import (
"bytes"
"context"
+ "encoding/json"
"io"
+ "math"
"net"
+ "net/http"
"net/url"
"os"
"path/filepath"
TLS:
Insecure: true
Login:
- # LoginCluster: z1111
+ LoginCluster: z1111
SystemLogs:
Format: text
RemoteClusters:
Insecure: true
Proxy: true
ActivateUsers: true
- z2222:
+`
+ if id != "z2222" {
+ yaml += ` z2222:
Host: ` + hostport["z2222"] + `
Scheme: https
Insecure: true
Proxy: true
ActivateUsers: true
- z3333:
+`
+ }
+ if id != "z3333" {
+ yaml += ` z3333:
Host: ` + hostport["z3333"] + `
Scheme: https
Insecure: true
Proxy: true
ActivateUsers: true
`
+ }
+
loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
loader.Path = "-"
loader.SkipLegacy = true
},
config: *cfg,
}
- s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config)
+ s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-")
}
for _, tc := range s.testClusters {
au, ok := tc.super.WaitReady()
return ctx, ac, kc
}
-func (s *IntegrationSuite) userClients(c *check.C, conn *rpc.Conn, rootctx context.Context, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) {
+func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) {
login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{
ReturnTo: ",https://example.com",
AuthInfo: rpc.UserSessionAuthInfo{
conn1 := s.conn("z1111")
rootctx1, _, _ := s.rootClients("z1111")
conn3 := s.conn("z3333")
- userctx1, ac1, kc1 := s.userClients(c, conn1, rootctx1, "z1111", true)
+ userctx1, ac1, kc1 := s.userClients(rootctx1, c, conn1, "z1111", true)
// Create the collection to find its PDH (but don't save it
// anywhere yet)
c.Check(err, check.IsNil)
c.Check(coll.PortableDataHash, check.Equals, pdh)
}
+
+// Get a token from the login cluster (z1111), use it to submit a
+// container request on z2222.
+func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
+ conn1 := s.conn("z1111")
+ rootctx1, _, _ := s.rootClients("z1111")
+ _, ac1, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+
+ // Use ac2 to get the discovery doc with a blank token, so the
+ // SDK doesn't magically pass the z1111 token to z2222 before
+ // we're ready to start our test.
+ _, ac2, _ := s.clientsWithToken("z2222", "")
+ var dd map[string]interface{}
+ err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
+ c.Assert(err, check.IsNil)
+
+ var (
+ body bytes.Buffer
+ req *http.Request
+ resp *http.Response
+ u arvados.User
+ cr arvados.ContainerRequest
+ )
+ json.NewEncoder(&body).Encode(map[string]interface{}{
+ "container_request": map[string]interface{}{
+ "command": []string{"echo"},
+ "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
+ "cwd": "/",
+ "output_path": "/",
+ },
+ })
+ ac2.AuthToken = ac1.AuthToken
+
+ c.Log("...post CR with good (but not yet cached) token")
+ cr = arvados.ContainerRequest{}
+ req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+ c.Assert(err, check.IsNil)
+ req.Header.Set("Content-Type", "application/json")
+ err = ac2.DoAndDecode(&cr, req)
+ c.Logf("err == %#v", err)
+
+ c.Log("...get user with good token")
+ u = arvados.User{}
+ req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
+ c.Assert(err, check.IsNil)
+ err = ac2.DoAndDecode(&u, req)
+ c.Check(err, check.IsNil)
+ c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
+
+ c.Log("...post CR with good cached token")
+ cr = arvados.ContainerRequest{}
+ req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+ c.Assert(err, check.IsNil)
+ req.Header.Set("Content-Type", "application/json")
+ err = ac2.DoAndDecode(&cr, req)
+ c.Check(err, check.IsNil)
+ c.Check(cr.UUID, check.Matches, "z2222-.*")
+
+ c.Log("...post with good cached token ('OAuth2 ...')")
+ cr = arvados.ContainerRequest{}
+ req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+ c.Assert(err, check.IsNil)
+ req.Header.Set("Content-Type", "application/json")
+ req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
+ resp, err = arvados.InsecureHTTPClient.Do(req)
+ if c.Check(err, check.IsNil) {
+ err = json.NewDecoder(resp.Body).Decode(&cr)
+ c.Check(cr.UUID, check.Matches, "z2222-.*")
+ }
+}
+
+// Test for bug #16263
+func (s *IntegrationSuite) TestListUsers(c *check.C) {
+ rootctx1, _, _ := s.rootClients("z1111")
+ conn1 := s.conn("z1111")
+ conn3 := s.conn("z3333")
+ userctx1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+
+ // Make sure LoginCluster is properly configured
+ for cls := range s.testClusters {
+ c.Check(
+ s.testClusters[cls].config.Clusters[cls].Login.LoginCluster,
+ check.Equals, "z1111",
+ check.Commentf("incorrect LoginCluster config on cluster %q", cls))
+ }
+ // Make sure z1111 has users with NULL usernames
+ lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
+ Limit: math.MaxInt64, // check that large limit works (see #16263)
+ })
+ nullUsername := false
+ c.Assert(err, check.IsNil)
+ c.Assert(len(lst.Items), check.Not(check.Equals), 0)
+ for _, user := range lst.Items {
+ if user.Username == "" {
+ nullUsername = true
+ }
+ }
+ c.Assert(nullUsername, check.Equals, true)
+
+ user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
+ c.Assert(err, check.IsNil)
+ c.Check(user1.IsActive, check.Equals, true)
+
+ // Ask for the user list on z3333 using z1111's system root token
+ lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+ c.Assert(err, check.IsNil)
+ found := false
+ for _, user := range lst.Items {
+ if user.UUID == user1.UUID {
+ c.Check(user.IsActive, check.Equals, true)
+ found = true
+ break
+ }
+ }
+ c.Check(found, check.Equals, true)
+
+ // Deactivate user acct on z1111
+ _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
+ c.Assert(err, check.IsNil)
+
+ // Get user list from z3333, check the returned z1111 user is
+ // deactivated
+ lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+ c.Assert(err, check.IsNil)
+ found = false
+ for _, user := range lst.Items {
+ if user.UUID == user1.UUID {
+ c.Check(user.IsActive, check.Equals, false)
+ found = true
+ break
+ }
+ }
+ c.Check(found, check.Equals, true)
+
+ // Deactivated user can see is_active==false via "get current
+ // user" API
+ user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
+ c.Assert(err, check.IsNil)
+ c.Check(user1.IsActive, check.Equals, false)
+}