X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/4f88adddbe3a15dd0cfd88b0f939f4e6d1e16611..b8de8845c856f7fe1232e5f048824211d1207ee7:/lib/controller/integration_test.go diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go index 7cec2058c7..3da01ca682 100644 --- a/lib/controller/integration_test.go +++ b/lib/controller/integration_test.go @@ -7,7 +7,12 @@ package controller import ( "bytes" "context" + "encoding/json" + "io" + "io/ioutil" + "math" "net" + "net/http" "net/url" "os" "path/filepath" @@ -18,6 +23,7 @@ import ( "git.arvados.org/arvados.git/lib/service" "git.arvados.org/arvados.git/sdk/go/arvados" "git.arvados.org/arvados.git/sdk/go/arvadosclient" + "git.arvados.org/arvados.git/sdk/go/arvadostest" "git.arvados.org/arvados.git/sdk/go/auth" "git.arvados.org/arvados.git/sdk/go/ctxlog" "git.arvados.org/arvados.git/sdk/go/keepclient" @@ -27,13 +33,14 @@ import ( var _ = check.Suite(&IntegrationSuite{}) type testCluster struct { - booter boot.Booter + super boot.Supervisor config arvados.Config controllerURL *url.URL } type IntegrationSuite struct { testClusters map[string]*testCluster + oidcprovider *arvadostest.OIDCProvider } func (s *IntegrationSuite) SetUpSuite(c *check.C) { @@ -43,6 +50,14 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { } cwd, _ := os.Getwd() + + s.oidcprovider = arvadostest.NewOIDCProvider(c) + s.oidcprovider.AuthEmail = "user@example.com" + s.oidcprovider.AuthEmailVerified = true + s.oidcprovider.AuthName = "Example User" + s.oidcprovider.ValidClientID = "clientid" + s.oidcprovider.ValidClientSecret = "clientsecret" + s.testClusters = map[string]*testCluster{ "z1111": nil, "z2222": nil, @@ -72,7 +87,7 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { TLS: Insecure: true Login: - # LoginCluster: z1111 + LoginCluster: z1111 SystemLogs: Format: text RemoteClusters: @@ -81,17 +96,45 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { Scheme: https Insecure: true Proxy: true - z2222: + ActivateUsers: true +` + if id != "z2222" { + yaml += ` z2222: Host: ` + hostport["z2222"] + ` Scheme: https Insecure: true Proxy: true - z3333: + ActivateUsers: true +` + } + if id != "z3333" { + yaml += ` z3333: Host: ` + hostport["z3333"] + ` Scheme: https Insecure: true Proxy: true + ActivateUsers: true +` + } + if id == "z1111" { + yaml += ` + Login: + LoginCluster: z1111 + OpenIDConnect: + Enable: true + Issuer: ` + s.oidcprovider.Issuer.URL + ` + ClientID: ` + s.oidcprovider.ValidClientID + ` + ClientSecret: ` + s.oidcprovider.ValidClientSecret + ` + EmailClaim: email + EmailVerifiedClaim: email_verified +` + } else { + yaml += ` + Login: + LoginCluster: z1111 ` + } + loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c)) loader.Path = "-" loader.SkipLegacy = true @@ -99,9 +142,8 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { cfg, err := loader.Load() c.Assert(err, check.IsNil) s.testClusters[id] = &testCluster{ - booter: boot.Booter{ + super: boot.Supervisor{ SourcePath: filepath.Join(cwd, "..", ".."), - LibPath: filepath.Join(cwd, "..", "..", "tmp"), ClusterType: "test", ListenHost: "127.0.0." + id[3:], ControllerAddr: ":0", @@ -110,10 +152,10 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { }, config: *cfg, } - s.testClusters[id].booter.Start(context.Background(), &s.testClusters[id].config) + s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-") } for _, tc := range s.testClusters { - au, ok := tc.booter.WaitReady() + au, ok := tc.super.WaitReady() c.Assert(ok, check.Equals, true) u := url.URL(*au) tc.controllerURL = &u @@ -122,17 +164,22 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) { func (s *IntegrationSuite) TearDownSuite(c *check.C) { for _, c := range s.testClusters { - c.booter.Stop() + c.super.Stop() } } +// Get rpc connection struct initialized to communicate with the +// specified cluster. func (s *IntegrationSuite) conn(clusterID