X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/927524f1be454de021180b74999d682780b8cb6b..07baa0ed049746514495d1648c1aef0c40545141:/services/api/test/integration/users_test.rb diff --git a/services/api/test/integration/users_test.rb b/services/api/test/integration/users_test.rb index f3e787e3df..ca14336389 100644 --- a/services/api/test/integration/users_test.rb +++ b/services/api/test/integration/users_test.rb @@ -40,7 +40,7 @@ class UsersTest < ActionDispatch::IntegrationTest verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login', @@ -85,7 +85,7 @@ class UsersTest < ActionDispatch::IntegrationTest verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', 'foo/usertestrepo', created['uuid'], 'arvados#repository', true, 'Repository' - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login', @@ -113,7 +113,7 @@ class UsersTest < ActionDispatch::IntegrationTest # two new links: system_group, and 'All users' group. - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', false, 'permission', 'can_login', @@ -135,7 +135,7 @@ class UsersTest < ActionDispatch::IntegrationTest assert_equal 'foo@example.com', created['email'], 'expected input email' # verify links - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', @@ -163,7 +163,7 @@ class UsersTest < ActionDispatch::IntegrationTest assert_equal created['email'], 'foo@example.com', 'expected original email' # verify links - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#virtualMachine', true, 'permission', 'can_login', @@ -187,7 +187,7 @@ class UsersTest < ActionDispatch::IntegrationTest # four extra links: system_group, login, group, repo and vm - verify_link response_items, 'arvados#group', true, 'permission', 'can_read', + verify_link response_items, 'arvados#group', true, 'permission', 'can_write', 'All users', created['uuid'], 'arvados#group', true, 'Group' verify_link response_items, 'arvados#repository', true, 'permission', 'can_manage', @@ -203,6 +203,22 @@ class UsersTest < ActionDispatch::IntegrationTest ApiClientAuthorization.create!(user: User.find_by_uuid(created['uuid']), api_client: ApiClient.all.first).api_token end + # share project and collections with the new user + act_as_system_user do + Link.create!(tail_uuid: created['uuid'], + head_uuid: groups(:aproject).uuid, + link_class: 'permission', + name: 'can_manage') + Link.create!(tail_uuid: created['uuid'], + head_uuid: collections(:collection_owned_by_active).uuid, + link_class: 'permission', + name: 'can_read') + Link.create!(tail_uuid: created['uuid'], + head_uuid: collections(:collection_owned_by_active_with_file_stats).uuid, + link_class: 'permission', + name: 'can_write') + end + assert_equal 1, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'expected token not found' post "/arvados/v1/users/#{created['uuid']}/unsetup", params: {}, headers: auth(:admin) @@ -213,6 +229,8 @@ class UsersTest < ActionDispatch::IntegrationTest assert_not_nil created2['uuid'], 'expected uuid for the newly created user' assert_equal created['uuid'], created2['uuid'], 'expected uuid not found' assert_equal 0, ApiClientAuthorization.where(user_id: User.find_by_uuid(created['uuid']).id).size, 'token should have been deleted by user unsetup' + # check permissions are deleted + assert_empty Link.where(tail_uuid: created['uuid']) verify_link_existence created['uuid'], created['email'], false, false, false, false, false end @@ -480,4 +498,60 @@ class UsersTest < ActionDispatch::IntegrationTest assert_response 403 end + test "disabling system root user not permitted" do + put("/arvados/v1/users/#{users(:system_user).uuid}", + params: { + user: {is_admin: false} + }, + headers: auth(:admin)) + assert_response 422 + + post("/arvados/v1/users/#{users(:system_user).uuid}/unsetup", + params: {}, + headers: auth(:admin)) + assert_response 422 + end + + test "creating users only accepted for admins" do + assert_equal false, users(:active).is_admin + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "username" => "barney" + } + }, + headers: auth(:active) + assert_response 403 + end + + test "create users assigns the system root user as their owner" do + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "username" => "barney" + } + }, + headers: auth(:admin) + assert_response :success + assert_not_nil json_response["uuid"] + assert_equal users(:system_user).uuid, json_response["owner_uuid"] + end + + test "create users ignores provided owner_uuid field" do + assert_equal false, users(:admin).uuid == users(:system_user).uuid + post '/arvados/v1/users', + params: { + "user" => { + "email" => 'foo@example.com', + "owner_uuid" => users(:admin).uuid, + "username" => "barney" + } + }, + headers: auth(:admin) + assert_response :success + assert_not_nil json_response["uuid"] + assert_equal users(:system_user).uuid, json_response["owner_uuid"] + end end