X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/43e6f6ecae2eb26b58cfc0afb44b2b6476408741..9ede4c0a5cdadd5f1b5664950146626b794a6921:/lib/controller/integration_test.go

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index def8fd4858..9f5d12598b 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -510,10 +510,18 @@ func (s *IntegrationSuite) TestRequestIDHeader(c *check.C) {
 		{"/arvados/v1/collections/" + coll.UUID, true, false},
 		{"/arvados/v1/specimens/" + specimen.UUID, false, false},
 		{"/arvados/v1/specimens/" + specimen.UUID, true, false},
+		// new code path (lib/controller/router etc) - single-cluster request
 		{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", false, true},
 		{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", true, true},
+		// new code path (lib/controller/router etc) - federated request
+		{"/arvados/v1/collections/z2222-4zz18-0123456789abcde", false, true},
+		{"/arvados/v1/collections/z2222-4zz18-0123456789abcde", true, true},
+		// old code path (proxyRailsAPI) - single-cluster request
 		{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", false, true},
 		{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", true, true},
+		// old code path (setupProxyRemoteCluster) - federated request
+		{"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", false, true},
+		{"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", true, true},
 	}
 
 	for _, tt := range tests {
@@ -533,24 +541,18 @@ func (s *IntegrationSuite) TestRequestIDHeader(c *check.C) {
 		} else {
 			c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 		}
-		if !tt.reqIdProvided {
-			c.Check(resp.Header.Get("X-Request-Id"), check.Matches, "^req-[0-9a-zA-Z]{20}$")
-			if tt.notFoundRequest {
-				var jresp httpserver.ErrorResponse
-				err := json.NewDecoder(resp.Body).Decode(&jresp)
-				c.Check(err, check.IsNil)
-				c.Assert(jresp.Errors, check.HasLen, 1)
-				c.Check(jresp.Errors[0], check.Matches, "^.*(req-[0-9a-zA-Z]{20}).*$")
-			}
+		respHdr := resp.Header.Get("X-Request-Id")
+		if tt.reqIdProvided {
+			c.Check(respHdr, check.Equals, customReqId)
 		} else {
-			c.Check(resp.Header.Get("X-Request-Id"), check.Equals, customReqId)
-			if tt.notFoundRequest {
-				var jresp httpserver.ErrorResponse
-				err := json.NewDecoder(resp.Body).Decode(&jresp)
-				c.Check(err, check.IsNil)
-				c.Assert(jresp.Errors, check.HasLen, 1)
-				c.Check(jresp.Errors[0], check.Matches, "^.*("+customReqId+").*$")
-			}
+			c.Check(respHdr, check.Matches, `req-[0-9a-zA-Z]{20}`)
+		}
+		if tt.notFoundRequest {
+			var jresp httpserver.ErrorResponse
+			err := json.NewDecoder(resp.Body).Decode(&jresp)
+			c.Check(err, check.IsNil)
+			c.Assert(jresp.Errors, check.HasLen, 1)
+			c.Check(jresp.Errors[0], check.Matches, `.*\(`+respHdr+`\).*`)
 		}
 	}
 }
@@ -662,71 +664,158 @@ func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) {
 	}
 }
 
+// Test for #17785
+func (s *IntegrationSuite) TestFederatedApiClientAuthHandling(c *check.C) {
+	rootctx1, rootclnt1, _ := s.testClusters["z1111"].RootClients()
+	conn1 := s.testClusters["z1111"].Conn()
+
+	// Make sure LoginCluster is properly configured
+	for _, cls := range []string{"z1111", "z3333"} {
+		c.Check(
+			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+			check.Equals, "z1111",
+			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
+	}
+	// Get user's UUID & attempt to create a token for it on the remote cluster
+	_, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1,
+		"user@example.com", true)
+	_, rootclnt3, _ := s.testClusters["z3333"].ClientsWithToken(rootclnt1.AuthToken)
+	var resp arvados.APIClientAuthorization
+	err := rootclnt3.RequestAndDecode(
+		&resp, "POST", "arvados/v1/api_client_authorizations", nil,
+		map[string]interface{}{
+			"api_client_authorization": map[string]string{
+				"owner_uuid": user.UUID,
+			},
+		},
+	)
+	c.Assert(err, check.IsNil)
+	c.Assert(resp.APIClientID, check.Not(check.Equals), 0)
+	newTok := resp.TokenV2()
+	c.Assert(newTok, check.Not(check.Equals), "")
+
+	// Confirm the token is from z1111
+	c.Assert(strings.HasPrefix(newTok, "v2/z1111-gj3su-"), check.Equals, true)
+
+	// Confirm the token works and is from the correct user
+	_, rootclnt3bis, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+	var curUser arvados.User
+	err = rootclnt3bis.RequestAndDecode(
+		&curUser, "GET", "arvados/v1/users/current", nil, nil,
+	)
+	c.Assert(err, check.IsNil)
+	c.Assert(curUser.UUID, check.Equals, user.UUID)
+
+	// Request the ApiClientAuthorization list using the new token
+	_, userClient, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+	var acaLst arvados.APIClientAuthorizationList
+	err = userClient.RequestAndDecode(
+		&acaLst, "GET", "arvados/v1/api_client_authorizations", nil, nil,
+	)
+	c.Assert(err, check.IsNil)
+}
+
 // Test for bug #18076
 func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) {
 	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	_, rootclnt3, _ := s.testClusters["z3333"].RootClients()
 	conn1 := s.testClusters["z1111"].Conn()
 	conn3 := s.testClusters["z3333"].Conn()
 
