16669: Accept OIDC access token in lieu of arvados api token.
[arvados.git] / lib / controller / federation_test.go
index f7735a3053fdd377b00d5b2e8097375d49910237..6a9ad8c15f3db2132bf5c122d8ae639764dbfff7 100644 (file)
@@ -18,11 +18,11 @@ import (
        "strings"
        "time"
 
-       "git.curoverse.com/arvados.git/sdk/go/arvados"
-       "git.curoverse.com/arvados.git/sdk/go/arvadostest"
-       "git.curoverse.com/arvados.git/sdk/go/ctxlog"
-       "git.curoverse.com/arvados.git/sdk/go/httpserver"
-       "git.curoverse.com/arvados.git/sdk/go/keepclient"
+       "git.arvados.org/arvados.git/sdk/go/arvados"
+       "git.arvados.org/arvados.git/sdk/go/arvadostest"
+       "git.arvados.org/arvados.git/sdk/go/ctxlog"
+       "git.arvados.org/arvados.git/sdk/go/httpserver"
+       "git.arvados.org/arvados.git/sdk/go/keepclient"
        "github.com/sirupsen/logrus"
        check "gopkg.in/check.v1"
 )
@@ -57,13 +57,14 @@ func (s *FederationSuite) SetUpTest(c *check.C) {
        c.Assert(s.remoteMock.Start(), check.IsNil)
 
        cluster := &arvados.Cluster{
-               ClusterID:                 "zhome",
-               PostgreSQL:                integrationTestCluster().PostgreSQL,
-               EnableBetaController14287: enableBetaController14287,
+               ClusterID:        "zhome",
+               PostgreSQL:       integrationTestCluster().PostgreSQL,
+               ForceLegacyAPI14: forceLegacyAPI14,
        }
        cluster.TLS.Insecure = true
        cluster.API.MaxItemsPerResponse = 1000
        cluster.API.MaxRequestAmplification = 4
+       cluster.API.RequestTimeout = arvados.Duration(5 * time.Minute)
        arvadostest.SetServiceURL(&cluster.Services.RailsAPI, "http://localhost:1/")
        arvadostest.SetServiceURL(&cluster.Services.Controller, "http://localhost:/")
        s.testHandler = &Handler{Cluster: cluster}
@@ -83,6 +84,9 @@ func (s *FederationSuite) SetUpTest(c *check.C) {
                        Proxy:  true,
                        Scheme: "http",
                },
+               "*": {
+                       Scheme: "https",
+               },
        }
 
        c.Assert(s.testServer.Start(), check.IsNil)
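Review bot: The new `"*"` entry in the RemoteClusters map has no comment saying what it stands for or which test depends on it. It appears to be the fallback used for cluster IDs that are not listed explicitly, which affects where a request carrying a token for an unlisted cluster can be sent, so that is worth stating next to it. Suggested comment above the entry: `// "*" sets defaults for remote cluster IDs not listed above (no Proxy, https only)`. SetUpTest starts and ends outside this hunk, so confirm the wording against the rest of the map.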
@@ -134,7 +138,7 @@ func (s *FederationSuite) TestNoAuth(c *check.C) {
        req := httptest.NewRequest("GET", "/arvados/v1/workflows/"+arvadostest.WorkflowWithDefinitionYAMLUUID, nil)
        resp := s.testRequest(req).Result()
        c.Check(resp.StatusCode, check.Equals, http.StatusUnauthorized)
-       s.checkJSONErrorMatches(c, resp, `Not logged in`)
+       s.checkJSONErrorMatches(c, resp, `Not logged in.*`)
 }
 
 func (s *FederationSuite) TestBadAuth(c *check.C) {
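Review bot: The pattern `Not logged in.*` in TestNoAuth now accepts any text after the prefix, so the test no longer pins what an unauthenticated caller is shown. The same loosening is applied in TestBadAuth and in TestNoAccess (`.*not found.*`). A 401 body that started echoing upstream or token detail would still pass. If the appended text has a fixed shape, match that shape instead of `.*`. Otherwise record the reason, e.g. `// trailing .* allows for <what the server appends to the message>`.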
@@ -142,7 +146,7 @@ func (s *FederationSuite) TestBadAuth(c *check.C) {
        req.Header.Set("Authorization", "Bearer aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
        resp := s.testRequest(req).Result()
        c.Check(resp.StatusCode, check.Equals, http.StatusUnauthorized)
-       s.checkJSONErrorMatches(c, resp, `Not logged in`)
+       s.checkJSONErrorMatches(c, resp, `Not logged in.*`)
 }
 
 func (s *FederationSuite) TestNoAccess(c *check.C) {
@@ -150,7 +154,7 @@ func (s *FederationSuite) TestNoAccess(c *check.C) {
        req.Header.Set("Authorization", "Bearer "+arvadostest.SpectatorToken)
        resp := s.testRequest(req).Result()
        c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
-       s.checkJSONErrorMatches(c, resp, `.*not found`)
+       s.checkJSONErrorMatches(c, resp, `.*not found.*`)
 }
 
 func (s *FederationSuite) TestGetUnknownRemote(c *check.C) {
@@ -467,6 +471,10 @@ func (s *FederationSuite) TestGetRemoteCollectionByPDH(c *check.C) {
 func (s *FederationSuite) TestGetCollectionByPDHError(c *check.C) {
        defer s.localServiceReturns404(c).Close()
 
+       // zmock's normal response (200 with an empty body) would
+       // change the outcome from 404 to 502
+       delete(s.testHandler.Cluster.RemoteClusters, "zmock")
+
        req := httptest.NewRequest("GET", "/arvados/v1/collections/99999999999999999999999999999999+99", nil)
        req.Header.Set("Authorization", "Bearer "+arvadostest.ActiveToken)
 
@@ -479,6 +487,10 @@ func (s *FederationSuite) TestGetCollectionByPDHError(c *check.C) {
 func (s *FederationSuite) TestGetCollectionByPDHErrorBadHash(c *check.C) {
        defer s.localServiceReturns404(c).Close()
 
+       // zmock's normal response (200 with an empty body) would
+       // change the outcome
+       delete(s.testHandler.Cluster.RemoteClusters, "zmock")
+
        srv2 := &httpserver.Server{
                Server: http.Server{
                        Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
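Review bot: The added comment says zmock's response "would change the outcome" without naming either status, unlike the one in TestGetCollectionByPDHError ("from 404 to 502"). The same vague wording is repeated in TestSaltedTokenGetCollectionByPDHError. This test's expected status is changed to 502 in a later hunk, so a reader cannot tell what result an empty 200 from zmock would have produced here. Name both, e.g. `// change the outcome from <expected status> to <status seen with zmock present>`. The test body continues outside this hunk.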
@@ -512,7 +524,7 @@ func (s *FederationSuite) TestGetCollectionByPDHErrorBadHash(c *check.C) {
        resp := s.testRequest(req).Result()
        defer resp.Body.Close()
 
-       c.Check(resp.StatusCode, check.Equals, http.StatusNotFound)
+       c.Check(resp.StatusCode, check.Equals, http.StatusBadGateway)
 }
 
 func (s *FederationSuite) TestSaltedTokenGetCollectionByPDH(c *check.C) {
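Review bot: The assertion visible here is only `http.StatusBadGateway`, and any upstream failure would presumably produce that status too. As written, the check does not show that the response was rejected because of the hash mismatch the test name refers to. Consider also checking the error body, e.g. `s.checkJSONErrorMatches(c, resp, <pattern for the hash-mismatch message>)`, with the pattern taken from the controller's actual message. The test starts outside this hunk, so an earlier check may already cover part of this.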
@@ -534,6 +546,10 @@ func (s *FederationSuite) TestSaltedTokenGetCollectionByPDH(c *check.C) {
 func (s *FederationSuite) TestSaltedTokenGetCollectionByPDHError(c *check.C) {
        arvadostest.SetServiceURL(&s.testHandler.Cluster.Services.RailsAPI, "https://"+os.Getenv("ARVADOS_TEST_API_HOST"))
 
+       // zmock's normal response (200 with an empty body) would
+       // change the outcome
+       delete(s.testHandler.Cluster.RemoteClusters, "zmock")
+
        req := httptest.NewRequest("GET", "/arvados/v1/collections/99999999999999999999999999999999+99", nil)
        req.Header.Set("Authorization", "Bearer v2/zzzzz-gj3su-077z32aux8dg2s1/282d7d172b6cfdce364c5ed12ddf7417b2d00065")
        resp := s.testRequest(req).Result()
@@ -571,6 +587,21 @@ func (s *FederationSuite) TestUpdateRemoteContainerRequest(c *check.C) {
        setPri(1) // Reset fixture so side effect doesn't break other tests.
 }
 
+func (s *FederationSuite) TestCreateContainerRequestBadToken(c *check.C) {
+       defer s.localServiceReturns404(c).Close()
+       // pass cluster_id via query parameter, this allows arvados-controller
+       // to avoid parsing the body
+       req := httptest.NewRequest("POST", "/arvados/v1/container_requests?cluster_id=zzzzz",
+               strings.NewReader(`{"container_request":{}}`))
+       req.Header.Set("Authorization", "Bearer abcdefg")
+       req.Header.Set("Content-type", "application/json")
+       resp := s.testRequest(req).Result()
+       c.Check(resp.StatusCode, check.Equals, http.StatusForbidden)
+       var e map[string][]string
+       c.Check(json.NewDecoder(resp.Body).Decode(&e), check.IsNil)
+       c.Check(e["errors"], check.DeepEquals, []string{"invalid API token"})
+}
+
 func (s *FederationSuite) TestCreateRemoteContainerRequest(c *check.C) {
        defer s.localServiceReturns404(c).Close()
        // pass cluster_id via query parameter, this allows arvados-controller
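Review bot: TestCreateContainerRequestBadToken checks only the 403 status and the `invalid API token` text, so it would not detect the controller forwarding `Bearer abcdefg` to the remote cluster before rejecting the request. If the suite records what `s.remoteMock` receives, also assert that nothing was sent for this request. The response body is not closed either; add `defer resp.Body.Close()` after `s.testRequest(req).Result()`, as TestGetCollectionByPDHErrorBadHash does. The hunk ends inside TestCreateRemoteContainerRequest, which is not reviewed here.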