X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6c2a704b7a2d721087976b2b8ec4f22cdaf44178..a942e37250873d383bd885ba0dba70c63b3c073d:/services/api/test/functional/arvados/v1/groups_controller_test.rb diff --git a/services/api/test/functional/arvados/v1/groups_controller_test.rb b/services/api/test/functional/arvados/v1/groups_controller_test.rb index f8f9eaeb0d..de339c9554 100644 --- a/services/api/test/functional/arvados/v1/groups_controller_test.rb +++ b/services/api/test/functional/arvados/v1/groups_controller_test.rb @@ -14,32 +14,32 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase assert_response 403 end - test "get list of folders" do + test "get list of projects" do authorize_with :active - get :index, filters: [['group_class', '=', 'folder']], format: :json + get :index, filters: [['group_class', '=', 'project']], format: :json assert_response :success group_uuids = [] json_response['items'].each do |group| - assert_equal 'folder', group['group_class'] + assert_equal 'project', group['group_class'] group_uuids << group['uuid'] end - assert_includes group_uuids, groups(:afolder).uuid - assert_includes group_uuids, groups(:asubfolder).uuid + assert_includes group_uuids, groups(:aproject).uuid + assert_includes group_uuids, groups(:asubproject).uuid assert_not_includes group_uuids, groups(:system_group).uuid assert_not_includes group_uuids, groups(:private).uuid end - test "get list of groups that are not folders" do + test "get list of groups that are not projects" do authorize_with :active - get :index, filters: [['group_class', '=', nil]], format: :json + get :index, filters: [['group_class', '!=', 'project']], format: :json assert_response :success group_uuids = [] json_response['items'].each do |group| - assert_equal nil, group['group_class'] + assert_not_equal 'project', group['group_class'] group_uuids << group['uuid'] end - assert_not_includes group_uuids, groups(:afolder).uuid - assert_not_includes group_uuids, groups(:asubfolder).uuid + assert_not_includes group_uuids, groups(:aproject).uuid + assert_not_includes group_uuids, groups(:asubproject).uuid assert_includes group_uuids, groups(:private).uuid end @@ -54,25 +54,158 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase assert_equal 0, json_response['items_available'] end + def check_project_contents_response + assert_response :success + assert_operator 2, :<=, json_response['items_available'] + assert_operator 2, :<=, json_response['items'].count + kinds = json_response['items'].collect { |i| i['kind'] }.uniq + expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' + assert_equal expect_kinds, (expect_kinds & kinds) + + json_response['items'].each do |i| + if i['kind'] == 'arvados#group' + assert(i['group_class'] == 'project', + "group#contents returned a non-project group") + end + end + end + test 'get group-owned objects' do authorize_with :active get :contents, { - id: groups(:afolder).uuid, + id: groups(:aproject).uuid, format: :json, include_linked: true, } + check_project_contents_response + end + + test "user with project read permission can see project objects" do + authorize_with :project_viewer + get :contents, { + id: groups(:aproject).uuid, + format: :json, + include_linked: true, + } + check_project_contents_response + end + + test "list objects across projects" do + authorize_with :project_viewer + get :contents, { + format: :json, + filters: [['uuid', 'is_a', 'arvados#specimen']] + } assert_response :success - assert_operator 2, :<=, json_response['items_available'] - assert_operator 2, :<=, json_response['items'].count - kinds = json_response['items'].collect { |i| i['kind'] }.uniq - expect_kinds = %w'arvados#group arvados#specimen arvados#pipelineTemplate arvados#job' - assert_equal expect_kinds, (expect_kinds & kinds) + found_uuids = json_response['items'].collect { |i| i['uuid'] } + [[:in_aproject, true], + [:in_asubproject, true], + [:owned_by_private_group, false]].each do |specimen_fixture, should_find| + if should_find + assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'" + else + refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'" + end + end + end + + test "list objects in home project" do + authorize_with :active + get :contents, { + format: :json, + id: users(:active).uuid + } + assert_response :success + found_uuids = json_response['items'].collect { |i| i['uuid'] } + assert_includes found_uuids, specimens(:owned_by_active_user).uuid, "specimen did not appear in home project" + refute_includes found_uuids, specimens(:in_asubproject).uuid, "specimen appeared unexpectedly in home project" + end + + test "user with project read permission can see project collections" do + authorize_with :project_viewer + get :contents, { + id: groups(:asubproject).uuid, + format: :json, + } + ids = json_response['items'].map { |item| item["uuid"] } + assert_includes ids, collections(:baz_file_in_asubproject).uuid + end + + test 'list objects across multiple projects' do + authorize_with :project_viewer + get :contents, { + format: :json, + include_linked: false, + filters: [['uuid', 'is_a', 'arvados#specimen']] + } + assert_response :success + found_uuids = json_response['items'].collect { |i| i['uuid'] } + [[:in_aproject, true], + [:in_asubproject, true], + [:owned_by_private_group, false]].each do |specimen_fixture, should_find| + if should_find + assert_includes found_uuids, specimens(specimen_fixture).uuid, "did not find specimen fixture '#{specimen_fixture}'" + else + refute_includes found_uuids, specimens(specimen_fixture).uuid, "found specimen fixture '#{specimen_fixture}'" + end + end + end + + # Even though the project_viewer tests go through other controllers, + # I'm putting them here so they're easy to find alongside the other + # project tests. + def check_new_project_link_fails(link_attrs) + @controller = Arvados::V1::LinksController.new + post :create, link: { + link_class: "permission", + name: "can_read", + head_uuid: groups(:aproject).uuid, + }.merge(link_attrs) + assert_includes(403..422, response.status) + end + + test "user with project read permission can't add users to it" do + authorize_with :project_viewer + check_new_project_link_fails(tail_uuid: users(:spectator).uuid) + end + + test "user with project read permission can't add items to it" do + authorize_with :project_viewer + check_new_project_link_fails(tail_uuid: collections(:baz_file).uuid) + end + + test "user with project read permission can't rename items in it" do + authorize_with :project_viewer + @controller = Arvados::V1::LinksController.new + post :update, { + id: jobs(:running).uuid, + name: "Denied test name", + } + assert_includes(403..404, response.status) + end + + test "user with project read permission can't remove items from it" do + @controller = Arvados::V1::PipelineTemplatesController.new + authorize_with :project_viewer + post :update, { + id: pipeline_templates(:two_part).uuid, + pipeline_template: { + owner_uuid: users(:project_viewer).uuid, + } + } + assert_response 403 + end + + test "user with project read permission can't delete it" do + authorize_with :project_viewer + post :destroy, {id: groups(:aproject).uuid} + assert_response 403 end test 'get group-owned objects with limit' do authorize_with :active get :contents, { - id: groups(:afolder).uuid, + id: groups(:aproject).uuid, limit: 1, format: :json, } @@ -84,7 +217,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase test 'get group-owned objects with limit and offset' do authorize_with :active get :contents, { - id: groups(:afolder).uuid, + id: groups(:aproject).uuid, limit: 1, offset: 12345, format: :json, @@ -97,7 +230,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase test 'get group-owned objects with additional filter matching nothing' do authorize_with :active get :contents, { - id: groups(:afolder).uuid, + id: groups(:aproject).uuid, filters: [['uuid', 'in', ['foo_not_a_uuid','bar_not_a_uuid']]], format: :json, } @@ -106,89 +239,41 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase assert_equal 0, json_response['items_available'] end - test 'get group-owned objects without include_linked' do - unexpected_uuid = specimens(:in_afolder_linked_from_asubfolder).uuid - authorize_with :active - get :contents, { - id: groups(:asubfolder).uuid, - format: :json, - } - assert_response :success - uuids = json_response['items'].collect { |i| i['uuid'] } - assert_equal nil, uuids.index(unexpected_uuid) - end - - test 'get group-owned objects