+ // z3 anonymous user will be mapped to the z1 anonymous user
+ c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic")
+
+ // Retrieve the collection (which is on z1) using anonymous from cluster z3333.
+ coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID})
+ c.Check(err, check.IsNil)
+ c.Check(coll.PortableDataHash, check.Equals, pdh)
+}
+
+// Get a token from the login cluster (z1111), use it to submit a
+// container request on z2222.
+func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
+ conn1 := s.conn("z1111")
+ rootctx1, _, _ := s.rootClients("z1111")
+ _, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+
+ // Use ac2 to get the discovery doc with a blank token, so the
+ // SDK doesn't magically pass the z1111 token to z2222 before
+ // we're ready to start our test.
+ _, ac2, _ := s.clientsWithToken("z2222", "")
+ var dd map[string]interface{}
+ err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
+ c.Assert(err, check.IsNil)
+
+ var (
+ body bytes.Buffer
+ req *http.Request
+ resp *http.Response
+ u arvados.User
+ cr arvados.ContainerRequest
+ )
+ json.NewEncoder(&body).Encode(map[string]interface{}{
+ "container_request": map[string]interface{}{
+ "command": []string{"echo"},
+ "container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
+ "cwd": "/",
+ "output_path": "/",
+ },
+ })
+ ac2.AuthToken = ac1.AuthToken
+
+ c.Log("...post CR with good (but not yet cached) token")
+ cr = arvados.ContainerRequest{}
+ req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+ c.Assert(err, check.IsNil)
+ req.Header.Set("Content-Type", "application/json")
+ err = ac2.DoAndDecode(&cr, req)
+ c.Logf("err == %#v", err)
+
+ c.Log("...get user with good token")
+ u = arvados.User{}
+ req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil)
+ c.Assert(err, check.IsNil)
+ err = ac2.DoAndDecode(&u, req)
+ c.Check(err, check.IsNil)
+ c.Check(u.UUID, check.Matches, "z1111-tpzed-.*")
+
+ c.Log("...post CR with good cached token")
+ cr = arvados.ContainerRequest{}
+ req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+ c.Assert(err, check.IsNil)
+ req.Header.Set("Content-Type", "application/json")
+ err = ac2.DoAndDecode(&cr, req)
+ c.Check(err, check.IsNil)
+ c.Check(cr.UUID, check.Matches, "z2222-.*")
+
+ c.Log("...post with good cached token ('OAuth2 ...')")
+ cr = arvados.ContainerRequest{}
+ req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes()))
+ c.Assert(err, check.IsNil)
+ req.Header.Set("Content-Type", "application/json")
+ req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
+ resp, err = arvados.InsecureHTTPClient.Do(req)
+ if c.Check(err, check.IsNil) {
+ err = json.NewDecoder(resp.Body).Decode(&cr)
+ c.Check(err, check.IsNil)
+ c.Check(cr.UUID, check.Matches, "z2222-.*")
+ }
+}
+
+// Test for bug #16263
+func (s *IntegrationSuite) TestListUsers(c *check.C) {
+ rootctx1, _, _ := s.rootClients("z1111")
+ conn1 := s.conn("z1111")
+ conn3 := s.conn("z3333")
+ userctx1, _, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+
+ // Make sure LoginCluster is properly configured
+ for cls := range s.testClusters {
+ c.Check(
+ s.testClusters[cls].config.Clusters[cls].Login.LoginCluster,
+ check.Equals, "z1111",
+ check.Commentf("incorrect LoginCluster config on cluster %q", cls))
+ }
+ // Make sure z1111 has users with NULL usernames
+ lst, err := conn1.UserList(rootctx1, arvados.ListOptions{
+ Limit: math.MaxInt64, // check that large limit works (see #16263)
+ })
+ nullUsername := false
+ c.Assert(err, check.IsNil)
+ c.Assert(len(lst.Items), check.Not(check.Equals), 0)
+ for _, user := range lst.Items {
+ if user.Username == "" {
+ nullUsername = true
+ }
+ }
+ c.Assert(nullUsername, check.Equals, true)
+
+ user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
+ c.Assert(err, check.IsNil)
+ c.Check(user1.IsActive, check.Equals, true)
+
+ // Ask for the user list on z3333 using z1111's system root token
+ lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+ c.Assert(err, check.IsNil)
+ found := false
+ for _, user := range lst.Items {
+ if user.UUID == user1.UUID {
+ c.Check(user.IsActive, check.Equals, true)
+ found = true
+ break
+ }
+ }
+ c.Check(found, check.Equals, true)
+
+ // Deactivate user acct on z1111
+ _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID})
+ c.Assert(err, check.IsNil)
+
+ // Get user list from z3333, check the returned z1111 user is
+ // deactivated
+ lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+ c.Assert(err, check.IsNil)
+ found = false
+ for _, user := range lst.Items {
+ if user.UUID == user1.UUID {
+ c.Check(user.IsActive, check.Equals, false)
+ found = true
+ break
+ }
+ }
+ c.Check(found, check.Equals, true)
+
+ // Deactivated user can see is_active==false via "get current
+ // user" API
+ user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
+ c.Assert(err, check.IsNil)
+ c.Check(user1.IsActive, check.Equals, false)
+}
+
+func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
+ conn1 := s.conn("z1111")
+ conn3 := s.conn("z3333")
+ rootctx1, rootac1, _ := s.rootClients("z1111")
+
+ // Create user on LoginCluster z1111
+ _, _, _, user := s.userClients(rootctx1, c, conn1, "z1111", false)
+
+ // Make a new root token (because rootClients() uses SystemRootToken)
+ var outAuth arvados.APIClientAuthorization
+ err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
+ c.Check(err, check.IsNil)
+
+ // Make a v2 root token to communicate with z3333
+ rootctx3, rootac3, _ := s.clientsWithToken("z3333", outAuth.TokenV2())
+
+ // Create VM on z3333
+ var outVM arvados.VirtualMachine
+ err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
+ map[string]interface{}{"virtual_machine": map[string]interface{}{
+ "hostname": "example",
+ },
+ })
+ c.Check(outVM.UUID[0:5], check.Equals, "z3333")
+ c.Check(err, check.IsNil)
+
+ // Make sure z3333 user list is up to date
+ _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
+ c.Check(err, check.IsNil)
+
+ // Try to set up user on z3333 with the VM
+ _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
+ c.Check(err, check.IsNil)
+
+ var outLinks arvados.LinkList
+ err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
+ arvados.ListOptions{
+ Limit: 1000,
+ Filters: []arvados.Filter{
+ {
+ Attr: "tail_uuid",
+ Operator: "=",
+ Operand: user.UUID,
+ },
+ {
+ Attr: "head_uuid",
+ Operator: "=",
+ Operand: outVM.UUID,
+ },
+ {
+ Attr: "name",
+ Operator: "=",
+ Operand: "can_login",
+ },
+ {
+ Attr: "link_class",
+ Operator: "=",
+ Operand: "permission",
+ }}})
+ c.Check(err, check.IsNil)
+
+ c.Check(len(outLinks.Items), check.Equals, 1)