Merge branch '13561-collection-versions-doc'

[arvados.git] / services / api / test / functional / arvados / v1 / users_controller_test.rb
diff --git a/services/api/test/functional/arvados/v1/users_controller_test.rb b/services/api/test/functional/arvados/v1/users_controller_test.rb

index e87068c5effdc69988fecbcdf41d111d581ea72f..b01597c05bf0280ea6cc6fa052ba98ff70526994 100644 (file)
--- a/services/api/test/functional/arvados/v1/users_controller_test.rb
+++ b/services/api/test/functional/arvados/v1/users_controller_test.rb
@@ -1,3 +1,7 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
  require 'test_helper'
  require 'helpers/users_test_helper'
  
  require 'test_helper'
  require 'helpers/users_test_helper'
  
@@ -6,8 +10,9 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
    include UsersTestHelper
  
    setup do
    include UsersTestHelper
  
    setup do
-    @all_links_at_start = Link.all
+    @initial_link_count = Link.count
      @vm_uuid = virtual_machines(:testvm).uuid
      @vm_uuid = virtual_machines(:testvm).uuid
+    ActionMailer::Base.deliveries = []
    end
  
    test "activate a user after signing UA" do
    end
  
    test "activate a user after signing UA" do
@@ -107,7 +112,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
      assert_nil created['identity_url'], 'expected no identity_url'
  
      # arvados#user, repo link and link add user to 'All users' group
      assert_nil created['identity_url'], 'expected no identity_url'
  
      # arvados#user, repo link and link add user to 'All users' group
-    verify_num_links @all_links_at_start, 4
+    verify_links_added 4
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          created['uuid'], created['email'], 'arvados#user', false, 'User'
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          created['uuid'], created['email'], 'arvados#user', false, 'User'
@@ -213,26 +218,6 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
          @vm_uuid, resp_obj['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
    end
  
          @vm_uuid, resp_obj['uuid'], 'arvados#virtualMachine', false, 'VirtualMachine'
    end
  
-  test "invoke setup with existing uuid in user, verify response" do
-    authorize_with :admin
-    inactive_user = users(:inactive)
-
-    post :setup, {
-      user: {uuid: inactive_user['uuid']},
-      openid_prefix: 'https://www.google.com/accounts/o8/id'
-    }
-
-    assert_response :success
-
-    response_items = JSON.parse(@response.body)['items']
-    resp_obj = find_obj_in_resp response_items, 'User', nil
-
-    assert_not_nil resp_obj['uuid'], 'expected uuid for the new user'
-    assert_equal inactive_user['uuid'], resp_obj['uuid']
-    assert_equal inactive_user['email'], resp_obj['email'],
-        'expecting inactive user email'
-  end
-
    test "invoke setup with existing uuid but different email, expect original email" do
      authorize_with :admin
      inactive_user = users(:inactive)
    test "invoke setup with existing uuid but different email, expect original email" do
      authorize_with :admin
      inactive_user = users(:inactive)
@@ -269,7 +254,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
      assert_equal response_object['email'], 'foo@example.com', 'expected given email'
  
      # four extra links; system_group, login, group and repo perms
      assert_equal response_object['email'], 'foo@example.com', 'expected given email'
  
      # four extra links; system_group, login, group and repo perms
-    verify_num_links @all_links_at_start, 4
+    verify_links_added 4
    end
  
    test "setup user with fake vm and expect error" do
    end
  
    test "setup user with fake vm and expect error" do
@@ -306,7 +291,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
      assert_equal response_object['email'], 'foo@example.com', 'expected given email'
  
      # five extra links; system_group, login, group, vm, repo
      assert_equal response_object['email'], 'foo@example.com', 'expected given email'
  
      # five extra links; system_group, login, group, vm, repo
-    verify_num_links @all_links_at_start, 5
+    verify_links_added 5
    end
  
    test "setup user with valid email, no vm and no repo as input" do
    end
  
    test "setup user with valid email, no vm and no repo as input" do
@@ -324,7 +309,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
      assert_equal response_object['email'], 'foo@example.com', 'expected given email'
  
      # three extra links; system_group, login, and group
      assert_equal response_object['email'], 'foo@example.com', 'expected given email'
  
      # three extra links; system_group, login, and group
-    verify_num_links @all_links_at_start, 3
+    verify_links_added 3
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          response_object['uuid'], response_object['email'], 'arvados#user', false, 'User'
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          response_object['uuid'], response_object['email'], 'arvados#user', false, 'User'
@@ -361,7 +346,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
          'expecting first name'
  