with include_linked' do - expected_uuid = specimens(:in_afolder_linked_from_asubfolder).uuid + test "get all pages of group-owned objects" do authorize_with :active - get :contents, { - id: groups(:asubfolder).uuid, - include_linked: true, - format: :json, - } - assert_response :success - uuids = json_response['items'].collect { |i| i['uuid'] } - assert_includes uuids, expected_uuid, "Did not get #{expected_uuid}" - - expected_name = links(:specimen_is_in_two_folders).name - found_specimen_name = false - assert(json_response['links'].any?, - "Expected a non-empty array of links in response") - json_response['links'].each do |link| - if link['head_uuid'] == expected_uuid - if link['name'] == expected_name - found_specimen_name = true - end - end - end - assert(found_specimen_name, - "Expected to find name '#{expected_name}' in response") - end - - [false, true].each do |inc_ind| - test "get all pages of group-owned #{'and -linked ' if inc_ind}objects" do - authorize_with :active - limit = 5 - offset = 0 - items_available = nil - uuid_received = {} - owner_received = {} - while true - # Behaving badly here, using the same controller multiple - # times within a test. - @json_response = nil - get :contents, { - id: groups(:afolder).uuid, - include_linked: inc_ind, - limit: limit, - offset: offset, - format: :json, - } - assert_response :success - assert_operator(0, :<, json_response['items'].count, - "items_available=#{items_available} but received 0 "\ - "items with offset=#{offset}") - items_available ||= json_response['items_available'] - assert_equal(items_available, json_response['items_available'], - "items_available changed between page #{offset/limit} "\ - "and page #{1+offset/limit}") - json_response['items'].each do |item| - uuid = item['uuid'] - assert_equal(nil, uuid_received[uuid], - "Received '#{uuid}' again on page #{1+offset/limit}") - uuid_received[uuid] = true - owner_received[item['owner_uuid']] = true - offset += 1 - if not inc_ind - assert_equal groups(:afolder).uuid, item['owner_uuid'] - end - end - break if offset >= items_available - end - if inc_ind - assert_operator 0, :<, (json_response.keys - [users(:active).uuid]).count, - "Set include_linked=true but did not receive any non-owned items" + limit = 5 + offset = 0 + items_available = nil + uuid_received = {} + owner_received = {} + while true + # Behaving badly here, using the same controller multiple + # times within a test. + @json_response = nil + get :contents, { + id: groups(:aproject).uuid, + limit: limit, + offset: offset, + format: :json, + } + assert_response :success + assert_operator(0, :<, json_response['items'].count, + "items_available=#{items_available} but received 0 "\ + "items with offset=#{offset}") + items_available ||= json_response['items_available'] + assert_equal(items_available, json_response['items_available'], + "items_available changed between page #{offset/limit} "\ + "and page #{1+offset/limit}") + json_response['items'].each do |item| + uuid = item['uuid'] + assert_equal(nil, uuid_received[uuid], + "Received '#{uuid}' again on page #{1+offset/limit}") + uuid_received[uuid] = true + owner_received[item['owner_uuid']] = true + offset += 1 + assert_equal groups(:aproject).uuid, item['owner_uuid'] end + break if offset >= items_available end end @@ -197,7 +282,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase test "Raise error on bogus #{arg} parameter #{val.inspect}" do authorize_with :active get :contents, { - :id => groups(:afolder).uuid, + :id => groups(:aproject).uuid, :format => :json, arg => val, } @@ -209,7 +294,7 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase test 'get writable_by list for owned group' do authorize_with :active get :show, { - id: groups(:afolder).uuid, + id: groups(:aproject).uuid, format: :json } assert_response :success @@ -226,8 +311,9 @@ class Arvados::V1::GroupsControllerTest < ActionController::TestCase format: :json } assert_response :success - assert_nil(json_response['writable_by'], - "Should not receive uuid list in 'writable_by' field") + assert_equal([json_response['owner_uuid']], + json_response['writable_by'], + "Should only see owner_uuid in 'writable_by' field") end test 'get writable_by list by admin user' do