X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1e3eacb0ca6f2228f50f13514c7577a149a707e6..bdc069a04fd98529f5c79c6b8a7164fb9119723d:/lib/controller/integration_test.go diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go index 2adb5811ea..3bf64771d7 100644 --- a/lib/controller/integration_test.go +++ b/lib/controller/integration_test.go @@ -7,8 +7,11 @@ package controller import ( "bytes" "context" + "encoding/json" "io" + "math" "net" + "net/http" "net/url" "os" "path/filepath" @@ -73,7 +76,7 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { TLS: Insecure: true Login: - # LoginCluster: z1111 + LoginCluster: z1111 SystemLogs: Format: text RemoteClusters: @@ -83,19 +86,26 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { Insecure: true Proxy: true ActivateUsers: true - z2222: +` + if id != "z2222" { + yaml += ` z2222: Host: ` + hostport["z2222"] + ` Scheme: https Insecure: true Proxy: true ActivateUsers: true - z3333: +` + } + if id != "z3333" { + yaml += ` z3333: Host: ` + hostport["z3333"] + ` Scheme: https Insecure: true Proxy: true ActivateUsers: true ` + } + loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c)) loader.Path = "-" loader.SkipLegacy = true @@ -113,7 +123,7 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { }, config: *cfg, } - s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config) + s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-") } for _, tc := range s.testClusters { au, ok := tc.super.WaitReady() @@ -149,7 +159,7 @@ func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (con return ctx, ac, kc } -func (s *IntegrationSuite) userClients(c *check.C, conn *rpc.Conn, rootctx context.Context, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) { +func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) { login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{ ReturnTo: ",https://example.com", AuthInfo: rpc.UserSessionAuthInfo{ @@ -190,7 +200,7 @@ func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) { conn1 := s.conn("z1111") rootctx1, _, _ := s.rootClients("z1111") conn3 := s.conn("z3333") - userctx1, ac1, kc1 := s.userClients(c, conn1, rootctx1, "z1111", true) + userctx1, ac1, kc1 := s.userClients(rootctx1, c, conn1, "z1111", true) // Create the collection to find its PDH (but don't save it // anywhere yet) @@ -223,3 +233,143 @@ func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) { c.Check(err, check.IsNil) c.Check(coll.PortableDataHash, check.Equals, pdh) } + +// Get a token from the login cluster (z1111), use it to submit a +// container request on z2222. +func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) { + conn1 := s.conn("z1111") + rootctx1, _, _ := s.rootClients("z1111") + _, ac1, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + + // Use ac2 to get the discovery doc with a blank token, so the + // SDK doesn't magically pass the z1111 token to z2222 before + // we're ready to start our test. + _, ac2, _ := s.clientsWithToken("z2222", "") + var dd map[string]interface{} + err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil) + c.Assert(err, check.IsNil) + + var ( + body bytes.Buffer + req *http.Request + resp *http.Response + u arvados.User + cr arvados.ContainerRequest + ) + json.NewEncoder(&body).Encode(map[string]interface{}{ + "container_request": map[string]interface{}{ + "command": []string{"echo"}, + "container_image": "d41d8cd98f00b204e9800998ecf8427e+0", + "cwd": "/", + "output_path": "/", + }, + }) + ac2.AuthToken = ac1.AuthToken + + c.Log("...post CR with good (but not yet cached) token") + cr = arvados.ContainerRequest{} + req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes())) + c.Assert(err, check.IsNil) + req.Header.Set("Content-Type", "application/json") + err = ac2.DoAndDecode(&cr, req) + c.Logf("err == %#v", err) + + c.Log("...get user with good token") + u = arvados.User{} + req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil) + c.Assert(err, check.IsNil) + err = ac2.DoAndDecode(&u, req) + c.Check(err, check.IsNil) + c.Check(u.UUID, check.Matches, "z1111-tpzed-.*") + + c.Log("...post CR with good cached token") + cr = arvados.ContainerRequest{} + req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes())) + c.Assert(err, check.IsNil) + req.Header.Set("Content-Type", "application/json") + err = ac2.DoAndDecode(&cr, req) + c.Check(err, check.IsNil) + c.Check(cr.UUID, check.Matches, "z2222-.*") + + c.Log("...post with good cached token ('OAuth2 ...')") + cr = arvados.ContainerRequest{} + req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes())) + c.Assert(err, check.IsNil) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken) + resp, err = arvados.InsecureHTTPClient.Do(req) + if c.Check(err, check.IsNil) { + err = json.NewDecoder(resp.Body).Decode(&cr) + c.Check(cr.UUID, check.Matches, "z2222-.*") + } +} + +// Test for bug #16263 +func (s *IntegrationSuite) TestListUsers(c *check.C) { + rootctx1, _, _ := s.rootClients("z1111") + conn1 := s.conn("z1111") + conn3 := s.conn("z3333") + userctx1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + + // Make sure LoginCluster is properly configured + for cls := range s.testClusters { + c.Check( + s.testClusters[cls].config.Clusters[cls].Login.LoginCluster, + check.Equals, "z1111", + check.Commentf("incorrect LoginCluster config on cluster %q", cls)) + } + // Make sure z1111 has users with NULL usernames + lst, err := conn1.UserList(rootctx1, arvados.ListOptions{ + Limit: math.MaxInt64, // check that large limit works (see #16263) + }) + nullUsername := false + c.Assert(err, check.IsNil) + c.Assert(len(lst.Items), check.Not(check.Equals), 0) + for _, user := range lst.Items { + if user.Username == "" { + nullUsername = true + } + } + c.Assert(nullUsername, check.Equals, true) + + user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Check(user1.IsActive, check.Equals, true) + + // Ask for the user list on z3333 using z1111's system root token + lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.IsNil) + found := false + for _, user := range lst.Items { + if user.UUID == user1.UUID { + c.Check(user.IsActive, check.Equals, true) + found = true + break + } + } + c.Check(found, check.Equals, true) + + // Deactivate user acct on z1111 + _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID}) + c.Assert(err, check.IsNil) + + // Get user list from z3333, check the returned z1111 user is + // deactivated + lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.IsNil) + found = false + for _, user := range lst.Items { + if user.UUID == user1.UUID { + c.Check(user.IsActive, check.Equals, false) + found = true + break + } + } + c.Check(found, check.Equals, true) + + // Deactivated user can see is_active==false via "get current + // user" API + user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Check(user1.IsActive, check.Equals, false) +}