 	// Make sure LoginCluster is properly configured
-	for cls := range s.testClusters {
+	for _, cls := range []string{"z1111", "z3333"} {
 		c.Check(
 			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
 			check.Equals, "z1111",
 			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
 	}
 
-	// Create some users, request them on the federated cluster so they're cached.
-	var users []arvados.User
-	for userNr := range []int{1, 2} {
-		_, _, _, user := s.testClusters["z1111"].UserClients(
-			rootctx1,
-			c,
-			conn1,
-			fmt.Sprintf("user%d@example.com", userNr),
-			true)
-		c.Assert(user.Username, check.Not(check.Equals), "")
-		users = append(users, user)
-
-		lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: math.MaxInt64})
-		c.Assert(err, check.Equals, nil)
-		userFound := false
-		for _, fedUser := range lst.Items {
-			if fedUser.UUID == user.UUID {
-				c.Assert(fedUser.Username, check.Equals, user.Username)
-				userFound = true
-				break
+	for testCaseNr, testCase := range []struct {
+		name           string
+		withRepository bool
+	}{
+		{"User without local repository", false},
+		{"User with local repository", true},
+	} {
+		c.Log(c.TestName() + " " + testCase.name)
+		// Create some users, request them on the federated cluster so they're cached.
+		var users []arvados.User
+		for userNr := 0; userNr < 2; userNr++ {
+			_, _, _, user := s.testClusters["z1111"].UserClients(
+				rootctx1,
+				c,
+				conn1,
+				fmt.Sprintf("user%d%d@example.com", testCaseNr, userNr),
+				true)
+			c.Assert(user.Username, check.Not(check.Equals), "")
+			users = append(users, user)
+
+			lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+			c.Assert(err, check.Equals, nil)
+			userFound := false
+			for _, fedUser := range lst.Items {
+				if fedUser.UUID == user.UUID {
+					c.Assert(fedUser.Username, check.Equals, user.Username)
+					userFound = true
+					break
+				}
+			}
+			c.Assert(userFound, check.Equals, true)
+
+			if testCase.withRepository {
+				var repo interface{}
+				err = rootclnt3.RequestAndDecode(
+					&repo, "POST", "arvados/v1/repositories", nil,
+					map[string]interface{}{
+						"repository": map[string]string{
+							"name":       fmt.Sprintf("%s/test", user.Username),
+							"owner_uuid": user.UUID,
+						},
+					},
+				)
+				c.Assert(err, check.IsNil)
 			}
 		}
-		c.Assert(userFound, check.Equals, true)
-	}
 
-	// Swap the usernames
-	_, err := conn1.UserUpdate(rootctx1, arvados.UpdateOptions{
-		UUID: users[0].UUID,
-		Attrs: map[string]interface{}{
-			"username": "",
-		},
-	})
-	c.Assert(err, check.Equals, nil)
-	_, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{
-		UUID: users[1].UUID,
-		Attrs: map[string]interface{}{
-			"username": users[0].Username,
-		},
-	})
-	c.Assert(err, check.Equals, nil)
-	_, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{
-		UUID: users[0].UUID,
-		Attrs: map[string]interface{}{
-			"username": users[1].Username,
-		},
-	})
-	c.Assert(err, check.Equals, nil)
+		// Swap the usernames
+		_, err := conn1.UserUpdate(rootctx1, arvados.UpdateOptions{
+			UUID: users[0].UUID,
+			Attrs: map[string]interface{}{
+				"username": "",
+			},
+		})
+		c.Assert(err, check.Equals, nil)
+		_, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{
+			UUID: users[1].UUID,
+			Attrs: map[string]interface{}{
+				"username": users[0].Username,
+			},
+		})
+		c.Assert(err, check.Equals, nil)
+		_, err = conn1.UserUpdate(rootctx1, arvados.UpdateOptions{
+			UUID: users[0].UUID,
+			Attrs: map[string]interface{}{
+				"username": users[1].Username,
+			},
+		})
+		c.Assert(err, check.Equals, nil)
 
