X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5022c4068227e4d354389169a9abd726206aff7d..b7fb5c4593dcc679f5343f0f55b3774a7bcfe499:/services/api/test/integration/remote_user_test.rb diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb index 4823aca5f6..179d30f3cb 100644 --- a/services/api/test/integration/remote_user_test.rb +++ b/services/api/test/integration/remote_user_test.rb @@ -67,6 +67,20 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest res.status = @stub_status res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json end + srv.mount_proc '/arvados/v1/api_client_authorizations/current' do |req, res| + if clusterid == 'zbbbb' and req.header['authorization'][0][10..14] == 'zbork' + # asking zbbbb about zbork should yield an error, zbbbb doesn't trust zbork + res.status = 401 + return + end + res.status = @stub_token_status + if res.status == 200 + res.body = { + uuid: api_client_authorizations(:active).uuid.sub('zzzzz', clusterid), + scopes: @stub_token_scopes, + }.to_json + end + end Thread.new do srv.start end @@ -79,12 +93,15 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host[0]}" @stub_status = 200 @stub_content = { - uuid: 'zbbbb-tpzed-000000000000000', + uuid: 'zbbbb-tpzed-000000000000001', email: 'foo@example.com', username: 'barney', is_admin: true, is_active: true, + is_invited: true, } + @stub_token_status = 200 + @stub_token_scopes = ["all"] end teardown do @@ -93,12 +110,37 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end end + test 'authenticate with remote token that has limited scope' do + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + + @stub_token_scopes = ["GET /arvados/v1/users/current"] + + # re-authorize before cache expires + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + + # simulate cache expiry + ApiClientAuthorization.where('uuid like ?', 'zbbbb-%'). + update_all(expires_at: db_current_time - 1.minute) + + # re-authorize after cache expires + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response 403 + end + test 'authenticate with remote token' do get '/arvados/v1/users/current', params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] assert_equal false, json_response['is_admin'] assert_equal false, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] @@ -114,8 +156,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest assert_response :success # simulate cache expiry - ApiClientAuthorization.where( - uuid: salted_active_token(remote: 'zbbbb').split('/')[1]). + ApiClientAuthorization.where('uuid like ?', 'zbbbb-%'). update_all(expires_at: db_current_time - 1.minute) # re-authorize after cache expires @@ -153,6 +194,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest # revoke original token @stub_content[:is_active] = false + @stub_content[:is_invited] = false # simulate cache expiry ApiClientAuthorization.where( @@ -262,6 +304,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end test "list readable groups with salted token" do + Rails.configuration.Users.RoleGroupsVisibleToAll = false salted_token = salt_token(fixture: :active, remote: 'zbbbb') get '/arvados/v1/groups', params: { @@ -279,13 +322,31 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest refute_includes(group_uuids, groups(:testusergroup_admins).uuid) end + test 'do not auto-activate user from untrusted cluster' do + Rails.configuration.RemoteClusters['zbbbb'].AutoSetupNewUsers = false + Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = false + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal false, json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + post '/arvados/v1/users/zbbbb-tpzed-000000000000001/activate', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response 422 + end + test 'auto-activate user from trusted cluster' do Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = true get '/arvados/v1/users/current', params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] assert_equal false, json_response['is_admin'] assert_equal true, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] @@ -298,13 +359,111 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] assert_equal true, json_response['is_admin'] assert_equal true, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] assert_equal 'barney', json_response['username'] end + [true, false].each do |trusted| + [true, false].each do |logincluster| + [true, false].each do |admin| + [true, false].each do |active| + [true, false].each do |autosetup| + [true, false].each do |invited| + test "get invited=#{invited}, active=#{active}, admin=#{admin} user from #{if logincluster then "Login" else "peer" end} cluster when AutoSetupNewUsers=#{autosetup} ActivateUsers=#{trusted}" do + Rails.configuration.Login.LoginCluster = 'zbbbb' if logincluster + Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = trusted + Rails.configuration.Users.AutoSetupNewUsers = autosetup + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: admin, + is_active: active, + is_invited: invited, + } + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal (logincluster && admin && invited && active), json_response['is_admin'] + assert_equal (invited and (logincluster || trusted || autosetup)), json_response['is_invited'] + assert_equal (invited and (logincluster || trusted) and active), json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + end + end + end + end + end + end + end + + test 'get active user from Login cluster when AutoSetupNewUsers is set' do + Rails.configuration.Login.LoginCluster = 'zbbbb' + Rails.configuration.Users.AutoSetupNewUsers = true + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: false, + is_active: true, + is_invited: true, + } + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal true, json_response['is_active'] + assert_equal true, json_response['is_invited'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: false, + is_active: false, + is_invited: false, + } + + # Use cached value. User will still be active because we haven't + # re-queried the upstream cluster. + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal true, json_response['is_active'] + assert_equal true, json_response['is_invited'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + + # Delete cached value. User should be inactive now. + act_as_system_user do + ApiClientAuthorization.delete_all + end + + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal false, json_response['is_active'] + assert_equal false, json_response['is_invited'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + + end + test 'pre-activate remote user' do @stub_content = { uuid: 'zbbbb-tpzed-000000000001234', @@ -312,6 +471,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest username: 'barney', is_admin: true, is_active: true, + is_invited: true, } post '/arvados/v1/users', @@ -346,6 +506,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest username: 'barney', is_admin: true, is_active: true, + is_invited: true, } get '/arvados/v1/users/current', @@ -394,4 +555,22 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end end + test 'authenticate with remote token, remote user is system user' do + @stub_content[:uuid] = 'zbbbb-tpzed-000000000000000' + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_equal 'from cluster zbbbb', json_response['last_name'] + end + + test 'authenticate with remote token, remote user is anonymous user' do + @stub_content[:uuid] = 'zbbbb-tpzed-anonymouspublic' + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zzzzz-tpzed-anonymouspublic', json_response['uuid'] + end + + end