services/api/test/unit/container_test.rb

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: AGPL-3.0
   4
   5 require 'test_helper'
   6 require 'helpers/container_test_helper'
   7
   8 class ContainerTest < ActiveSupport::TestCase
   9   include DbCurrentTime
  10   include ContainerTestHelper
  11
  12   DEFAULT_ATTRS = {
  13     command: ['echo', 'foo'],
  14     container_image: 'fa3c1a9cb6783f85f2ecda037e07b8c3+167',
  15     output_path: '/tmp',
  16     priority: 1,
  17     runtime_constraints: {"vcpus" => 1, "ram" => 1},
  18   }
  19
  20   REUSABLE_COMMON_ATTRS = {
  21     container_image: "9ae44d5792468c58bcf85ce7353c7027+124",
  22     cwd: "test",
  23     command: ["echo", "hello"],
  24     output_path: "test",
  25     runtime_constraints: {
  26       "ram" => 12000000000,
  27       "vcpus" => 4,
  28     },
  29     mounts: {
  30       "test" => {"kind" => "json"},
  31     },
  32     environment: {
  33       "var" => "val",
  34     },
  35     secret_mounts: {},
  36   }
  37
  38   def minimal_new attrs={}
  39     cr = ContainerRequest.new DEFAULT_ATTRS.merge(attrs)
  40     cr.state = ContainerRequest::Committed
  41     act_as_user users(:active) do
  42       cr.save!
  43     end
  44     c = Container.find_by_uuid cr.container_uuid
  45     assert_not_nil c
  46     return c, cr
  47   end
  48
  49   def check_illegal_updates c, bad_updates
  50     bad_updates.each do |u|
  51       refute c.update_attributes(u), u.inspect
  52       refute c.valid?, u.inspect
  53       c.reload
  54     end
  55   end
  56
  57   def check_illegal_modify c
  58     check_illegal_updates c, [{command: ["echo", "bar"]},
  59                               {container_image: "arvados/apitestfixture:june10"},
  60                               {cwd: "/tmp2"},
  61                               {environment: {"FOO" => "BAR"}},
  62                               {mounts: {"FOO" => "BAR"}},
  63                               {output_path: "/tmp3"},
  64                               {locked_by_uuid: "zzzzz-gj3su-027z32aux8dg2s1"},
  65                               {auth_uuid: "zzzzz-gj3su-017z32aux8dg2s1"},
  66                               {runtime_constraints: {"FOO" => "BAR"}}]
  67   end
  68
  69   def check_bogus_states c
  70     check_illegal_updates c, [{state: nil},
  71                               {state: "Flubber"}]
  72   end
  73
  74   def check_no_change_from_cancelled c
  75     check_illegal_modify c
  76     check_bogus_states c
  77     check_illegal_updates c, [{ priority: 3 },
  78                               { state: Container::Queued },
  79                               { state: Container::Locked },
  80                               { state: Container::Running },
  81                               { state: Container::Complete }]
  82   end
  83
  84   test "Container create" do
  85     act_as_system_user do
  86       c, _ = minimal_new(environment: {},
  87                       mounts: {"BAR" => "FOO"},
  88                       output_path: "/tmp",
  89                       priority: 1,
  90                       runtime_constraints: {"vcpus" => 1, "ram" => 1})
  91
  92       check_illegal_modify c
  93       check_bogus_states c
  94
  95       c.reload
  96       c.priority = 2
  97       c.save!
  98     end
  99   end
 100
 101   test "Container valid priority" do
 102     act_as_system_user do
 103       c, _ = minimal_new(environment: {},
 104                       mounts: {"BAR" => "FOO"},
 105                       output_path: "/tmp",
 106                       priority: 1,
 107                       runtime_constraints: {"vcpus" => 1, "ram" => 1})
 108
 109       assert_raises(ActiveRecord::RecordInvalid) do
 110         c.priority = -1
 111         c.save!
 112       end
 113
 114       c.priority = 0
 115       c.save!
 116
 117       c.priority = 1
 118       c.save!
 119
 120       c.priority = 500
 121       c.save!
 122
 123       c.priority = 999
 124       c.save!
 125
 126       c.priority = 1000
 127       c.save!
 128
 129       assert_raises(ActiveRecord::RecordInvalid) do
 130         c.priority = 1001
 131         c.save!
