X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/8f8329e7d99e9d1c0e753fb26bf4dc1e76828017..887a23521d1f8b284e510041b269e5c9608687d6:/lib/controller/integration_test.go

diff --git a/lib/controller/integration_test.go b/lib/controller/integration_test.go
index 03c8850925..7b1dcbea66 100644
--- a/lib/controller/integration_test.go
+++ b/lib/controller/integration_test.go
@@ -7,48 +7,46 @@ package controller
 import (
 	"bytes"
 	"context"
+	"database/sql"
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"math"
 	"net"
 	"net/http"
-	"net/url"
 	"os"
+	"os/exec"
 	"path/filepath"
+	"strconv"
+	"strings"
 
 	"git.arvados.org/arvados.git/lib/boot"
 	"git.arvados.org/arvados.git/lib/config"
-	"git.arvados.org/arvados.git/lib/controller/rpc"
-	"git.arvados.org/arvados.git/lib/service"
 	"git.arvados.org/arvados.git/sdk/go/arvados"
-	"git.arvados.org/arvados.git/sdk/go/arvadosclient"
-	"git.arvados.org/arvados.git/sdk/go/auth"
+	"git.arvados.org/arvados.git/sdk/go/arvadostest"
 	"git.arvados.org/arvados.git/sdk/go/ctxlog"
-	"git.arvados.org/arvados.git/sdk/go/keepclient"
 	check "gopkg.in/check.v1"
 )
 
 var _ = check.Suite(&IntegrationSuite{})
 
-type testCluster struct {
-	super         boot.Supervisor
-	config        arvados.Config
-	controllerURL *url.URL
-}
-
 type IntegrationSuite struct {
-	testClusters map[string]*testCluster
+	testClusters map[string]*boot.TestCluster
+	oidcprovider *arvadostest.OIDCProvider
 }
 
 func (s *IntegrationSuite) SetUpSuite(c *check.C) {
-	if forceLegacyAPI14 {
-		c.Skip("heavy integration tests don't run with forceLegacyAPI14")
-		return
-	}
-
 	cwd, _ := os.Getwd()
-	s.testClusters = map[string]*testCluster{
+
+	s.oidcprovider = arvadostest.NewOIDCProvider(c)
+	s.oidcprovider.AuthEmail = "user@example.com"
+	s.oidcprovider.AuthEmailVerified = true
+	s.oidcprovider.AuthName = "Example User"
+	s.oidcprovider.ValidClientID = "clientid"
+	s.oidcprovider.ValidClientSecret = "clientsecret"
+
+	s.testClusters = map[string]*boot.TestCluster{
 		"z1111": nil,
 		"z2222": nil,
 		"z3333": nil,
@@ -76,8 +74,6 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
         ExternalURL: https://` + hostport[id] + `
     TLS:
       Insecure: true
-    Login:
-      LoginCluster: z1111
     SystemLogs:
       Format: text
     RemoteClusters:
@@ -106,6 +102,24 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
         ActivateUsers: true
 `
 		}
+		if id == "z1111" {
+			yaml += `
+    Login:
+      LoginCluster: z1111
+      OpenIDConnect:
+        Enable: true
+        Issuer: ` + s.oidcprovider.Issuer.URL + `
+        ClientID: ` + s.oidcprovider.ValidClientID + `
+        ClientSecret: ` + s.oidcprovider.ValidClientSecret + `
+        EmailClaim: email
+        EmailVerifiedClaim: email_verified
+`
+		} else {
+			yaml += `
+    Login:
+      LoginCluster: z1111
+`
+		}
 
