X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/22fcbed20b2691bcdfa5854004dcb95aa1f2e40d..365b9ca0ea4291d9864297593d185aeef66457ba:/lib/controller/integration_test.go diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go index 6851442054..4cf6a68328 100644 --- a/lib/controller/integration_test.go +++ b/lib/controller/integration_test.go @@ -150,6 +150,16 @@ func (s *IntegrationSuite) TearDownSuite(c *check.C) { } } +func (s *IntegrationSuite) TestDefaultStorageClassesOnCollections(c *check.C) { + conn := s.testClusters["z1111"].Conn() + rootctx, _, _ := s.testClusters["z1111"].RootClients() + userctx, _, kc, _ := s.testClusters["z1111"].UserClients(rootctx, c, conn, s.oidcprovider.AuthEmail, true) + c.Assert(len(kc.DefaultStorageClasses) > 0, check.Equals, true) + coll, err := conn.CollectionCreate(userctx, arvados.CreateOptions{}) + c.Assert(err, check.IsNil) + c.Assert(coll.StorageClassesDesired, check.DeepEquals, kc.DefaultStorageClasses) +} + func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) { conn1 := s.testClusters["z1111"].Conn() rootctx1, _, _ := s.testClusters["z1111"].RootClients() @@ -652,6 +662,111 @@ func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) { } } +// Test for bug #18076 +func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) { + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + _, rootclnt3, _ := s.testClusters["z3333"].RootClients() + conn1 := s.testClusters["z1111"].Conn() + conn3 := s.testClusters["z3333"].Conn() + + // Make sure LoginCluster is properly configured + for cls := range s.testClusters { + if cls == "z1111" || cls == "z3333" { + c.Check( + s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster, + check.Equals, "z1111", + check.Commentf("incorrect LoginCluster config on cluster %q", cls)) + } + } + + for testCaseNr, testCase := range []struct { + name string + withRepository bool + }{ + {"User without local repository", false}, + {"User with local repository", true}, + } { + c.Log(c.TestName() + " " + testCase.name) + // Create some users, request them on the federated cluster so they're cached. + var users []arvados.User + for userNr := 0; userNr < 2; userNr++ { + _, _, _, user := s.testClusters["z1111"].UserClients( + rootctx1, + c, + conn1, + fmt.Sprintf("user%d%d@example.com", testCaseNr, userNr), + true) + c.Assert(user.Username, check.Not(check.Equals), "") + users = append(users, user) + + lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.Equals, nil) + userFound := false + for _, fedUser := range lst.Items { + if fedUser.UUID == user.UUID { + c.Assert(fedUser.Username, check.Equals, user.Username) + userFound = true + break + } + } + c.Assert(userFound, check.Equals, true) + + if testCase.withRepository { + var repo interface{} + err = rootclnt3.RequestAndDecode( + &repo, "POST", "arvados/v1/repositories", nil, + map[string]interface{}{ + "repository": map[string]string{ + "name": fmt.Sprintf("%s/test", user.Username), + "owner_uuid": user.UUID, + }, + }, + ) + c.Assert(err, check.IsNil) + } + } + + // Swap the usernames + _, err := conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ + UUID: users[0].UUID, + Attrs: map[string]interface{}{ + "username": "", + }, + }) + c.Assert(err, check.Equals, nil) + _, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ + UUID: users[1].UUID, + Attrs: map[string]interface{}{ + "username": users[0].Username, + }, + }) + c.Assert(err, check.Equals, nil) + _, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{ + UUID: users[0].UUID, + Attrs: map[string]interface{}{ + "username": users[1].Username, + }, + }) + c.Assert(err, check.Equals, nil) + + // Re-request the list on the federated cluster & check for updates + lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.Equals, nil) + var user0Found, user1Found bool + for _, user := range lst.Items { + if user.UUID == users[0].UUID { + user0Found = true + c.Assert(user.Username, check.Equals, users[1].Username) + } else if user.UUID == users[1].UUID { + user1Found = true + c.Assert(user.Username, check.Equals, users[0].Username) + } + } + c.Assert(user0Found, check.Equals, true) + c.Assert(user1Found, check.Equals, true) + } +} + // Test for bug #16263 func (s *IntegrationSuite) TestListUsers(c *check.C) { rootctx1, _, _ := s.testClusters["z1111"].RootClients() @@ -676,6 +791,7 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) { for _, user := range lst.Items { if user.Username == "" { nullUsername = true + break } } c.Assert(nullUsername, check.Equals, true) @@ -715,11 +831,9 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) { } c.Check(found, check.Equals, true) - // Deactivated user can see is_active==false via "get current - // user" API + // Deactivated user no longer has working token user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{}) - c.Assert(err, check.IsNil) - c.Check(user1.IsActive, check.Equals, false) + c.Assert(err, check.ErrorMatches, `.*401 Unauthorized.*`) } func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) { @@ -845,3 +959,63 @@ func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) { } } } + +// z3333 should not forward a locally-issued container runtime token, +// associated with a z1111 user, to its login cluster z1111. z1111 +// would only call back to z3333 and then reject the response because +// the user ID does not match the token prefix. See +// dev.arvados.org/issues/18346 +func (s *IntegrationSuite) TestForwardRuntimeTokenToLoginCluster(c *check.C) { + db3, db3conn := s.dbConn(c, "z3333") + defer db3.Close() + defer db3conn.Close() + rootctx1, _, _ := s.testClusters["z1111"].RootClients() + rootctx3, _, _ := s.testClusters["z3333"].RootClients() + conn1 := s.testClusters["z1111"].Conn() + conn3 := s.testClusters["z3333"].Conn() + userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true) + + user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Logf("user1 %+v", user1) + + imageColl, err := conn3.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ + "manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.tar\n", + }}) + c.Assert(err, check.IsNil) + c.Logf("imageColl %+v", imageColl) + + cr, err := conn3.ContainerRequestCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ + "state": "Committed", + "command": []string{"echo"}, + "container_image": imageColl.PortableDataHash, + "cwd": "/", + "output_path": "/", + "priority": 1, + "runtime_constraints": arvados.RuntimeConstraints{ + VCPUs: 1, + RAM: 1000000000, + }, + }}) + c.Assert(err, check.IsNil) + c.Logf("container request %+v", cr) + ctr, err := conn3.ContainerLock(rootctx3, arvados.GetOptions{UUID: cr.ContainerUUID}) + c.Assert(err, check.IsNil) + c.Logf("container %+v", ctr) + + // We could use conn3.ContainerAuth() here, but that API + // hasn't been added to sdk/go/arvados/api.go yet. + row := db3conn.QueryRowContext(context.Background(), `SELECT api_token from api_client_authorizations where uuid=$1`, ctr.AuthUUID) + c.Check(row, check.NotNil) + var val sql.NullString + row.Scan(&val) + c.Assert(val.Valid, check.Equals, true) + runtimeToken := "v2/" + ctr.AuthUUID + "/" + val.String + ctrctx, _, _ := s.testClusters["z3333"].ClientsWithToken(runtimeToken) + c.Logf("container runtime token %+v", runtimeToken) + + _, err = conn3.UserGet(ctrctx, arvados.GetOptions{UUID: user1.UUID}) + c.Assert(err, check.NotNil) + c.Check(err, check.ErrorMatches, `request failed: .* 401 Unauthorized: cannot use a locally issued token to forward a request to our login cluster \(z1111\)`) + c.Check(err, check.Not(check.ErrorMatches), `(?ms).*127\.0\.0\.11.*`) +}