1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
11 "git.arvados.org/arvados.git/lib/config"
12 "git.arvados.org/arvados.git/lib/controller/rpc"
13 "git.arvados.org/arvados.git/lib/ctrlctx"
14 "git.arvados.org/arvados.git/sdk/go/arvados"
15 "git.arvados.org/arvados.git/sdk/go/arvadostest"
16 "git.arvados.org/arvados.git/sdk/go/auth"
17 "git.arvados.org/arvados.git/sdk/go/ctxlog"
18 "github.com/jmoiron/sqlx"
19 check "gopkg.in/check.v1"
// Register TestUserSuite with the gocheck runner so its Test* methods are executed.
22 var _ = check.Suite(&TestUserSuite{})
// TestUserSuite holds the state shared by the test-login controller tests.
//
// NOTE(review): this listing omits several source lines. The methods on this
// page also use s.db, s.ctx and s.tx, whose declarations are not visible here.
24 type TestUserSuite struct {
// cluster is the loaded cluster config; SetUpSuite enables Login.Test on it.
25 cluster *arvados.Cluster
// ctrl is the login controller under test.
26 ctrl *testLoginController
// railsSpy is a proxy in front of the Rails API (built in SetUpSuite); TestLogin
// reads the forwarded identity back from it via getCallbackAuthInfo.
27 railsSpy *arvadostest.Proxy
30 // transaction context
// SetUpSuite loads the cluster config, enables the test login provider with a
// single fixture user, and builds the controller under test with its Rails API
// connection routed through a proxy.
35 func (s *TestUserSuite) SetUpSuite(c *check.C) {
36 cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
37 c.Assert(err, check.IsNil)
38 s.cluster, err = cfg.GetCluster("")
39 c.Assert(err, check.IsNil)
// Turn on the test login provider. The credentials below are fixtures that
// exist only for this suite.
40 s.cluster.Login.Test.Enable = true
41 s.cluster.Login.Test.Users = map[string]arvados.TestUser{
// TestLogin exercises both the map key ("valid") and the email as usernames.
42 "valid": {Email: "valid@example.com", Password: "v@l1d"},
// Requests to the Rails API go through railsSpy so tests can inspect what the
// controller forwarded.
44 s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
45 s.ctrl = &testLoginController{
// NOTE(review): the third rpc.NewConn argument is true; presumably it relaxes
// TLS verification towards the test proxy -- confirm against rpc.NewConn.
47 Parent: &Conn{railsProxy: rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)},
49 s.db = arvadostest.DB(c, s.cluster)
// SetUpTest opens a database transaction for the test and attaches it to the
// context that is handed to the controller.
//
// NOTE(review): the lines after 55 are missing from this listing; s.tx (used in
// TestExpireTokenOnLogout) is presumably assigned there -- confirm.
52 func (s *TestUserSuite) SetUpTest(c *check.C) {
53 tx, err := s.db.Beginx()
54 c.Assert(err, check.IsNil)
55 s.ctx = ctrlctx.NewWithTransaction(context.Background(), tx)
// TearDownTest runs after each test.
//
// NOTE(review): its body is not part of this listing. Presumably it rolls back
// the transaction opened in SetUpTest, so that token changes made by one test
// do not leak into the next -- confirm.
59 func (s *TestUserSuite) TearDownTest(c *check.C) {
// TestLogin runs UserAuthenticate over a table of username/password trials and
// checks both outcomes: a successful login yields a usable token, a failed one
// returns an "authentication failed" error.
//
// NOTE(review): the struct field declarations, some trial rows and the lines
// that branch between the success and failure checks are missing from this
// listing.
63 func (s *TestUserSuite) TestLogin(c *check.C) {
64 for _, trial := range []struct {
// Unknown user: expected to be rejected.
69 {false, "foo", "bar"},
// The fixture user may log in by its config key or by its email address.
73 {true, "valid", "v@l1d"},
74 {true, "valid@example.com", "v@l1d"},
// Logs the whole trial, password included; acceptable only because these are
// test fixtures.
76 c.Logf("=== %#v", trial)
77 resp, err := s.ctrl.UserAuthenticate(s.ctx, arvados.UserAuthenticateOptions{
78 Username: trial.username,
79 Password: trial.password,
// Success checks (presumably guarded by the trial's bool field -- branch lines
// not shown): a non-empty token with a UUID matching zzzzz-gj3su-.* and the
// single scope "all".
