X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3facf89bf048487ee718fe15d012b489f2d407b7..37044d922164855ba5cc443e775037ab12cdbf95:/services/api/test/integration/remote_user_test.rb diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb index 9ad93c2ee6..af7b747d74 100644 --- a/services/api/test/integration/remote_user_test.rb +++ b/services/api/test/integration/remote_user_test.rb @@ -55,7 +55,6 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest SSLCertName: [["CN", WEBrick::Utils::getservername]], StartCallback: lambda { ready.push(true) }) srv.mount_proc '/discovery/v1/apis/arvados/v1/rest' do |req, res| - Rails.cache.delete 'arvados_v1_rest_discovery' res.body = Arvados::V1::SchemaController.new.send(:discovery_doc).to_json end srv.mount_proc '/arvados/v1/users/current' do |req, res| @@ -67,6 +66,20 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest res.status = @stub_status res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json end + srv.mount_proc '/arvados/v1/api_client_authorizations/current' do |req, res| + if clusterid == 'zbbbb' and req.header['authorization'][0][10..14] == 'zbork' + # asking zbbbb about zbork should yield an error, zbbbb doesn't trust zbork + res.status = 401 + return + end + res.status = @stub_token_status + if res.status == 200 + res.body = { + uuid: api_client_authorizations(:active).uuid.sub('zzzzz', clusterid), + scopes: @stub_token_scopes, + }.to_json + end + end Thread.new do srv.start end @@ -86,6 +99,8 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest is_active: true, is_invited: true, } + @stub_token_status = 200 + @stub_token_scopes = ["all"] end teardown do @@ -94,6 +109,31 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end end + test 'authenticate with remote token that has limited scope' do + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + + @stub_token_scopes = ["GET /arvados/v1/users/current"] + + # re-authorize before cache expires + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + + # simulate cache expiry + ApiClientAuthorization.where('uuid like ?', 'zbbbb-%'). + update_all(expires_at: db_current_time - 1.minute) + + # re-authorize after cache expires + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response 403 + end + test 'authenticate with remote token' do get '/arvados/v1/users/current', params: {format: 'json'}, @@ -115,8 +155,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest assert_response :success # simulate cache expiry - ApiClientAuthorization.where( - uuid: salted_active_token(remote: 'zbbbb').split('/')[1]). + ApiClientAuthorization.where('uuid like ?', 'zbbbb-%'). update_all(expires_at: db_current_time - 1.minute) # re-authorize after cache expires @@ -264,6 +303,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end test "list readable groups with salted token" do + Rails.configuration.Users.RoleGroupsVisibleToAll = false salted_token = salt_token(fixture: :active, remote: 'zbbbb') get '/arvados/v1/groups', params: { @@ -325,30 +365,43 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest assert_equal 'barney', json_response['username'] end - test 'get inactive user from Login cluster when AutoSetupNewUsers is set' do - Rails.configuration.Login.LoginCluster = 'zbbbb' - Rails.configuration.Users.AutoSetupNewUsers = true - @stub_content = { - uuid: 'zbbbb-tpzed-000000000000001', - email: 'foo@example.com', - username: 'barney', - is_admin: false, - is_active: false, - is_invited: false, - } - get '/arvados/v1/users/current', - params: {format: 'json'}, - headers: auth(remote: 'zbbbb') - assert_response :success - assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] - assert_equal false, json_response['is_admin'] - assert_equal false, json_response['is_active'] - assert_equal false, json_response['is_invited'] - assert_equal 'foo@example.com', json_response['email'] - assert_equal 'barney', json_response['username'] + [true, false].each do |trusted| + [true, false].each do |logincluster| + [true, false].each do |admin| + [true, false].each do |active| + [true, false].each do |autosetup| + [true, false].each do |invited| + test "get invited=#{invited}, active=#{active}, admin=#{admin} user from #{if logincluster then "Login" else "peer" end} cluster when AutoSetupNewUsers=#{autosetup} ActivateUsers=#{trusted}" do + Rails.configuration.Login.LoginCluster = 'zbbbb' if logincluster + Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = trusted + Rails.configuration.Users.AutoSetupNewUsers = autosetup + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: admin, + is_active: active, + is_invited: invited, + } + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal (logincluster && admin && invited && active), json_response['is_admin'] + assert_equal (invited and (logincluster || trusted || autosetup)), json_response['is_invited'] + assert_equal (invited and (logincluster || trusted) and active), json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + end + end + end + end + end + end end - test 'get active user from Login cluster when AutoSetupNewUsers is set' do + test 'get active user from Login cluster when AutoSetupNewUsers is set' do Rails.configuration.Login.LoginCluster = 'zbbbb' Rails.configuration.Users.AutoSetupNewUsers = true @stub_content = {