 132       end
 133     end
 134   end
 135
 136
 137   test "Container serialized hash attributes sorted before save" do
 138     env = {"C" => 3, "B" => 2, "A" => 1}
 139     m = {"F" => {"kind" => 3}, "E" => {"kind" => 2}, "D" => {"kind" => 1}}
 140     rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1}
 141     c, _ = minimal_new(environment: env, mounts: m, runtime_constraints: rc)
 142     assert_equal c.environment.to_json, Container.deep_sort_hash(env).to_json
 143     assert_equal c.mounts.to_json, Container.deep_sort_hash(m).to_json
 144     assert_equal c.runtime_constraints.to_json, Container.deep_sort_hash(rc).to_json
 145   end
 146
 147   test 'deep_sort_hash on array of hashes' do
 148     a = {'z' => [[{'a' => 'a', 'b' => 'b'}]]}
 149     b = {'z' => [[{'b' => 'b', 'a' => 'a'}]]}
 150     assert_equal Container.deep_sort_hash(a).to_json, Container.deep_sort_hash(b).to_json
 151   end
 152
 153   test "find_reusable method should select higher priority queued container" do
 154     set_user_from_auth :active
 155     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
 156     c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
 157     c_high_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:2}))
 158     assert_not_equal c_low_priority.uuid, c_high_priority.uuid
 159     assert_equal Container::Queued, c_low_priority.state
 160     assert_equal Container::Queued, c_high_priority.state
 161     reused = Container.find_reusable(common_attrs)
 162     assert_not_nil reused
 163     assert_equal reused.uuid, c_high_priority.uuid
 164   end
 165
 166   test "find_reusable method should select latest completed container" do
 167     set_user_from_auth :active
 168     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "complete"}})
 169     completed_attrs = {
 170       state: Container::Complete,
 171       exit_code: 0,
 172       log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
 173       output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'
 174     }
 175
 176     c_older, _ = minimal_new(common_attrs.merge({use_existing: false}))
 177     c_recent, _ = minimal_new(common_attrs.merge({use_existing: false}))
 178     assert_not_equal c_older.uuid, c_recent.uuid
 179
 180     set_user_from_auth :dispatch1
 181     c_older.update_attributes!({state: Container::Locked})
 182     c_older.update_attributes!({state: Container::Running})
 183     c_older.update_attributes!(completed_attrs)
 184
 185     c_recent.update_attributes!({state: Container::Locked})
 186     c_recent.update_attributes!({state: Container::Running})
 187     c_recent.update_attributes!(completed_attrs)
 188
 189     reused = Container.find_reusable(common_attrs)
 190     assert_not_nil reused
 191     assert_equal reused.uuid, c_older.uuid
 192   end
 193
 194   test "find_reusable method should select oldest completed container when inconsistent outputs exist" do
 195     set_user_from_auth :active
 196     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "complete"}, priority: 1})
 197     completed_attrs = {
 198       state: Container::Complete,
 199       exit_code: 0,
 200       log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
 201     }
 202
 203     cr = ContainerRequest.new common_attrs
 204     cr.use_existing = false
 205     cr.state = ContainerRequest::Committed
 206     cr.save!
 207     c_output1 = Container.where(uuid: cr.container_uuid).first
 208
 209     cr = ContainerRequest.new common_attrs
 210     cr.use_existing = false
 211     cr.state = ContainerRequest::Committed
 212     cr.save!
 213     c_output2 = Container.where(uuid: cr.container_uuid).first
 214
 215     assert_not_equal c_output1.uuid, c_output2.uuid
 216
 217     set_user_from_auth :dispatch1
 218
 219     out1 = '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'
 220     log1 = collections(:real_log_collection).portable_data_hash
 221     c_output1.update_attributes!({state: Container::Locked})
 222     c_output1.update_attributes!({state: Container::Running})
 223     c_output1.update_attributes!(completed_attrs.merge({log: log1, output: out1}))
 224
 225     out2 = 'fa7aeb5140e2848d39b416daeef4ffc5+45'
 226     c_output2.update_attributes!({state: Container::Locked})
 227     c_output2.update_attributes!({state: Container::Running})
 228     c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
 229
 230     reused = Container.resolve(ContainerRequest.new(common_attrs))
 231     assert_equal c_output1.uuid, reused.uuid
 232   end
 233
 234   test "find_reusable method should select running container by start date" do
 235     set_user_from_auth :active
 236     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running"}})
 237     c_slower, _ = minimal_new(common_attrs.merge({use_existing: false}))
 238     c_faster_started_first, _ = minimal_new(common_attrs.merge({use_existing: false}))
 239     c_faster_started_second, _ = minimal_new(common_attrs.merge({use_existing: false}))
 240     # Confirm the 3 container UUIDs are different.
