17296: Merge branch 'master'
[arvados.git] / lib / controller / federation / user_test.go
1 // Copyright (C) The Arvados Authors. All rights reserved.
2 //
3 // SPDX-License-Identifier: AGPL-3.0
4
5 package federation
6
7 import (
8         "context"
9         "encoding/json"
10         "errors"
11         "math"
12         "net/url"
13         "os"
14         "strings"
15
16         "git.arvados.org/arvados.git/lib/controller/rpc"
17         "git.arvados.org/arvados.git/sdk/go/arvados"
18         "git.arvados.org/arvados.git/sdk/go/arvadostest"
19         "git.arvados.org/arvados.git/sdk/go/auth"
20         "git.arvados.org/arvados.git/sdk/go/ctxlog"
21         check "gopkg.in/check.v1"
22 )
23
24 var _ = check.Suite(&UserSuite{})
25
26 type UserSuite struct {
27         FederationSuite
28 }
29
30 func (s *UserSuite) TestLoginClusterUserList(c *check.C) {
31         s.cluster.ClusterID = "local"
32         s.cluster.Login.LoginCluster = "zzzzz"
33         s.fed = New(s.cluster)
34         s.addDirectRemote(c, "zzzzz", rpc.NewConn("zzzzz", &url.URL{Scheme: "https", Host: os.Getenv("ARVADOS_API_HOST")}, true, rpc.PassthroughTokenProvider))
35
36         for _, updateFail := range []bool{false, true} {
37                 for _, opts := range []arvados.ListOptions{
38                         {Offset: 0, Limit: -1, Select: nil},
39                         {Offset: 0, Limit: math.MaxInt64, Select: nil},
40                         {Offset: 1, Limit: 1, Select: nil},
41                         {Offset: 0, Limit: 2, Select: []string{"uuid"}},
42                         {Offset: 0, Limit: 2, Select: []string{"uuid", "email"}},
43                 } {
44                         c.Logf("updateFail %v, opts %#v", updateFail, opts)
45                         spy := arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
46                         stub := &arvadostest.APIStub{Error: errors.New("local cluster failure")}
47                         if updateFail {
48                                 s.fed.local = stub
49                         } else {
50                                 s.fed.local = rpc.NewConn(s.cluster.ClusterID, spy.URL, true, rpc.PassthroughTokenProvider)
51                         }
52                         userlist, err := s.fed.UserList(s.ctx, opts)
53                         if err != nil {
54                                 c.Logf("... UserList failed %q", err)
55                         }
56                         if updateFail && err == nil {
57                                 // All local updates fail, so the only
58                                 // cases expected to succeed are the
59                                 // ones with 0 results.
60                                 c.Check(userlist.Items, check.HasLen, 0)
61                                 c.Check(stub.Calls(nil), check.HasLen, 0)
62                         } else if updateFail {
63                                 c.Logf("... err %#v", err)
64                                 calls := stub.Calls(stub.UserBatchUpdate)
65                                 if c.Check(calls, check.HasLen, 1) {
66                                         c.Logf("... stub.UserUpdate called with options: %#v", calls[0].Options)
67                                         shouldUpdate := map[string]bool{
68                                                 "uuid":       false,
69                                                 "email":      true,
70                                                 "first_name": true,
71                                                 "last_name":  true,
72                                                 "is_admin":   true,
73                                                 "is_active":  true,
74                                                 "prefs":      true,
75                                                 // can't safely update locally
76                                                 "owner_uuid":   false,
77                                                 "identity_url": false,
78                                                 // virtual attrs
79                                                 "full_name":  false,
80                                                 "is_invited": false,
81                                         }
82                                         if opts.Select != nil {
83                                                 // Only the selected
84                                                 // fields (minus uuid)
85                                                 // should be updated.
