Merge branch '13996-new-api-config' refs #13996

[arvados.git] / services / api / test / unit / container_test.rb
diff --git a/services/api/test/unit/container_test.rb b/services/api/test/unit/container_test.rb

index 83ab59b607b31a9e09b70e29c0c0792f09e5c559..88fd5feb6ad27c3c55dd5531c0a2566422239f41 100644 (file)
--- a/services/api/test/unit/container_test.rb
+++ b/services/api/test/unit/container_test.rb
@@ -33,14 +33,18 @@ class ContainerTest < ActiveSupport::TestCase
        "var" => "val",
      },
      secret_mounts: {},
        "var" => "val",
      },
      secret_mounts: {},
+    runtime_user_uuid: "zzzzz-tpzed-xurymjxw79nv3jz",
+    runtime_auth_scopes: ["all"]
    }
  
    }
  
+  def request_only attrs
+    attrs.reject {|k| [:runtime_user_uuid, :runtime_auth_scopes].include? k}
+  end
+
    def minimal_new attrs={}
    def minimal_new attrs={}
-    cr = ContainerRequest.new DEFAULT_ATTRS.merge(attrs)
+    cr = ContainerRequest.new request_only(DEFAULT_ATTRS.merge(attrs))
      cr.state = ContainerRequest::Committed
      cr.state = ContainerRequest::Committed
-    act_as_user users(:active) do
-      cr.save!
-    end
+    cr.save!
      c = Container.find_by_uuid cr.container_uuid
      assert_not_nil c
      return c, cr
      c = Container.find_by_uuid cr.container_uuid
      assert_not_nil c
      return c, cr
@@ -131,8 +135,96 @@ class ContainerTest < ActiveSupport::TestCase
      end
    end
  
      end
    end
  
+  test "Container runtime_status data types" do
+    set_user_from_auth :active
+    attrs = {
+      environment: {},
+      mounts: {"BAR" => {"kind" => "FOO"}},
+      output_path: "/tmp",
+      priority: 1,
+      runtime_constraints: {"vcpus" => 1, "ram" => 1}
+    }
+    c, _ = minimal_new(attrs)
+    assert_equal c.runtime_status, {}
+    assert_equal Container::Queued, c.state
+
+    set_user_from_auth :dispatch1
+    c.update_attributes! state: Container::Locked
+    c.update_attributes! state: Container::Running
+
+    [
+      'error', 'errorDetail', 'warning', 'warningDetail', 'activity'
+    ].each do |k|
+      # String type is allowed
+      string_val = 'A string is accepted'
+      c.update_attributes! runtime_status: {k => string_val}
+      assert_equal string_val, c.runtime_status[k]
+
+      # Other types aren't allowed
+      [
+        42, false, [], {}, nil
+      ].each do |unallowed_val|
+        assert_raises ActiveRecord::RecordInvalid do
+          c.update_attributes! runtime_status: {k => unallowed_val}
+        end
+      end
+    end
+  end
+
+  test "Container runtime_status updates" do
+    set_user_from_auth :active
+    attrs = {
+      environment: {},
+      mounts: {"BAR" => {"kind" => "FOO"}},
+      output_path: "/tmp",
+      priority: 1,
+      runtime_constraints: {"vcpus" => 1, "ram" => 1}
+    }
+    c1, _ = minimal_new(attrs)
+    assert_equal c1.runtime_status, {}
+
+    assert_equal Container::Queued, c1.state
+    assert_raises ArvadosModel::PermissionDeniedError do
+      c1.update_attributes! runtime_status: {'error' => 'Oops!'}
+    end
+
+    set_user_from_auth :dispatch1
+
+    # Allow updates when state = Locked
+    c1.update_attributes! state: Container::Locked
+    c1.update_attributes! runtime_status: {'error' => 'Oops!'}
+    assert c1.runtime_status.key? 'error'
+
+    # Reset when transitioning from Locked to Queued
+    c1.update_attributes! state: Container::Queued
+    assert_equal c1.runtime_status, {}
+
+    # Allow updates when state = Running
+    c1.update_attributes! state: Container::Locked
+    c1.update_attributes! state: Container::Running
+    c1.update_attributes! runtime_status: {'error' => 'Oops!'}
+    assert c1.runtime_status.key? 'error'
+
+    # Don't allow updates on other states
+    c1.update_attributes! state: Container::Complete
+    assert_raises ActiveRecord::RecordInvalid do
+      c1.update_attributes! runtime_status: {'error' => 'Some other error'}
+    end
+
+    set_user_from_auth :active
+    c2, _ = minimal_new(attrs)
+    assert_equal c2.runtime_status, {}
+    set_user_from_auth :dispatch1
+    c2.update_attributes! state: Container::Locked
+    c2.update_attributes! state: Container::Running
+    c2.update_attributes! state: Container::Cancelled
+    assert_raises ActiveRecord::RecordInvalid do
+      c2.update_attributes! runtime_status: {'error' => 'Oops!'}
+    end
+  end
  