      # five extra links; system_group, login, group, repo and vm
          'expecting first name'
  
      # five extra links; system_group, login, group, repo and vm
-    verify_num_links @all_links_at_start, 5
+    verify_links_added 5
    end
  
    test "setup user with an existing user email and check different object is created" do
    end
  
    test "setup user with an existing user email and check different object is created" do
@@ -384,7 +369,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
          'expected different uuid after create operation'
      assert_equal inactive_user['email'], response_object['email'], 'expected given email'
      # system_group, openid, group, and repo. No vm link.
          'expected different uuid after create operation'
      assert_equal inactive_user['email'], response_object['email'], 'expected given email'
      # system_group, openid, group, and repo. No vm link.
-    verify_num_links @all_links_at_start, 4
+    verify_links_added 4
    end
  
    test "setup user with openid prefix" do
    end
  
    test "setup user with openid prefix" do
@@ -412,7 +397,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
  
      # verify links
      # four new links: system_group, arvados#user, repo, and 'All users' group.
  
      # verify links
      # four new links: system_group, arvados#user, repo, and 'All users' group.
-    verify_num_links @all_links_at_start, 4
+    verify_links_added 4
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          created['uuid'], created['email'], 'arvados#user', false, 'User'
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          created['uuid'], created['email'], 'arvados#user', false, 'User'
@@ -472,7 +457,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
  
      # five new links: system_group, arvados#user, repo, vm and 'All
      # users' group link
  
      # five new links: system_group, arvados#user, repo, vm and 'All
      # users' group link
-    verify_num_links @all_links_at_start, 5
+    verify_links_added 5
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          created['uuid'], created['email'], 'arvados#user', false, 'User'
  
      verify_link response_items, 'arvados#user', true, 'permission', 'can_login',
          created['uuid'], created['email'], 'arvados#user', false, 'User'
@@ -603,7 +588,7 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
  
      active_user = User.find_by_uuid(users(:active).uuid)
      readable_groups = active_user.groups_i_can(:read)
  
      active_user = User.find_by_uuid(users(:active).uuid)
      readable_groups = active_user.groups_i_can(:read)
-    all_users_group = Group.all.collect(&:uuid).select { |g| g.match /-f+$/ }
+    all_users_group = Group.all.collect(&:uuid).select { |g| g.match(/-f+$/) }
      refute_includes(readable_groups, all_users_group,
                      "active user can read All Users group after being deactivated")
      assert_equal(false, active_user.is_invited,
      refute_includes(readable_groups, all_users_group,
                      "active user can read All Users group after being deactivated")
      assert_equal(false, active_user.is_invited,
@@ -653,13 +638,28 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
  
      assert_equal Rails.configuration.user_notifier_email_from, setup_email.from[0]
      assert_equal 'foo@example.com', setup_email.to[0]
  
      assert_equal Rails.configuration.user_notifier_email_from, setup_email.from[0]
      assert_equal 'foo@example.com', setup_email.to[0]
-    assert_equal 'Welcome to Curoverse', setup_email.subject
-    assert (setup_email.body.to_s.include? 'Your Arvados account has been set up'),
-        'Expected Your Arvados account has been set up in email body'
-    assert (setup_email.body.to_s.include? 'foo@example.com'),
-        'Expected user email in email body'
-    assert (setup_email.body.to_s.include? Rails.configuration.workbench_address),
-        'Expected workbench url in email body'
+    assert_equal 'Welcome to Curoverse - shell account enabled', setup_email.subject
+    assert (setup_email.body.to_s.include? 'Your Arvados shell account has been set up'),
+        'Expected Your Arvados shell account has been set up in email body'
+    assert (setup_email.body.to_s.include? "#{Rails.configuration.workbench_address}users/#{created['uuid']}/virtual_machines"), 'Expected virtual machines url in email body'
+  end
+
+  test "setup inactive user by changing is_active to true" do
+    authorize_with :admin
+    active_user = users(:active)
+
+    # invoke setup with a repository
+    put :update, {
+          id: active_user['uuid'],
+          user: {
+            is_active: true,
+          }
+        }
+    assert_response :success
+    assert_equal active_user['uuid'], json_response['uuid']
+    updated = User.where(uuid: active_user['uuid']).first
+    assert_equal(true, updated.is_active)
+    assert_equal({read: true}, updated.group_permissions[all_users_group_uuid])
    end
  
    test "non-admin user can get basic information about readable users" do
    end
  
    test "non-admin user can get basic information about readable users" do
@@ -794,9 +794,147 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
                      "user's writable_by should include its owner_uuid")
    end
  
