filepath.Join(cwd, "..", ".."),
id, cfg, "127.0.0."+id[3:], c.Log)
tc.Super.NoWorkbench1 = true
+ tc.Super.NoWorkbench2 = true
tc.Start()
s.testClusters[id] = tc
}
c.Check(coll.PortableDataHash, check.Equals, pdh)
}
+// z3333 should forward the locally-issued anonymous user token to its login
+// cluster z1111. That is no problem because the login cluster controller will
+// map any anonymous user token to its local anonymous user.
+//
+// This needs to work because wb1 has a tendency to slap the local anonymous
+// user token on every request as a reader_token, which gets folded into the
+// request token list controller.
+//
+// Use a z1111 user token and the anonymous token from z3333 passed in as a
+// reader_token to do a request on z3333, asking for the z1111 anonymous user
+// object. The request will be forwarded to the z1111 cluster. The presence of
+// the z3333 anonymous user token should not prohibit the request from being
+// forwarded.
+func (s *IntegrationSuite) TestForwardAnonymousTokenToLoginCluster(c *check.C) {
+ conn1 := s.testClusters["z1111"].Conn()
+ s.testClusters["z3333"].Conn()
+
+ rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+ _, anonac3, _ := s.testClusters["z3333"].AnonymousClients()
+
+ // Make a user connection to z3333 (using a z1111 user, because that's the login cluster)
+ _, userac1, _, _ := s.testClusters["z3333"].UserClients(rootctx1, c, conn1, "user@example.com", true)
+
+ // Get the anonymous user token for z3333
+ var anon3Auth arvados.APIClientAuthorization
+ err := anonac3.RequestAndDecode(&anon3Auth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil)
+ c.Check(err, check.IsNil)
+
+ var userList arvados.UserList
+ where := make(map[string]string)
+ where["uuid"] = "z1111-tpzed-anonymouspublic"
+ err = userac1.RequestAndDecode(&userList, "GET", "/arvados/v1/users", nil,
+ map[string]interface{}{
+ "reader_tokens": []string{anon3Auth.TokenV2()},
+ "where": where,
+ },
+ )
+ // The local z3333 anonymous token must be allowed to be forwarded to the login cluster
+ c.Check(err, check.IsNil)
+
+ userac1.AuthToken = "v2/z1111-gj3su-asdfasdfasdfasd/this-token-does-not-validate-so-anonymous-token-will-be-used-instead"
+ err = userac1.RequestAndDecode(&userList, "GET", "/arvados/v1/users", nil,
+ map[string]interface{}{
+ "reader_tokens": []string{anon3Auth.TokenV2()},
+ "where": where,
+ },
+ )
+ c.Check(err, check.IsNil)
+}
+
// Get a token from the login cluster (z1111), use it to submit a
// container request on z2222.
func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
{"/arvados/v1/collections/" + coll.UUID, true, false},
{"/arvados/v1/specimens/" + specimen.UUID, false, false},
{"/arvados/v1/specimens/" + specimen.UUID, true, false},
+ // new code path (lib/controller/router etc) - single-cluster request
{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", false, true},
{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", true, true},
+ // new code path (lib/controller/router etc) - federated request
+ {"/arvados/v1/collections/z2222-4zz18-0123456789abcde", false, true},
+ {"/arvados/v1/collections/z2222-4zz18-0123456789abcde", true, true},
+ // old code path (proxyRailsAPI) - single-cluster request
{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", false, true},
{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", true, true},
+ // old code path (setupProxyRemoteCluster) - federated request
+ {"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", false, true},
+ {"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", true, true},
}
for _, tt := range tests {
} else {
c.Check(resp.StatusCode, check.Equals, http.StatusOK)
}
- if !tt.reqIdProvided {
- c.Check(resp.Header.Get("X-Request-Id"), check.Matches, "^req-[0-9a-zA-Z]{20}$")
- if tt.notFoundRequest {
- var jresp httpserver.ErrorResponse
- err := json.NewDecoder(resp.Body).Decode(&jresp)
- c.Check(err, check.IsNil)
- c.Assert(jresp.Errors, check.HasLen, 1)
- c.Check(jresp.Errors[0], check.Matches, "^.*(req-[0-9a-zA-Z]{20}).*$")
- }
+ respHdr := resp.Header.Get("X-Request-Id")
+ if tt.reqIdProvided {
+ c.Check(respHdr, check.Equals, customReqId)
} else {
- c.Check(resp.Header.Get("X-Request-Id"), check.Equals, customReqId)
- if tt.notFoundRequest {
- var jresp httpserver.ErrorResponse
- err := json.NewDecoder(resp.Body).Decode(&jresp)
- c.Check(err, check.IsNil)
- c.Assert(jresp.Errors, check.HasLen, 1)
- c.Check(jresp.Errors[0], check.Matches, "^.*("+customReqId+").*$")
- }
+ c.Check(respHdr, check.Matches, `req-[0-9a-zA-Z]{20}`)
+ }
+ if tt.notFoundRequest {
+ var jresp httpserver.ErrorResponse
+ err := json.NewDecoder(resp.Body).Decode(&jresp)
+ c.Check(err, check.IsNil)
+ c.Assert(jresp.Errors, check.HasLen, 1)
+ c.Check(jresp.Errors[0], check.Matches, `.*\(`+respHdr+`\).*`)
}
}
}
},
)
c.Assert(err, check.IsNil)
+ c.Assert(resp.APIClientID, check.Not(check.Equals), 0)
newTok := resp.TokenV2()
c.Assert(newTok, check.Not(check.Equals), "")
)
c.Assert(err, check.IsNil)
c.Assert(curUser.UUID, check.Equals, user.UUID)
+
+ // Request the ApiClientAuthorization list using the new token
+ _, userClient, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+ var acaLst arvados.APIClientAuthorizationList
+ err = userClient.RequestAndDecode(
+ &acaLst, "GET", "arvados/v1/api_client_authorizations", nil, nil,
+ )
+ c.Assert(err, check.IsNil)
}
// Test for bug #18076
projects / arvados.git / blobdiff