    test "Container serialized hash attributes sorted before save" do
  
    test "Container serialized hash attributes sorted before save" do
+    set_user_from_auth :active
      env = {"C" => "3", "B" => "2", "A" => "1"}
      m = {"F" => {"kind" => "3"}, "E" => {"kind" => "2"}, "D" => {"kind" => "1"}}
      rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1}
      env = {"C" => "3", "B" => "2", "A" => "1"}
      m = {"F" => {"kind" => "3"}, "E" => {"kind" => "2"}, "D" => {"kind" => "1"}}
      rc = {"vcpus" => 1, "ram" => 1, "keep_cache_ram" => 1}
@@ -149,6 +241,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "find_reusable method should select higher priority queued container" do
    end
  
    test "find_reusable method should select higher priority queued container" do
+        Rails.configuration.Containers.LogReuseDecisions = true
      set_user_from_auth :active
      common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
      c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
      set_user_from_auth :active
      common_attrs = REUSABLE_COMMON_ATTRS.merge({environment:{"var" => "queued"}})
      c_low_priority, _ = minimal_new(common_attrs.merge({use_existing:false, priority:1}))
@@ -198,13 +291,13 @@ class ContainerTest < ActiveSupport::TestCase
        log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
      }
  
        log: 'ea10d51bcf88862dbcc36eb292017dfd+45',
      }
  
-    cr = ContainerRequest.new common_attrs
+    cr = ContainerRequest.new request_only(common_attrs)
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
      c_output1 = Container.where(uuid: cr.container_uuid).first
  
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
      c_output1 = Container.where(uuid: cr.container_uuid).first
  
-    cr = ContainerRequest.new common_attrs
+    cr = ContainerRequest.new request_only(common_attrs)
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
      cr.use_existing = false
      cr.state = ContainerRequest::Committed
      cr.save!
@@ -225,7 +318,8 @@ class ContainerTest < ActiveSupport::TestCase
      c_output2.update_attributes!({state: Container::Running})
      c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
  
      c_output2.update_attributes!({state: Container::Running})
      c_output2.update_attributes!(completed_attrs.merge({log: log1, output: out2}))
  
-    reused = Container.resolve(ContainerRequest.new(common_attrs))
+    set_user_from_auth :active
+    reused = Container.resolve(ContainerRequest.new(request_only(common_attrs)))
      assert_equal c_output1.uuid, reused.uuid
    end
  
      assert_equal c_output1.uuid, reused.uuid
    end
  
@@ -277,6 +371,34 @@ class ContainerTest < ActiveSupport::TestCase
      assert_equal reused.uuid, c_faster_started_second.uuid
    end
  
      assert_equal reused.uuid, c_faster_started_second.uuid
    end
  
+  test "find_reusable method should select non-failing running container" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "running2"}})
+    c_slower, _ = minimal_new(common_attrs.merge({use_existing: false}))
+    c_faster_started_first, _ = minimal_new(common_attrs.merge({use_existing: false}))
+    c_faster_started_second, _ = minimal_new(common_attrs.merge({use_existing: false}))
+    # Confirm the 3 container UUIDs are different.
+    assert_equal 3, [c_slower.uuid, c_faster_started_first.uuid, c_faster_started_second.uuid].uniq.length
+    set_user_from_auth :dispatch1
+    c_slower.update_attributes!({state: Container::Locked})
+    c_slower.update_attributes!({state: Container::Running,
+                                 progress: 0.1})
+    c_faster_started_first.update_attributes!({state: Container::Locked})
+    c_faster_started_first.update_attributes!({state: Container::Running,
+                                               runtime_status: {'warning' => 'This is not an error'},
+                                               progress: 0.15})
+    c_faster_started_second.update_attributes!({state: Container::Locked})
+    assert_equal 0, Container.where("runtime_status->'error' is not null").count
+    c_faster_started_second.update_attributes!({state: Container::Running,
+                                                runtime_status: {'error' => 'Something bad happened'},
+                                                progress: 0.2})
+    assert_equal 1, Container.where("runtime_status->'error' is not null").count
+    reused = Container.find_reusable(common_attrs)
+    assert_not_nil reused
+    # Selected the non-failing container even if it's the one with less progress done
+    assert_equal reused.uuid, c_faster_started_first.uuid
+  end
+
    test "find_reusable method should select locked container most likely to start sooner" do
      set_user_from_auth :active
      common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "locked"}})
    test "find_reusable method should select locked container most likely to start sooner" do
      set_user_from_auth :active
      common_attrs = REUSABLE_COMMON_ATTRS.merge({environment: {"var" => "locked"}})
@@ -389,12 +511,81 @@ class ContainerTest < ActiveSupport::TestCase
  
