X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/0f8dc3d824f03b82b8db9f61bbcc0592b62b998f..06cf38c24519fa21556686545c768429b5af50dc:/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb diff --git a/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb b/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb index 5da9145a81..192e6b956d 100644 --- a/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb +++ b/services/api/test/functional/arvados/v1/api_client_authorizations_controller_test.rb @@ -68,46 +68,80 @@ class Arvados::V1::ApiClientAuthorizationsControllerTest < ActionController::Tes end end - [ - [:admin, :admin, 200], - [:admin, :active, 403], - [:admin, :admin_vm, 403], # this belongs to the user of current session, but we can't get it by uuid - [:admin_trustedclient, :active, 200], - ].each do |user, token, status| - test "as user #{user} get #{token} token and expect #{status}" do + [# anyone can look up the token they're currently using + [:admin, :admin, 200, 200, 1], + [:active, :active, 200, 200, 1], + # cannot look up other tokens (even for same user) if not trustedclient + [:admin, :active, 403, 403], + [:admin, :admin_vm, 403, 403], + [:active, :admin, 403, 403], + # cannot look up other tokens for other users, regardless of trustedclient + [:admin_trustedclient, :active, 404, 200, 0], + [:active_trustedclient, :admin, 404, 200, 0], + ].each do |user, token, expect_get_response, expect_list_response, expect_list_items| + test "using '#{user}', get '#{token}' by uuid" do authorize_with user - get :show, {id: api_client_authorizations(token).uuid} - assert_response status + get :show, { + id: api_client_authorizations(token).uuid, + } + assert_response expect_get_response + end + + test "using '#{user}', update '#{token}' by uuid" do + authorize_with user + put :update, { + id: api_client_authorizations(token).uuid, + api_client_authorization: {}, + } + assert_response expect_get_response + end + + test "using '#{user}', delete '#{token}' by uuid" do + authorize_with user + post :destroy, { + id: api_client_authorizations(token).uuid, + } + assert_response expect_get_response end - end - [ - [:admin, :admin, 200], - [:admin, :active, 403], - [:admin, :admin_vm, 403], # this belongs to the user of current session, but we can't list it by uuid - [:admin_trustedclient, :active, 200], - ].each do |user, token, status| - test "as user #{user} list #{token} token using uuid and expect #{status}" do + test "using '#{user}', list '#{token}' by uuid" do authorize_with user get :index, { - filters: [['uuid','=',api_client_authorizations(token).uuid]] + filters: [['uuid','=',api_client_authorizations(token).uuid]], } - assert_response status + assert_response expect_list_response + if expect_list_items + assert_equal assigns(:objects).length, expect_list_items + end end - end - [ - [:admin, :admin, 200], - [:admin, :active, 403], - [:admin, :admin_vm, 200], # this belongs to the user of current session, and can be listed by token - [:admin_trustedclient, :active, 200], - ].each do |user, token, status| - test "as user #{user} list #{token} token using token and expect #{status}" do + test "using '#{user}', list '#{token}' by token" do authorize_with user get :index, { - filters: [['api_token','=',api_client_authorizations(token).api_token]] + filters: [['api_token','=',api_client_authorizations(token).api_token]], } - assert_response status + assert_response expect_list_response + if expect_list_items + assert_equal assigns(:objects).length, expect_list_items + end end end + + test "scoped token cannot change its own scopes" do + authorize_with :admin_vm + put :update, { + id: api_client_authorizations(:admin_vm).uuid, + api_client_authorization: {scopes: ['all']}, + } + assert_response 403 + end + + test "token cannot change its own uuid" do + authorize_with :admin + put :update, { + id: api_client_authorizations(:admin).uuid, + api_client_authorization: {uuid: 'zzzzz-gj3su-zzzzzzzzzzzzzzz'}, + } + assert_response 403 + end end