X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/86660414472d4ff0d8267f9845a753497bd41692..74323ae3de455071de4fce0c2e2ee79a5650a040:/lib/controller/localdb/group_test.go
diff --git a/lib/controller/localdb/group_test.go b/lib/controller/localdb/group_test.go
index 2d55def9f6..1fde64d119 100644
--- a/lib/controller/localdb/group_test.go
+++ b/lib/controller/localdb/group_test.go
@@ -24,14 +24,7 @@ type GroupSuite struct {
 railsSpy *arvadostest.Proxy
 }
 
-func (s *GroupSuite) TearDownSuite(c *check.C) {
- // Undo any changes/additions to the user database so they
- // don't affect subsequent tests.
- arvadostest.ResetEnv()
- c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
-}
-
-func (s *GroupSuite) SetUpTest(c *check.C) {
+func (s *GroupSuite) SetUpSuite(c *check.C) {
 cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
 c.Assert(err, check.IsNil)
 s.cluster, err = cfg.GetCluster("")
@@ -41,8 +34,12 @@ func (s *GroupSuite) SetUpTest(c *check.C) {
 *s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
 }
 
-func (s *GroupSuite) TearDownTest(c *check.C) {
+func (s *GroupSuite) TearDownSuite(c *check.C) {
 s.railsSpy.Close()
+ // Undo any changes/additions to the user database so they
+ // don't affect subsequent tests.
+ arvadostest.ResetEnv()
+ c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
 }
 
 func (s *GroupSuite) setUpVocabulary(c *check.C, testVocabulary string) {
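Review bot: Renaming SetUpTest to SetUpSuite here (and TearDownTest to TearDownSuite in the `-41,8` hunk) means `database/reset` now runs once per suite, so every test in GroupSuite sees the groups and permission links left by the tests before it, and all of them share one `s.localdb` and `s.railsSpy`. For tests that assert authorization results, a pass can then depend on execution order. If the per-suite setup is wanted for speed, keep the reset per test in a `TearDownTest` containing `c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)`, or add a comment on SetUpSuite such as `// Tests share one database state; each test must create the objects it asserts on.`. SetUpSuite's body continues outside the hunk.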
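Review bot: In the new TearDownSuite, `s.railsSpy.Close()` runs before the database reset, so a failure in Close would skip the reset and leave this suite's changes in place for later suites. As far as I know gocheck still runs TearDownSuite after a failed SetUpSuite, and if one of the `c.Assert` calls there stops before railsSpy is assigned (the assignment is outside the visible hunks), Close is presumably called on a nil proxy. Guard the call with `if s.railsSpy != nil { s.railsSpy.Close() }`, or move the reset lines above it.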
@@ -136,3 +133,99 @@ func (s *GroupSuite) TestGroupUpdateWithProperties(c *check.C) {
 }
 }
 }
+
+func (s *GroupSuite) TestCanWriteCanManageResponses(c *check.C) {
+ ctxUser1 := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.ActiveTokenV2}})
+ ctxUser2 := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.SpectatorToken}})
+ ctxAdmin := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{arvadostest.AdminToken}})
+ project, err := s.localdb.GroupCreate(ctxUser1, arvados.CreateOptions{
+ Attrs: map[string]interface{}{
+ "group_class": "project",
+ },
+ })
+ c.Assert(err, check.IsNil)
+ c.Check(project.CanWrite, check.Equals, true)
+ c.Check(project.CanManage, check.Equals, true)
+
+ subproject, err := s.localdb.GroupCreate(ctxUser1, arvados.CreateOptions{
+ Attrs: map[string]interface{}{
+ "owner_uuid": project.UUID,
+ "group_class": "project",
+ },
+ })
+ c.Assert(err, check.IsNil)
+ c.Check(subproject.CanWrite, check.Equals, true)
+ c.Check(subproject.CanManage, check.Equals, true)
+
+ // Give 2nd user permission to read
+ permlink, err := s.localdb.LinkCreate(ctxAdmin, arvados.CreateOptions{
+ Attrs: map[string]interface{}{
+ "link_class": "permission",
+ "name": "can_read",
+ "tail_uuid": arvadostest.SpectatorUserUUID,
+ "head_uuid": project.UUID,
+ },
+ })
+ c.Assert(err, check.IsNil)
+
+ // As 2nd user: can read, cannot manage, cannot write
+ project2, err := s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+ c.Assert(err, check.IsNil)
+ c.Check(project2.CanWrite, check.Equals, false)
+ c.Check(project2.CanManage, check.Equals, false)
+
+ _, err = s.localdb.LinkUpdate(ctxAdmin, arvados.UpdateOptions{
+ UUID: permlink.UUID,
+ Attrs: map[string]interface{}{
+ "name": "can_write",
+ },
+ })
+ c.Assert(err, check.IsNil)
+
+ // As 2nd user: cannot manage, can write
+ project2, err = s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+ c.Assert(err, check.IsNil)
+ c.Check(project2.CanWrite, check.Equals, true)
+ c.Check(project2.CanManage, check.Equals, false)
+
+ // As owner: after freezing, can manage (owner), cannot write (frozen)
+ project, err = s.localdb.GroupUpdate(ctxUser1, arvados.UpdateOptions{
+ UUID: project.UUID,
+ Attrs: map[string]interface{}{
+ "frozen_by_uuid": arvadostest.ActiveUserUUID,
+ }})
+ c.Assert(err, check.IsNil)
+ c.Check(project.CanWrite, check.Equals, false)
+ c.Check(project.CanManage, check.Equals, true)
+
+ // As admin: can manage (admin), cannot write (frozen)
+ project, err = s.localdb.GroupGet(ctxAdmin, arvados.GetOptions{UUID: project.UUID})
+ c.Assert(err, check.IsNil)
+ c.Check(project.CanWrite, check.Equals, false)
+ c.Check(project.CanManage, check.Equals, true)
+
+ // As 2nd user: cannot manage (perm), cannot write (frozen)
+ project2, err = s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+ c.Assert(err, check.IsNil)
+ c.Check(project2.CanWrite, check.Equals, false)
+ c.Check(project2.CanManage, check.Equals, false)
+
+ // After upgrading perm to "manage", as 2nd user: can manage (perm), cannot write (frozen)
+ _, err = s.localdb.LinkUpdate(ctxAdmin, arvados.UpdateOptions{
+ UUID: permlink.UUID,
+ Attrs: map[string]interface{}{
+ "name": "can_manage",
+ },
+ })
+ c.Assert(err, check.IsNil)
+ project2, err = s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: project.UUID})
+ c.Assert(err, check.IsNil)
+ c.Check(project2.CanWrite, check.Equals, false)
+ c.Check(project2.CanManage, check.Equals, true)
+
+ // 2nd user can also manage (but not write) the subject inside the frozen project
+ subproject2, err := s.localdb.GroupGet(ctxUser2, arvados.GetOptions{UUID: subproject.UUID})
+ c.Assert(err, check.IsNil)
+ c.Check(subproject2.CanWrite, check.Equals, false)
+ c.Check(subproject2.CanManage, check.Equals, true)
+}
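Review bot: TestCanWriteCanManageResponses pins the `CanWrite`/`CanManage` flags in responses but never checks that a request is actually refused, so a regression where the flag reads false while the update still succeeds would pass. While the link is still `can_read`, consider adding a `GroupUpdate` call with `ctxUser2` followed by `c.Check(err, check.NotNil)`, plus a `GroupGet` with `ctxUser2` before the permission link exists to pin the no-access baseline. The subproject is only read back in the final state, so checking `subproject2` at the `can_read` and `can_write` steps would cover inherited permissions as well. The last comment says "subject" where "subproject" seems intended.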