X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/848940a94d956c26297164cd6c7a51785db82726..5ea0a240eb08a4d43d5f7670a694f0158f0bac36:/services/api/test/integration/api_client_authorizations_api_test.rb

diff --git a/services/api/test/integration/api_client_authorizations_api_test.rb b/services/api/test/integration/api_client_authorizations_api_test.rb
index 5c3c0ddfea..b9bfd3a395 100644
--- a/services/api/test/integration/api_client_authorizations_api_test.rb
+++ b/services/api/test/integration/api_client_authorizations_api_test.rb
@@ -1,11 +1,59 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
 require 'test_helper'
 
 class ApiClientAuthorizationsApiTest < ActionDispatch::IntegrationTest
   fixtures :all
 
   test "create system auth" do
-    post "/arvados/v1/api_client_authorizations/create_system_auth", {:format => :json, :scopes => ['test'].to_json}, {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
+    post "/arvados/v1/api_client_authorizations/create_system_auth",
+      params: {:format => :json, :scopes => ['test'].to_json},
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
     assert_response :success
   end
 
+  test "create token for different user" do
+    post "/arvados/v1/api_client_authorizations",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :owner_uuid => users(:spectator).uuid
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin_trustedclient).api_token}"}
+    assert_response :success
+
+    get "/arvados/v1/users/current",
+      params: {:format => :json},
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{json_response['api_token']}"}
+    @json_response = nil
+    assert_equal users(:spectator).uuid, json_response['uuid']
+  end
+
+  test "refuse to create token for different user if not trusted client" do
+    post "/arvados/v1/api_client_authorizations",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :owner_uuid => users(:spectator).uuid
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:admin).api_token}"}
+    assert_response 403
+  end
+
+  test "refuse to create token for different user if not admin" do
+    post "/arvados/v1/api_client_authorizations",
+      params: {
+        :format => :json,
+        :api_client_authorization => {
+          :owner_uuid => users(:spectator).uuid
+        }
+      },
+      headers: {'HTTP_AUTHORIZATION' => "OAuth2 #{api_client_authorizations(:active_trustedclient).api_token}"}
+    assert_response 403
+  end
+
 end