 		loader := config.NewLoader(bytes.NewBufferString(yaml), ctxlog.TestLogger(c))
 		loader.Path = "-"
@@ -113,112 +127,30 @@ func (s *IntegrationSuite) SetUpSuite(c *check.C) {
 		loader.SkipAPICalls = true
 		cfg, err := loader.Load()
 		c.Assert(err, check.IsNil)
-		s.testClusters[id] = &testCluster{
-			super: boot.Supervisor{
-				SourcePath:           filepath.Join(cwd, "..", ".."),
-				ClusterType:          "test",
-				ListenHost:           "127.0.0." + id[3:],
-				ControllerAddr:       ":0",
-				OwnTemporaryDatabase: true,
-				Stderr:               &service.LogPrefixer{Writer: ctxlog.LogWriter(c.Log), Prefix: []byte("[" + id + "] ")},
-			},
-			config: *cfg,
-		}
-		s.testClusters[id].super.Start(context.Background(), &s.testClusters[id].config, "-")
+		tc := boot.NewTestCluster(
+			filepath.Join(cwd, "..", ".."),
+			id, cfg, "127.0.0."+id[3:], c.Log)
+		tc.Super.NoWorkbench1 = true
+		tc.Start()
+		s.testClusters[id] = tc
 	}
 	for _, tc := range s.testClusters {
-		au, ok := tc.super.WaitReady()
+		ok := tc.WaitReady()
 		c.Assert(ok, check.Equals, true)
-		u := url.URL(*au)
-		tc.controllerURL = &u
 	}
 }
 
 func (s *IntegrationSuite) TearDownSuite(c *check.C) {
 	for _, c := range s.testClusters {
-		c.super.Stop()
-	}
-}
-
-// Get rpc connection struct initialized to communicate with the
-// specified cluster.
-func (s *IntegrationSuite) conn(clusterID string) *rpc.Conn {
-	return rpc.NewConn(clusterID, s.testClusters[clusterID].controllerURL, true, rpc.PassthroughTokenProvider)
-}
-
-// Return Context, Arvados.Client and keepclient structs initialized
-// to connect to the specified cluster (by clusterID) using with the supplied
-// Arvados token.
-func (s *IntegrationSuite) clientsWithToken(clusterID string, token string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
-	cl := s.testClusters[clusterID].config.Clusters[clusterID]
-	ctx := auth.NewContext(context.Background(), auth.NewCredentials(token))
-	ac, err := arvados.NewClientFromConfig(&cl)
-	if err != nil {
-		panic(err)
-	}
-	ac.AuthToken = token
-	arv, err := arvadosclient.New(ac)
-	if err != nil {
-		panic(err)
-	}
-	kc := keepclient.New(arv)
-	return ctx, ac, kc
-}
-
-// Log in as a user called "example", get the user's API token,
-// initialize clients with the API token, set up the user and
-// optionally activate the user.  Return client structs for
-// communicating with the cluster on behalf of the 'example' user.
-func (s *IntegrationSuite) userClients(rootctx context.Context, c *check.C, conn *rpc.Conn, clusterID string, activate bool) (context.Context, *arvados.Client, *keepclient.KeepClient) {
-	login, err := conn.UserSessionCreate(rootctx, rpc.UserSessionCreateOptions{
-		ReturnTo: ",https://example.com",
-		AuthInfo: rpc.UserSessionAuthInfo{
-			Email:     "user@example.com",
-			FirstName: "Example",
-			LastName:  "User",
-			Username:  "example",
-		},
-	})
-	c.Assert(err, check.IsNil)
-	redirURL, err := url.Parse(login.RedirectLocation)
-	c.Assert(err, check.IsNil)
-	userToken := redirURL.Query().Get("api_token")
-	c.Logf("user token: %q", userToken)
-	ctx, ac, kc := s.clientsWithToken(clusterID, userToken)
-	user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
-	c.Assert(err, check.IsNil)
-	_, err = conn.UserSetup(rootctx, arvados.UserSetupOptions{UUID: user.UUID})
-	c.Assert(err, check.IsNil)
-	if activate {
-		_, err = conn.UserActivate(rootctx, arvados.UserActivateOptions{UUID: user.UUID})
-		c.Assert(err, check.IsNil)
-		user, err = conn.UserGetCurrent(ctx, arvados.GetOptions{})
-		c.Assert(err, check.IsNil)
-		c.Logf("user UUID: %q", user.UUID)
-		if !user.IsActive {
-			c.Fatalf("failed to activate user -- %#v", user)
-		}
+		c.Super.Stop()
 	}
-	return ctx, ac, kc
-}
-
-// Return Context, arvados.Client and keepclient structs initialized
-// to communicate with the cluster as the system root user.
-func (s *IntegrationSuite) rootClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
-	return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].SystemRootToken)
-}
-
-// Return Context, arvados.Client and keepclient structs initialized
-// to communicate with the cluster as the anonymous user.
-func (s *IntegrationSuite) anonymousClients(clusterID string) (context.Context, *arvados.Client, *keepclient.KeepClient) {
-	return s.clientsWithToken(clusterID, s.testClusters[clusterID].config.Clusters[clusterID].Users.AnonymousUserToken)
 }
 
