projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
15795: Accept SystemRootToken from configuration
[arvados.git] / services / api / test / unit / user_test.rb
diff --git a/services/api/test/unit/user_test.rb b/services/api/test/unit/user_test.rb
index 742deda0c663a0946b8eac12f224b5c072069f25..adc37cc5951d231ceef9bedae120f495ad780917 100644 (file)
--- a/services/api/test/unit/user_test.rb
+++ b/services/api/test/unit/user_test.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'test_helper'
 
 class UserTest < ActiveSupport::TestCase
@@ -106,7 +110,7 @@ class UserTest < ActiveSupport::TestCase
   end
 
   test "new username set avoiding blacklist" do
-    Rails.configuration.auto_setup_name_blacklist = ["root"]
+    Rails.configuration.Users.AutoSetupUsernameBlacklist = {"root"=>{}}
     check_new_username_setting("root", "root2")
   end
 
@@ -153,8 +157,8 @@ class UserTest < ActiveSupport::TestCase
    [false, 'bar@example.com', nil, true],
    [true, 'foo@example.com', true, nil],
    [true, 'bar@example.com', true, true],
-   [false, false, nil, nil],
-   [true, false, true, nil]
+   [false, '', nil, nil],
+   [true, '', true, nil]
   ].each do |auto_admin_first_user_config, auto_admin_user_config, foo_should_be_admin, bar_should_be_admin|
     # In each case, 'foo' is created first, then 'bar', then 'bar2', then 'baz'.
     test "auto admin with auto_admin_first=#{auto_admin_first_user_config} auto_admin=#{auto_admin_user_config}" do
@@ -166,8 +170,8 @@ class UserTest < ActiveSupport::TestCase
         assert_equal 0, @all_users.count, "No admin users should exist (except for the system user)"
       end
 
-      Rails.configuration.auto_admin_first_user = auto_admin_first_user_config
-      Rails.configuration.auto_admin_user = auto_admin_user_config
+      Rails.configuration.Users.AutoAdminFirstUser = auto_admin_first_user_config
+      Rails.configuration.Users.AutoAdminUserWithEmail = auto_admin_user_config
 
       # See if the foo user has is_admin
       foo = User.new
@@ -337,58 +341,58 @@ class UserTest < ActiveSupport::TestCase
   test "create new user with notifications" do
     set_user_from_auth :admin
 
-    create_user_and_verify_setup_and_notifications true, 'active-notify-address@example.com', 'inactive-notify-address@example.com', nil, nil
-    create_user_and_verify_setup_and_notifications true, 'active-notify-address@example.com', [], nil, nil
-    create_user_and_verify_setup_and_notifications true, [], [], nil, nil
-    create_user_and_verify_setup_and_notifications false, 'active-notify-address@example.com', 'inactive-notify-address@example.com', nil, nil
-    create_user_and_verify_setup_and_notifications false, [], 'inactive-notify-address@example.com', nil, nil
-    create_user_and_verify_setup_and_notifications false, [], [], nil, nil
+    create_user_and_verify_setup_and_notifications true, {'active-notify-address@example.com'=>{}}, {'inactive-notify-address@example.com'=>{}}, nil, nil
+    create_user_and_verify_setup_and_notifications true, {'active-notify-address@example.com'=>{}}, {}, nil, nil
+    create_user_and_verify_setup_and_notifications true, {}, [], nil, nil
+    create_user_and_verify_setup_and_notifications false, {'active-notify-address@example.com'=>{}}, {'inactive-notify-address@example.com'=>{}}, nil, nil
+    create_user_and_verify_setup_and_notifications false, {}, {'inactive-notify-address@example.com'=>{}}, nil, nil
+    create_user_and_verify_setup_and_notifications false, {}, {}, nil, nil
   end
 
   [
     # Easy inactive user tests.
-    [false, [], [], "inactive-none@example.com", false, false, "inactivenone"],
-    [false, [], [], "inactive-vm@example.com", true, false, "inactivevm"],
-    [false, [], [], "inactive-repo@example.com", false, true, "inactiverepo"],
-    [false, [], [], "inactive-both@example.com", true, true, "inactiveboth"],
+    [false, {}, {}, "inactive-none@example.com", false, false, "inactivenone"],
+    [false, {}, {}, "inactive-vm@example.com", true, false, "inactivevm"],
+    [false, {}, {}, "inactive-repo@example.com", false, true, "inactiverepo"],
+    [false, {}, {}, "inactive-both@example.com", true, true, "inactiveboth"],
 
