X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7c3e13d4876a8e37feffee3cdaebc44b20b7b61b..b7fb5c4593dcc679f5343f0f55b3774a7bcfe499:/services/api/test/integration/remote_user_test.rb diff --git a/services/api/test/integration/remote_user_test.rb b/services/api/test/integration/remote_user_test.rb index 957051833c..179d30f3cb 100644 --- a/services/api/test/integration/remote_user_test.rb +++ b/services/api/test/integration/remote_user_test.rb @@ -67,9 +67,19 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest res.status = @stub_status res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json end - srv.mount_proc '/arvados/v1/users/register' do |req, res| - res.status = @stub_status - res.body = @stub_content.is_a?(String) ? @stub_content : @stub_content.to_json + srv.mount_proc '/arvados/v1/api_client_authorizations/current' do |req, res| + if clusterid == 'zbbbb' and req.header['authorization'][0][10..14] == 'zbork' + # asking zbbbb about zbork should yield an error, zbbbb doesn't trust zbork + res.status = 401 + return + end + res.status = @stub_token_status + if res.status == 200 + res.body = { + uuid: api_client_authorizations(:active).uuid.sub('zzzzz', clusterid), + scopes: @stub_token_scopes, + }.to_json + end end Thread.new do srv.start @@ -83,12 +93,15 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest Arvados::V1::SchemaController.any_instance.stubs(:root_url).returns "https://#{@remote_host[0]}" @stub_status = 200 @stub_content = { - uuid: 'zbbbb-tpzed-000000000000000', + uuid: 'zbbbb-tpzed-000000000000001', email: 'foo@example.com', username: 'barney', is_admin: true, is_active: true, + is_invited: true, } + @stub_token_status = 200 + @stub_token_scopes = ["all"] end teardown do @@ -97,12 +110,37 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end end + test 'authenticate with remote token that has limited scope' do + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + + @stub_token_scopes = ["GET /arvados/v1/users/current"] + + # re-authorize before cache expires + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + + # simulate cache expiry + ApiClientAuthorization.where('uuid like ?', 'zbbbb-%'). + update_all(expires_at: db_current_time - 1.minute) + + # re-authorize after cache expires + get '/arvados/v1/collections', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response 403 + end + test 'authenticate with remote token' do get '/arvados/v1/users/current', params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] assert_equal false, json_response['is_admin'] assert_equal false, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] @@ -118,8 +156,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest assert_response :success # simulate cache expiry - ApiClientAuthorization.where( - uuid: salted_active_token(remote: 'zbbbb').split('/')[1]). + ApiClientAuthorization.where('uuid like ?', 'zbbbb-%'). update_all(expires_at: db_current_time - 1.minute) # re-authorize after cache expires @@ -147,6 +184,31 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest assert_equal 'blarney@example.com', json_response['email'] end + test 'remote user is deactivated' do + Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = true + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal true, json_response['is_active'] + + # revoke original token + @stub_content[:is_active] = false + @stub_content[:is_invited] = false + + # simulate cache expiry + ApiClientAuthorization.where( + uuid: salted_active_token(remote: 'zbbbb').split('/')[1]). + update_all(expires_at: db_current_time - 1.minute) + + # re-authorize after cache expires + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_equal false, json_response['is_active'] + + end + test 'authenticate with remote token, remote username conflicts with local' do @stub_content[:username] = 'active' get '/arvados/v1/users/current', @@ -242,6 +304,7 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end test "list readable groups with salted token" do + Rails.configuration.Users.RoleGroupsVisibleToAll = false salted_token = salt_token(fixture: :active, remote: 'zbbbb') get '/arvados/v1/groups', params: { @@ -259,13 +322,31 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest refute_includes(group_uuids, groups(:testusergroup_admins).uuid) end + test 'do not auto-activate user from untrusted cluster' do + Rails.configuration.RemoteClusters['zbbbb'].AutoSetupNewUsers = false + Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = false + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal false, json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + post '/arvados/v1/users/zbbbb-tpzed-000000000000001/activate', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response 422 + end + test 'auto-activate user from trusted cluster' do Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = true get '/arvados/v1/users/current', params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] assert_equal false, json_response['is_admin'] assert_equal true, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] @@ -278,21 +359,129 