 func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
-	conn1 := s.conn("z1111")
-	rootctx1, _, _ := s.rootClients("z1111")
-	conn3 := s.conn("z3333")
-	userctx1, ac1, kc1 := s.userClients(rootctx1, c, conn1, "z1111", true)
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	conn3 := s.testClusters["z3333"].Conn()
+	userctx1, ac1, kc1, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 
 	// Create the collection to find its PDH (but don't save it
 	// anywhere yet)
@@ -252,11 +184,84 @@ func (s *IntegrationSuite) TestGetCollectionByPDH(c *check.C) {
 	c.Check(coll.PortableDataHash, check.Equals, pdh)
 }
 
+func (s *IntegrationSuite) TestS3WithFederatedToken(c *check.C) {
+	if _, err := exec.LookPath("s3cmd"); err != nil {
+		c.Skip("s3cmd not in PATH")
+		return
+	}
+
+	testText := "IntegrationSuite.TestS3WithFederatedToken"
+
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	userctx1, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
+	conn3 := s.testClusters["z3333"].Conn()
+
+	createColl := func(clusterID string) arvados.Collection {
+		_, ac, kc := s.testClusters[clusterID].ClientsWithToken(ac1.AuthToken)
+		var coll arvados.Collection
+		fs, err := coll.FileSystem(ac, kc)
+		c.Assert(err, check.IsNil)
+		f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
+		c.Assert(err, check.IsNil)
+		_, err = io.WriteString(f, testText)
+		c.Assert(err, check.IsNil)
+		err = f.Close()
+		c.Assert(err, check.IsNil)
+		mtxt, err := fs.MarshalManifest(".")
+		c.Assert(err, check.IsNil)
+		coll, err = s.testClusters[clusterID].Conn().CollectionCreate(userctx1, arvados.CreateOptions{Attrs: map[string]interface{}{
+			"manifest_text": mtxt,
+		}})
+		c.Assert(err, check.IsNil)
+		return coll
+	}
+
+	for _, trial := range []struct {
+		clusterID string // create the collection on this cluster (then use z3333 to access it)
+		token     string
+	}{
+		// Try the hardest test first: z3333 hasn't seen
+		// z1111's token yet, and we're just passing the
+		// opaque secret part, so z3333 has to guess that it
+		// belongs to z1111.
+		{"z1111", strings.Split(ac1.AuthToken, "/")[2]},
+		{"z3333", strings.Split(ac1.AuthToken, "/")[2]},
+		{"z1111", strings.Replace(ac1.AuthToken, "/", "_", -1)},
+		{"z3333", strings.Replace(ac1.AuthToken, "/", "_", -1)},
+	} {
+		c.Logf("================ %v", trial)
+		coll := createColl(trial.clusterID)
+
+		cfgjson, err := conn3.ConfigGet(userctx1)
+		c.Assert(err, check.IsNil)
+		var cluster arvados.Cluster
+		err = json.Unmarshal(cfgjson, &cluster)
+		c.Assert(err, check.IsNil)
+
+		c.Logf("TokenV2 is %s", ac1.AuthToken)
+		host := cluster.Services.WebDAV.ExternalURL.Host
+		s3args := []string{
+			"--ssl", "--no-check-certificate",
+			"--host=" + host, "--host-bucket=" + host,
+			"--access_key=" + trial.token, "--secret_key=" + trial.token,
+		}
+		buf, err := exec.Command("s3cmd", append(s3args, "ls", "s3://"+coll.UUID)...).CombinedOutput()
+		c.Check(err, check.IsNil)
+		c.Check(string(buf), check.Matches, `.* `+fmt.Sprintf("%d", len(testText))+` +s3://`+coll.UUID+`/test.txt\n`)
+
+		buf, _ = exec.Command("s3cmd", append(s3args, "get", "s3://"+coll.UUID+"/test.txt", c.MkDir()+"/tmpfile")...).CombinedOutput()
+		// Command fails because we don't return Etag header.
+		flen := strconv.Itoa(len(testText))
+		c.Check(string(buf), check.Matches, `(?ms).*`+flen+` (bytes in|of `+flen+`).*`)
+	}
+}
+
 func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
-	conn1 := s.conn("z1111")
-	conn3 := s.conn("z3333")
-	rootctx1, rootac1, rootkc1 := s.rootClients("z1111")
-	anonctx3, anonac3, _ := s.anonymousClients("z3333")
+	conn1 := s.testClusters["z1111"].Conn()
+	conn3 := s.testClusters["z3333"].Conn()
+	rootctx1, rootac1, rootkc1 := s.testClusters["z1111"].RootClients()
+	anonctx3, anonac3, _ := s.testClusters["z3333"].AnonymousClients()
 