                      "user's writable_by should include its owner_uuid")
    end
  
+  [
+    [:admin, true],
+    [:active, false],
+  ].each do |auth_user, expect_success|
+    test "update_uuid as #{auth_user}" do
+      authorize_with auth_user
+      orig_uuid = users(:active).uuid
+      post :update_uuid, {
+             id: orig_uuid,
+             new_uuid: 'zbbbb-tpzed-abcde12345abcde',
+           }
+      if expect_success
+        assert_response :success
+        assert_empty User.where(uuid: orig_uuid)
+      else
+        assert_response 403
+        assert_not_empty User.where(uuid: orig_uuid)
+      end
+    end
+  end
+
+  test "refuse to merge with redirect_to_user_uuid=false (not yet supported)" do
+    authorize_with :project_viewer_trustedclient
+    post :merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           new_owner_uuid: users(:active).uuid,
+           redirect_to_new_user: false,
+         }
+    assert_response(422)
+  end
+
+  test "refuse to merge user into self" do
+    authorize_with(:active_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           new_owner_uuid: users(:active).uuid,
+           redirect_to_new_user: true,
+         })
+    assert_response(422)
+  end
+
+  [[:active, :project_viewer_trustedclient],
+   [:active_trustedclient, :project_viewer]].each do |src, dst|
+    test "refuse to merge with untrusted token (#{src} -> #{dst})" do
+      authorize_with(src)
+      post(:merge, {
+             new_user_token: api_client_authorizations(dst).api_token,
+             new_owner_uuid: api_client_authorizations(dst).user.uuid,
+             redirect_to_new_user: true,
+           })
+      assert_response(403)
+    end
+  end
+
+  [[:expired_trustedclient, :project_viewer_trustedclient],
+   [:project_viewer_trustedclient, :expired_trustedclient]].each do |src, dst|
+    test "refuse to merge with expired token (#{src} -> #{dst})" do
+      authorize_with(src)
+      post(:merge, {
+             new_user_token: api_client_authorizations(dst).api_token,
+             new_owner_uuid: api_client_authorizations(dst).user.uuid,
+             redirect_to_new_user: true,
+           })
+      assert_response(401)
+    end
+  end
+
+  [['src', :active_trustedclient],
+   ['dst', :project_viewer_trustedclient]].each do |which_scoped, auth|
+    test "refuse to merge with scoped #{which_scoped} token" do
+      act_as_system_user do
+        api_client_authorizations(auth).update_attributes(scopes: ["GET /", "POST /", "PUT /"])
+      end
+      authorize_with(:active_trustedclient)
+      post(:merge, {
+             new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
+             new_owner_uuid: users(:project_viewer).uuid,
+             redirect_to_new_user: true,
+           })
+      assert_response(403)
+    end
+  end
+
+  test "refuse to merge if new_owner_uuid is not writable" do
+    authorize_with(:project_viewer_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           new_owner_uuid: groups(:anonymously_accessible_project).uuid,
+           redirect_to_new_user: true,
+         })
+    assert_response(403)
+  end
+
+  test "refuse to merge if new_owner_uuid is empty" do
+    authorize_with(:project_viewer_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           new_owner_uuid: "",
+           redirect_to_new_user: true,
+         })
+    assert_response(422)
+  end
+
+  test "refuse to merge if new_owner_uuid is not provided" do
+    authorize_with(:project_viewer_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           redirect_to_new_user: true,
+         })
+    assert_response(422)
+  end
+
+  test "refuse to update redirect_to_user_uuid directly" do
+    authorize_with(:active_trustedclient)
+    patch(:update, {
+            id: users(:active).uuid,
+            user: {
+              redirect_to_user_uuid: users(:active).uuid,
+            },
+          })
+    assert_response(403)
+  end
+
+  test "merge 'project_viewer' account into 'active' account" do
+    authorize_with(:project_viewer_trustedclient)
+    post(:merge, {
+           new_user_token: api_client_authorizations(:active_trustedclient).api_token,
+           new_owner_uuid: users(:active).uuid,
+           redirect_to_new_user: true,
+         })
+    assert_response(:success)
+    assert_equal(users(:project_viewer).redirect_to_user_uuid, users(:active).uuid)
+
+    auth = ApiClientAuthorization.validate(token: api_client_authorizations(:project_viewer).api_token)
+    assert_not_nil(auth)
+    assert_not_nil(auth.user)
+    assert_equal(users(:active).uuid, auth.user.uuid)
+  end
  
    NON_ADMIN_USER_DATA = ["uuid", "kind", "is_active", "email", "first_name",
  
    NON_ADMIN_USER_DATA = ["uuid", "kind", "is_active", "email", "first_name",
-                         "last_name"].sort
+                         "last_name", "username"].sort
  
    def check_non_admin_index
      assert_response :success
  
    def check_non_admin_index
      assert_response :success
@@ -844,15 +982,13 @@ class Arvados::V1::UsersControllerTest < ActionController::TestCase
                   "admin's filtered index did not return inactive user")
    end
  
                   "admin's filtered index did not return inactive user")
    end
  
-  def verify_num_links (original_links, expected_additional_links)
-    links_now = Link.all
-    assert_equal expected_additional_links, Link.all.size-original_links.size,
-        "Expected #{expected_additional_links.inspect} more links"
+  def verify_links_added more
+    assert_equal @initial_link_count+more, Link.count,
+        "Started with #{@initial_link_count} links, expected #{more} more"
    end
  
    def find_obj_in_resp (response_items, object_type, head_kind=nil)
      return_obj = nil
    end
  
    def find_obj_in_resp (response_items, object_type, head_kind=nil)
      return_obj = nil
-    response_items
      response_items.each { |x|
        if !x
          next
      response_items.each { |x|
        if !x
          next