 241     assert_equal 3, [c_slower.uuid, c_faster_started_first.uuid, c_faster_started_second.uuid].uniq.length
 242     set_user_from_auth :dispatch1
 243     c_slower.update_attributes!({state: Container::Locked})
 244     c_slower.update_attributes!({state: Container::Running,
 245                                  progress: 0.1})
 246     c_faster_started_first.update_attributes!({state: Container::Locked})
 247     c_faster_started_first.update_attributes!({state: Container::Running,
 248                                                progress: 0.15})
 249     c_faster_started_second.update_attributes!({state: Container::Locked})
 250     c_faster_started_second.update_attributes!({state: Container::Running,
 251                                                 progress: 0.15})
 252     reused = Container.find_reusable(common_attrs)
 253     assert_not_nil reused
 254     # Selected container is the one that started first
 255     assert_equal reused.uuid, c_faster_started_first.uuid
 256   end
 257
 258   test "find_reusable method should select running container by progress" do
 259     set_user_from_auth :active
 260     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running2"}})
 261     c_slower, _ = minimal_new(common_attrs.merge({use_existing: false}))
 262     c_faster_started_first, _ = minimal_new(common_attrs.merge({use_existing: false}))
 263     c_faster_started_second, _ = minimal_new(common_attrs.merge({use_existing: false}))
 264     # Confirm the 3 container UUIDs are different.
 265     assert_equal 3, [c_slower.uuid, c_faster_started_first.uuid, c_faster_started_second.uuid].uniq.length
 266     set_user_from_auth :dispatch1
 267     c_slower.update_attributes!({state: Container::Locked})
 268     c_slower.update_attributes!({state: Container::Running,
 269                                  progress: 0.1})
 270     c_faster_started_first.update_attributes!({state: Container::Locked})
 271     c_faster_started_first.update_attributes!({state: Container::Running,
 272                                                progress: 0.15})
 273     c_faster_started_second.update_attributes!({state: Container::Locked})
 274     c_faster_started_second.update_attributes!({state: Container::Running,
 275                                                 progress: 0.2})
 276     reused = Container.find_reusable(common_attrs)
 277     assert_not_nil reused
 278     # Selected container is the one with most progress done
 279     assert_equal reused.uuid, c_faster_started_second.uuid
 280   end
 281
 282   test "find_reusable method should select locked container most likely to start sooner" do
 283     set_user_from_auth :active
 284     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "locked"}})
 285     c_low_priority, _ = minimal_new(common_attrs.merge({use_existing: false}))
 286     c_high_priority_older, _ = minimal_new(common_attrs.merge({use_existing: false}))
 287     c_high_priority_newer, _ = minimal_new(common_attrs.merge({use_existing: false}))
 288     # Confirm the 3 container UUIDs are different.