     # Easy active user tests.
-    [true, "active-notify@example.com", "inactive-notify@example.com", "active-none@example.com", false, false, "activenone"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "active-vm@example.com", true, false, "activevm"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "active-repo@example.com", false, true, "activerepo"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "active-both@example.com", true, true, "activeboth"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "active-none@example.com", false, false, "activenone"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "active-vm@example.com", true, false, "activevm"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "active-repo@example.com", false, true, "activerepo"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "active-both@example.com", true, true, "activeboth"],
 
     # Test users with malformed e-mail addresses.
-    [false, [], [], nil, true, true, nil],
-    [false, [], [], "arvados", true, true, nil],
-    [false, [], [], "@example.com", true, true, nil],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "*!*@example.com", true, false, nil],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "*!*@example.com", false, false, nil],
+    [false, {}, {}, nil, true, true, nil],
+    [false, {}, {}, "arvados", true, true, nil],
+    [false, {}, {}, "@example.com", true, true, nil],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "*!*@example.com", true, false, nil],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "*!*@example.com", false, false, nil],
 
     # Test users with various username transformations.
-    [false, [], [], "arvados@example.com", false, false, "arvados2"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "arvados@example.com", false, false, "arvados2"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "root@example.com", true, false, "root2"],
-    [false, "active-notify@example.com", "inactive-notify@example.com", "root@example.com", true, false, "root2"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "roo_t@example.com", false, true, "root2"],
-    [false, [], [], "^^incorrect_format@example.com", true, true, "incorrectformat"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "&4a_d9.@example.com", true, true, "ad9"],
-    [true, "active-notify@example.com", "inactive-notify@example.com", "&4a_d9.@example.com", false, false, "ad9"],
-    [false, "active-notify@example.com", "inactive-notify@example.com", "&4a_d9.@example.com", true, true, "ad9"],
-    [false, "active-notify@example.com", "inactive-notify@example.com", "&4a_d9.@example.com", false, false, "ad9"],
+    [false, {}, {}, "arvados@example.com", false, false, "arvados2"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "arvados@example.com", false, false, "arvados2"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "root@example.com", true, false, "root2"],
+    [false, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "root@example.com", true, false, "root2"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "roo_t@example.com", false, true, "root2"],
+    [false, {}, {}, "^^incorrect_format@example.com", true, true, "incorrectformat"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "&4a_d9.@example.com", true, true, "ad9"],
+    [true, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "&4a_d9.@example.com", false, false, "ad9"],
+    [false, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "&4a_d9.@example.com", true, true, "ad9"],
+    [false, {"active-notify@example.com"=>{}}, {"inactive-notify@example.com"=>{}}, "&4a_d9.@example.com", false, false, "ad9"],
   ].each do |active, new_user_recipients, inactive_recipients, email, auto_setup_vm, auto_setup_repo, expect_username|
     test "create new user with auto setup #{active} #{email} #{auto_setup_vm} #{auto_setup_repo}" do
       set_user_from_auth :admin
 
-      Rails.configuration.auto_setup_new_users = true
+      Rails.configuration.Users.AutoSetupNewUsers = true
 
       if auto_setup_vm
-        Rails.configuration.auto_setup_new_users_with_vm_uuid = virtual_machines(:testvm)['uuid']
+        Rails.configuration.Users.AutoSetupNewUsersWithVmUUID = virtual_machines(:testvm)['uuid']
       else
-        Rails.configuration.auto_setup_new_users_with_vm_uuid = false
+        Rails.configuration.Users.AutoSetupNewUsersWithVmUUID = ""
       end
 
-      Rails.configuration.auto_setup_new_users_with_repository = auto_setup_repo
+      Rails.configuration.Users.AutoSetupNewUsersWithRepository = auto_setup_repo
 
       create_user_and_verify_setup_and_notifications active, new_user_recipients, inactive_recipients, email, expect_username
     end
@@ -447,7 +451,9 @@ class UserTest < ActiveSupport::TestCase
 
     vm = VirtualMachine.create
 
-    response = User.setup user, openid_prefix, 'foo/testrepo', vm.uuid
+    response = user.setup(openid_prefix: openid_prefix,
+                          repo_name: 'foo/testrepo',
+                          vm_uuid: vm.uuid)
 
     resp_user = find_obj_in_resp response, 'User'
     verify_user resp_user, email
@@ -490,7 +496,9 @@ class UserTest < ActiveSupport::TestCase
 
     verify_link resp_link, 'permission', 'can_login', email, bad_uuid
 
-    response = User.setup user, openid_prefix, 'foo/testrepo', vm.uuid
+    response = user.setup(openid_prefix: openid_prefix,
+                          repo_name: 'foo/testrepo',
+                          vm_uuid: vm.uuid)
 
     resp_user = find_obj_in_resp response, 'User'
     verify_user resp_user, email
@@ -522,7 +530,7 @@ class UserTest < ActiveSupport::TestCase
 
     user = User.create ({uuid: 'zzzzz-tpzed-abcdefghijklmno', email: email})
 
