X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1d1c6de3c842a33a57b7d469fdaaaa1b873433dc..8c82f404b48a159797bd0e96e3d0098f0cf3ba16:/services/api/test/unit/create_superuser_token_test.rb
diff --git a/services/api/test/unit/create_superuser_token_test.rb b/services/api/test/unit/create_superuser_token_test.rb
index d5ca3f9650..e95e0f2264 100644
--- a/services/api/test/unit/create_superuser_token_test.rb
+++ b/services/api/test/unit/create_superuser_token_test.rb
@@ -1,3 +1,8 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+require 'safe_json'
 require 'test_helper'
 require 'create_superuser_token'
@@ -73,6 +78,25 @@ class CreateSuperUserTokenTest < ActiveSupport::TestCase
 create_superuser_token active_user_token
 end
 assert_not_nil e
- assert_equal "Token already exists but is not a superuser token.", e.message
+ assert_equal "Token exists but is not a superuser token.", e.message
+ end
+
+ test "specified token has limited scope" do
+ active_user_token = api_client_authorizations("data_manager").api_token
+ e = assert_raises RuntimeError do
+ create_superuser_token active_user_token
+ end
+ assert_not_nil e
+ assert_match /^Token exists but has limited scope/, e.message
+ end
+
+ test "existing token has limited scope" do
+ active_user_token = api_client_authorizations("admin_vm").api_token
+ ApiClientAuthorization.
+ where(user_id: system_user.id).
+ update_all(scopes: ["GET /"])
+ fixture_tokens = ApiClientAuthorization.all.collect(&:api_token)
+ new_token = create_superuser_token
+ refute_includes(fixture_tokens, new_token)
 end
 end
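Review bot: The "existing token has limited scope" test only shows that `create_superuser_token` returned a string not among the existing tokens; it never checks that the returned token is itself unrestricted, which is the property the scope check protects. Consider loading the record and asserting on it, e.g. `auth = ApiClientAuthorization.find_by(api_token: new_token)` followed by `assert_equal ["all"], auth.scopes` (assuming `["all"]` is this codebase's unrestricted value — confirm against the model). In the same test `active_user_token` is assigned but never used and can be dropped. In "specified token has limited scope", `^` matches at the start of any line and the bare regex argument is ambiguous to the parser, so `assert_match(/\AToken exists but has limited scope/, e.message)` is the tighter form. The enclosing class and the test containing the changed `assert_equal` both begin outside this hunk.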