 	// Make sure anonymous token was set
 	c.Assert(anonac3.AuthToken, check.Not(check.Equals), "")
@@ -305,7 +310,7 @@ func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
 	c.Check(err, check.IsNil)
 
 	// Make a v2 token of the z3 anonymous user, and use it on z1
-	_, anonac1, _ := s.clientsWithToken("z1111", fmt.Sprintf("v2/%v/%v", outAuth.UUID, outAuth.APIToken))
+	_, anonac1, _ := s.testClusters["z1111"].ClientsWithToken(outAuth.TokenV2())
 	outUser2, err := anonac1.CurrentUser()
 	c.Check(err, check.IsNil)
 	// z3 anonymous user will be mapped to the z1 anonymous user
@@ -320,14 +325,14 @@ func (s *IntegrationSuite) TestGetCollectionAsAnonymous(c *check.C) {
 // Get a token from the login cluster (z1111), use it to submit a
 // container request on z2222.
 func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
-	conn1 := s.conn("z1111")
-	rootctx1, _, _ := s.rootClients("z1111")
-	_, ac1, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	_, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 
 	// Use ac2 to get the discovery doc with a blank token, so the
 	// SDK doesn't magically pass the z1111 token to z2222 before
 	// we're ready to start our test.
-	_, ac2, _ := s.clientsWithToken("z2222", "")
+	_, ac2, _ := s.testClusters["z2222"].ClientsWithToken("")
 	var dd map[string]interface{}
 	err := ac2.RequestAndDecode(&dd, "GET", "discovery/v1/apis/arvados/v1/rest", nil, nil)
 	c.Assert(err, check.IsNil)
@@ -355,6 +360,7 @@ func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
 	c.Assert(err, check.IsNil)
 	req.Header.Set("Content-Type", "application/json")
 	err = ac2.DoAndDecode(&cr, req)
+	c.Assert(err, check.IsNil)
 	c.Logf("err == %#v", err)
 