    test "find_reusable with logging enabled" do
      set_user_from_auth :active
  
    test "find_reusable with logging enabled" do
      set_user_from_auth :active
-    Rails.configuration.log_reuse_decisions = true
+    Rails.configuration.Containers.LogReuseDecisions = true
      Rails.logger.expects(:info).at_least(3)
      Container.find_reusable(REUSABLE_COMMON_ATTRS)
    end
  
      Rails.logger.expects(:info).at_least(3)
      Container.find_reusable(REUSABLE_COMMON_ATTRS)
    end
  
+  def runtime_token_attr tok
+    auth = api_client_authorizations(tok)
+    {runtime_user_uuid: User.find_by_id(auth.user_id).uuid,
+     runtime_auth_scopes: auth.scopes,
+     runtime_token: auth.token}
+  end
+
+  test "find_reusable method with same runtime_token" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:container_runtime_token).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    assert_not_nil reused
+    assert_equal reused.uuid, c1.uuid
+  end
+
+  test "find_reusable method with different runtime_token, same user" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:crt_user).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    assert_not_nil reused
+    assert_equal reused.uuid, c1.uuid
+  end
+
+  test "find_reusable method with nil runtime_token, then runtime_token with same user" do
+    set_user_from_auth :crt_user
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs)
+    assert_equal Container::Queued, c1.state
+    assert_equal users(:container_runtime_token_user).uuid, c1.runtime_user_uuid
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    assert_not_nil reused
+    assert_equal reused.uuid, c1.uuid
+  end
+
+  test "find_reusable method with different runtime_token, different user" do
+    set_user_from_auth :crt_user
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:active).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    # See #14584
+    assert_equal c1.uuid, reused.uuid
+  end
+
+  test "find_reusable method with nil runtime_token, then runtime_token with different user" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: nil}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    # See #14584
+    assert_equal c1.uuid, reused.uuid
+  end
+
+  test "find_reusable method with different runtime_token, different scope, same user" do
+    set_user_from_auth :active
+    common_attrs = REUSABLE_COMMON_ATTRS.merge({use_existing:false, priority:1, environment:{"var" => "queued"}})
+    c1, _ = minimal_new(common_attrs.merge({runtime_token: api_client_authorizations(:runtime_token_limited_scope).token}))
+    assert_equal Container::Queued, c1.state
+    reused = Container.find_reusable(common_attrs.merge(runtime_token_attr(:container_runtime_token)))
+    # See #14584
+    assert_equal c1.uuid, reused.uuid
+  end
+
    test "Container running" do
    test "Container running" do
+    set_user_from_auth :active
      c, _ = minimal_new priority: 1
  
      set_user_from_auth :dispatch1
      c, _ = minimal_new priority: 1
  
      set_user_from_auth :dispatch1
@@ -414,6 +605,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Lock and unlock" do
    end
  
    test "Lock and unlock" do
+    set_user_from_auth :active
      c, cr = minimal_new priority: 0
  
      set_user_from_auth :dispatch1
      c, cr = minimal_new priority: 0
  
      set_user_from_auth :dispatch1
@@ -473,7 +665,54 @@ class ContainerTest < ActiveSupport::TestCase
      assert_operator auth_exp, :<, db_current_time
    end
  