-    response = User.setup user, openid_prefix
+    response = user.setup(openid_prefix: openid_prefix)
 
     resp_user = find_obj_in_resp response, 'User'
     verify_user resp_user, email
@@ -537,7 +545,8 @@ class UserTest < ActiveSupport::TestCase
     verify_link group_perm, 'permission', 'can_read', resp_user[:uuid], nil
 
     # invoke setup again with repo_name
-    response = User.setup user, openid_prefix, 'foo/testrepo'
+    response = user.setup(openid_prefix: openid_prefix,
+                          repo_name: 'foo/testrepo')
     resp_user = find_obj_in_resp response, 'User', nil
     verify_user resp_user, email
     assert_equal user.uuid, resp_user[:uuid], 'expected uuid not found'
@@ -551,7 +560,9 @@ class UserTest < ActiveSupport::TestCase
     # invoke setup again with a vm_uuid
     vm = VirtualMachine.create
 
-    response = User.setup user, openid_prefix, 'foo/testrepo', vm.uuid
+    response = user.setup(openid_prefix: openid_prefix,
+                          repo_name: 'foo/testrepo',
+                          vm_uuid: vm.uuid)
 
     resp_user = find_obj_in_resp response, 'User', nil
     verify_user resp_user, email
@@ -614,12 +625,12 @@ class UserTest < ActiveSupport::TestCase
   end
 
   def create_user_and_verify_setup_and_notifications (active, new_user_recipients, inactive_recipients, email, expect_username)
-    Rails.configuration.new_user_notification_recipients = new_user_recipients
-    Rails.configuration.new_inactive_user_notification_recipients = inactive_recipients
+    Rails.configuration.Users.NewUserNotificationRecipients = new_user_recipients
+    Rails.configuration.Users.NewInactiveUserNotificationRecipients = inactive_recipients
 
     ActionMailer::Base.deliveries = []
 
-    can_setup = (Rails.configuration.auto_setup_new_users and
+    can_setup = (Rails.configuration.Users.AutoSetupNewUsers and
                  (not expect_username.nil?))
     expect_repo_name = "#{expect_username}/#{expect_username}"
     prior_repo = Repository.where(name: expect_repo_name).first
@@ -632,21 +643,21 @@ class UserTest < ActiveSupport::TestCase
     assert_equal(expect_username, user.username)
 
     # check user setup
-    verify_link_exists(Rails.configuration.auto_setup_new_users,
+    verify_link_exists(Rails.configuration.Users.AutoSetupNewUsers || active,
                        groups(:all_users).uuid, user.uuid,
                        "permission", "can_read")
     # Check for OID login link.
-    verify_link_exists(Rails.configuration.auto_setup_new_users,
+    verify_link_exists(Rails.configuration.Users.AutoSetupNewUsers || active,
                        user.uuid, user.email, "permission", "can_login")
     # Check for repository.
     if named_repo = (prior_repo or
                      Repository.where(name: expect_repo_name).first)
       verify_link_exists((can_setup and prior_repo.nil? and
-                          Rails.configuration.auto_setup_new_users_with_repository),
+                          Rails.configuration.Users.AutoSetupNewUsersWithRepository),
                          named_repo.uuid, user.uuid, "permission", "can_manage")
     end
     # Check for VM login.
-    if auto_vm_uuid = Rails.configuration.auto_setup_new_users_with_vm_uuid
+    if (auto_vm_uuid = Rails.configuration.Users.AutoSetupNewUsersWithVmUUID) != ""
       verify_link_exists(can_setup, auto_vm_uuid, user.uuid,
                          "permission", "can_login", "username", expect_username)
     end
@@ -655,17 +666,17 @@ class UserTest < ActiveSupport::TestCase
     new_user_email = nil
     new_inactive_user_email = nil
 