 	c.Log("...get user with good token")
@@ -381,24 +387,167 @@ func (s *IntegrationSuite) TestCreateContainerRequestWithFedToken(c *check.C) {
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Authorization", "OAuth2 "+ac2.AuthToken)
 	resp, err = arvados.InsecureHTTPClient.Do(req)
-	if c.Check(err, check.IsNil) {
-		err = json.NewDecoder(resp.Body).Decode(&cr)
+	c.Assert(err, check.IsNil)
+	err = json.NewDecoder(resp.Body).Decode(&cr)
+	c.Check(err, check.IsNil)
+	c.Check(cr.UUID, check.Matches, "z2222-.*")
+}
+
+func (s *IntegrationSuite) TestCreateContainerRequestWithBadToken(c *check.C) {
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	_, ac1, _, au := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true)
+
+	tests := []struct {
+		name         string
+		token        string
+		expectedCode int
+	}{
+		{"Good token", ac1.AuthToken, http.StatusOK},
+		{"Bogus token", "abcdef", http.StatusUnauthorized},
+		{"v1-looking token", "badtoken00badtoken00badtoken00badtoken00b", http.StatusUnauthorized},
+		{"v2-looking token", "v2/" + au.UUID + "/badtoken00badtoken00badtoken00badtoken00b", http.StatusUnauthorized},
+	}
+
+	body, _ := json.Marshal(map[string]interface{}{
+		"container_request": map[string]interface{}{
+			"command":         []string{"echo"},
+			"container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
+			"cwd":             "/",
+			"output_path":     "/",
+		},
+	})
+
+	for _, tt := range tests {
+		c.Log(c.TestName() + " " + tt.name)
+		ac1.AuthToken = tt.token
+		req, err := http.NewRequest("POST", "https://"+ac1.APIHost+"/arvados/v1/container_requests", bytes.NewReader(body))
+		c.Assert(err, check.IsNil)
+		req.Header.Set("Content-Type", "application/json")
+		resp, err := ac1.Do(req)
+		c.Assert(err, check.IsNil)
+		c.Assert(resp.StatusCode, check.Equals, tt.expectedCode)
+	}
+}
+
+// We test the direct access to the database
+// normally an integration test would not have a database access, but  in this case we need
+// to test tokens that are secret, so there is no API response that will give them back
+func (s *IntegrationSuite) dbConn(c *check.C, clusterID string) (*sql.DB, *sql.Conn) {
+	ctx := context.Background()
+	db, err := sql.Open("postgres", s.testClusters[clusterID].Super.Cluster().PostgreSQL.Connection.String())
+	c.Assert(err, check.IsNil)
+
+	conn, err := db.Conn(ctx)
+	c.Assert(err, check.IsNil)
+
+	rows, err := conn.ExecContext(ctx, `SELECT 1`)
+	c.Assert(err, check.IsNil)
+	n, err := rows.RowsAffected()
+	c.Assert(err, check.IsNil)
+	c.Assert(n, check.Equals, int64(1))
+	return db, conn
+}
+
+// TestRuntimeTokenInCR will test several different tokens in the runtime attribute
+// and check the expected results accessing directly to the database if needed.
+func (s *IntegrationSuite) TestRuntimeTokenInCR(c *check.C) {
+	db, dbconn := s.dbConn(c, "z1111")
+	defer db.Close()
+	defer dbconn.Close()
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	userctx1, ac1, _, au := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true)
+
+	tests := []struct {
+		name                 string
+		token                string
+		expectAToGetAValidCR bool
+		expectedToken        *string
+	}{
+		{"Good token z1111 user", ac1.AuthToken, true, &ac1.AuthToken},
+		{"Bogus token", "abcdef", false, nil},
+		{"v1-looking token", "badtoken00badtoken00badtoken00badtoken00b", false, nil},
+		{"v2-looking token", "v2/" + au.UUID + "/badtoken00badtoken00badtoken00badtoken00b", false, nil},
+	}
+
+	for _, tt := range tests {
+		c.Log(c.TestName() + " " + tt.name)
+
+		rq := map[string]interface{}{
+			"command":         []string{"echo"},
+			"container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
+			"cwd":             "/",
+			"output_path":     "/",
+			"runtime_token":   tt.token,
+		}
+		cr, err := conn1.ContainerRequestCreate(userctx1, arvados.CreateOptions{Attrs: rq})
+		if tt.expectAToGetAValidCR {
+			c.Check(err, check.IsNil)
+			c.Check(cr, check.NotNil)
+			c.Check(cr.UUID, check.Not(check.Equals), "")
+		}
+
+		if tt.expectedToken == nil {
+			continue
+		}
+
+		c.Logf("cr.UUID: %s", cr.UUID)
+		row := dbconn.QueryRowContext(rootctx1, `SELECT runtime_token from container_requests where uuid=$1`, cr.UUID)
+		c.Check(row, check.NotNil)
+		var token sql.NullString
+		row.Scan(&token)
+		if c.Check(token.Valid, check.Equals, true) {
+			c.Check(token.String, check.Equals, *tt.expectedToken)
+		}
+	}
+}
+
+// TestIntermediateCluster will send a container request to
+// one cluster with another cluster as the destination
+// and check the tokens are being handled properly
+func (s *IntegrationSuite) TestIntermediateCluster(c *check.C) {
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	uctx1, ac1, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, "user@example.com", true)
+
+	tests := []struct {
+		name                 string
+		token                string
+		expectedRuntimeToken string
+		expectedUUIDprefix   string
+	}{
+		{"Good token z1111 user sending a CR to z2222", ac1.AuthToken, "", "z2222-xvhdp-"},
+	}
+
+	for _, tt := range tests {
+		c.Log(c.TestName() + " " + tt.name)
+		rq := map[string]interface{}{
+			"command":         []string{"echo"},
+			"container_image": "d41d8cd98f00b204e9800998ecf8427e+0",
+			"cwd":             "/",
+			"output_path":     "/",
+			"runtime_token":   tt.token,
+		}
+		cr, err := conn1.ContainerRequestCreate(uctx1, arvados.CreateOptions{ClusterID: "z2222", Attrs: rq})
+
 		c.Check(err, check.IsNil)
-		c.Check(cr.UUID, check.Matches, "z2222-.*")
+		c.Check(strings.HasPrefix(cr.UUID, tt.expectedUUIDprefix), check.Equals, true)
+		c.Check(cr.RuntimeToken, check.Equals, tt.expectedRuntimeToken)
 	}
 }
 
