X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/89bdd6bf07147ad707125fc3882caebb5402ab09..9ffdf93f954bfe7bfe2269d361961d653caea146:/lib/controller/integration_test.go

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index 8a23bccfb7..9f5d12598b 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -510,10 +510,18 @@ func (s *IntegrationSuite) TestRequestIDHeader(c *check.C) {
 		{"/arvados/v1/collections/" + coll.UUID, true, false},
 		{"/arvados/v1/specimens/" + specimen.UUID, false, false},
 		{"/arvados/v1/specimens/" + specimen.UUID, true, false},
+		// new code path (lib/controller/router etc) - single-cluster request
 		{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", false, true},
 		{"/arvados/v1/collections/z1111-4zz18-0123456789abcde", true, true},
+		// new code path (lib/controller/router etc) - federated request
+		{"/arvados/v1/collections/z2222-4zz18-0123456789abcde", false, true},
+		{"/arvados/v1/collections/z2222-4zz18-0123456789abcde", true, true},
+		// old code path (proxyRailsAPI) - single-cluster request
 		{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", false, true},
 		{"/arvados/v1/specimens/z1111-j58dm-0123456789abcde", true, true},
+		// old code path (setupProxyRemoteCluster) - federated request
+		{"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", false, true},
+		{"/arvados/v1/workflows/z2222-7fd4e-0123456789abcde", true, true},
 	}
 
 	for _, tt := range tests {
@@ -533,24 +541,18 @@ func (s *IntegrationSuite) TestRequestIDHeader(c *check.C) {
 		} else {
 			c.Check(resp.StatusCode, check.Equals, http.StatusOK)
 		}
-		if !tt.reqIdProvided {
-			c.Check(resp.Header.Get("X-Request-Id"), check.Matches, "^req-[0-9a-zA-Z]{20}$")
-			if tt.notFoundRequest {
-				var jresp httpserver.ErrorResponse
-				err := json.NewDecoder(resp.Body).Decode(&jresp)
-				c.Check(err, check.IsNil)
-				c.Assert(jresp.Errors, check.HasLen, 1)
-				c.Check(jresp.Errors[0], check.Matches, "^.*(req-[0-9a-zA-Z]{20}).*$")
-			}
+		respHdr := resp.Header.Get("X-Request-Id")
+		if tt.reqIdProvided {
+			c.Check(respHdr, check.Equals, customReqId)
 		} else {
-			c.Check(resp.Header.Get("X-Request-Id"), check.Equals, customReqId)
-			if tt.notFoundRequest {
-				var jresp httpserver.ErrorResponse
-				err := json.NewDecoder(resp.Body).Decode(&jresp)
-				c.Check(err, check.IsNil)
-				c.Assert(jresp.Errors, check.HasLen, 1)
-				c.Check(jresp.Errors[0], check.Matches, "^.*("+customReqId+").*$")
-			}
+			c.Check(respHdr, check.Matches, `req-[0-9a-zA-Z]{20}`)
+		}
+		if tt.notFoundRequest {
+			var jresp httpserver.ErrorResponse
+			err := json.NewDecoder(resp.Body).Decode(&jresp)
+			c.Check(err, check.IsNil)
+			c.Assert(jresp.Errors, check.HasLen, 1)
+			c.Check(jresp.Errors[0], check.Matches, `.*\(`+respHdr+`\).*`)
 		}
 	}
 }
@@ -662,6 +664,57 @@ func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) {
 	}
 }
 
+// Test for #17785
+func (s *IntegrationSuite) TestFederatedApiClientAuthHandling(c *check.C) {
+	rootctx1, rootclnt1, _ := s.testClusters["z1111"].RootClients()
+	conn1 := s.testClusters["z1111"].Conn()
+
+	// Make sure LoginCluster is properly configured
+	for _, cls := range []string{"z1111", "z3333"} {
+		c.Check(
+			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+			check.Equals, "z1111",
+			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
+	}
+	// Get user's UUID & attempt to create a token for it on the remote cluster
+	_, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1,
+		"user@example.com", true)
+	_, rootclnt3, _ := s.testClusters["z3333"].ClientsWithToken(rootclnt1.AuthToken)
+	var resp arvados.APIClientAuthorization
+	err := rootclnt3.RequestAndDecode(
+		&resp, "POST", "arvados/v1/api_client_authorizations", nil,
+		map[string]interface{}{
+			"api_client_authorization": map[string]string{
+				"owner_uuid": user.UUID,
+			},
+		},
+	)
+	c.Assert(err, check.IsNil)
+	c.Assert(resp.APIClientID, check.Not(check.Equals), 0)
+	newTok := resp.TokenV2()
+	c.Assert(newTok, check.Not(check.Equals), "")
+
+	// Confirm the token is from z1111
+	c.Assert(strings.HasPrefix(newTok, "v2/z1111-gj3su-"), check.Equals, true)
+
+	// Confirm the token works and is from the correct user
+	_, rootclnt3bis, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+	var curUser arvados.User
+	err = rootclnt3bis.RequestAndDecode(
+		&curUser, "GET", "arvados/v1/users/current", nil, nil,
+	)
+	c.Assert(err, check.IsNil)
+	c.Assert(curUser.UUID, check.Equals, user.UUID)
+
+	// Request the ApiClientAuthorization list using the new token
+	_, userClient, _ := s.testClusters["z3333"].ClientsWithToken(newTok)
+	var acaLst arvados.APIClientAuthorizationList
+	err = userClient.RequestAndDecode(
+		&acaLst, "GET", "arvados/v1/api_client_authorizations", nil, nil,
+	)
+	c.Assert(err, check.IsNil)
+}
+
 // Test for bug #18076
 func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) {
 	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
@@ -670,13 +723,11 @@ func (s *IntegrationSuite) TestStaleCachedUserRecord(c *check.C) {
 	conn3 := s.testClusters["z3333"].Conn()
 
