X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/420949e37a2903ab87f64f57278dfdc6a261a7f3..8a0e9c549595e114a0eadc9d6792a17fb59d0f3e:/services/api/test/integration/api_client_authorizations_scopes_test.rb
diff --git a/services/api/test/integration/api_client_authorizations_scopes_test.rb b/services/api/test/integration/api_client_authorizations_scopes_test.rb
index ba91670822..d015e450a6 100644
--- a/services/api/test/integration/api_client_authorizations_scopes_test.rb
+++ b/services/api/test/integration/api_client_authorizations_scopes_test.rb
@@ -1,90 +1,93 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + # The v1 API uses token scopes to control access to the REST API at the path # level. This is enforced in the base ApplicationController, making it a # functional test that we can run against many different controllers. require 'test_helper' -class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest +class ApiTokensScopeTest < ActionDispatch::IntegrationTest fixtures :all - def setup - @token = {} - end - - def auth_with(name) - @token = {api_token: api_client_authorizations(name).api_token} - end - def v1_url(*parts) - (['arvados', 'v1'] + parts).join('/') - end - - def request_with_auth(method, path, params={}) - send(method, path, @token.merge(params)) - end - - def get_with_auth(*args) - request_with_auth(:get_via_redirect, *args) - end - - def post_with_auth(*args) - request_with_auth(:post_via_redirect, *args) + (['', 'arvados', 'v1'] + parts).join('/') end test "user list token can only list users" do - auth_with :active_userlist - get_with_auth v1_url('users') + get_args = [params: {}, headers: auth(:active_userlist)] + get(v1_url('users'), *get_args) assert_response :success - get_with_auth v1_url('users', '') # Add trailing slash. + get(v1_url('users', ''), *get_args) # Add trailing slash. assert_response :success - get_with_auth v1_url('users', 'current') + get(v1_url('users', 'current'), *get_args) assert_response 403 - get_with_auth v1_url('virtual_machines') + get(v1_url('virtual_machines'), *get_args) assert_response 403 end + test "narrow + wide scoped tokens for different users" do + get_args = [params: { + reader_tokens: [api_client_authorizations(:anonymous).api_token] + }, headers: auth(:active_userlist)] + get(v1_url('users'), *get_args) + assert_response :success + get(v1_url('users', ''), *get_args) # Add trailing slash. 
+ assert_response :success + get(v1_url('users', 'current'), *get_args) + assert_response 403 + get(v1_url('virtual_machines'), *get_args) + assert_response 403 + end + test "specimens token can see exactly owned specimens" do - auth_with :active_specimens - get_with_auth v1_url('specimens') + get_args = [params: {}, headers: auth(:active_specimens)] + get(v1_url('specimens'), *get_args) assert_response 403 - get_with_auth v1_url('specimens', specimens(:owned_by_active_user).uuid) + get(v1_url('specimens', specimens(:owned_by_active_user).uuid), *get_args) + assert_response :success + head(v1_url('specimens', specimens(:owned_by_active_user).uuid), *get_args) assert_response :success - get_with_auth v1_url('specimens', specimens(:owned_by_spectator).uuid) + get(v1_url('specimens', specimens(:owned_by_spectator).uuid), *get_args) assert_includes(403..404, @response.status) end test "token with multiple scopes can use them all" do def get_token_count - get_with_auth v1_url('api_client_authorizations') + get(v1_url('api_client_authorizations'), + params: {}, + headers: auth(:active_apitokens)) assert_response :success token_count = JSON.parse(@response.body)['items_available'] assert_not_nil(token_count, "could not find token count") token_count end - auth_with :active_apitokens # Test the GET scope. token_count = get_token_count # Test the POST scope. - post_with_auth(v1_url('api_client_authorizations'), - api_client_authorization: {user_id: users(:active).id}) + post(v1_url('api_client_authorizations'), + params: {api_client_authorization: {user_id: users(:active).id}}, + headers: auth(:active_apitokens)) assert_response :success assert_equal(token_count + 1, get_token_count, "token count suggests POST was not accepted") # Test other requests are denied. 
- get_with_auth v1_url('api_client_authorizations', - api_client_authorizations(:active_apitokens).uuid) + get(v1_url('api_client_authorizations', + api_client_authorizations(:active_apitokens).uuid), + params: {}, headers: auth(:active_apitokens)) assert_response 403 end test "token without scope has no access" do # Logs are good for this test, because logs have relatively # few access controls enforced at the model level. - auth_with :admin_noscope - get_with_auth v1_url('logs') + req_args = [params: {}, headers: auth(:admin_noscope)] + get(v1_url('logs'), *req_args) assert_response 403 - get_with_auth v1_url('logs', logs(:log1).uuid) + get(v1_url('logs', logs(:noop).uuid), *req_args) assert_response 403 - post_with_auth(v1_url('logs'), log: {}) + post(v1_url('logs'), *req_args) assert_response 403 end @@ -94,10 +97,11 @@ class Arvados::V1::ApiTokensScopeTest < ActionController::IntegrationTest def vm_logins_url(name) v1_url('virtual_machines', virtual_machines(name).uuid, 'logins') end - auth_with :admin_vm - get_with_auth vm_logins_url(:testvm) + get_args = [params: {}, headers: auth(:admin_vm)] + get(vm_logins_url(:testvm), *get_args) assert_response :success - get_with_auth vm_logins_url(:testvm2) - assert(@response.status >= 400, "getting testvm2 logins should have failed") + get(vm_logins_url(:testvm2), *get_args) + assert_includes(400..419, @response.status, + "getting testvm2 logins should have failed") end end
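Review bot: The new test "narrow + wide scoped tokens for different users" never states what it guards, and its four assertions are identical to the preceding user-list test, so a reader cannot tell that the added `reader_tokens` parameter is the point of the test. A comment at the top of the test such as `# A reader token must not widen the scope of the primary token: the 403s below must match the userlist-only test above.` would make the invariant explicit (the anonymous fixture's scope is not visible in this hunk, so confirm it is in fact wider than :active_userlist before wording the comment that way). Separately, `get_args = [params: {}, headers: auth(:active_userlist)]` followed by `get(v1_url('users'), *get_args)` splats a one-element array holding a hash into what the integration-test `get`/`post`/`head` helpers declare as keyword arguments; this relies on positional-hash-to-keyword conversion, which Ruby 2.7 warns about and Ruby 3 no longer performs. A plain hash with a double splat, `req = {params: {}, headers: auth(:active_userlist)}` and `get(v1_url('users'), **req)`, says what is meant directly; the same `*get_args`/`*req_args` pattern recurs in the specimens and logs tests here and in the vm_logins hunk below.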
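Review bot: `assert_includes(400..419, @response.status, ...)` on the testvm2 logins check uses an upper bound that nothing in the hunk explains, while the specimens test in the same file accepts `403..404` for the analogous "not owned by this token" case. Either align the two, `assert_includes(403..404, @response.status, "getting testvm2 logins should have failed")`, or add a comment naming which statuses are legitimate here, so the next reader does not relax it back to `>= 400` (the old assertion, which would also have passed on a server error). The enclosing test begins before this hunk.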