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] assert_equal true, json_response['is_admin'] assert_equal true, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] assert_equal 'barney', json_response['username'] end + [true, false].each do |trusted| + [true, false].each do |logincluster| + [true, false].each do |admin| + [true, false].each do |active| + [true, false].each do |autosetup| + [true, false].each do |invited| + test "get invited=#{invited}, active=#{active}, admin=#{admin} user from #{if logincluster then "Login" else "peer" end} cluster when AutoSetupNewUsers=#{autosetup} ActivateUsers=#{trusted}" do + Rails.configuration.Login.LoginCluster = 'zbbbb' if logincluster + Rails.configuration.RemoteClusters['zbbbb'].ActivateUsers = trusted + Rails.configuration.Users.AutoSetupNewUsers = autosetup + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: admin, + is_active: active, + is_invited: invited, + } + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal (logincluster && admin && invited && active), json_response['is_admin'] + assert_equal (invited and (logincluster || trusted || autosetup)), json_response['is_invited'] + assert_equal (invited and (logincluster || trusted) and active), json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + end + end + end + end + end + end + end + + test 'get active user from Login cluster when AutoSetupNewUsers is set' do + Rails.configuration.Login.LoginCluster = 'zbbbb' + Rails.configuration.Users.AutoSetupNewUsers = true + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: false, + is_active: true, + is_invited: true, + } + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal true, json_response['is_active'] + assert_equal true, json_response['is_invited'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + + @stub_content = { + uuid: 'zbbbb-tpzed-000000000000001', + email: 'foo@example.com', + username: 'barney', + is_admin: false, + is_active: false, + is_invited: false, + } + + # Use cached value. User will still be active because we haven't + # re-queried the upstream cluster. + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal true, json_response['is_active'] + assert_equal true, json_response['is_invited'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + + # Delete cached value. User should be inactive now. + act_as_system_user do + ApiClientAuthorization.delete_all + end + + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000000001', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal false, json_response['is_active'] + assert_equal false, json_response['is_invited'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + + end + test 'pre-activate remote user' do + @stub_content = { + uuid: 'zbbbb-tpzed-000000000001234', + email: 'foo@example.com', + username: 'barney', + is_admin: true, + is_active: true, + is_invited: true, + } + post '/arvados/v1/users', params: { "user" => { - "uuid" => "zbbbb-tpzed-000000000000000", + "uuid" => "zbbbb-tpzed-000000000001234", "email" => 'foo@example.com', "username" => 'barney', - "is_active" => true + "is_active" => true, + "is_admin" => false } }, headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_token(:admin)}"} @@ -302,13 +491,35 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest params: {format: 'json'}, headers: auth(remote: 'zbbbb') assert_response :success - assert_equal 'zbbbb-tpzed-000000000000000', json_response['uuid'] - assert_equal nil, json_response['is_admin'] + assert_equal 'zbbbb-tpzed-000000000001234', json_response['uuid'] + assert_equal false, json_response['is_admin'] assert_equal true, json_response['is_active'] assert_equal 'foo@example.com', json_response['email'] assert_equal 'barney', json_response['username'] end + + test 'remote user inactive without pre-activation' do + @stub_content = { + uuid: 'zbbbb-tpzed-000000000001234', + email: 'foo@example.com', + username: 'barney', + is_admin: true, + is_active: true, + is_invited: true, + } + + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zbbbb-tpzed-000000000001234', json_response['uuid'] + assert_equal false, json_response['is_admin'] + assert_equal false, json_response['is_active'] + assert_equal 'foo@example.com', json_response['email'] + assert_equal 'barney', json_response['username'] + end + test "validate unsalted v2 token for remote cluster zbbbb" do auth = api_client_authorizations(:active) token = "v2/#{auth.uuid}/#{auth.api_token}" @@ -344,4 +555,22 @@ class RemoteUsersTest < ActionDispatch::IntegrationTest end end + test 'authenticate with remote token, remote user is system user' do + @stub_content[:uuid] = 'zbbbb-tpzed-000000000000000' + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_equal 'from cluster zbbbb', json_response['last_name'] + end + + test 'authenticate with remote token, remote user is anonymous user' do + @stub_content[:uuid] = 'zbbbb-tpzed-anonymouspublic' + get '/arvados/v1/users/current', + params: {format: 'json'}, + headers: auth(remote: 'zbbbb') + assert_response :success + assert_equal 'zzzzz-tpzed-anonymouspublic', json_response['uuid'] + end + + end