 	// Make sure LoginCluster is properly configured
-	for cls := range s.testClusters {
-		if cls == "z1111" || cls == "z3333" {
-			c.Check(
-				s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
-				check.Equals, "z1111",
-				check.Commentf("incorrect LoginCluster config on cluster %q", cls))
-		}
+	for _, cls := range []string{"z1111", "z3333"} {
+		c.Check(
+			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
+			check.Equals, "z1111",
+			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
 	}
 
 	for testCaseNr, testCase := range []struct {
@@ -831,11 +882,9 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) {
 	}
 	c.Check(found, check.Equals, true)
 
-	// Deactivated user can see is_active==false via "get current
-	// user" API
+	// Deactivated user no longer has working token
 	user1, err = conn3.UserGetCurrent(userctx1, arvados.GetOptions{})
-	c.Assert(err, check.IsNil)
-	c.Check(user1.IsActive, check.Equals, false)
+	c.Assert(err, check.ErrorMatches, `.*401 Unauthorized.*`)
 }
 
 func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
@@ -961,3 +1010,63 @@ func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
 		}
 	}
 }
+
+// z3333 should not forward a locally-issued container runtime token,
+// associated with a z1111 user, to its login cluster z1111. z1111
+// would only call back to z3333 and then reject the response because
+// the user ID does not match the token prefix. See
+// dev.arvados.org/issues/18346
+func (s *IntegrationSuite) TestForwardRuntimeTokenToLoginCluster(c *check.C) {
+	db3, db3conn := s.dbConn(c, "z3333")
+	defer db3.Close()
+	defer db3conn.Close()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	rootctx3, _, _ := s.testClusters["z3333"].RootClients()
+	conn1 := s.testClusters["z1111"].Conn()
+	conn3 := s.testClusters["z3333"].Conn()
+	userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true)
+
+	user1, err := conn1.UserGetCurrent(userctx1, arvados.GetOptions{})
+	c.Assert(err, check.IsNil)
+	c.Logf("user1 %+v", user1)
+
+	imageColl, err := conn3.CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+		"manifest_text": ". d41d8cd98f00b204e9800998ecf8427e+0 0:0:sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.tar\n",
+	}})
+	c.Assert(err, check.IsNil)
+	c.Logf("imageColl %+v", imageColl)
+
+	cr, err := conn3.ContainerRequestCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+		"state":           "Committed",
+		"command":         []string{"echo"},
+		"container_image": imageColl.PortableDataHash,
+		"cwd":             "/",
+		"output_path":     "/",
+		"priority":        1,
+		"runtime_constraints": arvados.RuntimeConstraints{
+			VCPUs: 1,
+			RAM:   1000000000,
+		},
+	}})
+	c.Assert(err, check.IsNil)
+	c.Logf("container request %+v", cr)
+	ctr, err := conn3.ContainerLock(rootctx3, arvados.GetOptions{UUID: cr.ContainerUUID})
+	c.Assert(err, check.IsNil)
+	c.Logf("container %+v", ctr)
+
+	// We could use conn3.ContainerAuth() here, but that API
+	// hasn't been added to sdk/go/arvados/api.go yet.
+	row := db3conn.QueryRowContext(context.Background(), `SELECT api_token from api_client_authorizations where uuid=$1`, ctr.AuthUUID)
+	c.Check(row, check.NotNil)
+	var val sql.NullString
+	row.Scan(&val)
+	c.Assert(val.Valid, check.Equals, true)
+	runtimeToken := "v2/" + ctr.AuthUUID + "/" + val.String
+	ctrctx, _, _ := s.testClusters["z3333"].ClientsWithToken(runtimeToken)
+	c.Logf("container runtime token %+v", runtimeToken)
+
+	_, err = conn3.UserGet(ctrctx, arvados.GetOptions{UUID: user1.UUID})
+	c.Assert(err, check.NotNil)
+	c.Check(err, check.ErrorMatches, `request failed: .* 401 Unauthorized: cannot use a locally issued token to forward a request to our login cluster \(z1111\)`)
+	c.Check(err, check.Not(check.ErrorMatches), `(?ms).*127\.0\.0\.11.*`)
+}