 // Test for bug #16263
 func (s *IntegrationSuite) TestListUsers(c *check.C) {
-	rootctx1, _, _ := s.rootClients("z1111")
-	conn1 := s.conn("z1111")
-	conn3 := s.conn("z3333")
-	userctx1, _, _ := s.userClients(rootctx1, c, conn1, "z1111", true)
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	conn1 := s.testClusters["z1111"].Conn()
+	conn3 := s.testClusters["z3333"].Conn()
+	userctx1, _, _, _ := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
 
 	// Make sure LoginCluster is properly configured
 	for cls := range s.testClusters {
 		c.Check(
-			s.testClusters[cls].config.Clusters[cls].Login.LoginCluster,
+			s.testClusters[cls].Config.Clusters[cls].Login.LoginCluster,
 			check.Equals, "z1111",
 			check.Commentf("incorrect LoginCluster config on cluster %q", cls))
 	}
@@ -457,3 +606,127 @@ func (s *IntegrationSuite) TestListUsers(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Check(user1.IsActive, check.Equals, false)
 }
+
+func (s *IntegrationSuite) TestSetupUserWithVM(c *check.C) {
+	conn1 := s.testClusters["z1111"].Conn()
+	conn3 := s.testClusters["z3333"].Conn()
+	rootctx1, rootac1, _ := s.testClusters["z1111"].RootClients()
+
+	// Create user on LoginCluster z1111
+	_, _, _, user := s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
+
+	// Make a new root token (because rootClients() uses SystemRootToken)
+	var outAuth arvados.APIClientAuthorization
+	err := rootac1.RequestAndDecode(&outAuth, "POST", "/arvados/v1/api_client_authorizations", nil, nil)
+	c.Check(err, check.IsNil)
+
+	// Make a v2 root token to communicate with z3333
+	rootctx3, rootac3, _ := s.testClusters["z3333"].ClientsWithToken(outAuth.TokenV2())
+
+	// Create VM on z3333
+	var outVM arvados.VirtualMachine
+	err = rootac3.RequestAndDecode(&outVM, "POST", "/arvados/v1/virtual_machines", nil,
+		map[string]interface{}{"virtual_machine": map[string]interface{}{
+			"hostname": "example",
+		},
+		})
+	c.Check(outVM.UUID[0:5], check.Equals, "z3333")
+	c.Check(err, check.IsNil)
+
+	// Make sure z3333 user list is up to date
+	_, err = conn3.UserList(rootctx3, arvados.ListOptions{Limit: 1000})
+	c.Check(err, check.IsNil)
+
+	// Try to set up user on z3333 with the VM
+	_, err = conn3.UserSetup(rootctx3, arvados.UserSetupOptions{UUID: user.UUID, VMUUID: outVM.UUID})
+	c.Check(err, check.IsNil)
+
+	var outLinks arvados.LinkList
+	err = rootac3.RequestAndDecode(&outLinks, "GET", "/arvados/v1/links", nil,
+		arvados.ListOptions{
+			Limit: 1000,
+			Filters: []arvados.Filter{
+				{
+					Attr:     "tail_uuid",
+					Operator: "=",
+					Operand:  user.UUID,