86                                                 for k := range shouldUpdate {
87                                                         shouldUpdate[k] = false
88                                                 }
89                                                 for _, k := range opts.Select {
90                                                         if k != "uuid" {
91                                                                 shouldUpdate[k] = true
92                                                         }
93                                                 }
94                                         }
95                                         var uuid string
96                                         for uuid = range calls[0].Options.(arvados.UserBatchUpdateOptions).Updates {
97                                         }
98                                         for k, shouldFind := range shouldUpdate {
99                                                 _, found := calls[0].Options.(arvados.UserBatchUpdateOptions).Updates[uuid][k]
100                                                 c.Check(found, check.Equals, shouldFind, check.Commentf("offending attr: %s", k))
101                                         }
102                                 }
103                         } else {
104                                 updates := 0
105                                 for _, d := range spy.RequestDumps {
106                                         d := string(d)
107                                         if strings.Contains(d, "PATCH /arvados/v1/users/batch") {
108                                                 c.Check(d, check.Matches, `(?ms).*Authorization: Bearer `+arvadostest.SystemRootToken+`.*`)
109                                                 updates++
110                                         }
111                                 }
112                                 c.Check(err, check.IsNil)
113                                 c.Check(updates, check.Equals, 1)
114                                 c.Logf("... response items %#v", userlist.Items)
115                         }
116                 }
117         }
118 }
119
120 func (s *UserSuite) TestLoginClusterUserGet(c *check.C) {
121         s.cluster.ClusterID = "local"
122         s.cluster.Login.LoginCluster = "zzzzz"
123         s.fed = New(s.cluster)
124         s.addDirectRemote(c, "zzzzz", rpc.NewConn("zzzzz", &url.URL{Scheme: "https", Host: os.Getenv("ARVADOS_API_HOST")}, true, rpc.PassthroughTokenProvider))
125
126         opts := arvados.GetOptions{UUID: "zzzzz-tpzed-xurymjxw79nv3jz", Select: []string{"uuid", "email"}}
127
128         stub := &arvadostest.APIStub{Error: errors.New("local cluster failure")}
129         s.fed.local = stub
130         s.fed.UserGet(s.ctx, opts)
131
132         calls := stub.Calls(stub.UserBatchUpdate)
133         if c.Check(calls, check.HasLen, 1) {
134                 c.Logf("... stub.UserUpdate called with options: %#v", calls[0].Options)
135                 shouldUpdate := map[string]bool{
136                         "uuid":       false,
137                         "email":      true,
138                         "first_name": true,
139                         "last_name":  true,
140                         "is_admin":   true,
141                         "is_active":  true,
142                         "prefs":      true,
143                         // can't safely update locally
144                         "owner_uuid":   false,
145                         "identity_url": false,
146                         // virtual attrs
147                         "full_name":  false,
148                         "is_invited": false,
149                 }
150                 if opts.Select != nil {
151                         // Only the selected
152                         // fields (minus uuid)
153                         // should be updated.
154                         for k := range shouldUpdate {
155                                 shouldUpdate[k] = false
156                         }
157                         for _, k := range opts.Select {
158                                 if k != "uuid" {
159                                         shouldUpdate[k] = true
160                                 }
161                         }
162                 }
163                 var uuid string
164                 for uuid = range calls[0].Options.(arvados.UserBatchUpdateOptions).Updates {
165                 }
166                 for k, shouldFind := range shouldUpdate {
167                         _, found := calls[0].Options.(arvados.UserBatchUpdateOptions).Updates[uuid][k]
168                         c.Check(found, check.Equals, shouldFind, check.Commentf("offending attr: %s", k))
169                 }
170         }
171
172 }
173
174 func (s *UserSuite) TestLoginClusterUserListBypassFederation(c *check.C) {
175         s.cluster.ClusterID = "local"
176         s.cluster.Login.LoginCluster = "zzzzz"
177         s.fed = New(s.cluster)
178         s.addDirectRemote(c, "zzzzz", rpc.NewConn("zzzzz", &url.URL{Scheme: "https", Host: os.Getenv("ARVADOS_API_HOST")},
179                 true, rpc.PassthroughTokenProvider))
180
181         spy := arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
182         s.fed.local = rpc.NewConn(s.cluster.ClusterID, spy.URL, true, rpc.PassthroughTokenProvider)
183
184         _, err := s.fed.UserList(s.ctx, arvados.ListOptions{Offset: 0, Limit: math.MaxInt64, Select: nil, BypassFederation: true})
185         // this will fail because it is not using a root token
186         c.Check(err.(*arvados.TransactionError).StatusCode, check.Equals, 403)
187
188         // Now use SystemRootToken
189         ctx := context.Background()
190         ctx = ctxlog.Context(ctx, ctxlog.TestLogger(c))
191         ctx = auth.NewContext(ctx, &auth.Credentials{Tokens: []string{arvadostest.SystemRootToken}})
192
193         // Assert that it did not try to batch update users.
194         _, err = s.fed.UserList(ctx, arvados.ListOptions{Offset: 0, Limit: math.MaxInt64, Select: nil, BypassFederation: true})
195         for _, d := range spy.RequestDumps {
196                 d := string(d)
197                 if strings.Contains(d, "PATCH /arvados/v1/users/batch") {
198                         c.Fail()
199                 }
200         }
201         c.Check(err, check.IsNil)
202 }
203
204 // userAttrsCachedFromLoginCluster must have an entry for every field
205 // in the User struct.
206 func (s *UserSuite) TestUserAttrsUpdateWhitelist(c *check.C) {
207         buf, err := json.Marshal(&arvados.User{})
208         c.Assert(err, check.IsNil)
209         var allFields map[string]interface{}
210         err = json.Unmarshal(buf, &allFields)
211         c.Assert(err, check.IsNil)
212         for k := range allFields {
213                 _, ok := userAttrsCachedFromLoginCluster[k]
214                 c.Check(ok, check.Equals, true, check.Commentf("field name %q missing from userAttrsCachedFromLoginCluster", k))
215         }
216 }