 289     assert_equal 3, [c_low_priority.uuid, c_high_priority_older.uuid, c_high_priority_newer.uuid].uniq.length
 290     set_user_from_auth :dispatch1
 291     c_low_priority.update_attributes!({state: Container::Locked,
 292                                        priority: 1})
 293     c_high_priority_older.update_attributes!({state: Container::Locked,
 294                                               priority: 2})
 295     c_high_priority_newer.update_attributes!({state: Container::Locked,
 296                                               priority: 2})
 297     reused = Container.find_reusable(common_attrs)
 298     assert_not_nil reused
 299     assert_equal reused.uuid, c_high_priority_older.uuid
 300   end
 301
 302   test "find_reusable method should select running over failed container" do
 303     set_user_from_auth :active
 304     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "failed_vs_running"}})
 305     c_failed, _ = minimal_new(common_attrs.merge({use_existing: false}))
 306     c_running, _ = minimal_new(common_attrs.merge({use_existing: false}))
 307     assert_not_equal c_failed.uuid, c_running.uuid
 308     set_user_from_auth :dispatch1
 309     c_failed.update_attributes!({state: Container::Locked})
 310     c_failed.update_attributes!({state: Container::Running})
 311     c_failed.update_attributes!({state: Container::Complete,
 312                                  exit_code: 42,
 313                                  log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
 314                                  output: 'ea10d51bcf88862dbcc36eb292017dfd+45'})
 315     c_running.update_attributes!({state: Container::Locked})
 316     c_running.update_attributes!({state: Container::Running,
 317                                   progress: 0.15})
 318     reused = Container.find_reusable(common_attrs)
 319     assert_not_nil reused
 320     assert_equal reused.uuid, c_running.uuid
 321   end
 322
 323   test "find_reusable method should select complete over running container" do
 324     set_user_from_auth :active
 325     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "completed_vs_running"}})
 326     c_completed, _ = minimal_new(common_attrs.merge({use_existing: false}))
 327     c_running, _ = minimal_new(common_attrs.merge({use_existing: false}))
 328     assert_not_equal c_completed.uuid, c_running.uuid
 329     set_user_from_auth :dispatch1
 330     c_completed.update_attributes!({state: Container::Locked})
 331     c_completed.update_attributes!({state: Container::Running})
 332     c_completed.update_attributes!({state: Container::Complete,
 333                                     exit_code: 0,
 334                                     log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
 335                                     output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'})
 336     c_running.update_attributes!({state: Container::Locked})
 337     c_running.update_attributes!({state: Container::Running,
 338                                   progress: 0.15})
 339     reused = Container.find_reusable(common_attrs)
 340     assert_not_nil reused
 341     assert_equal c_completed.uuid, reused.uuid
 342   end
 343
 344   test "find_reusable method should select running over locked container" do
 345     set_user_from_auth :active
 346     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running_vs_locked"}})
 347     c_locked, _ = minimal_new(common_attrs.merge({use_existing: false}))
 348     c_running, _ = minimal_new(common_attrs.merge({use_existing: false}))
 349     assert_not_equal c_running.uuid, c_locked.uuid
 350     set_user_from_auth :dispatch1
 351     c_locked.update_attributes!({state: Container::Locked})
 352     c_running.update_attributes!({state: Container::Locked})
 353     c_running.update_attributes!({state: Container::Running,
 354                                   progress: 0.15})
 355     reused = Container.find_reusable(common_attrs)
 356     assert_not_nil reused
 357     assert_equal reused.uuid, c_running.uuid
 358   end
 359
 360   test "find_reusable method should select locked over queued container" do
 361     set_user_from_auth :active
 362     common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running_vs_locked"}})
 363     c_locked, _ = minimal_new(common_attrs.merge({use_existing: false}))
 364     c_queued, _ = minimal_new(common_attrs.merge({use_existing: false}))
 365     assert_not_equal c_queued.uuid, c_locked.uuid
 366     set_user_from_auth :dispatch1
 367     c_locked.update_attributes!({state: Container::Locked})
 368     reused = Container.find_reusable(common_attrs)
 369     assert_not_nil reused
 370     assert_equal reused.uuid, c_locked.uuid
 371   end
 372
 373   test "find_reusable method should not select failed container" do
 374     set_user_from_auth :active
 375     attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "failed"}})
 376     c, _ = minimal_new(attrs)
 377     set_user_from_auth :dispatch1