+				},
+				{
+					Attr:     "head_uuid",
+					Operator: "=",
+					Operand:  outVM.UUID,
+				},
+				{
+					Attr:     "name",
+					Operator: "=",
+					Operand:  "can_login",
+				},
+				{
+					Attr:     "link_class",
+					Operator: "=",
+					Operand:  "permission",
+				}}})
+	c.Check(err, check.IsNil)
+
+	c.Check(len(outLinks.Items), check.Equals, 1)
+}
+
+func (s *IntegrationSuite) TestOIDCAccessTokenAuth(c *check.C) {
+	conn1 := s.testClusters["z1111"].Conn()
+	rootctx1, _, _ := s.testClusters["z1111"].RootClients()
+	s.testClusters["z1111"].UserClients(rootctx1, c, conn1, s.oidcprovider.AuthEmail, true)
+
+	accesstoken := s.oidcprovider.ValidAccessToken()
+
+	for _, clusterID := range []string{"z1111", "z2222"} {
+
+		var coll arvados.Collection
+
+		// Write some file data and create a collection
+		{
+			c.Logf("save collection to %s", clusterID)
+
+			conn := s.testClusters[clusterID].Conn()
+			ctx, ac, kc := s.testClusters[clusterID].ClientsWithToken(accesstoken)
+
+			fs, err := coll.FileSystem(ac, kc)
+			c.Assert(err, check.IsNil)
+			f, err := fs.OpenFile("test.txt", os.O_CREATE|os.O_RDWR, 0777)
+			c.Assert(err, check.IsNil)
+			_, err = io.WriteString(f, "IntegrationSuite.TestOIDCAccessTokenAuth")
+			c.Assert(err, check.IsNil)
+			err = f.Close()
+			c.Assert(err, check.IsNil)
+			mtxt, err := fs.MarshalManifest(".")
+			c.Assert(err, check.IsNil)
+			coll, err = conn.CollectionCreate(ctx, arvados.CreateOptions{Attrs: map[string]interface{}{
+				"manifest_text": mtxt,
+			}})
+			c.Assert(err, check.IsNil)
+		}
+
+		// Read the collection & file data -- both from the
+		// cluster where it was created, and from the other
+		// cluster.
+		for _, readClusterID := range []string{"z1111", "z2222", "z3333"} {
+			c.Logf("retrieve %s from %s", coll.UUID, readClusterID)
+
+			conn := s.testClusters[readClusterID].Conn()
+			ctx, ac, kc := s.testClusters[readClusterID].ClientsWithToken(accesstoken)
+
+			user, err := conn.UserGetCurrent(ctx, arvados.GetOptions{})
+			c.Assert(err, check.IsNil)
+			c.Check(user.FullName, check.Equals, "Example User")
+			readcoll, err := conn.CollectionGet(ctx, arvados.GetOptions{UUID: coll.UUID})
+			c.Assert(err, check.IsNil)
+			c.Check(readcoll.ManifestText, check.Not(check.Equals), "")
+			fs, err := readcoll.FileSystem(ac, kc)
+			c.Assert(err, check.IsNil)
+			f, err := fs.Open("test.txt")
+			c.Assert(err, check.IsNil)
+			buf, err := ioutil.ReadAll(f)
+			c.Assert(err, check.IsNil)
+			c.Check(buf, check.DeepEquals, []byte("IntegrationSuite.TestOIDCAccessTokenAuth"))
+		}
+	}
+}