-    new_user_email_subject = "#{Rails.configuration.email_subject_prefix}New user created notification"
-    if Rails.configuration.auto_setup_new_users
+    new_user_email_subject = "#{Rails.configuration.Users.EmailSubjectPrefix}New user created notification"
+    if Rails.configuration.Users.AutoSetupNewUsers
       new_user_email_subject = (expect_username or active) ?
-                                 "#{Rails.configuration.email_subject_prefix}New user created and setup notification" :
-                                 "#{Rails.configuration.email_subject_prefix}New user created, but not setup notification"
+                                 "#{Rails.configuration.Users.EmailSubjectPrefix}New user created and setup notification" :
+                                 "#{Rails.configuration.Users.EmailSubjectPrefix}New user created, but not setup notification"
     end
 
     ActionMailer::Base.deliveries.each do |d|
       if d.subject == new_user_email_subject then
         new_user_email = d
-      elsif d.subject == "#{Rails.configuration.email_subject_prefix}New inactive user notification" then
+      elsif d.subject == "#{Rails.configuration.Users.EmailSubjectPrefix}New inactive user notification" then
         new_inactive_user_email = d
       end
     end
@@ -674,8 +685,8 @@ class UserTest < ActiveSupport::TestCase
     # if the new user email recipients config parameter is set
     if not new_user_recipients.empty? then
       assert_not_nil new_user_email, 'Expected new user email after setup'
-      assert_equal Rails.configuration.user_notifier_email_from, new_user_email.from[0]
-      assert_equal new_user_recipients, new_user_email.to[0]
+      assert_equal Rails.configuration.Users.UserNotifierEmailFrom, new_user_email.from[0]
+      assert_equal new_user_recipients.keys.first, new_user_email.to[0]
       assert_equal new_user_email_subject, new_user_email.subject
     else
       assert_nil new_user_email, 'Did not expect new user email after setup'
@@ -684,9 +695,9 @@ class UserTest < ActiveSupport::TestCase
     if not active
       if not inactive_recipients.empty? then
         assert_not_nil new_inactive_user_email, 'Expected new inactive user email after setup'
-        assert_equal Rails.configuration.user_notifier_email_from, new_inactive_user_email.from[0]
-        assert_equal inactive_recipients, new_inactive_user_email.to[0]
-        assert_equal "#{Rails.configuration.email_subject_prefix}New inactive user notification", new_inactive_user_email.subject
+        assert_equal Rails.configuration.Users.UserNotifierEmailFrom, new_inactive_user_email.from[0]
+        assert_equal inactive_recipients.keys.first, new_inactive_user_email.to[0]
+        assert_equal "#{Rails.configuration.Users.EmailSubjectPrefix}New inactive user notification", new_inactive_user_email.subject
       else
         assert_nil new_inactive_user_email, 'Did not expect new inactive user email after setup'
       end
@@ -710,4 +721,168 @@ class UserTest < ActiveSupport::TestCase
     end
   end
 
