+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
require 'test_helper'
class PermissionsTest < ActionDispatch::IntegrationTest
+ include DbCurrentTime
+ include CurrentApiClient # for empty_collection
fixtures :users, :groups, :api_client_authorizations, :collections
+ teardown do
+ User.invalidate_permissions_cache db_current_time.to_i
+ end
+
test "adding and removing direct can_read links" do
# try to read collection as spectator
get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
# try to read collection as spectator
get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
assert_response 404
-
+
end
# try to read collection as spectator
get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator)
assert_response 404
-
+
end
test "adding can_read links from user to group, group to group, group to collection" do
assert_response 404
end
- test "read-only group-admin sees correct subset of user list" do
- get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin)
- assert_response :success
- resp_uuids = json_response['items'].collect { |i| i['uuid'] }
- [[true, users(:rominiadmin).uuid],
- [true, users(:active).uuid],
- [false, users(:miniadmin).uuid],
- [false, users(:spectator).uuid]].each do |should_find, uuid|
- assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list"
- end
- end
-
test "read-only group-admin cannot modify administered user" do
put "/arvados/v1/users/#{users(:active).uuid}", {
:user => {
end
test "get_permissions returns list" do
- # add some permissions
+ # First confirm that user :active cannot get permissions on group :public
+ get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
+ assert_response 404
+
+ # add some permissions, including can_manage
+ # permission for user :active
post "/arvados/v1/links", {
:format => :json,
:link => {
tail_uuid: users(:spectator).uuid,
link_class: 'permission',
name: 'can_read',
- head_uuid: collections(:foo_file).uuid,
+ head_uuid: groups(:public).uuid,
properties: {}
}
}, auth(:admin)
post "/arvados/v1/links", {
:format => :json,
:link => {
- tail_uuid: users(:active).uuid,
+ tail_uuid: users(:inactive).uuid,
link_class: 'permission',
name: 'can_write',
- head_uuid: collections(:foo_file).uuid,
+ head_uuid: groups(:public).uuid,
properties: {}
}
}, auth(:admin)
post "/arvados/v1/links", {
:format => :json,
:link => {
- tail_uuid: users(:inactive).uuid,
+ tail_uuid: users(:active).uuid,
link_class: 'permission',
name: 'can_manage',
- head_uuid: collections(:foo_file).uuid,
+ head_uuid: groups(:public).uuid,
properties: {}
}
}, auth(:admin)
assert_response :success
can_manage_uuid = json_response['uuid']
- get "/arvados/v1/permissions/#{collections(:foo_file).uuid}", {
- :format => :json,
- }, auth(:admin)
+ # Now user :active should be able to retrieve permissions
+ # on group :public.
+ get("/arvados/v1/permissions/#{groups(:public).uuid}",
+ { :format => :json },
+ auth(:active))
assert_response :success
perm_uuids = json_response['items'].map { |item| item['uuid'] }
- assert perm_uuids.include?(can_read_uuid), "can_read_uuid not found"
- assert perm_uuids.include?(can_write_uuid), "can_write_uuid not found"
- assert perm_uuids.include?(can_manage_uuid), "can_manage_uuid not found"
+ assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found"
+ assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found"
+ assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found"
end
test "get_permissions returns 404 for nonexistent uuid" do
- nonexistent = Collection.generate_uuid
+ nonexistent = Group.generate_uuid
# make sure it really doesn't exist
- get "/arvados/v1/collections/#{nonexistent}", { :format => :json }, auth(:admin)
+ get "/arvados/v1/groups/#{nonexistent}", nil, auth(:admin)
assert_response 404
- get "/arvados/v1/permissions/#{nonexistent}", { :format => :json }, auth(:active)
+ get "/arvados/v1/permissions/#{nonexistent}", nil, auth(:active)
assert_response 404
end
- test "get_permissions returns 403 if user lacks manage permission" do
- get "/arvados/v1/permissions/#{collections(:foo_file).uuid}", { :format => :json }, auth(:active)
+ test "get_permissions returns 403 if user can read but not manage" do
+ post "/arvados/v1/links", {
+ :link => {
+ tail_uuid: users(:active).uuid,
+ link_class: 'permission',
+ name: 'can_read',
+ head_uuid: groups(:public).uuid,
+ properties: {}
+ }
+ }, auth(:admin)
+ assert_response :success
+
+ get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active)
assert_response 403
end
+
+ test "active user can read the empty collection" do
+ # The active user should be able to read the empty collection.
+
+ get("/arvados/v1/collections/#{empty_collection_uuid}",
+ { :format => :json },
+ auth(:active))
+ assert_response :success
+ assert_empty json_response['manifest_text'], "empty collection manifest_text is not empty"
+ end
end
projects / arvados.git / blobdiff