      assert_operator auth_exp, :<, db_current_time
    end
  
+  test "Exceed maximum lock-unlock cycles" do
+    Rails.configuration.Containers.MaxDispatchAttempts = 3
+
+    set_user_from_auth :active
+    c, cr = minimal_new
+
+    set_user_from_auth :dispatch1
+    assert_equal Container::Queued, c.state
+    assert_equal 0, c.lock_count
+
+    c.lock
+    c.reload
+    assert_equal 1, c.lock_count
+    assert_equal Container::Locked, c.state
+
+    c.unlock
+    c.reload
+    assert_equal 1, c.lock_count
+    assert_equal Container::Queued, c.state
+
+    c.lock
+    c.reload
+    assert_equal 2, c.lock_count
+    assert_equal Container::Locked, c.state
+
+    c.unlock
+    c.reload
+    assert_equal 2, c.lock_count
+    assert_equal Container::Queued, c.state
+
+    c.lock
+    c.reload
+    assert_equal 3, c.lock_count
+    assert_equal Container::Locked, c.state
+
+    c.unlock
+    c.reload
+    assert_equal 3, c.lock_count
+    assert_equal Container::Cancelled, c.state
+
+    assert_raise(ArvadosModel::LockFailedError) do
+      # Cancelled to Locked is not allowed
+      c.lock
+    end
+  end
+
    test "Container queued cancel" do
    test "Container queued cancel" do
+    set_user_from_auth :active
      c, cr = minimal_new({container_count_max: 1})
      set_user_from_auth :dispatch1
      assert c.update_attributes(state: Container::Cancelled), show_errors(c)
      c, cr = minimal_new({container_count_max: 1})
      set_user_from_auth :dispatch1
      assert c.update_attributes(state: Container::Cancelled), show_errors(c)
@@ -486,7 +725,16 @@ class ContainerTest < ActiveSupport::TestCase
      assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
    end
  
      assert_equal 1, Container.readable_by(users(:active)).where(state: "Queued").count
    end
  
+  test "Containers with no matching request are readable by admin" do
+    uuids = Container.includes('container_requests').where(container_requests: {uuid: nil}).collect(&:uuid)
+    assert_not_empty uuids
+    assert_empty Container.readable_by(users(:active)).where(uuid: uuids)
+    assert_not_empty Container.readable_by(users(:admin)).where(uuid: uuids)
+    assert_equal uuids.count, Container.readable_by(users(:admin)).where(uuid: uuids).count
+  end
+
    test "Container locked cancel" do
    test "Container locked cancel" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
@@ -495,6 +743,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Container locked cancel with log" do
    end
  
    test "Container locked cancel with log" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      assert c.lock, show_errors(c)
@@ -506,6 +755,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "Container running cancel" do
    end
  
    test "Container running cancel" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -527,7 +777,53 @@ class ContainerTest < ActiveSupport::TestCase
      end
    end
  
      end
    end
  
+  [
+    [Container::Queued, {state: Container::Locked}],
+    [Container::Queued, {state: Container::Running}],
+    [Container::Queued, {state: Container::Complete}],
+    [Container::Queued, {state: Container::Cancelled}],
+    [Container::Queued, {priority: 123456789}],
+    [Container::Queued, {runtime_status: {'error' => 'oops'}}],
+    [Container::Queued, {cwd: '/'}],
+    [Container::Locked, {state: Container::Running}],
+    [Container::Locked, {state: Container::Queued}],
+    [Container::Locked, {priority: 123456789}],
+    [Container::Locked, {runtime_status: {'error' => 'oops'}}],
+    [Container::Locked, {cwd: '/'}],
+    [Container::Running, {state: Container::Complete}],
+    [Container::Running, {state: Container::Cancelled}],
+    [Container::Running, {priority: 123456789}],
+    [Container::Running, {runtime_status: {'error' => 'oops'}}],
+    [Container::Running, {cwd: '/'}],
+    [Container::Complete, {state: Container::Cancelled}],
+    [Container::Complete, {priority: 123456789}],
+    [Container::Complete, {runtime_status: {'error' => 'oops'}}],
+    [Container::Complete, {cwd: '/'}],
+    [Container::Cancelled, {cwd: '/'}],
+  ].each do |start_state, updates|
+    test "Container update #{updates.inspect} when #{start_state} forbidden for non-admin" do
+      set_user_from_auth :active
+      c, _ = minimal_new
+      if start_state != Container::Queued
+        set_user_from_auth :dispatch1
+        c.lock
+        if start_state != Container::Locked
+          c.update_attributes! state: Container::Running
+          if start_state != Container::Running
+            c.update_attributes! state: start_state
+          end
+        end
+      end
+      assert_equal c.state, start_state
+      set_user_from_auth :active
+      assert_raises(ArvadosModel::PermissionDeniedError) do
+        c.update_attributes! updates
+      end
+    end
+  end
+
    test "Container only set exit code on complete" do
    test "Container only set exit code on complete" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -539,35 +835,94 @@ class ContainerTest < ActiveSupport::TestCase
      assert c.update_attributes(exit_code: 1, state: Container::Complete)
    end
  