string) *rpc.Conn { return rpc.NewConn(clusterID, s.testClusters[clusterID].controllerURL, true, rpc.PassthroughTokenProvider) } +// Return Context, Arvados.Client and keepclient structs initialized +// to connect to the specified cluster (by clusterID) using with the supplied +// Arvados token. func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (context.Context, *arvados.Client, *keepclient.KeepClient) { cl := s.testClusters[clusterID].config.Clusters[clusterID] - rootctx := auth.NewContext(context.Background(), auth.NewCredentials(token)) + ctx := auth.NewContext(context.Background(), auth.NewCredentials(token)) ac, err := arvados.NewClientFromConfig(&cl) if err != nil { panic(err) @@ -143,10 +190,14 @@ func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (con panic(err) } kc := keepclient.New(arv) - return rootctx, ac, kc + return ctx, ac, kc } -func (s *IntegrationSuite) userClients(c *check.C, conn *rpc.Conn, rootctx context.Context, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) { +// Log in as a user called "example", get the user's API token, +// initialize clients with the API token, set up the user and +// optionally activate the user. Return client structs for +// communicating with the cluster on behalf of the 'example' user. +func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient, arvados.User) { login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{ ReturnTo: ",https://example.com", AuthInfo: rpc.UserSessionAuthInfo{ @@ -160,49 +211,393 @@ func (s *IntegrationSuite) userClients(c *check.C, conn *rpc.Conn, rootctx conte redirURL, err := url.Parse(login.RedirectLocation) c.Assert(err, check.IsNil) userToken := redirURL.Query().Get("api_token") + c.Logf("user token: %q", userToken) ctx, ac, kc := s.clientsWithToken(clusterID, userToken) user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{}) - if err != nil { - panic(err) - } + c.Assert(err, check.IsNil) _, err = conn.UserSetup(rootctx, arvados.UserSetupOptions{UUID: user.UUID}) - if err != nil { - panic(err) - } - user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{}) - if err != nil { - panic(err) + c.Assert(err, check.IsNil) + if activate { + _, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID}) + c.Assert(err, check.IsNil) + user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Logf("user UUID: %q", user.UUID) + if !user.IsActive { + c.Fatalf("failed to activate user -- %#v", user) + } } - return ctx, ac, kc + return ctx, ac, kc, user } +// Return Context, arvados.Client and keepclient structs initialized +// to communicate with the cluster as the system root user. func (s *IntegrationSuite) rootClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) { return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].SystemRootToken) } -func (s *IntegrationSuite) TestLoopDetection(c *check.C) { +// Return Context, arvados.Client and keepclient structs initialized +// to communicate with the cluster as the anonymous user. +func (s *IntegrationSuite) anonymousClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) { + return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].Users.AnonymousUserToken) +} + +func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) { conn1 := s.conn("z1111") rootctx1, _, _ := s.rootClients("z1111") conn3 := s.conn("z3333") - // rootctx3, _, _ := s.rootClients("z3333") - - userctx1, ac1, kc1 := s.userClients(c, conn1, rootctx1, "z1111", true) - _, err := conn1.CollectionGet(rootctx1, arvados.GetOptions{UUID: "1f4b0bc7583c2a7f9102c395f4ffc5e3+45"}) - c.Check(err, check.ErrorMatches, `.*404 Not Found.