.Equals, true)
441 c.Check(found, check.Equals, true)
443 // Deactivate user acct on z1111
444 _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
445 c.Assert(err, check.IsNil)
447 // Get user list from z3333, check the returned z1111 user is
449 lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
450 c.Assert(err, check.IsNil)
452 for _, user := range lst.Items {
453 if user.UUID == user1.UUID {
454 c.Check(user.IsActive, check.Equals, false)
459 c.Check(found, check.Equals, true)
461 // Deactivated user can see is_active==false via "get current
463 user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
464 c.Assert(err, check.IsNil)
465 c.Check(user1.IsActive, check.Equals, false)
468 func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
469 conn1 := s.testClusters["z1111"].Conn()
470 conn3 := s.testClusters["z3333"].Conn()
471 rootctx1, rootac1, _ := s.testClusters["z1111"].RootClients()
473 // Create user on LoginCluster z1111
474 _, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
476 // Make a new root token (because rootClients() uses SystemRootToken)
477 var outAuth arvados.APIClientAuthorization
478 err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
479 c.Check(err, check.IsNil)
481 // Make a v2 root token to communicate with z3333
482 rootctx3, rootac3, _ := s.testClusters["z3333"].ClientsWithToken(outAuth.TokenV2())
484 // Create VM on z3333
485 var outVM arvados.VirtualMachine
486 err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
487 map[string]interface{}{"virtual_machine": map[string]interface{}{
488 "hostname": "example",
491 c.Check(outVM.UUID[0:5], check.Equals, "z3333")
492 c.Check(err, check.IsNil)
494 // Make sure z3333 user list is up to date
495 _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
496 c.Check(err, check.IsNil)
498 // Try to set up user on z3333 with the VM
499 _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
500 c.Check(err, check.IsNil)
502 var outLinks arvados.LinkList
503 err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
506 Filters: []arvados.Filter{
520 Operand: "can_login",
525 Operand: "permission",
527 c.Check(err, check.IsNil)
529 c.Check(len(outLinks.Items), check.Equals, 1)
532 func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
533 conn1 := s.testClusters["z1111"].Conn()
534 rootctx1, _, _ := s.testClusters["z1111"].RootClients()
535 s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
537 accesstoken := s.oidcprovider.ValidAccessToken()
539 for _, clusterID := range []string{"z1111", "z2222"} {
540 c.Logf("trying clusterid %s", clusterID)
542 conn := s.testClusters[clusterID].Conn()
543 ctx, ac, kc := s.testClusters[clusterID].ClientsWithToken(accesstoken)
545 var coll arvados.Collection
547 // Write some file data and create a collection
549 fs, err := coll.FileSystem(ac, kc)
550 c.Assert(err, check.IsNil)
551 f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
552 c.Assert(err, check.IsNil)
553 _, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth")
554 c.Assert(err, check.IsNil)
556 c.Assert(err, check.IsNil)
557 mtxt, err := fs.MarshalManifest(".")
558 c.Assert(err, check.IsNil)
559 coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{
560 "manifest_text": mtxt,
562 c.Assert(err, check.IsNil)
565 // Read the collection & file data
567 user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
568 c.Assert(err, check.IsNil)
569 c.Check(user.FullName, check.Equals, "Example User")
570 coll, err = conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID})
571 c.Assert(err, check.IsNil)
572 c.Check(coll.ManifestText, check.Not(check.Equals), "")
573 fs, err := coll.FileSystem(ac, kc)
574 c.Assert(err, check.IsNil)
575 f, err := fs.Open("test.txt")
576 c.Assert(err, check.IsNil)
577 buf, err := ioutil.ReadAll(f)
578 c.Assert(err, check.IsNil)
579 c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth"))