-	// Re-request the list on the federated cluster
-	_, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: math.MaxInt64})
-	c.Assert(err, check.Equals, nil)
+		// Re-request the list on the federated cluster & check for updates
+		lst, err := conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1})
+		c.Assert(err, check.Equals, nil)
+		var user0Found, user1Found bool
+		for _, user := range lst.Items {
+			if user.UUID == users[0].UUID {
+				user0Found = true
+				c.Assert(user.Username, check.Equals, users[1].Username)
+			} else if user.UUID == users[1].UUID {
+				user1Found = true
+				c.Assert(user.Username, check.Equals, users[0].Username)
+			}
+		}
+		c.Assert(user0Found, check.Equals, true)
+		c.Assert(user1Found, check.Equals, true)
+	}
 }
 
 // Test for bug #16263
@@ -793,11 +882,9 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) {
 	}
 	c.Check(found, check.Equals, true)
 
-	// Deactivated user can see is_active==false via "get current
-	// user" API
+	// Deactivated user no longer has working token
 	user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
-	c.Assert(err, check.IsNil)
-	c.Check(user1.IsActive, check.Equals, false)
+	c.Assert(err, check.ErrorMatches, `.*401 Unauthorized.*`)
 }
 
 func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
@@ -923,3 +1010,63 @@ func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
 		}
 	}
 }
+
+// z3333 should not forward a locally-issued container runtime token,
+// associated with a z1111 user, to its login cluster z1111. z1111
+// would only call back to z3333 and then reject the response because
+// the user ID does not match the token prefix. See
+// dev.arvados.org/issues/18346
+func (s *IntegrationSuite) TestForwardRuntimeTokenToLoginCluster(c *check.C) {
+	db3, db3conn := s.dbConn(c, "z3333")
+	defer db3.Close()
+	defer db3conn.Close()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	rootctx3, _, _ := s.testClusters["z3333"].RootClients()
+	conn1 := s.testClusters["z1111"].Conn()
+	conn3 := s.testClusters["z3333"].Conn()
+	userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true)
+
+	user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
+	c.Assert(err, check.IsNil)
+	c.Logf("user1 %+v", user1)
+
+	imageColl, err := conn3.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+		"manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.tar\n",
+	}})
+	c.Assert(err, check.IsNil)
+	c.Logf("imageColl %+v", imageColl)
+
+	cr, err := conn3.ContainerRequestCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+		"state":           "Committed",
+		"command":         []string{"echo"},
+		"container_image": imageColl.PortableDataHash,
+		"cwd":             "/",
+		"output_path":     "/",
+		"priority":        1,
+		"runtime_constraints": arvados.RuntimeConstraints{
+			VCPUs: 1,
+			RAM:   1000000000,
+		},
+	}})
+	c.Assert(err, check.IsNil)
+	c.Logf("container request %+v", cr)
+	ctr, err := conn3.ContainerLock(rootctx3, arvados.GetOptions{UUID: cr.ContainerUUID})
+	c.Assert(err, check.IsNil)
+	c.Logf("container %+v", ctr)
+
+	// We could use conn3.ContainerAuth() here, but that API
+	// hasn't been added to sdk/go/arvados/api.go yet.
+	row := db3conn.QueryRowContext(context.Background(), `SELECT api_token from api_client_authorizations where uuid=$1`, ctr.AuthUUID)
+	c.Check(row, check.NotNil)
+	var val sql.NullString
+	row.Scan(&val)
+	c.Assert(val.Valid, check.Equals, true)
+	runtimeToken := "v2/" + ctr.AuthUUID + "/" + val.String
+	ctrctx, _, _ := s.testClusters["z3333"].ClientsWithToken(runtimeToken)
+	c.Logf("container runtime token %+v", runtimeToken)
+
+	_, err = conn3.UserGet(ctrctx, arvados.GetOptions{UUID: user1.UUID})
+	c.Assert(err, check.NotNil)
+	c.Check(err, check.ErrorMatches, `request failed: .* 401 Unauthorized: cannot use a locally issued token to forward a request to our login cluster \(z1111\)`)
+	c.Check(err, check.Not(check.ErrorMatches), `(?ms).*127\.0\.0\.11.*`)
+}