      assert c.update_attributes(exit_code: 1, state: Container::Complete)
    end
  
-  test "locked_by_uuid can set output on running container" do
-    c, _ = minimal_new
-    set_user_from_auth :dispatch1
-    c.lock
-    c.update_attributes! state: Container::Running
-
-    assert_equal c.locked_by_uuid, Thread.current[:api_client_authorization].uuid
+  test "locked_by_uuid can update log when locked/running, and output when running" do
+    set_user_from_auth :active
+    logcoll = collections(:real_log_collection)
+    c, cr1 = minimal_new
+    cr2 = ContainerRequest.new(DEFAULT_ATTRS)
+    cr2.state = ContainerRequest::Committed
+    act_as_user users(:active) do
+      cr2.save!
+    end
+    assert_equal cr1.container_uuid, cr2.container_uuid
  
  
-    assert c.update_attributes output: collections(:collection_owned_by_active).portable_data_hash
-    assert c.update_attributes! state: Container::Complete
-  end
+    logpdh_time1 = logcoll.portable_data_hash
  
  
-  test "auth_uuid can set output on running container, but not change container state" do
-    c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      set_user_from_auth :dispatch1
      c.lock
-    c.update_attributes! state: Container::Running
-
-    Thread.current[:api_client_authorization] = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
-    Thread.current[:user] = User.find_by_id(Thread.current[:api_client_authorization].user_id)
-    assert c.update_attributes output: collections(:collection_owned_by_active).portable_data_hash
+    assert_equal c.locked_by_uuid, Thread.current[:api_client_authorization].uuid
+    c.update_attributes!(log: logpdh_time1)
+    c.update_attributes!(state: Container::Running)
+    cr1.reload
+    cr2.reload
+    cr1log_uuid = cr1.log_uuid
+    cr2log_uuid = cr2.log_uuid
+    assert_not_nil cr1log_uuid
+    assert_not_nil cr2log_uuid
+    assert_not_equal logcoll.uuid, cr1log_uuid
+    assert_not_equal logcoll.uuid, cr2log_uuid
+    assert_not_equal cr1log_uuid, cr2log_uuid
+
+    logcoll.update_attributes!(manifest_text: logcoll.manifest_text + ". acbd18db4cc2f85cedef654fccc4a4d8+3 0:3:foo.txt\n")
+    logpdh_time2 = logcoll.portable_data_hash
+
+    assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
+    assert c.update_attributes(log: logpdh_time2)
+    assert c.update_attributes(state: Container::Complete, log: logcoll.portable_data_hash)
+    c.reload
+    assert_equal collections(:collection_owned_by_active).portable_data_hash, c.output
+    assert_equal logpdh_time2, c.log
+    refute c.update_attributes(output: nil)
+    refute c.update_attributes(log: nil)
+    cr1.reload
+    cr2.reload
+    assert_equal cr1log_uuid, cr1.log_uuid
+    assert_equal cr2log_uuid, cr2.log_uuid
+    assert_equal 1, Collection.where(uuid: [cr1log_uuid, cr2log_uuid]).to_a.collect(&:portable_data_hash).uniq.length
+    assert_equal ". acbd18db4cc2f85cedef654fccc4a4d8+3 cdd549ae79fe6640fa3d5c6261d8303c+195 0:3:foo.txt 3:195:zzzzz-8i9sb-0vsrcqi7whchuil.log.txt
+./log\\040for\\040container\\040#{cr1.container_uuid} acbd18db4cc2f85cedef654fccc4a4d8+3 cdd549ae79fe6640fa3d5c6261d8303c+195 0:3:foo.txt 3:195:zzzzz-8i9sb-0vsrcqi7whchuil.log.txt
+", Collection.find_by_uuid(cr1log_uuid).manifest_text
+  end
+
+  ["auth_uuid", "runtime_token"].each do |tok|
+    test "#{tok} can set output, progress, runtime_status, state on running container -- but not log" do
+      if tok == "runtime_token"
+        set_user_from_auth :spectator
+        c, _ = minimal_new(container_image: "9ae44d5792468c58bcf85ce7353c7027+124",
+                           runtime_token: api_client_authorizations(:active).token)
+      else
+        set_user_from_auth :active
+        c, _ = minimal_new
+      end
+      set_user_from_auth :dispatch1
+      c.lock
+      c.update_attributes! state: Container::Running
+
+      if tok == "runtime_token"
+        auth = ApiClientAuthorization.validate(token: c.runtime_token)
+        Thread.current[:api_client_authorization] = auth
+        Thread.current[:api_client] = auth.api_client
+        Thread.current[:token] = auth.token
+        Thread.current[:user] = auth.user
+      else
+        auth = ApiClientAuthorization.find_by_uuid(c.auth_uuid)
+        Thread.current[:api_client_authorization] = auth
+        Thread.current[:api_client] = auth.api_client
+        Thread.current[:token] = auth.token
+        Thread.current[:user] = auth.user
+      end
  
