X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6f70a514652050bde05301a4715be8769f213ac6..0561bd0c3c07257fd58ded6c7cfa5feeae97af57:/services/api/test/integration/permissions_test.rb diff --git a/services/api/test/integration/permissions_test.rb b/services/api/test/integration/permissions_test.rb index f83e8c374f..f8f1e254bf 100644 --- a/services/api/test/integration/permissions_test.rb +++ b/services/api/test/integration/permissions_test.rb @@ -1,8 +1,18 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + require 'test_helper' class PermissionsTest < ActionDispatch::IntegrationTest + include DbCurrentTime + include CurrentApiClient # for empty_collection fixtures :users, :groups, :api_client_authorizations, :collections + teardown do + User.invalidate_permissions_cache db_current_time.to_i + end + test "adding and removing direct can_read links" do # try to read collection as spectator get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) @@ -100,7 +110,7 @@ class PermissionsTest < ActionDispatch::IntegrationTest # try to read collection as spectator get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) assert_response 404 - + end @@ -151,7 +161,7 @@ class PermissionsTest < ActionDispatch::IntegrationTest # try to read collection as spectator get "/arvados/v1/collections/#{collections(:foo_file).uuid}", {:format => :json}, auth(:spectator) assert_response 404 - + end test "adding can_read links from user to group, group to group, group to collection" do @@ -212,18 +222,6 @@ class PermissionsTest < ActionDispatch::IntegrationTest assert_response 404 end - test "read-only group-admin sees correct subset of user list" do - get "/arvados/v1/users", {:format => :json}, auth(:rominiadmin) - assert_response :success - resp_uuids = json_response['items'].collect { |i| i['uuid'] } - [[true, users(:rominiadmin).uuid], - [true, users(:active).uuid], - [false, users(:miniadmin).uuid], - [false, users(:spectator).uuid]].each do |should_find, uuid| - assert_equal should_find, !resp_uuids.index(uuid).nil?, "rominiadmin should #{'not ' if !should_find}see #{uuid} in user list" - end - end - test "read-only group-admin cannot modify administered user" do put "/arvados/v1/users/#{users(:active).uuid}", { :user => { @@ -284,14 +282,19 @@ class PermissionsTest < ActionDispatch::IntegrationTest end test "get_permissions returns list" do - # add some permissions + # First confirm that user :active cannot get permissions on group :public + get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active) + assert_response 404 + + # add some permissions, including can_manage + # permission for user :active post "/arvados/v1/links", { :format => :json, :link => { tail_uuid: users(:spectator).uuid, link_class: 'permission', name: 'can_read', - head_uuid: collections(:foo_file).uuid, + head_uuid: groups(:public).uuid, properties: {} } }, auth(:admin) @@ -301,10 +304,10 @@ class PermissionsTest < ActionDispatch::IntegrationTest post "/arvados/v1/links", { :format => :json, :link => { - tail_uuid: users(:active).uuid, + tail_uuid: users(:inactive).uuid, link_class: 'permission', name: 'can_write', - head_uuid: collections(:foo_file).uuid, + head_uuid: groups(:public).uuid, properties: {} } }, auth(:admin) @@ -314,39 +317,62 @@ class PermissionsTest < ActionDispatch::IntegrationTest post "/arvados/v1/links", { :format => :json, :link => { - tail_uuid: users(:inactive).uuid, + tail_uuid: users(:active).uuid, link_class: 'permission', name: 'can_manage', - head_uuid: collections(:foo_file).uuid, + head_uuid: groups(:public).uuid, properties: {} } }, auth(:admin) assert_response :success can_manage_uuid = json_response['uuid'] - get "/arvados/v1/permissions/#{collections(:foo_file).uuid}", { - :format => :json, - }, auth(:admin) + # Now user :active should be able to retrieve permissions + # on group :public. + get("/arvados/v1/permissions/#{groups(:public).uuid}", + { :format => :json }, + auth(:active)) assert_response :success perm_uuids = json_response['items'].map { |item| item['uuid'] } - assert perm_uuids.include?(can_read_uuid), "can_read_uuid not found" - assert perm_uuids.include?(can_write_uuid), "can_write_uuid not found" - assert perm_uuids.include?(can_manage_uuid), "can_manage_uuid not found" + assert_includes perm_uuids, can_read_uuid, "can_read_uuid not found" + assert_includes perm_uuids, can_write_uuid, "can_write_uuid not found" + assert_includes perm_uuids, can_manage_uuid, "can_manage_uuid not found" end test "get_permissions returns 404 for nonexistent uuid" do - nonexistent = Collection.generate_uuid + nonexistent = Group.generate_uuid # make sure it really doesn't exist - get "/arvados/v1/collections/#{nonexistent}", { :format => :json }, auth(:admin) + get "/arvados/v1/groups/#{nonexistent}", nil, auth(:admin) assert_response 404 - get "/arvados/v1/permissions/#{nonexistent}", { :format => :json }, auth(:active) + get "/arvados/v1/permissions/#{nonexistent}", nil, auth(:active) assert_response 404 end - test "get_permissions returns 403 if user lacks manage permission" do - get "/arvados/v1/permissions/#{collections(:foo_file).uuid}", { :format => :json }, auth(:active) + test "get_permissions returns 403 if user can read but not manage" do + post "/arvados/v1/links", { + :link => { + tail_uuid: users(:active).uuid, + link_class: 'permission', + name: 'can_read', + head_uuid: groups(:public).uuid, + properties: {} + } + }, auth(:admin) + assert_response :success + + get "/arvados/v1/permissions/#{groups(:public).uuid}", nil, auth(:active) assert_response 403 end + + test "active user can read the empty collection" do + # The active user should be able to read the empty collection. + + get("/arvados/v1/collections/#{empty_collection_uuid}", + { :format => :json }, + auth(:active)) + assert_response :success + assert_empty json_response['manifest_text'], "empty collection manifest_text is not empty" + end end