 378     c.update_attributes!({state: Container::Locked})
 379     c.update_attributes!({state: Container::Running})
 380     c.update_attributes!({state: Container::Complete,
 381                           exit_code: 33})
 382     reused = Container.find_reusable(attrs)
 383     assert_nil reused
 384   end
 385
 386   test "find_reusable with logging disabled" do
 387     set_user_from_auth :active
 388     Rails.logger.expects(:info).never
 389     Container.find_reusable(REUSABLE_COMMON_ATTRS)
 390   end
 391
 392   test "find_reusable with logging enabled" do
 393     set_user_from_auth :active
 394     Rails.configuration.log_reuse_decisions = true
 395     Rails.logger.expects(:info).at_least(3)
 396     Container.find_reusable(REUSABLE_COMMON_ATTRS)
 397   end
 398
 399   test "Container running" do
 400     c, _ = minimal_new priority: 1
 401
 402     set_user_from_auth :dispatch1
 403     check_illegal_updates c, [{state: Container::Running},
 404                               {state: Container::Complete}]
 405
 406     c.lock
 407     c.update_attributes! state: Container::Running
 408
 409     check_illegal_modify c
 410     check_bogus_states c
 411
 412     check_illegal_updates c, [{state: Container::Queued}]
 413     c.reload
 414
 415     c.update_attributes! priority: 3
 416   end
 417
 418   test "Lock and unlock" do
 419     c, cr = minimal_new priority: 0
 420
 421     set_user_from_auth :dispatch1
 422     assert_equal Container::Queued, c.state
 423
 424     assert_raise(ArvadosModel::LockFailedError) do
 425       # "no priority"
 426       c.lock
 427     end
 428     c.reload
 429     assert cr.update_attributes priority: 1
 430
 431     refute c.update_attributes(state: Container::Running), "not locked"
 432     c.reload
 433     refute c.update_attributes(state: Container::Complete), "not locked"
 434     c.reload
 435
 436     assert c.lock, show_errors(c)
 437     assert c.locked_by_uuid
 438     assert c.auth_uuid
 439
 440     assert_raise(ArvadosModel::LockFailedError) {c.lock}
 441     c.reload
 442
 443     assert c.unlock, show_errors(c)
 444     refute c.locked_by_uuid
 445     refute c.auth_uuid
 446
 447     refute c.update_attributes(state: Container::Running), "not locked"
 448     c.reload
 449     refute c.locked_by_uuid
 450     refute c.auth_uuid
 451
 452     assert c.lock, show_errors(c)
 453     assert c.update_attributes(state: Container::Running), show_errors(c)
 454     assert c.locked_by_uuid
 455     assert c.auth_uuid
 456
 457     auth_uuid_was = c.auth_uuid
 458
 459     assert_raise(ArvadosModel::LockFailedError) do
 460       # Running to Locked is not allowed
 461       c.lock
 462     end
 463     c.reload
 464     assert_raise(ArvadosModel::InvalidStateTransitionError) do
 465       # Running to Queued is not allowed
 466       c.unlock
 467     end
 468     c.reload
 469
 470     assert c.update_attributes(state: Container::Complete), show_errors(c)
 471     refute c.locked_by_uuid
 472     refute c.auth_uuid
 473
 474     auth_exp = ApiClientAuthorization.find_by_uuid(auth_uuid_was).expires_at
 475     assert_operator auth_exp, :<, db_current_time
 476   end
 477
 478   test "Container queued cancel" do
 479     c, cr = minimal_new({container_count_max: 1})
 480     set_user_from_auth :dispatch1
 481     assert c.update_attributes(state: Container::Cancelled), show_errors(c)
 482     check_no_change_from_cancelled c
 483     cr.reload
 484     assert_equal ContainerRequest::Final, cr.state
 485   end
 486
 487   test "Container queued count" do
 488     assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
 489   end
 490
 491   test "Container locked cancel" do
 492     c, _ = minimal_new
 493     set_user_from_auth :dispatch1
 494     assert c.lock, show_errors(c)
 495     assert c.update_attributes(state: Container::Cancelled), show_errors(c)
 496     check_no_change_from_cancelled c
 497   end
 498
 499   test "Container locked cancel with log" do
 500     c, _ = minimal_new
 501     set_user_from_auth :dispatch1
 502     assert c.lock, show_errors(c)
 503     assert c.update_attributes(
 504              state: Container::Cancelled,
 505              log: collections(:real_log_collection).portable_data_hash,
 506            ), show_errors(c)
 507     check_no_change_from_cancelled c
 508   end
 509
 510   test "Container running cancel" do
 511     c, _ = minimal_new
 512     set_user_from_auth :dispatch1
 513     c.lock
 514     c.update_attributes! state: Container::Running
 515     c.update_attributes! state: Container::Cancelled
 516     check_no_change_from_cancelled c
 517   end
 518
 519   test "Container create forbidden for non-admin" do
 520     set_user_from_auth :active_trustedclient
 521     c = Container.new DEFAULT_ATTRS
 522     c.environment = {}
 523     c.mounts = {"BAR" => "FOO"}
 524     c.output_path = "/tmp"
 525     c.priority = 1
 526     c.runtime_constraints = {}
 527     assert_raises(ArvadosModel::PermissionDeniedError) do
 528       c.save!