*`) + userctx1, ac1, kc1, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + // Create the collection to find its PDH (but don't save it + // anywhere yet) var coll1 arvados.Collection fs1, err := coll1.FileSystem(ac1, kc1) - if err != nil { - c.Error(err) - } - f, err := fs1.OpenFile("foo", os.O_CREATE|os.O_RDWR, 0777) - f.Write([]byte("foo")) - f.Close() + c.Assert(err, check.IsNil) + f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777) + c.Assert(err, check.IsNil) + _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionByPDH") + c.Assert(err, check.IsNil) + err = f.Close() + c.Assert(err, check.IsNil) mtxt, err := fs1.MarshalManifest(".") + c.Assert(err, check.IsNil) + pdh := arvados.PortableDataHash(mtxt) + + // Looking up the PDH before saving returns 404 if cycle + // detection is working. + _, err = conn1.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh}) + c.Assert(err, check.ErrorMatches, `.*404 Not Found.*`) + + // Save the collection on cluster z1111. coll1, err = conn1.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ "manifest_text": mtxt, }}) - coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: "1f4b0bc7583c2a7f9102c395f4ffc5e3+45"}) + c.Assert(err, check.IsNil) + + // Retrieve the collection from cluster z3333. + coll, err := conn3.CollectionGet(userctx1, arvados.GetOptions{UUID: pdh}) + c.Check(err, check.IsNil) + c.Check(coll.PortableDataHash, check.Equals, pdh) +} + +func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) { + conn1 := s.conn("z1111") + conn3 := s.conn("z3333") + rootctx1, rootac1, rootkc1 := s.rootClients("z1111") + anonctx3, anonac3, _ := s.anonymousClients("z3333") + + // Make sure anonymous token was set + c.Assert(anonac3.AuthToken, check.Not(check.Equals), "") + + // Create the collection to find its PDH (but don't save it + // anywhere yet) + var coll1 arvados.Collection + fs1, err := coll1.FileSystem(rootac1, rootkc1) + c.Assert(err, check.IsNil) + f, err := fs1.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777) + c.Assert(err, check.IsNil) + _, err = io.WriteString(f, "IntegrationSuite.TestGetCollectionAsAnonymous") + c.Assert(err, check.IsNil) + err = f.Close() + c.Assert(err, check.IsNil) + mtxt, err := fs1.MarshalManifest(".") + c.Assert(err, check.IsNil) + pdh := arvados.PortableDataHash(mtxt) + + // Save the collection on cluster z1111. + coll1, err = conn1.CollectionCreate(rootctx1, arvados.CreateOptions{Attrs: map[string]interface{}{ + "manifest_text": mtxt, + }}) + c.Assert(err, check.IsNil) + + // Share it with the anonymous users group. + var outLink arvados.Link + err = rootac1.RequestAndDecode(&outLink, "POST", "/arvados/v1/links", nil, + map[string]interface{}{"link": map[string]interface{}{ + "link_class": "permission", + "name": "can_read", + "tail_uuid": "z1111-j7d0g-anonymouspublic", + "head_uuid": coll1.UUID, + }, + }) + c.Check(err, check.IsNil) + + // Current user should be z3 anonymous user + outUser, err := anonac3.CurrentUser() + c.Check(err, check.IsNil) + c.Check(outUser.UUID, check.Equals, "z3333-tpzed-anonymouspublic") + + // Get the token uuid + var outAuth arvados.APIClientAuthorization + err = anonac3.RequestAndDecode(&outAuth, "GET", "/arvados/v1/api_client_authorizations/current", nil, nil) + c.Check(err, check.IsNil) + + // Make a v2 token of the z3 anonymous user, and use it on z1 + _, anonac1, _ := s.clientsWithToken("z1111", outAuth.TokenV2()) + outUser2, err := anonac1.CurrentUser() + c.Check(err, check.IsNil) + // z3 anonymous user will be mapped to the z1 anonymous user + c.Check(outUser2.UUID, check.Equals, "z1111-tpzed-anonymouspublic") + + // Retrieve the collection (which is on z1) using anonymous from cluster z3333. + coll, err := conn3.CollectionGet(anonctx3, arvados.GetOptions{UUID: coll1.UUID}) + c.Check(err, check.IsNil) + c.Check(coll.PortableDataHash, check.Equals, pdh) +} + +// Get a token from the login cluster (z1111), use it to submit a +// container request on z2222. +func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) { + conn1 := s.conn("z1111") + rootctx1, _, _ := s.rootClients("z1111") + _, ac1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + + // Use ac2 to get the discovery doc with a blank token, so the + // SDK doesn't magically pass the z1111 token to z2222 before + // we're ready to start our test. + _, ac2, _ := s.clientsWithToken("z2222", "") + var dd map[string]interface{} + err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil) + c.Assert(err, check.IsNil) + + var ( + body bytes.Buffer + req *http.Request + resp *http.Response + u arvados.User + cr arvados.ContainerRequest + ) + json.NewEncoder(&body).Encode(map[string]interface{}{ + "container_request": map[string]interface{}{ + "command": []string{"echo"}, + "container_image": "d41d8cd98f00b204e9800998ecf8427e+0", + "cwd": "/", + "output_path": "/", + }, + }) + ac2.AuthToken = ac1.AuthToken + + c.Log("...post CR with good (but not yet cached) token") + cr = arvados.ContainerRequest{} + req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes())) + c.Assert(err, check.IsNil) + req.Header.Set("Content-Type", "application/json") + err = ac2.DoAndDecode(&cr, req) + c.Logf("err == %#v", err) + + c.Log("...get user with good token") + u = arvados.User{} + req, err = http.NewRequest("GET", "https://"+ac2.APIHost+"/arvados/v1/users/current", nil) + c.Assert(err, check.IsNil) + err = ac2.DoAndDecode(&u, req) + c.Check(err, check.IsNil) + c.Check(u.UUID, check.Matches, "z1111-tpzed-.*") + + c.Log("...post CR with good cached token") + cr = arvados.ContainerRequest{} + req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes())) + c.Assert(err, check.IsNil) + req.Header.Set("Content-Type", "application/json") + err = ac2.DoAndDecode(&cr, req) + c.Check(err, check.IsNil) + c.Check(cr.UUID, check.Matches, "z2222-.*") + + c.Log("...post with good cached token ('OAuth2 ...')") + cr = arvados.ContainerRequest{} + req, err = http.NewRequest("POST", "https://"+ac2.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body.Bytes())) + c.Assert(err, check.IsNil) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken) + resp, err = arvados.InsecureHTTPClient.Do(req) + if c.Check(err, check.IsNil) { + err = json.NewDecoder(resp.Body).Decode(&cr) + c.Check(err, check.IsNil) + c.Check(cr.UUID, check.Matches, "z2222-.*") + } +} + +// Test for bug #16263 +func (s *IntegrationSuite) TestListUsers(c *check.C) { + rootctx1, _, _ := s.rootClients("z1111") + conn1 := s.conn("z1111") + conn3 := s.conn("z3333") + userctx1, _, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true) + + // Make sure LoginCluster is properly configured + for cls := range s.testClusters { + c.Check( + s.testClusters[cls].config.Clusters[cls].Login.LoginCluster, + check.Equals, "z1111", + check.Commentf("incorrect LoginCluster config on cluster %q", cls)) + } + // Make sure z1111 has users with NULL usernames + lst, err := conn1.UserList(rootctx1, arvados.ListOptions{ + Limit: math.MaxInt64, // check that large limit works (see #16263) + }) + nullUsername := false + c.Assert(err, check.IsNil) + c.Assert(len(lst.Items), check.Not(check.Equals), 0) + for _, user := range lst.Items { + if user.Username == "" { + nullUsername = true + } + } + c.Assert(nullUsername, check.Equals, true) + + user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Check(user1.IsActive, check.Equals, true) + + // Ask for the user list on z3333 using z1111's system root token + lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.IsNil) + found := false + for _, user := range lst.Items { + if user.UUID == user1.UUID { + c.Check(user.IsActive, check.Equals, true) + found = true + break + } + } + c.Check(found, check.Equals, true) + + // Deactivate user acct on z1111 + _, err = conn1.UserUnsetup(rootctx1, arvados.GetOptions{UUID: user1.UUID}) + c.Assert(err, check.IsNil) + + // Get user list from z3333, check the returned z1111 user is + // deactivated + lst, err = conn3.UserList(rootctx1, arvados.ListOptions{Limit: -1}) + c.Assert(err, check.IsNil) + found = false + for _, user := range lst.Items { + if user.UUID == user1.UUID { + c.Check(user.IsActive, check.Equals, false) + found = true + break + } + } + c.Check(found, check.Equals, true) + + // Deactivated user can see is_active==false via "get current + // user" API + user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Check(user1.IsActive, check.Equals, false) +} + +func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) { + conn1 := s.conn("z1111") + conn3 := s.conn("z3333") + rootctx1, rootac1, _ := s.rootClients("z1111") + + // Create user on LoginCluster z1111 + _, _, _, user := s.userClients(rootctx1, c, conn1, "z1111", false) + + // Make a new root token (because rootClients() uses SystemRootToken) + var outAuth arvados.APIClientAuthorization + err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil) + c.Check(err, check.IsNil) + + // Make a v2 root token to communicate with z3333 + rootctx3, rootac3, _ := s.clientsWithToken("z3333", outAuth.TokenV2()) + + // Create VM on z3333 + var outVM arvados.VirtualMachine + err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil, + map[string]interface{}{"virtual_machine": map[string]interface{}{ + "hostname": "example", + }, + }) + c.Check(outVM.UUID[0:5], check.Equals, "z3333") + c.Check(err, check.IsNil) + + // Make sure z3333 user list is up to date + _, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000}) c.Check(err, check.IsNil) - c.Check(coll.PortableDataHash, check.Equals, "1f4b0bc7583c2a7f9102c395f4ffc5e3+45") + + // Try to set up user on z3333 with the VM + _, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID}) + c.Check(err, check.IsNil) + + var outLinks arvados.LinkList + err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil, + arvados.ListOptions{ + Limit: 1000, + Filters: []arvados.Filter{ + { + Attr: "tail_uuid", + Operator: "=", + Operand: user.UUID, + }, + { + Attr: "head_uuid", + Operator: "=", + Operand: outVM.UUID, + }, + { + Attr: "name", + Operator: "=", + Operand: "can_login", + }, + { + Attr: "link_class", + Operator: "=", + Operand: "permission", + }}}) + c.Check(err, check.IsNil) + + c.Check(len(outLinks.Items), check.Equals, 1) +} + +func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) { + conn1 := s.conn("z1111") + rootctx1, _, _ := s.rootClients("z1111") + s.userClients(rootctx1, c, conn1, "z1111", true) + + accesstoken := s.oidcprovider.ValidAccessToken() + + for _, clusterid := range []string{"z1111", "z2222"} { + c.Logf("trying clusterid %s", clusterid) + + conn := s.conn(clusterid) + ctx, ac, kc := s.clientsWithToken(clusterid, accesstoken) + + var coll arvados.Collection + + // Write some file data and create a collection + { + fs, err := coll.FileSystem(ac, kc) + c.Assert(err, check.IsNil) + f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777) + c.Assert(err, check.IsNil) + _, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth") + c.Assert(err, check.IsNil) + err = f.Close() + c.Assert(err, check.IsNil) + mtxt, err := fs.MarshalManifest(".") + c.Assert(err, check.IsNil) + coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{ + "manifest_text": mtxt, + }}) + c.Assert(err, check.IsNil) + } + + // Read the collection & file data + { + user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{}) + c.Assert(err, check.IsNil) + c.Check(user.FullName, check.Equals, "Example User") + coll, err = conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID}) + c.Assert(err, check.IsNil) + c.Check(coll.ManifestText, check.Not(check.Equals), "") + fs, err := coll.FileSystem(ac, kc) + c.Assert(err, check.IsNil) + f, err := fs.Open("test.txt") + c.Assert(err, check.IsNil) + buf, err := ioutil.ReadAll(f) + c.Assert(err, check.IsNil) + c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth")) + } + } }