3 class Arvados::V1::ReaderTokensTest < ActionController::IntegrationTest
# Returns the uuid of the owned_by_spectator specimen fixture.
# NOTE(review): presumably the body of the `spectator_specimen` helper used by
# the tests below — its `def`/`end` lines are not in this excerpt; confirm.
7 specimens(:owned_by_spectator).uuid
# Issues GET /arvados/v1/specimens with an optional reader token and an
# optional primary credential, so each test can combine them independently.
#
# @param main_auth [Symbol, nil] api-token fixture whose credentials go into
#   the request headers via `auth`; nil sends no primary credential
# @param read_auth [Symbol, nil] api-token fixture sent as a `reader_tokens`
#   param; nil sends none
# @return whatever `get` returns (the response is inspected by callers)
#
# NOTE(review): the lines initialising `params`/`headers` and the closing
# `end` are not shown in this excerpt.
10 def get_specimens(main_auth, read_auth)
# Reader tokens travel as a request parameter, not as a header.
12 params[:reader_tokens] = [api_token(read_auth)] if read_auth
# The primary credential only goes into the headers when one was given.
14 headers.merge!(auth(main_auth)) if main_auth
15 get('/arvados/v1/specimens', params, headers)
# Lists specimens with the given credentials and returns the visible uuids.
#
# @param main_auth [Symbol, nil] see get_specimens
# @param read_auth [Symbol, nil] see get_specimens
# @return [Array<String>] uuids of the `items` in the JSON response
#
# Fails the calling test if the listing itself is not a :success response,
# so a permission check that yields 401/403 shows up as an assertion failure
# rather than an empty uuid list. Closing `end` not shown in this excerpt.
18 def get_specimen_uuids(main_auth, read_auth)
19 get_specimens(main_auth, read_auth)
20 assert_response :success
21 json_response['items'].map { |spec| spec['uuid'] }
# Sanity check for the fixtures: the positive reader-token tests below are only
# meaningful if the :active user cannot already read this specimen on its own.
24 test "active user can't see spectator specimen" do
25 # Other tests in this suite assume that the active user doesn't
26 # have read permission to the owned_by_spectator specimen.
27 # This test checks that this assumption still holds.
# No reader token is sent here (read_auth = nil); only the primary credential.
28 refute_includes(get_specimen_uuids(:active, nil), spectator_specimen,
29 ["active user can read the owned_by_spectator specimen",
30 "other tests will return false positives"].join(" - "))
# Generates one read test and one write test for each combination of primary
# credential (none, or a token with no scopes) and reader token (spectator's
# full token, or a token named as specimen-scoped). The reader token should
# grant read access in every combination and write access in none.
33 [nil, :active_noscope].each do |main_auth|
34 [:spectator, :spectator_specimens].each do |read_auth|
35 test "#{main_auth} auth with reader token #{read_auth} can read" do
36 assert_includes(get_specimen_uuids(main_auth, read_auth),
37 spectator_specimen, "did not find spectator specimen")
# A reader token must be read-only: a POST carrying it (with or without a
# primary credential) is expected to be rejected.
40 test "#{main_auth} auth with reader token #{read_auth} can't write" do
# NOTE(review): main_auth is nil on the first pass of the outer loop, so this
# relies on `auth(nil)` returning usable headers — not visible here; confirm.
42 headers = auth(main_auth)
# `expected` (the rejection status) is assigned on lines not shown in this
# excerpt; the `end`s closing the tests and loops are not shown either.
48 post('/arvados/v1/specimens.json',
49 {specimen: {}, reader_tokens: [api_token(read_auth)]}, headers)
50 assert_response expected
# A reader token must not widen the primary credential's scope: here the
# primary token has no scopes and the reader token is the one named as
# specimen-scoped, and the request targets a different resource (collections).
# The assertion on the response and the closing `end` are not shown in this
# excerpt.
55 test "scopes are still limited with reader tokens" do
56 get('/arvados/v1/collections',
57 {reader_tokens: [api_token(:spectator_specimens)]},
58 auth(:active_noscope))
# An expired reader token must be treated as if no reader token were sent.
# Uses get_specimens directly (not get_specimen_uuids) so that a non-success
# response can be asserted; the assertion and closing `end` are not shown in
# this excerpt.
62 test "reader tokens grant no permissions when expired" do
63 get_specimens(:active_noscope, :expired)
# A reader token whose scope (by fixture name, :admin_vm) does not cover the
# specimens endpoint must not make the spectator specimen visible, even though
# the listing itself succeeds for the :active primary credential.
# Closing `end` not shown in this excerpt.
67 test "reader tokens grant no permissions outside their scope" do
68 refute_includes(get_specimen_uuids(:active, :admin_vm), spectator_specimen,
69 "scoped reader token granted permissions out of scope")