19146: Add can_write/can_manage to users#list, fix select=can_*.
[arvados.git] / lib / controller / localdb / group_test.go
index 2d55def9f6cbba8c68d2520b6d629845204bb26f..78150c95527dc0f66ed6187bd64e93c7aef428c8 100644 (file)
@@ -24,14 +24,7 @@ type GroupSuite struct {
        railsSpy *arvadostest.Proxy
 }
 
-func (s *GroupSuite) TearDownSuite(c *check.C) {
-       // Undo any changes/additions to the user database so they
-       // don't affect subsequent tests.
-       arvadostest.ResetEnv()
-       c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
-}
-
-func (s *GroupSuite) SetUpTest(c *check.C) {
+func (s *GroupSuite) SetUpSuite(c *check.C) {
        cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
        c.Assert(err, check.IsNil)
        s.cluster, err = cfg.GetCluster("")
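Review bot: Moving the fixture from SetUpTest to SetUpSuite means every test in GroupSuite now shares one s.cluster, s.localdb and railsSpy, and the database is reset only once, in TearDownSuite. Records created by one test now persist for the rest of the suite; the new TestCanWriteCanManageResponses, for instance, leaves behind a frozen project and a can_manage link for the spectator user. If the sharing is intentional, a comment on SetUpSuite such as `// Fixtures are shared by all tests in this suite; tests must not assume a pristine database.` would make the contract explicit. setUpVocabulary is visible here only by its signature, so whether it mutates the shared s.cluster or s.localdb should be checked. SetUpSuite's body continues outside this hunk.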
@@ -41,8 +34,12 @@ func (s *GroupSuite) SetUpTest(c *check.C) {
        *s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
 }
 
-func (s *GroupSuite) TearDownTest(c *check.C) {
+func (s *GroupSuite) TearDownSuite(c *check.C) {
        s.railsSpy.Close()
+       // Undo any changes/additions to the user database so they
+       // don't affect subsequent tests.
+       arvadostest.ResetEnv()
+       c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
 }
 
 func (s *GroupSuite) setUpVocabulary(c *check.C, testVocabulary string) {
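Review bot: TearDownSuite calls `s.railsSpy.Close()` unconditionally and before the database reset. If SetUpSuite aborts at one of its `c.Assert` calls before railsSpy is assigned, the close would likely panic on a nil proxy and the reset would be skipped. Guarding it with `if s.railsSpy != nil { s.railsSpy.Close() }`, or issuing the reset first, keeps cleanup independent of how far setup got. This assumes the check framework still runs TearDownSuite after a failed SetUpSuite, which should be confirmed.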
@@ -136,3 +133,136 @@ func (s *GroupSuite) TestGroupUpdateWithProperties(c *check.C) {
                }
        }
 }
+
+func (s *GroupSuite) TestCanWriteCanManageResponses(c *check.C) {
+       ctxUser1 := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.ActiveTokenV2}})
+       ctxUser2 := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.SpectatorToken}})
+       ctxAdmin := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.AdminToken}})
+       project, err := s.localdb.GroupCreate(ctxUser1, arvados.CreateOptions{
+               Attrs: map[string]interface{}{
+                       "group_class": "project",
+               },
+       })
+       c.Assert(err, check.IsNil)
+       c.Check(project.CanWrite, check.Equals, true)
+       c.Check(project.CanManage, check.Equals, true)
+
+       subproject, err := s.localdb.GroupCreate(ctxUser1, arvados.CreateOptions{
+               Attrs: map[string]interface{}{
+                       "owner_uuid":  project.UUID,
+                       "group_class": "project",
+               },
+       })
+       c.Assert(err, check.IsNil)
+       c.Check(subproject.CanWrite, check.Equals, true)
+       c.Check(subproject.CanManage, check.Equals, true)
+
+       projlist, err := s.localdb.GroupList(ctxUser1, arvados.ListOptions{
+               Limit:   -1,
+               Filters: []arvados.Filter{{"uuid", "in", []string{project.UUID, subproject.UUID}}},
+       })
+       c.Assert(err, check.IsNil)
+       c.Assert(projlist.Items, check.HasLen, 2)
+       for _, p := range projlist.Items {
+               c.Check(p.CanWrite, check.Equals, true)
+               c.Check(p.CanManage, check.Equals, true)
+       }
+
+       // Give 2nd user permission to read
+       permlink, err := s.localdb.LinkCreate(ctxAdmin, arvados.CreateOptions{
+               Attrs: map[string]interface{}{
+                       "link_class": "permission",
+                       "name":       "can_read",
+                       "tail_uuid":  arvadostest.SpectatorUserUUID,
+                       "head_uuid":  project.UUID,
+               },
+       })
+       c.Assert(err, check.IsNil)
+
+       // As 2nd user: can read, cannot manage, cannot write
+       project2, err := s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+       c.Assert(err, check.IsNil)
+       c.Check(project2.CanWrite, check.Equals, false)
+       c.Check(project2.CanManage, check.Equals, false)
+
+       _, err = s.localdb.LinkUpdate(ctxAdmin, arvados.UpdateOptions{
+               UUID: permlink.UUID,
+               Attrs: map[string]interface{}{
+                       "name": "can_write",
+               },
+       })
+       c.Assert(err, check.IsNil)
+
+       // As 2nd user: cannot manage, can write
+       project2, err = s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+       c.Assert(err, check.IsNil)
+       c.Check(project2.CanWrite, check.Equals, true)
+       c.Check(project2.CanManage, check.Equals, false)
+
+       // As owner: after freezing, can manage (owner), cannot write (frozen)
+       project, err = s.localdb.GroupUpdate(ctxUser1, arvados.UpdateOptions{
+               UUID: project.UUID,
+               Attrs: map[string]interface{}{
+                       "frozen_by_uuid": arvadostest.ActiveUserUUID,
+               }})
+       c.Assert(err, check.IsNil)
+       c.Check(project.CanWrite, check.Equals, false)
+       c.Check(project.CanManage, check.Equals, true)
+
+       // As admin: can manage (admin), cannot write (frozen)
+       project, err = s.localdb.GroupGet(ctxAdmin, arvados.GetOptions{UUID: project.UUID})
+       c.Assert(err, check.IsNil)
+       c.Check(project.CanWrite, check.Equals, false)
+       c.Check(project.CanManage, check.Equals, true)
+
+       // As 2nd user: cannot manage (perm), cannot write (frozen)
+       project2, err = s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+       c.Assert(err, check.IsNil)
+       c.Check(project2.CanWrite, check.Equals, false)
+       c.Check(project2.CanManage, check.Equals, false)
+
+       // After upgrading perm to "manage", as 2nd user: can manage (perm), cannot write (frozen)
+       _, err = s.localdb.LinkUpdate(ctxAdmin, arvados.UpdateOptions{
+               UUID: permlink.UUID,
+               Attrs: map[string]interface{}{
+                       "name": "can_manage",
+               },
+       })
+       c.Assert(err, check.IsNil)
+       project2, err = s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+       c.Assert(err, check.IsNil)
+       c.Check(project2.CanWrite, check.Equals, false)
+       c.Check(project2.CanManage, check.Equals, true)
+
+       // 2nd user can also manage (but not write) the subject inside the frozen project
+       subproject2, err := s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: subproject.UUID})
+       c.Assert(err, check.IsNil)
+       c.Check(subproject2.CanWrite, check.Equals, false)
+       c.Check(subproject2.CanManage, check.Equals, true)
+
+       u, err := s.localdb.UserGet(ctxUser1, arvados.GetOptions{
+               UUID: arvadostest.ActiveUserUUID,
+       })
+       c.Assert(err, check.IsNil)
+       c.Check(u.CanWrite, check.Equals, true)
+       c.Check(u.CanManage, check.Equals, true)
+
+       for _, selectParam := range [][]string{
+               nil,
+               {"can_write", "can_manage"},
+       } {
+               c.Logf("selectParam: %+v", selectParam)
+               ulist, err := s.localdb.UserList(ctxUser1, arvados.ListOptions{
+                       Limit:   -1,
+                       Filters: []arvados.Filter{{"uuid", "=", arvadostest.ActiveUserUUID}},
+                       Select:  selectParam,
+               })
+               c.Assert(err, check.IsNil)
+               c.Assert(ulist.Items, check.HasLen, 1)
+               c.Logf("%+v", ulist.Items)
+               for _, u := range ulist.Items {
+                       c.Check(u.CanWrite, check.Equals, true)
+                       c.Check(u.CanManage, check.Equals, true)
+               }
+       }
+}
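Review bot: The user checks at the end of TestCanWriteCanManageResponses cover only the self case (ctxUser1 reading ActiveUserUUID), where both flags are true, so an implementation that always reports can_write/can_manage as true for users would still pass. One assertion with an expected value of false would pin the negative path, as the group checks earlier in the test already do; for example, a UserGet or UserList for the same UUID under ctxUser2, if the fixtures let that user read the record. The select loop also tries only `nil` and both fields together; a single-field case such as `{"can_write"}` would exercise the select=can_* fix more directly. Minor: in the comment `the subject inside the frozen project`, "subject" presumably should read "subproject".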