82 c.Check(err, check.IsNil)
83 c.Check(resp.APIToken, check.Not(check.Equals), "")
84 c.Check(resp.UUID, check.Matches, `zzzzz-gj3su-.*`)
85 c.Check(resp.Scopes, check.DeepEquals, []string{"all"})
// The identity captured by railsSpy must carry the fixture email and no
// alternate emails, whichever username form was used to log in.
87 authinfo := getCallbackAuthInfo(c, s.railsSpy)
88 c.Check(authinfo.Email, check.Equals, "valid@example.com")
89 c.Check(authinfo.AlternateEmails, check.DeepEquals, []string(nil))
// Failure check: only the message prefix is pinned.
91 c.Check(err, check.ErrorMatches, `authentication failed.*`)
// TestLoginForm checks that Login renders an HTML form that submits via POST
// and carries the caller's ReturnTo in a hidden return_to field.
96 func (s *TestUserSuite) TestLoginForm(c *check.C) {
97 resp, err := s.ctrl.Login(s.ctx, arvados.LoginOptions{
98 ReturnTo: "https://localhost:12345/example",
100 c.Check(err, check.IsNil)
101 c.Check(resp.HTML.String(), check.Matches, `(?ms).*<form method="POST".*`)
// NOTE(review): ReturnTo is reflected into an attribute value. This trial uses
// a plain URL only, so the test does not show whether the value is HTML-escaped;
// a trial containing characters that need escaping would pin that down.
102 c.Check(resp.HTML.String(), check.Matches, `(?ms).*<input id="return_to" type="hidden" name="return_to" value="https://localhost:12345/example">.*`)
// TestExpireTokenOnLogout checks that Logout expires the token that made the
// request, and that logging out with a token that does not exist still
// succeeds and redirects.
//
// NOTE(review): some lines are missing from this listing (field declarations,
// a trial comment, the Logout options and the closing lines).
105 func (s *TestUserSuite) TestExpireTokenOnLogout(c *check.C) {
// NOTE(review): this changes the suite-wide cluster config and no reset is
// visible here, so the setting stays on for tests that run later in the suite.
106 s.cluster.Login.TrustPrivateNetworks = true
// Loopback return address; presumably accepted as a redirect target because of
// TrustPrivateNetworks -- confirm.
107 returnTo := "https://[::1]:12345/logout"
108 for _, trial := range []struct {
110 expiringTokenUUID string
111 shouldExpireToken bool
// Real fixture tokens: each must be expired by logout.
114 {arvadostest.ActiveTokenV2, arvadostest.ActiveTokenUUID, true},
116 {arvadostest.AdminToken, arvadostest.AdminTokenUUID, true},
117 // nonexistent v1 token -- logout shouldn't fail
118 {"thisdoesntexistasatoken", "", false},
119 // nonexistent v2 token -- logout shouldn't fail
120 {"v2/some-fake-uuid/thisdoesntexistasatoken", "", false},
// Logs the whole trial, request token included; these are test fixtures.
122 c.Logf("=== %#v", trial)
// Put the trial's token into the request context as the caller's credentials.
123 ctx := auth.NewContext(s.ctx, &auth.Credentials{
124 Tokens: []string{trial.requestToken},
// Parameterized query that selects the token row only while it is still valid:
// no expiry set, or an expiry later than the current UTC time.
129 qry := `SELECT uuid FROM api_client_authorizations WHERE uuid=$1 AND (expires_at IS NULL OR expires_at > current_timestamp AT TIME ZONE 'UTC') LIMIT 1`
// Before logout: the token must be found, i.e. still valid.
131 if trial.shouldExpireToken {
132 err = s.tx.QueryRowContext(ctx, qry, trial.expiringTokenUUID).Scan(&tokenUUID)
133 c.Check(err, check.IsNil)
136 resp, err := s.ctrl.Logout(ctx, arvados.LogoutOptions{
139 c.Check(err, check.IsNil)
// The redirect target must be exactly the requested return address.
140 c.Check(resp.RedirectLocation, check.Equals, returnTo)
// After logout: the same query, run through s.tx, must return no row, i.e. the
// token no longer counts as valid.
142 if trial.shouldExpireToken {
143 err = s.tx.QueryRowContext(ctx, qry, trial.expiringTokenUUID).Scan(&tokenUUID)
144 c.Check(err, check.Equals, sql.ErrNoRows)