X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/44df50add91dc3117291e3a6a908fa442b883106..bd11c0a9ff6ce23f0992af11d7dc7aef32860e22:/services/api/test/unit/log_test.rb diff --git a/services/api/test/unit/log_test.rb b/services/api/test/unit/log_test.rb index 7a27767d5c..3876775916 100644 --- a/services/api/test/unit/log_test.rb +++ b/services/api/test/unit/log_test.rb @@ -15,8 +15,9 @@ class LogTest < ActiveSupport::TestCase end def assert_properties(test_method, event, props, *keys) - verb = (test_method == :assert_nil) ? 'not include' : 'include' + verb = (test_method == :assert_nil) ? 'have nil' : 'define' keys.each do |prop_name| + assert_includes(props, prop_name, "log properties missing #{prop_name}") self.send(test_method, props[prop_name], "#{event.to_s} log should #{verb} #{prop_name}") end @@ -38,7 +39,6 @@ class LogTest < ActiveSupport::TestCase "log is not 'modified by' current user") assert_equal(current_api_client.andand.uuid, log.modified_by_client_uuid, "log is not 'modified by' current client") - assert_equal(thing.kind, log.object_kind, "log kind mismatch") assert_equal(thing.uuid, log.object_uuid, "log UUID mismatch") assert_equal(event_type.to_s, log.event_type, "log event type mismatch") time_method, old_props_test, new_props_test = EVENT_TEST_METHODS[event_type] @@ -54,6 +54,17 @@ class LogTest < ActiveSupport::TestCase yield props if block_given? end + def assert_auth_logged_with_clean_properties(auth, event_type) + assert_logged(auth, event_type) do |props| + ['old_attributes', 'new_attributes'].map { |k| props[k] }.compact + .each do |attributes| + refute_includes(attributes, 'api_token', + "auth log properties include sensitive API token") + end + yield props if block_given? + end + end + def set_user_from_auth(auth_name) client_auth = api_client_authorizations(auth_name) Thread.current[:api_client_authorization] = client_auth @@ -95,6 +106,7 @@ class LogTest < ActiveSupport::TestCase auth = api_client_authorizations(:spectator) orig_etag = auth.etag orig_attrs = auth.attributes + orig_attrs.delete 'api_token' auth.destroy assert_logged(auth, :destroy) do |props| assert_equal(orig_etag, props['old_etag'], "destroyed auth etag mismatch") @@ -165,4 +177,51 @@ class LogTest < ActiveSupport::TestCase assert_nothing_raised { log.save! } assert_nothing_raised { log.destroy } end + + test "failure saving log causes failure saving object" do + Log.class_eval do + alias_method :_orig_validations, :perform_validations + def perform_validations(options) + false + end + end + begin + set_user_from_auth :active_trustedclient + user = users(:active) + user.first_name = 'Test' + assert_raise(ActiveRecord::RecordInvalid) { user.save! } + ensure + Log.class_eval do + alias_method :perform_validations, :_orig_validations + end + end + end + + test "don't log changes only to ApiClientAuthorization.last_used_*" do + set_user_from_auth :admin_trustedclient + auth = api_client_authorizations(:spectator) + start_log_count = get_logs_about(auth).size + auth.last_used_at = Time.now + auth.last_used_by_ip_address = '::1' + auth.save! + assert_equal(start_log_count, get_logs_about(auth).size, + "log count changed after 'using' ApiClientAuthorization") + auth.created_by_ip_address = '::1' + auth.save! + assert_logged(auth, :update) + end + + test "token isn't included in ApiClientAuthorization logs" do + set_user_from_auth :admin_trustedclient + auth = ApiClientAuthorization.new + auth.user = users(:spectator) + auth.api_client = api_clients(:untrusted) + auth.save! + assert_auth_logged_with_clean_properties(auth, :create) + auth.expires_at = Time.now + auth.save! + assert_auth_logged_with_clean_properties(auth, :update) + auth.destroy + assert_auth_logged_with_clean_properties(auth, :destroy) + end end