+  [
+    [:active, 'zzzzz-borkd-abcde12345abcde'],
+    [:active, 'zzzzz-j7d0g-abcde12345abcde'],
+    [:active, 'zzzzz-tpzed-borkd'],
+    [:system_user, 'zzzzz-tpzed-abcde12345abcde'],
+    [:anonymous, 'zzzzz-tpzed-abcde12345abcde'],
+  ].each do |fixture, new_uuid|
+    test "disallow update_uuid #{fixture} -> #{new_uuid}" do
+      u = users(fixture)
+      orig_uuid = u.uuid
+      act_as_system_user do
+        assert_raises do
+          u.update_uuid(new_uuid: new_uuid)
+        end
+      end
+      # "Successfully aborted orig->new" outcome looks the same as
+      # "successfully updated new->orig".
+      assert_update_success(old_uuid: new_uuid,
+                            new_uuid: orig_uuid,
+                            expect_owned_objects: fixture == :active)
+    end
+  end
+
+  [:active, :spectator, :admin].each do |target|
+    test "update_uuid on #{target} as non-admin user" do
+      act_as_user users(:active) do
+        assert_raises(ArvadosModel::PermissionDeniedError) do
+          users(target).update_uuid(new_uuid: 'zzzzz-tpzed-abcde12345abcde')
+        end
+      end
+    end
+  end
+
+  test "update_uuid to existing uuid" do
+    u = users(:active)
+    orig_uuid = u.uuid
+    new_uuid = users(:admin).uuid
+    act_as_system_user do
+      assert_raises do
+        u.update_uuid(new_uuid: new_uuid)
+      end
+    end
+    u.reload
+    assert_equal u.uuid, orig_uuid
+    assert_not_empty Collection.where(owner_uuid: orig_uuid)
+    assert_not_empty Group.where(owner_uuid: orig_uuid)
+  end
+
+  [
+    [:active, 'zbbbb-tpzed-abcde12345abcde'],
+    [:active, 'zzzzz-tpzed-abcde12345abcde'],
+    [:admin, 'zbbbb-tpzed-abcde12345abcde'],
+    [:admin, 'zzzzz-tpzed-abcde12345abcde'],
+  ].each do |fixture, new_uuid|
+    test "update_uuid #{fixture} to unused uuid #{new_uuid}" do
+      u = users(fixture)
+      orig_uuid = u.uuid
+      act_as_system_user do
+        u.update_uuid(new_uuid: new_uuid)
+      end
+      assert_update_success(old_uuid: orig_uuid,
+                            new_uuid: new_uuid,
+                            expect_owned_objects: fixture == :active)
+    end
+  end
+
+  def assert_update_success(old_uuid:, new_uuid:, expect_owned_objects: true)
+    [[User, :uuid],
+     [Link, :head_uuid],
+     [Link, :tail_uuid],
+     [Group, :owner_uuid],
+     [Collection, :owner_uuid],
+    ].each do |klass, attr|
+      assert_empty klass.where(attr => old_uuid)
+      if klass == User || expect_owned_objects
+        assert_not_empty klass.where(attr => new_uuid)
+      end
+    end
+  end
+
+  test "lookup user by email" do
+    u = User.register({"email" => "active-user@arvados.local", "identity_url" => "different-identity-url"})
+    active = User.find_by_uuid(users(:active).uuid)
+    assert_equal active.uuid, u.uuid
+    assert_equal "active-user@arvados.local", active.email
+    # identity_url is not updated
+    assert_equal "https://active-user.openid.local", active.identity_url
+  end
+
+  test "lookup user by alternate email" do
+    # register method will find that active-user@arvados.local already
+    # exists and return existing 'active' user.
+    u = User.register({"email" => "user@parent-company.com",
+                       "alternate_emails" => ["active-user@arvados.local"],
+                       "identity_url" => "different-identity-url"})
+    active = User.find_by_uuid(users(:active).uuid)
+    assert_equal active.uuid, u.uuid
+
+    # email should be updated
+    assert_equal "user@parent-company.com", active.email
+
+    # identity_url is not updated
+    assert_equal "https://active-user.openid.local", active.identity_url
+  end
+
+  test "register new user" do
+    u = User.register({"email" => "never-before-seen-user@arvados.local",
+                       "identity_url" => "different-identity-url",
+                       "first_name" => "Robert",
+                       "last_name" => "Baratheon",
+                       "username" => "bobby"})
+    nbs = User.find_by_uuid(u.uuid)
+    assert_equal nbs.uuid, u.uuid
+    assert_equal "different-identity-url", nbs.identity_url
+    assert_equal "never-before-seen-user@arvados.local", nbs.email
+    assert_equal false, nbs.is_admin
+    assert_equal false , nbs.is_active
+    assert_equal "bobby", nbs.username
+    assert_equal "Robert", nbs.first_name
+    assert_equal "Baratheon", nbs.last_name
+  end
+
+  test "fail when email address is ambiguous" do
+    User.register({"email" => "active-user@arvados.local"})
+    u = User.register({"email" => "never-before-seen-user@arvados.local"})
+    u.email = "active-user@arvados.local"
+    act_as_system_user do
+      u.save!
+    end
+    assert_raises do
+      User.register({"email" => "active-user@arvados.local"})
+    end
+  end
+
+  test "fail lookup without identifiers" do
+    assert_raises do
+      User.register({"first_name" => "Robert", "last_name" => "Baratheon"})
+    end
+    assert_raises do
+      User.register({"first_name" => "Robert", "last_name" => "Baratheon", "identity_url" => "", "email" => ""})
+    end
+  end
+
+  test "user can update name" do
+    set_user_from_auth :active
+    user = users(:active)
+    user.first_name = "MyNewName"
+    assert user.save
+  end
+
+  test "user cannot update email" do
+    set_user_from_auth :active
+    user = users(:active)
+    user.email = "new-name@example.com"
+    assert_not_allowed { user.save }
+  end
+
+  test "admin can update email" do
+    set_user_from_auth :admin
+    user = users(:active)
+    user.email = "new-name@example.com"
+    assert user.save
+  end
+
 end