 529     end
 530   end
 531
 532   test "Container only set exit code on complete" do
 533     c, _ = minimal_new
 534     set_user_from_auth :dispatch1
 535     c.lock
 536     c.update_attributes! state: Container::Running
 537
 538     check_illegal_updates c, [{exit_code: 1},
 539                               {exit_code: 1, state: Container::Cancelled}]
 540
 541     assert c.update_attributes(exit_code: 1, state: Container::Complete)
 542   end
 543
 544   test "locked_by_uuid can set output on running container" do
 545     c, _ = minimal_new
 546     set_user_from_auth :dispatch1
 547     c.lock
 548     c.update_attributes! state: Container::Running
 549
 550     assert_equal c.locked_by_uuid, Thread.current[:api_client_authorization].uuid
 551
 552     assert c.update_attributes output: collections(:collection_owned_by_active).portable_data_hash
 553     assert c.update_attributes! state: Container::Complete
 554   end
 555
 556   test "auth_uuid can set output on running container, but not change container state" do
 557     c, _ = minimal_new
 558     set_user_from_auth :dispatch1
 559     c.lock
 560     c.update_attributes! state: Container::Running
 561
 562     Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
 563     Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
 564     assert c.update_attributes output: collections(:collection_owned_by_active).portable_data_hash
 565
 566     assert_raises ArvadosModel::PermissionDeniedError do
 567       # auth_uuid cannot set container state
 568       c.update_attributes state: Container::Complete
 569     end
 570   end
 571
 572   test "not allowed to set output that is not readable by current user" do
 573     c, _ = minimal_new
 574     set_user_from_auth :dispatch1
 575     c.lock
 576     c.update_attributes! state: Container::Running
 577
 578     Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
 579     Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
 580
 581     assert_raises ActiveRecord::RecordInvalid do
 582       c.update_attributes! output: collections(:collection_not_readable_by_active).portable_data_hash
 583     end
 584   end
 585
 586   test "other token cannot set output on running container" do
 587     c, _ = minimal_new
 588     set_user_from_auth :dispatch1
 589     c.lock
 590     c.update_attributes! state: Container::Running
 591
 592     set_user_from_auth :running_to_be_deleted_container_auth
 593     assert_raises ArvadosModel::PermissionDeniedError do
 594       c.update_attributes! output: collections(:foo_file).portable_data_hash
 595     end
 596   end
 597
 598   test "can set trashed output on running container" do
 599     c, _ = minimal_new
 600     set_user_from_auth :dispatch1
 601     c.lock
 602     c.update_attributes! state: Container::Running
 603
 604     output = Collection.find_by_uuid('zzzzz-4zz18-mto52zx1s7sn3jk')
 605
 606     assert output.is_trashed
 607     assert c.update_attributes output: output.portable_data_hash
 608     assert c.update_attributes! state: Container::Complete
 609   end
 610
 611   test "not allowed to set trashed output that is not readable by current user" do
 612     c, _ = minimal_new
 613     set_user_from_auth :dispatch1
 614     c.lock
 615     c.update_attributes! state: Container::Running
 616
 617     output = Collection.find_by_uuid('zzzzz-4zz18-mto52zx1s7sn3jr')
 618
 619     Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
 620     Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
 621
 622     assert_raises ActiveRecord::RecordInvalid do
 623       c.update_attributes! output: output.portable_data_hash
 624     end
 625   end
 626
 627   [
 628     {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
 629     {state: Container::Cancelled},
 630   ].each do |final_attrs|
 631     test "secret_mounts is null after container is #{final_attrs[:state]}" do
 632       c, cr = minimal_new(secret_mounts: {'/secret' => {'kind' => 'text', 'content' => 'foo'}},
 633                           container_count_max: 1)
 634       set_user_from_auth :dispatch1
 635       c.lock
 636       c.update_attributes!(state: Container::Running)
 637       c.reload
 638       assert c.secret_mounts.has_key?('/secret')
 639
 640       c.update_attributes!(final_attrs)
 641       c.reload
 642       assert_equal({}, c.secret_mounts)
 643       cr.reload
 644       assert_equal({}, cr.secret_mounts)
 645       assert_no_secrets_logged
 646     end
 647   end
 648 end