  
-    assert_raises ArvadosModel::PermissionDeniedError do
-      # auth_uuid cannot set container state
-      c.update_attributes state: Container::Complete
+      assert c.update_attributes(output: collections(:collection_owned_by_active).portable_data_hash)
+      assert c.update_attributes(runtime_status: {'warning' => 'something happened'})
+      assert c.update_attributes(progress: 0.5)
+      refute c.update_attributes(log: collections(:real_log_collection).portable_data_hash)
+      c.reload
+      assert c.update_attributes(state: Container::Complete, exit_code: 0)
      end
    end
  
    test "not allowed to set output that is not readable by current user" do
      end
    end
  
    test "not allowed to set output that is not readable by current user" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -582,18 +937,20 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "other token cannot set output on running container" do
    end
  
    test "other token cannot set output on running container" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c.update_attributes! state: Container::Running
  
      set_user_from_auth :running_to_be_deleted_container_auth
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c.update_attributes! state: Container::Running
  
      set_user_from_auth :running_to_be_deleted_container_auth
-    assert_raises ArvadosModel::PermissionDeniedError do
-      c.update_attributes! output: collections(:foo_file).portable_data_hash
+    assert_raises(ArvadosModel::PermissionDeniedError) do
+      c.update_attributes(output: collections(:foo_file).portable_data_hash)
      end
    end
  
    test "can set trashed output on running container" do
      end
    end
  
    test "can set trashed output on running container" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -607,6 +964,7 @@ class ContainerTest < ActiveSupport::TestCase
    end
  
    test "not allowed to set trashed output that is not readable by current user" do
    end
  
    test "not allowed to set trashed output that is not readable by current user" do
+    set_user_from_auth :active
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
      c, _ = minimal_new
      set_user_from_auth :dispatch1
      c.lock
@@ -626,20 +984,24 @@ class ContainerTest < ActiveSupport::TestCase
      {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
      {state: Container::Cancelled},
    ].each do |final_attrs|
      {state: Container::Complete, exit_code: 0, output: '1f4b0bc7583c2a7f9102c395f4ffc5e3+45'},
      {state: Container::Cancelled},
    ].each do |final_attrs|
-    test "secret_mounts is null after container is #{final_attrs[:state]}" do
+    test "secret_mounts and runtime_token are null after container is #{final_attrs[:state]}" do
+      set_user_from_auth :active
        c, cr = minimal_new(secret_mounts: {'/secret' => {'kind' => 'text', 'content' => 'foo'}},
        c, cr = minimal_new(secret_mounts: {'/secret' => {'kind' => 'text', 'content' => 'foo'}},
-                          container_count_max: 1)
+                          container_count_max: 1, runtime_token: api_client_authorizations(:active).token)
        set_user_from_auth :dispatch1
        c.lock
        c.update_attributes!(state: Container::Running)
        c.reload
        assert c.secret_mounts.has_key?('/secret')
        set_user_from_auth :dispatch1
        c.lock
        c.update_attributes!(state: Container::Running)
        c.reload
        assert c.secret_mounts.has_key?('/secret')
+      assert_equal api_client_authorizations(:active).token, c.runtime_token
  
        c.update_attributes!(final_attrs)
        c.reload
        assert_equal({}, c.secret_mounts)
  
        c.update_attributes!(final_attrs)
        c.reload
        assert_equal({}, c.secret_mounts)
+      assert_nil c.runtime_token
        cr.reload
        assert_equal({}, cr.secret_mounts)
        cr.reload
        assert_equal({}, cr.secret_mounts)
+      assert_nil cr.runtime_token
        assert_no_secrets_logged
      end
    end
        assert_no_secrets_logged
      end
    end